commit 0bd2038c86a6dee3270856c2c1e2dc6a9c6cdee9 Author: Andreas Ahmann Date: Fri Jan 24 16:18:47 2025 +0100 Public Information diff --git a/HISTORY.md b/HISTORY.md new file mode 100644 index 0000000..2e9a7ed --- /dev/null +++ b/HISTORY.md 
@@ -0,0 +1,409 @@ +# Version History + +## February 2025, beta 168 + +- Remove extra certificate from RMS component + +## January 2025, beta 167 + +- Update to nscale 9.3.1300 +- Added terminationGracePeriodSeconds to all PODs, can now be set with `.terminationGracePeriodSeconds` + +## december 2024, beta 166 + +- the secondary disk is now optional and needs to be enabled with `mounts.disk.enabled: true`. +- the default mount for the hid is now on the secondary disk. If you have hid enabled, this is a breaking change! Make sure you deal with existing HID files. + +## december 2024, beta 164 + +- Separated the buffers and DA for performance reasons in nstl. The buffers are now stored on a new volume *disk*. +- Added `/var/crash` to nstl, storing potential crash dumps on pTemp. + +## december 2024, beta 163 + +- Update to nscale 9.3.1202 +- Next to .this.resources, you can now also set .this.sidecarResources and .this.initResources. + However, you should not do so unless you know what you are doing. + +## december 2024, beta 162 + +- Changed Resources for Fluentbit Sidecar Container + +## december 2024, beta 161 + +- Added startup probes for all components + +## November 2024, beta 160 + +- Added a startup probe for nstl + +## November 2024, beta 159 + +- Added .instance.stage to identify a stage + +## November 2024, beta 158 + +- Added service.name for Open Telemetry + +## Oktober 2024, beta 157 + +- Latest ERP-Proxy Version by Ceyoniq. This also has been **renamed** to **erpproxy** to match the **eprcmis** connector chart naming +- First BETA of ERP-CMIS Connector in directory **erpcmis** +- Added the possibility to add Annotations to Payloads, for the use with OpenTelemetry + Also see [here](https://opentelemetry.io/docs/kubernetes/operator/automatic/) +- Also added hard coded openTelemetry support for convenience +- Fixed a bug where the prepper chart waited for post sync in argo deployments + +## Oktober 2024, beta 156 + +- nscale ERP Proxy Chart now available. 
There is still a bug in this first image by Ceyoniq, so the chart will not bring up a running + system yet. But the Values are in, so you can start setting up the instances. + +## Oktober 2024, beta 155 + +- Added the possibility to use configMaps and secrets in the generic mount interface. + Please see the *generic* example for details + +## September 2024, release 1.2.1500 + +- Update to nscale 9.2.1502 +- Added value `logForwarder.db` to set a fully qualified path to the database file, in case you do not want to have it along the logs. + Example: + ``` + logForwarder: + - name: Accounting + path: "/opt/ceyoniq/nscale-server/storage-layer/accounting/*.csv" + db: "/opt/ceyoniq/nscale-server/storage-layer/logsdb/logs.db" + ``` +- BASEFOLDER Value Typo corrected in SharePoint. Is now `Values.nappl.baseFolder` +- The default value for `doInitialCrawl` was a bool. It is now a string `false` which is correct. +- You can now add any extra Annotation to services and ingresses. + Example: + ``` + global: + ingress: + annotations: + nginx.org/proxy-read-timeout: "20s" + service: + annotations: + consul.hashicorp.com/service-sync: "true" + ``` +- Add `.this.ingress.proxyReadTimeout` to set this extra annotation to ingress objects +- Ports can now be disabled in NetworkPolicies, if you use a CNI driver that does not support them. + This is especially for the "endPort" Attribute, that is currently not supported by Cilium. +- Added port 443 to the egress in Network Policies for Pods accessing the K8s API +- there was a duplicate podDisruptionBudget. Fixed it. 
+- Fixed a bug with respect to Volume Names / Static Volumes and Storage Classes +- Correction of documentation regarding `global.pullSecretOverride` (wrong, missing s) and `global.pullSecretsOverride` (correct) +- Fixed a bug where PAM could not communication with JOBSNAPPL in a HA scenario + +## August 2024, release 1.2.1400 + +- Fixed bugs regarding KubePing Protocol in Version < 9.1 + +- Fixed bugs regarding tenant-chart-agro. Be aware: It was the .helmignore after all. + +- Added nscale 9.1.1506 to versions and released the chart version to repo + +- The Application Chart now waits a minute before executing to prevent race condition problems +- Setting SERVER_BASE_URL in Application Layer for SAML redirects to work +- Added Liveness Probes + +- Added the possibility to define *PodDisruptionBudgets* for any component. + +- Added a readyness probe to postgres +- reviewed the resource consumption and added better requests and limits. Also see the sample *resources* + +- Working on the documentation +- updated sharepoint chart to meet the latest specs from Ceyoniq +- Sharepoint Connector is now a StatefulSet +- SharePoint DoInitialCrawl now defaults to false +- Changed nstl and sharepoint updateStrategy to OnDelete +- Update Sharepoint to version 9.2.1400 + +- Update nscale auf 9.2.1402 +- The nstl HID Check was disabled by default, as it only made sense when using multiple volumes. Now, we habe pTemp since a few builds, so it makes + sense now to store the hid file to pTemp. Therefore a new pTemp directory *hid* has been created to hold this file. The new sample *hid* shows how to turn this feature on. +- nstl checks the *audit.log* size when starting up. After an update, the log directory on emptydir got deleted when re-creating the new pod. This caused + the audit log to be empty and caused an error. The log directory of nstl has also now moved to pTemp to avoid this. 
+- Added *limitations.md* to the docs directory and READMEs + +- Update jsonl structure to get AI Support Assistent running + +- Health Check des SP Connectors nun auf `/nscale_spc/images/icons/PowerPoint.svg` + +- Added *generic mounts* to be able to add any pre provisioned PV to a container. Like a smb, nfs oder cifs share with migration data for pipeliner for example. +- Moved the nstl cluster service to the nstl chart and made sure the default ports etc. are used correctly +- Bugfix in domain name + +- Adding *Service* configuration section to most components. This section can be used to disable a components service (along with the potential ingress) to + be able to configure cluster services for retrieval (used in the SharePoint scenario). Please see the sharepoint sample for more information +- Adding a clusterService configuration as an additional option to achieve above goal + +- Commented the SharePoint Probe out, because it needs work + +- New Instance Group Feature + You can set an alternative `.instance.group` to bundle multiple Instances together. This will allow traffic to be passed beween all instances within this group. + This is ment to be used for large instances that you might want to split up. Please see the `group` sample. +- Fixed a bug in the resolver, preventing sliced maps to be deepCopied into .this + +- Fixed a bug concerning Postgres PullSecrets +- Added pullSecretsOverride +- waitFor can now be turned off if you feel argoWaves are all you need: + ``` + utils.disableWait: true + ``` +- argoCD Waves can now be turned off if you feel waitFor is all you need: + ``` + utils.disableWave: true + ``` +- Added FluentBit:2.0 as default LogForwarder e.g. for the Accounting Log. 
+ +- Changed the default argoCD waves to make sure the prepper runs first +- Fixed a bug, where the condition of the sharepoint instances were all bound to the same key +- Adding *Maintenance Mode*, to start pods without starting the service, providing the possibility to gain access to the container to perform recovery tasks that need to be done offline. In order to do this: + - All *waitFor* definitions are ignored + - All *Health Checks* are ignored + - The container starts in idle + - Application Jobs are disabled + You can put a component, an instance or the whole environment into maintenance. +- Adding a new values map: `.instance` holding `.instance.version` currently, showing the nscale Version installed (pinning the nappl) +- Adding downward compatability for `nscaleVersion` and `componentVersion` +- the *nplus Environment Chart* now has a *prepper* component you can turn on if needed +- nstore Downloader is now *disabled* by default +- Renamed Administrator Server aka RMS to *nplus Remote Management Server* + This should show the proximity to the *nscale Remote Management Service* and the idea of using a *virtual Server* for the rich Admin Client +- worked on Documentation +- Re-Structuring the Samples Directory + +Breaking Changes + +- The **storageClass** of a static volume is now set to empty ("") to prevent the PV from being bound to the wrong PVC. We also recommend putting a claimRef into your PV to make sure only the correct PVC can bind to it. + Your PV also has to set the storage class to "" otherwise it will not bind. + see https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + +- Slicing Environment Chart into Subcharts: + The Environment Chart is now an Umbrella Chart. It references the operator, toolbox, dav and backend separately. 
By that means, you can now also add those charts to the Instance Umbrella Chart with *SIM* + +- Adding *SIM* to Instance + The *Single Instance Mode* lets you run a single *nplus Instance* in your namespace. The Instance *should* be named after the namespace. You can turn on the environmental components *operator, toolbox, dav and backend* in the Instance chart to get a single chart that brings all it needs + +- Excluding "globals" from ArgoCD Values + There was a large globals section in the ArgoCD Application, that was unnecessary. It is removed + +- Adding *Prepper* as a component to deploy git assets prior to component deployment: + Sometimes you need to deploy assets like Web Snippets to the Instance *before* any other component is deployed and initially started. The prepper can be used to download assets from git, extract tarballs and then calling scripts to perform any custom action. The prepper has no waitFor condition, thus running directly after the PVs are created, which happens in the *backend* chart of the environment. *Prepper* ist much like the *Application* Chart, but it of course cannot deploy anything into an Application Layer, as the nappl not yet exists. + +- Adding download capability to the Application Chart + You can now define downloads, that the Application Chart should perform prior to executing any script or App Installation + +- CIFS Mode for File Storage, preventing chmod from being run in scripts, is now *on* by default. +- Renamed the *nappl* Cluster, if there is no prefix (as in instance name == Release.namespace due to SIM) +- fixed a bug, where some resources (defaultconfig, networkpolicies, database config, ...) were not created in the release namespace but the default + +- Added `includeNamespace` + By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + +Potentially Breaking Changes: + +- The former Environment Chart used non-Standard Labels you might have used for your firewall rules. These are now normalized and the new environmental components behave just like any other component. + +- Introduced *ptemp* as a persistent temp space, e.g. for the accounting logs or database dumps etc. +- Accounting in Storage Layer: set `accounting: true` and the csv files will be written to *ptemp* + +## July 2024, release 1.2.1303 + +- customizingMode as new switch in *web* +- fixed a bug with timezone data +- Add a key to switch off certificate generation if no issuer is set: createSelfSignedCertificate +- Added tcps as port with 3006 to nstl +- Fixed a bug with the resolver in combination with the instance name: Resolving was too late for some + String operations. +- Normalized all examples that no more includes are used in templates (are not necessary any more) and also + single quotes are normalized to double quotes for strings, as we now do not need to use double quotes for the + includes any more. +- Adding nscale Web tls and completing Zerotrust Mode +- Changed the default of priorityClasses: It is now OFF. See FAQ for documentation +- global flags and defaults for TZDATA / Timezone setting + +Big things: + +- An all new Values sub-system: + - You can now stage **any** value! + - You can now override **any** value on **any** stage! + - This also works with your own values for your custom charts + - templates used in values are automatically and recursively resolved. This also works with your custom values! 
+- Update to nscale 9.2.1302 +- Many cleanups + +Breaking Changes: + +- new .Values section: *meta* +- *nscaleVersion* is now in section meta +- *componentVersion* is now in section meta +- *ports* is now in section meta +- *type* is now in section meta +- *wave* is now in section meta +- *commercial.tenant* is now in section meta +- *commercial.provider* is now in section meta + +Non breaking Changes: + +- *this* + In code, you can now refer to `.this.*` instead of `.Values.*`. + *this* is build from .Values (for component values), .Values.global (for instance values) and .Values.global.environment (for environment values) automatically +- automatic resolver + after condensing the `.Values` into `.this`, a new recursive resolving function now looks for any template used in values and resolves it (using `.this` values) +- new .Values section: *override* + This section is automatically applied to all .this, overwriting any existing value. + *override* is also subject to automativ compression and resolving + +- Helper functions are moved from _helper.tpl to a new map in code, accessible via `$.component`. + if you used helper functions in your templates, you need to port them. They are still working, but are depricated. + +- *_depricated.tpl* now holds depricated functions. They resolve to the new function / value and are subject for being removed in future majors. + +- new debugging mechanism: + You might want to debug your values and functions and helm lacks some important functionality for this, like a callstack. + The new debug feature now provides this functionality. You can call `nplus.debug.enter` and `nplus.debug.leave` in your code to + add this functionality to your own definitions. +- debugging Values: + if debugging is enabled, Values are reported in the component custom resource. Just search for `DEBUG` in `helm template` code. +- to enable debug, set `debug: true` on any level. 
Example: + ``` + global: + environment: + utils: + debug: true + ``` +- debug also adds strict mode, so depricated functions are failing + +- *init function* + if you want to use the new functionality (.this, .component, ...) in your template, call `include "nplus.init"` as first line in your code. + It initializes automatically + +- new .component section with calculated values for you to use in your templates. +- fixed a bug, where nappl sync wave is after application sync wave (ArgoCD) +- Sorting and Documenting the default ArgoCD Waves (see quickstart-argo) + +Breaking changes: + +- renamed nstlIPRange to nstlIpRange +- In Application Chart, renamed .Values.rs to .Values.rs.host +- In Application Chart, renamed .Values.nstl to .Values.nstl.host +- changes in database Values.yaml, please check if you used it + +Non breaking changes: + +- Added nstlIpRange to the Storage Layer Chart to allow to open egress connections from internal Storage Layer to servers outside the cluster +- New *defaultConfig* possibility to add default config files to Charts that are used prior to image templates (e.g. 
for a common cold.xml) +- Added *sessionCacheStorageType* as a new parameter for NAPPL +- Adding *dbIpRange* to the cni security options + +## June 2024, release 1.2.1204 + +- RMS now including HA Mode (see samples) +- Fixes a problem, that the SNC Files are not in the NAPPL lib directory +- Encrypt Sample +- ZeroTrust Mode +- Code cleanup + +## June 2024, release 1.2.1203 + +- Allow Application Scripts to run before and after globally and per DocArea +- Add more logging to DAV Container +- Add PAM and SharePoint Connector to dsl + +## June 2024, release 1.2.1202 + +- Allow multiple nscale SharePoint Connector instances with a separate configuration each +- Allow Certificate Stores to be defined as configMaps OR secrets +- current alpha Version of nscale SharePoint Connector for testing + +## June 2024, release 1.2.1201 + +- Fixed a bug in nscale Web due to the read only file system +- Added SNC support to access SAP Server +- Added Java Certificate Keystores (cacerts and component.store) + +## June 2024, release 1.2.1200 + +- Update to nscale Version 9.2.1200 +- Adding nscale PAM (Process Automation Modeler) helm chart +- Adding nscale SharePoint Connector helm Chart +- Adding O365 Sample (with SP Connector) +- Support extra fonts (like Microsoft Core Fonts) +- Allow calling global or local custom installation scripts during initialization (application chart) +- Add Applications to Health Status +- Adding a *Zero Trust* Example (`zerotrust.yaml`). The functionality is not yet completely implemented, so this is alpha status. +- Temporarily adding Custom Project API container ("dms-api") to the instance +- Alpha Version of Ports cleanup + +## May 2024, Release 1.2.11xx + +- Support envFrom in all components, with secretRef. 
Set the secret name in `envSecret` +- Support whitelisting in ingresses +- Add Inter Pod AntiAffinity +- Now using kube-linter for pre-release checking +- Supporting CNI NetworkPolicies + +## Apr 2024, Release 1.2.1004 + +- Test with nscale 9.2 +- Operator Web GUI switch +- Deny in all ingresses +- Added Priority Classes +- Added Budgets +- Support for volumeName in PVC to supress dynamic provisioning of PVs +- Support for kubePing **and** KUBERNETES Discovery for Cluster Communication +- Documentation Updates +- Updates to dsl (nstl and operator) +- Bug Fixes + +## Mar 2024, Release 1.1.1501 + +- Added the Operator +- Web GUI for Monitoring +- RBAC enhancements +- Remote Management Server (RMS) Preview + +## Feb 2024, Release 1.1.1401 + +- Added Administrator Client + +## Jan 2024, Release 1.1.1302 + +- Changed Packaging to enable new helm Repo (gitea) +- Update dsl (C4) config files +- Added support for up to 4 Storage Layer + +## Jan 2024, Release 1.1.1301 + +- Fixed Application Chart Security Settings +- Added possibility to easily overwrite Versions + (see versions/*.yaml and e90 Example) +- Added Charts for nscale Administrator (RAP) and WebDAV Connector +- Added nstl Cluster (up to 4 Storage Layer) +- Added support for Docker Desktop Kubernetes + + +## Jan 2024, Release 1.1.1300 + +- Added Security Features: + - root-less Container + - dropped capabilities (all) + - read only root file systems on all container + - Prohibit Privilege Escalation +- New Toolbox Image + - new (controlled source) "wait" function + - new (controlled source) "webdav server" function +- Change DB Image to bitnami beacuse of better support for security features. + - User 1001 instead of 999 + - no chown necessary + - support for read-only root +- Support multi-temp paths (because of read-only root) + +## 23 December Release + +- Security Features: + - Support for Illumio Labels and Gates diff --git a/README.md b/README.md new file mode 100644 index 0000000..f8e8887 --- /dev/null 
+++ b/README.md 
@@ -0,0 +1,140 @@ +![logo_nplus](assets/logo_nplus.svg) + +The *nscale Plus Pack* (abbreviated as *nplus*) provides tools and instructions to deploy the [Ceyoniq](www.ceyoniq.com) *Enterprise Information Management* system [nscale](https://ceyoniq.com/produkte/) in a **multi-tenant** and **highly available** runtime environment in an **automated manner**. Additionally, the original **components are enhanced** to address common **enterprise requirements**. + +*nplus* is a **subscription**. The subscriber gains access to all *nplus* resources, ensuring an easy way to **protect their investment**. + +*nplus* does not include any nscale software, licenses or services, which are still to be obtained directly from Ceyoniq. + + +## TL;DR + +Use `helm install` to install an nplus Instance. Setting the domain name is optional, but nplus will automatically generate an ingress including a certificate for you. + +If you have *cert-manager* installed, it will issue a certificate for you. If not, nplus will generate a self-signed certificate. 
+ +```bash +helm install myinstance \ + --set global.ingress.domain=myinstance.demo.nplus.cloud \ + --set global.ingress.issuer=nplus-issuer \ + nplus/nplus-instance +``` + +If you prefer to have *ArgoCD* perform the installation (instead of helm), you can use the *ArgoCD* chart to add the Argo Application: + +```bash +helm install \ + --set global.ingress.domain=myinstance-argo.demo.nplus.cloud \ + --set global.ingress.issuer=nplus-issuer \ + myinstance-argo nplus/nplus-instance-argo +``` + + + +You can check the status of the instance using: + +```bash +# kubectl get instance +NAME HANDLER VERSION TENANT STATUS +myinstance Helm 9.1.1501 default starting +``` + +And the component status with: + +```bash +# kubectl get components +NAME INSTANCE COMPONENT VERSION STATUS +myinstance-nstl myinstance nstl 9.1.1200 healthy +myinstance-rs myinstance rs 9.1.1300 healthy +myinstance-database myinstance database 15 healthy +myinstance-nappl myinstance nappl 9.1.1501 healthy +myinstance-web myinstance web 9.1.1500 healthy +myinstance-administrator myinstance administrator 9.1.1500 healthy +``` + +You can check the log files of the *Application Layer* for instance by typing: + +```bash +# kubectl logs -l nplus/instance=myinstance,nplus/component=nappl +``` + +Uninstall myinstance using the following command: + +```bash +helm uninstall myinstance +``` + + + +## Concept + +***nplus*** includes **helm charts** for individual components and umbrella charts orchestrating these components. It can be installed multiple times within a **Kubernetes cluster**, once **per namespace**. This allows the use of multiple separate *nplus* environments in a single Kubernetes cluster. For example, different **stages** (*DEV*, *QA*, *PROD*, etc.) or **tenants** (*A GmbH*, *B AG*, *C GbR*, ...) could be placed in different namespaces. + +With appropriate namespace separation, environments cannot see each other. 
However, it is optionally possible to create a separate namespace for **central services**, such as the *nscale Rendition Server* or the *nscale Storage Layer*, to be used across namespaces if desired. + +Within a Kubernetes namespace, the ***nplus environment*** manages any number of **instances**, **components** and **applications**: + +- An ***instance*** is a group of ***nscale**-*, ***nplus**-* and optionally ***open source**-* **components**, for example, an *nscale Application Layer* or a *KeyCloak* service. *nplus* includes separate, self-contained helm charts for each individual component, allowing a component to be deployed manually outside of an *instance*, although this is not recommended. + +- ***Applications*** are units that optionally bring *configurations* and *customizations* into the *instance*. This could include creating a document area or installing a customer record management via a ***Generic Base App***. Even ***smart apps*** can be packaged in applications. In the subscriber area, you find examples of *applications*, which are helm charts to transport your individual project specifics into an instance. + + If you have custom components, such as an API component for business applications, you can also package them into an application to install them with the suite. + +For **GitOps projects**, all charts are also available as **ArgoCD** variants. + +A **central storage** for the **configuration data** of individual *components* is provided for each *nplus environment*. This central storage is versioned using **git**. All config files from all applications of an installation are stored here. + + + +## Features + +For operation in a Kubernetes cluster, *nplus* provides: + +- Versioned *helm charts* for all *nscale* components for installation, updating, and uninstallation. +- The nscale components (Application Layer, Storage Layer, Web, CMIS, etc.) can be grouped into *instances* in any combination. 
+- Multiple *instances* can run in a Kubernetes namespace (e.g., *Tenant1*, *Tenant2*, and *CentralServices*). +- A namespace can represent either a tenant (e.g., *Sales*) or a stage (e.g., *prod*, *qa*, or *dev) if running multiple stages on one cluster. +- Umbrella charts for complex environments, including: + - Optional LDAP directory with openLDAP. + - Optional central Single Sign-On with Multi-Factor Authentication using KeyCloak. + - Optional PostgreSQL database. + - Optional S3 connection for the Storage Layer. + - Optional Azure Blob connection for the Storage Layer. + +- All charts are also available in an *argoCD* variant to integrate them into a GitOps deployment pipeline. +- Support for AppDynamics. +- Support for security tools, especially Illumio, Cilium, or Calico. +- Support for snc (for accessing SAP systems). +- Support for cert-manager for automatic TLS certificate generation. +- A separate application chart (*nplus Application*) for deploying and updating solutions. +- Usability of the classic *nscale Administrator* in a K8s DEV environment, eliminating the need for developers and administrators to adapt. +- Umbrella charts with tenant templates that can include and consolidate applications, solutions, and other external tools. Installing, uninstalling, or updating such tenants based on a template can then be done in a single line. +- Use of dedicated Application Layers for jobs, SAP, and users. For each use case, any number of replicas can be specified. +- Use of dedicated nscale Web instances for different departments, such as Department A and Department B. This allows loading different snippets or applying different SSO rules for each department. + + + +### Licensing + +The subscription credentials for *nplus* include access to the *nplus* (container) registry, the *nplus* (helm) repository, the *nplus* online documentation, and the *nplus* license from 42i GmbH. 
+ +*nscale* must be obtained and licensed through the manufacturer (*Ceyoniq Technology GmbH*) as usual and is linked by *nplus*. You need access to the *nscale Container Registry* and a suitable *license.xml* for the instance. + + + +### Versioning + +The chart version of the *nplus* and *nplus-argocd* charts corresponds to the *nscale Application Layer* version. They include references to the components approved for this *nscale* version. This ensures that you always get the official versions from Ceyoniq in the official combination. This behavior can be individually adjusted, for example, if a web client needs to be tested with the latest version of the previous month's NAPPL. + +The (helm) app version corresponds to the helm git tag. + +The chart version of the components (*nappl*, *web*, ...) corresponds to the respective image version to pin them exactly. All charts can be used individually but require a suitable runtime environment (*nplus*) to run. They do not work outside of *nplus*. Within an *nplus* environment, additional individual components can be easily started. + + + +# Subscriber Area + +- The changelog is kept in the [HISTORY.md](/subscription/helm/src/branch/master/HISTORY.md). +- More information, all source code, and samples can be found at the [official nplus repo](/subscription/helm). + + diff --git a/VERSIONING.md b/VERSIONING.md new file mode 100644 index 0000000..cb2dffc --- /dev/null +++ b/VERSIONING.md 
@@ -0,0 +1,47 @@ + +# Versioning + +The *nplus chart versioning* is tied to the *nscale Application Layer* version, as we want to use `helm upgrade --version 9.2.1200` to upgrade to nappl 9.2.1200 for instance. As the Application Layer upgrades the database scheme in minor releases, this is the crutial version number. + +As the component charts also need to be deployable solo, so e.g. deploy a *nplus-component-web* chart into an existing instance, also the components use the version of the corresponding nscale component version. + +So we end up having an *instance chart* version that is equal to the *nplus-component-nappl* chart version and a bunch of other components that might have different versions in that bundle, all tied to the component version. + +The *nplus code versioning*, meaning the version of the chart code, is written to the `appVersion` field in the `Chart.yaml`, so with a `helm list`, you will get both versions. + +The code is versioned with tags. If different code is necessary for specific versions of nscale, this is handled by the chart. So the latest chart code should be able to handle the latest nscale version and all versions below (since 8.0, the first container release). You can always take the code tagged with version and appVersion in the Chart.yaml and mix in completely different nscale versions to deploy a specific release with the current code version. Please see the samples how to do that. + +## Version Scheduling + +nscale releases monthly versions latest on the first weekday of the month. At the end of the first week, nplus releases the corresponding chart version. Since it is tied to the nscale versioning, also minor and major releases are using the nscale schedule: April and October for minors and April of every odd year for majors. + +## Version Naming + +The versioning uses *semver 2* (see [semver.org](https://semver.org)). + +Beta Versions get tagged with `-`. In SemVer 2 syntax, these are pre-releases to the next version. 
In order to get the sorting correctly (so helm correctly fetches the *latest* version), pre-releases must use the version of the next release. Since these Versions are named by Ceyoniq for the nscale software, we do not know the next version for sure (but their naming theme is pretty straight and strict). + +However, what nplus does for this case is to increase the patch and use that on as the minimal next version. So after the release of version `9.2.1201` (nappl, thus als nplus), we will get the next development version `9.2.1202-1`. Until the next nscale release, probably being something like `9.2.130x`, when the pre-release then gets released and takes this version. + +## helm + +If you just use `helm install`, you will always get the latest released version available. Be carefull, as you might end up with an Application Layer version you might not want. So it is better to pin the version you want by something like `helm install --version 9.2.1200`. + +If you want to test with the latest development beta release, you can install `helm install --devel`, which gives you the latest beta. + +You can query available versions with `helm search repo nplus --versions --devel` + +So... + +- `helm search repo nplus` lists the latest released version of every component available +- `helm search repo nplus --devel` lists the latest available version of every component available, including beta versions +- `helm search repo nplus --versions --devel` lists all available versions of every component + +## Best Practise + +- use version pinning +- use the right channel (--devel for dev, released for QA and PROD) + +## Using the chart source code + +The code in the git repository is updated automatically with the build version in development. So the `Chart.yaml` files get a new version with every push. The appVersion refers to the source code in the original (private) repo, so that - in case of a support call - the exact used code can be determined. 
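Review bot: In VERSIONING.md under "Version Naming", the sentence "Beta Versions get tagged with `-`." does not say what follows the hyphen; the only hint is the later example `9.2.1202-1`. Spell out the suffix format there, since the paragraph relies on SemVer 2 pre-release sorting for helm to pick the *latest* version. The text that follows, "Until the next nscale release, probably being something like `9.2.130x`, when the pre-release then gets released and takes this version.", is a fragment and should be joined to the sentence before it. Smaller wording slips in the same file: "crutial", "thus als nplus", "Be carefull", "Best Practise", and "you can install `helm install --devel`".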
diff --git a/ai/README.md b/ai/README.md new file mode 100644 index 0000000..616c812 --- /dev/null +++ b/ai/README.md @@ -0,0 +1,3 @@ +# Ingest Formats + +This directory contains the *nplus* documentation in formats, easily digestible for AI LLMs. diff --git a/ai/jsonl/README.md b/ai/jsonl/README.md new file mode 100644 index 0000000..d305726 --- /dev/null +++ b/ai/jsonl/README.md @@ -0,0 +1,4 @@ +# Documentation in jsonl format + +This directory contains the *nplus* documentation in an jsonl format to be injested into LLMs. This idea is to be able to create a support assistent, who can help with +the *nplus* chart configuration. diff --git a/ai/jsonl/chart_administrator.jsonl b/ai/jsonl/chart_administrator.jsonl new file mode 100644 index 0000000..451fd46 --- /dev/null +++ b/ai/jsonl/chart_administrator.jsonl 
@@ -0,0 +1,137 @@ +{ "chart_name": "nplus-component-administrator", "chart_version": "1.2.1500-169", "chart_description": "nscale Administrator, providing the Web Version of the Administrator to be used in the Instance" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", 
"description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", 
"default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. 
The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_application.jsonl b/ai/jsonl/chart_application.jsonl new file mode 100644 index 0000000..1aafde9 --- /dev/null +++ b/ai/jsonl/chart_application.jsonl 
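Review bot: In ai/jsonl/chart_administrator.jsonl, the `nappl.password` record documents a plain-text credential in values and mentions the alternative only in passing ("if not set by secret"). Suggest the description point to `nappl.secret` as the preferred way and say when a literal password is acceptable, since this text is meant to drive a configuration assistant. Further points in this hunk:

- The `ingress.namespace` default `"ingress, kube-system, ingress-nginx"` opens the networkPolicy to three namespaces including `kube-system`; the description should say why each is in the default and that it should be narrowed to the namespace the controller actually runs in.
- The `utils.includeNamespace` example `kubectl apply -n -f template.yaml` has lost its namespace argument.
- `mounts.ptemp` repeats the `mounts.temp` description ("it is deleted when the pod terminates"), while `mounts.ptemp.path` speaks of "temporary files that are persisted"; one of the two is wrong.
- Most records have `"default": ""` even where the description names a default (for example `nappl.instance`, "likely `instance1`"); either fill the field or drop it when unknown.
- `javaOpts.javaMaxMem` says "Please read google", which should be replaced by a concrete reference.
- Typos: "wether", "retriting", "podDesruptionBudget", "primaty", "superflues", "accunt", "starndard", "depricated".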
@@ -0,0 +1,116 @@ +{ "chart_name": "nplus-application", "chart_version": "1.2.1500-169", "chart_description": "nplus Application, used to install Apps and Customizations into the nscale Application Layer." } +{ "key": "docAreas", "description": "Provide a list of docareas to create. Please also see the example files", "default": "" } +{ "key": "download", "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing 
one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts 
like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and 
`password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "nstl.host", "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", "default": "" } +{ "key": "prerun", "description": "A list of scripts to run before the deployment of Apps", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "rs.host", "description": "The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration", "default": "" } +{ "key": "run", "description": "A list of scripts to run after the deployment of Apps", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_cmis.jsonl b/ai/jsonl/chart_cmis.jsonl new file mode 100644 index 0000000..307b2cc --- /dev/null +++ b/ai/jsonl/chart_cmis.jsonl 
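Review bot: `nappl.password`, in the hunk that ends just above with the `waitFor` entry, documents a plaintext password value ("The password of the technical accunt (if not set by secret)") without telling the reader that `nappl.secret` is the preferred path, so someone following this reference is likely to put the technical account's credentials straight into a values file. Suggest rewording the entry to say that `nappl.secret` (keys `account` and `password`) should be used and that `nappl.password` is a fallback, and fixing the typo "accunt" while there. Two entries contradict their neighbours and look like copy-paste: `mounts.ptemp` carries the `mounts.temp` text ("it is deleted when the pod terminates") while `mounts.ptemp.path` says the files "are persisted", and `mounts.disk.paths` speaks of "the data files". The `utils.includeNamespace` example `kubectl apply -n -f template.yaml` has lost its namespace argument. Every `security.containerSecurityContext.*` and `security.podSecurityContext.*` key has an empty `default`, so the reference does not say what the hardened baseline is; please fill those in. The `nappl.password`, `mounts.ptemp` and `mounts.disk.paths` entries recur with the same wording in the `chart_cmis.jsonl` hunk that follows.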
@@ -0,0 +1,140 @@ +{ "chart_name": "nplus-component-cmis", "chart_version": "1.2.1500-169", "chart_description": "nscale CMIS Connector, provides a CMIS Interface to the Instance" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_database.jsonl b/ai/jsonl/chart_database.jsonl new file mode 100644 index 0000000..7eb4449 --- /dev/null +++ b/ai/jsonl/chart_database.jsonl 
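Review bot: the `utils.includeNamespace` description near the end of this hunk documents `kubectl apply -n -f template.yaml`, which has no namespace argument, so the command is not usable as written. The placeholder was probably lost; write it as `kubectl apply -n <namespace> -f template.yaml`. In the same hunk, `nappl.password` accepts the technical account's password as a plain chart value while `nappl.secret` exists for the same purpose; the description should say which one wins when both are set, the way the `database.secret` entry elsewhere in this patch does ("This setting has priority over account and password"). Spelling to fix in the descriptions: "accunt" (`nappl.password`), "ist run" (`security.podSecurityContext.runAsUser`), "starndard" (`utils.disableWait`), "depricated" (`utils.renderComments`).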
@@ -0,0 +1,117 @@ +{ "chart_name": "nplus-component-database", "chart_version": "1.2.1500-169", "chart_description": "Postgres Database, deploys a DEV or TESTING environment DB" } +{ "key": "database.account", "description": "the technical account to own the nscale database, if not set by secret", "default": "" } +{ "key": "database.name", "description": "name of the nscale database", "default": "" } +{ "key": "database.password", "description": "password of the technical account, if not set by secret", "default": "" } +{ "key": "database.secret", "description": "the secret with credentials (account, password) for the nscale technical account. This setting has priority over account and password", "default": "" } +{ "key": "dbAdmin.account", "description": "the database admin account, if not set by secret", "default": "" } +{ "key": "dbAdmin.password", "description": "the database admin password, if not set by secret", "default": "" } +{ "key": "dbAdmin.secret", "description": "the secret with credentials (account, password) for the database admin account. This setting has priority over adminAccount and adminPassword", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. 
This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "priority", "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", "default": "" } +{ "key": "priority.className", "description": "Set the priority class for the Application Layer deployment if desired", "default": "" } +{ "key": "priority.createClass", "description": "Creates an individual PriorityClass for this instance", "default": "" } +{ "key": "priority.value", "description": "Sets the priorityValue", "default": "1000000" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", 
"default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } + diff --git a/ai/jsonl/chart_dmsapi.jsonl b/ai/jsonl/chart_dmsapi.jsonl new file mode 100644 index 0000000..38871c9 --- /dev/null 
+++ b/ai/jsonl/chart_dmsapi.jsonl @@ -0,0 +1,139 @@ +{ "chart_name": "eon-dms-api", "chart_version": "1.2.1500-169", "chart_description": "eon DMS-API provides a eon Standard Interface to the Instance" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. 
The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. 
You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. 
If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and 
`password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_envbackend.jsonl b/ai/jsonl/chart_envbackend.jsonl new file mode 100644 index 0000000..5fe7589 --- /dev/null +++ b/ai/jsonl/chart_envbackend.jsonl 
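Review bot: In the hunk that ends above with the `waitFor` key, the `security.containerSecurityContext.allowPrivilegeEscalation`, `security.containerSecurityContext.capabilities`, `security.containerSecurityContext.readOnlyRootFilesystem` and `security.podSecurityContext.runAsUser` records all carry an empty `default` while their descriptions tell the reader not to change the value, so the reference never states which hardening settings a deployment actually runs with. `security.zeroTrust` and `timezone` in the same hunk show that a default can be recorded, so these records should carry theirs as well. Separately, the `mounts.ptemp` description repeats the `mounts.temp` text ("it is deleted when the pod terminates"), which contradicts `mounts.ptemp.path` ("temporary files that are persisted"); `mounts.ptemp` needs its own description.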
@@ -0,0 +1,41 @@ +{ "chart_name": "nplus-environment-backend", "chart_version": "1.2.1500-169", "chart_description": "Installs Namespace-Wide Resources such as the conf PVC and the ptemp PVC" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "storage.conf.name", "description": "this is the name of the common config storage. please see section \"Storage\" for more information", "default": "" } +{ "key": "storage.conf.size", "description": "this is the size of the common config storage. please see section \"Storage\" for more information", "default": "" } +{ "key": "storage.conf.volumeName", "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", "default": "" } +{ "key": "storage.ptemp.name", "description": "this is the name of the common persistant temp storage. please see section \"Storage\" for more information", "default": "" } +{ "key": "storage.ptemp.size", "description": "this is the size of the common ptemp storage. 
please see section \"Storage\" for more information", "default": "" } +{ "key": "storage.ptemp.volumeName", "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } + diff --git a/ai/jsonl/chart_envdav.jsonl b/ai/jsonl/chart_envdav.jsonl new file mode 100644 index 0000000..7991c04 --- /dev/null +++ b/ai/jsonl/chart_envdav.jsonl 
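Review bot: In the `chart_envbackend.jsonl` hunk, the `utils.includeNamespace` description gives the command as `kubectl apply -n -f template.yaml`, where `-n` has no namespace argument, so the line cannot be used as written; add a namespace placeholder after `-n`. The descriptions in this hunk also carry misspellings ("podDesruptionBudget", "persistant", "starndard", "depricated") that are worth correcting before the file is published, since `podDesruptionBudget` in particular will not match a search for the Kubernetes resource name.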
@@ -0,0 +1,79 @@ +{ "chart_name": "nplus-environment-dav", "chart_version": "1.2.1500-169", "chart_description": "Provides WebDAV access to environment resources such as the conf PVC and the ptemp PVC" } +{ "key": "account", "description": "the dav user", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "password", "description": "password of the dav user", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "secret", "description": "Alternatively, define a secret", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", 
"default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } + diff --git a/ai/jsonl/chart_environment.jsonl b/ai/jsonl/chart_environment.jsonl new file mode 100644 index 0000000..4ff9c3a 
--- /dev/null +++ b/ai/jsonl/chart_environment.jsonl 
@@ -0,0 +1,13 @@ +{ "chart_name": "nplus-environment", "chart_version": "1.2.1500-169", "chart_description": "Installs Namespace-Wide Resources such as the conf PVC, the toolbox and the nplus monitoring service" } +{ "key": "components.dav", "description": "Enables WebDAV access to conf and ptemp", "default": "" } +{ "key": "components.prepper", "description": "enables an optional prepper that you can use to deploy fonts, scripts etc. during environment setup", "default": "" } +{ "key": "components.toolbox", "description": "enables the toolbox", "default": "" } +{ "key": "environmentNameOverride", "description": "If you want to override the name of the Environment for display purposes, do it here.", "default": "" } +{ "key": "global.environment.storage.conf.name", "description": "this is the name of the common config storage. please see section \"Storage\" for more information", "default": "" } +{ "key": "global.environment.storage.conf.size", "description": "this is the size of the common config storage. please see section \"Storage\" for more information", "default": "" } +{ "key": "global.environment.storage.conf.volumeName", "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", "default": "" } +{ "key": "global.environment.storage.ptemp.name", "description": "this is the name of the common persistant temp storage. please see section \"Storage\" for more information", "default": "" } +{ "key": "global.environment.storage.ptemp.size", "description": "this is the size of the common ptemp storage. 
please see section \"Storage\" for more information", "default": "" } +{ "key": "global.environment.storage.ptemp.volumeName", "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", "default": "" } +{ "key": "global.meta.isEnvironment", "description": "specifies that this is deployment is part of an Environment. Used to determine the correct name of the deployment @internal -- Do not change", "default": "" } + diff --git a/ai/jsonl/chart_envoperator.jsonl b/ai/jsonl/chart_envoperator.jsonl new file mode 100644 index 0000000..3eba376 --- /dev/null +++ b/ai/jsonl/chart_envoperator.jsonl 
@@ -0,0 +1,74 @@ +{ "chart_name": "nplus-environment-operator", "chart_version": "1.2.1500-169", "chart_description": "Installs the nplus operator managin the custom resource definitions for nplus and nscale" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "ui", "description": "Enables the web ui, default under /monitoring", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } + diff --git a/ai/jsonl/chart_envtoolbox.jsonl b/ai/jsonl/chart_envtoolbox.jsonl new file mode 100644 index 0000000..a919eae --- /dev/null +++ b/ai/jsonl/chart_envtoolbox.jsonl 
@@ -0,0 +1,58 @@ +{ "chart_name": "nplus-environment-toolbox", "chart_version": "1.2.1500-169", "chart_description": "Installs the environment toolbox with git and nstore downloader installed, also serving as target for pool copy actions in the pipeline" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. 
This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "nstoreDownloader.enabled", "description": "enables the nstore downloader", "default": "" } +{ "key": "nstoreDownloader.nstore", "description": "set the nstore URL", "default": "`https://nstore.ceyoniq.com...`" } +{ "key": "nstoreDownloader.target", "description": "target directory in the conf pv", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } + diff --git a/ai/jsonl/chart_erpcmis.jsonl b/ai/jsonl/chart_erpcmis.jsonl new file mode 100644 index 0000000..5835973 --- /dev/null +++ b/ai/jsonl/chart_erpcmis.jsonl 
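Review bot: In the hunk that ends just before the chart_erpcmis.jsonl file header, the `utils.includeNamespace` description gives the command `kubectl apply -n -f template.yaml`, which has no namespace value after `-n`, so it cannot be used as written. Put a visible placeholder there, for example `kubectl apply -n NAMESPACE -f template.yaml`, and check whether an angle-bracket placeholder was dropped when this file was generated. In the same hunk every `security.containerSecurityContext.*` and `security.podSecurityContext.*` entry has an empty `default`, although the descriptions say the values should not be changed. Recording the effective values for `runAsUser`, `readOnlyRootFilesystem` and `allowPrivilegeEscalation` would let a reader confirm the hardened baseline from this reference alone.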
@@ -0,0 +1,157 @@ +{ "chart_name": "nplus-component-erpcmis", "chart_version": "1.2.1500-169", "chart_description": "nscale ERP CMIS, providing SAP S/4 HANA Public Cloud Archive Access" } +{ "key": "alien.doAppend", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "alien.port", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "alien.server", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "alien.ssl", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "alien.url", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "alien.useSign", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "migration.checkDocuments", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "migration.checkIgnoreTime", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "migration.delay", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "migration.doListMigration", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "migration.enabled", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "migration.fileDelimiter", "description": 
"Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "migration.viaFileSystem", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. 
This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "sign.authID", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "sign.keyAlias", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "sign.keyPassword", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } +{ "key": "xsap.useSign", "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", "default": "" } + diff --git a/ai/jsonl/chart_erpproxy.jsonl b/ai/jsonl/chart_erpproxy.jsonl new file mode 100644 index 0000000..2ee49fa --- /dev/null +++ b/ai/jsonl/chart_erpproxy.jsonl 
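Review bot: In the chart_erpcmis.jsonl hunk, `nappl.password` is described only as "The password of the technical accunt (if not set by secret)", which presents a plaintext password in values as an equal alternative to `nappl.secret`. The description should name `nappl.secret` (keys `account` and `password`) as the preferred route, and the typo "accunt" should be fixed. `sign.keyPassword`, `sign.keyAlias` and `alien.useSign` carry only "Documentation pending", so a reader cannot tell which of them hold secret material or whether they can be supplied through `envSecret`; a one-line note on type and sensitivity would help even before the official release. The `ingress.namespace` default of "ingress, kube-system, ingress-nginx" lets the generated networkPolicy admit traffic from three namespaces at once. Please document why `kube-system` is part of the default, or narrow it.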
@@ -0,0 +1,158 @@ +{ "chart_name": "nplus-component-erpproxy", "chart_version": "1.2.1500-169", "chart_description": "nscale ERP Proxy, providing SAP Archive Link access to alien Archive Components" } +{ "key": "alien.doAppend", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "alien.port", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "alien.server", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "alien.ssl", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "alien.url", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "alien.useSign", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "migration.checkDocuments", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "migration.checkIgnoreTime", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "migration.delay", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "migration.doListMigration", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "migration.enabled", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "migration.fileDelimiter", "description": 
"Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "migration.viaFileSystem", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. 
This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "sign.authID", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "sign.keyAlias", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "sign.keyPassword", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } +{ "key": "xsap.url", "description": "xsap url to use.", "default": "" } +{ "key": "xsap.useSign", "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", "default": "" } + diff --git a/ai/jsonl/chart_ilm.jsonl b/ai/jsonl/chart_ilm.jsonl new file mode 100644 index 0000000..12c6522 --- /dev/null +++ b/ai/jsonl/chart_ilm.jsonl 
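Review bot: `nappl.password` and `sign.keyPassword` in this hunk document credentials that are set as plain chart values, and only the first one points to a safer route (`nappl.secret`, with the keys `account` and `password`). For `sign.keyPassword` the description is "Documentation pending until official release of the erp proxy image" and no secret-backed counterpart appears among the `sign.*` keys, so a reader has no documented way to keep the key password out of values files. Suggest marking `nappl.password` as discouraged in favour of `nappl.secret`, and either adding a secret reference for the signing key password or stating in the description whether `envSecret` is the intended route. Two smaller points on the same records: the `ingress.backendProtocol` default is split over two lines here (`http`, then `https` in zero trust mode), and if that line break is in the file rather than in this rendering, the record is not a valid single-line JSON object; and the descriptions carry typos that will be copied into anything generated from this file (`podDesruptionBudget`, `wether`, `retriting`, `primaty`, `starndard`, `depricated`, `accunt`).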
@@ -0,0 +1,140 @@ +{ "chart_name": "nplus-component-ilm", "chart_version": "1.2.1500-169", "chart_description": "nscale ILM Connector, providing a certified SAP ILM interface" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_instance-argo.jsonl b/ai/jsonl/chart_instance-argo.jsonl new file mode 100644 index 0000000..856feb9 --- /dev/null +++ b/ai/jsonl/chart_instance-argo.jsonl 
@@ -0,0 +1,11 @@ +{ "chart_name": "nplus-instance-argo", "chart_version": "1.2.1500-169", "chart_description": "nplus Instance ArgoCD Edition, supporting the deployment of npus Instances through ArgoCD" } +{ "key": "argocd.chart", "description": "The name of the chart to use for the instance", "default": "" } +{ "key": "argocd.destinationNamespace", "description": "ArgoCD can deploy to any Namespace on the destination Server. You have to specify it. Default is the release namespace", "default": "" } +{ "key": "argocd.destinationServer", "description": "ArgoCD can also remote deploy Applications to alien clusters. The server specifies the API Endpoint of the Cluster, where the Application should be deployed", "default": "" } +{ "key": "argocd.namespace", "description": "The ArgoCD Namespace within the cluster. The ArgoCD Application will be deployed to this namespace You will need write privileges for this namespace", "default": "" } +{ "key": "argocd.project", "description": "ArgoCD organizes Applications in Projects. This is the name of the project, the application should be deployed to", "default": "" } +{ "key": "argocd.prune", "description": "Toggle pruning for this Application", "default": "" } +{ "key": "argocd.repo", "description": "Specifiy the helm repo, from which ArgoCD should load the chart. Please make sure ArgoCD gets access rights to this repo", "default": "" } +{ "key": "argocd.selfHeal", "description": "Toggle self healing feature for this Application", "default": "" } +{ "key": "global.meta.isArgo", "description": "specifies that this is an Argo Installation. Used to determine the correct handler in the chart @internal -- Do not change", "default": "" } + diff --git a/ai/jsonl/chart_instance.jsonl b/ai/jsonl/chart_instance.jsonl new file mode 100644 index 0000000..3c265e4 --- /dev/null +++ b/ai/jsonl/chart_instance.jsonl 
@@ -0,0 +1,262 @@ +{ "chart_name": "nplus-instance", "chart_version": "1.2.1500-169", "chart_description": "nplus Instance, an umbrella chart for orchestrating the components in a nplus Instance" } +{ "key": "administrator.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "administrator.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "administrator.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "administrator.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "administrator.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "administrator.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "application.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "application.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "application.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "application.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "application.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "application.nstl.host", "description": "sets the dns of the *nscale Server Storage Layer*, that should be configured", "default": "" } +{ "key": "application.rs.host", "description": "sets the dns of the *nscale Rendition Server*, that should be configured", "default": "" } +{ "key": "application.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "backend.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "cmis.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "cmis.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "cmis.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "cmis.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "cmis.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "cmis.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "components.administrator", "description": "enable a *nscale Administrator Web* component in this instance", "default": "" } +{ "key": "components.application", "description": "deploy any solution using GBA, Standard Apps or shell copy with this generic deployment chart", "default": "" } +{ "key": "components.cmis", "description": "enable a *nscale CMIS Connector* component in this instance", "default": "" } +{ "key": "components.database", "description": "enable an internal *Postgres Database* in this instance", "default": "" } +{ "key": "components.erpcmis", "description": "enable a *nscale ERP CMIS Connector* component in this instance", "default": "" } +{ "key": "components.erpproxy", "description": "enable a *nscale ERP Proxy Connector* component in this instance", "default": "" } +{ "key": "components.ilm", "description": "enable a *nscale ILM Connector* component in this instance", "default": "" } +{ "key": "components.mon", "description": "enable a *nscale Monitoring Console* component in this instance", "default": "" } +{ "key": "components.nappl", "description": "enable a consumer *nscale Application Layer* component in this instance", "default": "" } +{ 
"key": "components.nappljobs", "description": "enable a dedicated jobs *nscale Application Layer* component in this instance please also make sure to set the *jobs* setting", "default": "" } +{ "key": "components.nstl", "description": "enable a *nscale Server Storage Layer* component in this instance If you are in a **High Availability** scenario, disable this", "default": "" } +{ "key": "components.nstla", "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", "default": "" } +{ "key": "components.nstlb", "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", "default": "" } +{ "key": "components.nstlc", "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", "default": "" } +{ "key": "components.nstld", "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", "default": "" } +{ "key": "components.pam", "description": "enable a *nscale Process Automation Modeler* component in this instance", "default": "" } +{ "key": "components.pipeliner", "description": "enable *nscale Pipeliner* component in this instance", "default": "" } +{ "key": "components.prepper", "description": "download, deploy and run any git asset or script prior to installation of the components", "default": "" } +{ "key": "components.rms", "description": "enable a *nplus Remote Management Server* component in this instance If you are in a **High Availability** scenario, disable this", "default": "" } +{ "key": "components.rmsa", "description": "enable an additional *nplus Remote Management Server* in this instance within a **High Availability** scenario.", "default": "" } +{ "key": "components.rmsb", "description": "enable an additional *nplus Remote Management Server* in this instance within a 
**High Availability** scenario.", "default": "" } +{ "key": "components.rs", "description": "enable a *nscale Rendition Server* component in this instance", "default": "" } +{ "key": "components.sharepoint", "description": "enable a *nscale Sharepoint Connector* component in this instance", "default": "" } +{ "key": "components.sharepointa", "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", "default": "" } +{ "key": "components.sharepointb", "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", "default": "" } +{ "key": "components.sharepointc", "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", "default": "" } +{ "key": "components.sharepointd", "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", "default": "" } +{ "key": "components.sim", "description": "This section is for the single-instance-mode in which all environement components are integrated into the instance", "default": "" } +{ "key": "components.sim.backend", "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. the backend components holds the common storages / PVCs for conf and ptemp umong other common environmental resources", "default": "" } +{ "key": "components.sim.dav", "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. DAV gives you WebDAV access to your conf and ptemp volumes", "default": "" } +{ "key": "components.sim.operator", "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. The Operator will let you query the Custom Resources for nscale, e.g. 
`kubectl get nscale`", "default": "" } +{ "key": "components.sim.toolbox", "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. the toolbox has a git client installed and is suitable for pulling, pushing, copying stuff into the pool, fonts, certificates, snippets and configuration files", "default": "" } +{ "key": "components.web", "description": "enable a *nscale Web* component in this instance", "default": "" } +{ "key": "components.webdav", "description": "enable a *nscale WebDAV Connector* component in this instance", "default": "" } +{ "key": "database", "description": "For the Database, we use a postgres 16 Ceyoniq uses docker.io/bitnami/postgresql:16", "default": "" } +{ "key": "database.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "database.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "database.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "database.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "database.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "dmsapi.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. 
This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "dmsapi.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "erpcmis.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "erpcmis.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "erpcmis.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "erpcmis.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "erpcmis.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "erpcmis.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "erpproxy.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "erpproxy.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "erpproxy.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "erpproxy.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "erpproxy.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "erpproxy.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "global.database.account", "description": "DB account (if not using a secret)", "default": "" } +{ "key": "global.database.dialect", "description": "nscale DB server dialect", "default": "" } +{ "key": "global.database.driverclass", "description": "nscale DB server driverclass", "default": "" } +{ "key": "global.database.name", "description": "name of the nscale DB", "default": "" } +{ "key": "global.database.password", "description": "DB password (if not using a secret)", "default": "" } +{ "key": "global.database.passwordEncoded", "description": "weather the password is stored encrypted", "default": "" } +{ "key": "global.database.schema", "description": "DB schema name", "default": "" } +{ "key": "global.database.secret", "description": "DB credential secret (account, password)", "default": "" } +{ "key": "global.database.url", "description": "The URL to the database", "default": "" } +{ "key": "global.ingress.appRoot", "description": "Sets the root for this instance, where incoming root traffic should be redirected to", "default": "" } +{ "key": "global.ingress.class", "description": "sets the global ingressclass for all components to use - if 
they do not define a specific one, for example if there are separate controllers for internal and external traffic", "default": "`public``" } +{ "key": "global.ingress.createSelfSignedCertificate", "description": "if you do not define an issuer to generate the tls secret for you, you still can have a self signed certificate generated for you, if you set this to true. The default is true, so either you have an issuer or not, you will always end up with a certificate. Set an empty issuer and createSelfSignedCertificate to false to have no certificate generated and use an external or existing secret. Then make sure the secret matches.", "default": "" } +{ "key": "global.ingress.domain", "description": "Sets the global domain within the instance to be used, if the component does not define any domain. If this remains empty, no ingress is generated Example: `{{ .instance.group }}.lab.nplus.cloud`", "default": "" } +{ "key": "global.ingress.issuer", "description": "Sets the name of the issuer to create the tls secret. Very common is to have it created by cert-manager. Please see the documentation how to create a cert-manager cluster issuer for example. If no issuer is set, no certificate request will be generated", "default": "" } +{ "key": "global.ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", "default": "`ingress, kube-system, ingress-nginx`" } +{ "key": "global.ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. This secret is then either generated by cert-manager or self signed by helm - or not created", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "global.ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "global.instance.group", "description": "The group of the instance. This is used for the networkPolicies. Only Pods within one group are allowed to communicate if you enable the nplus Network Policies. By default, this is set the same as the instance name", "default": "" } +{ "key": "global.instance.name", "description": "The name of the instance. Should this name be identical to the namespace name, then the prefix will be dropped. By default, this is the .Release.Name", "default": "" } +{ "key": "global.license", "description": "Globally set the license secret name", "default": "" } +{ "key": "global.logForwarderImage.name", "description": "defines the nplus toolbox name to be used for the *wait* feature", "default": "" } +{ "key": "global.logForwarderImage.pullPolicy", "description": "defines the nplus toolbox pull policy to be used for the *wait* feature", "default": "" } +{ "key": "global.logForwarderImage.repo", "description": "defines the nplus toolbox image to be used for the *wait* feature", "default": "" } +{ "key": "global.logForwarderImage.tag", "description": "defines the tag for the logforwarder (FluentBit) @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "global.meta.nscaleVersion", "description": "Sets the nscale version of this deployment / instance. This is used by the operator to display the correct version e.g. in the Web UI. @internal -- this is set by the devOps pipeline, so do not modify", "default": "" } +{ "key": "global.nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "global.nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "global.nappl.host", "description": "sets the *nscale Server Application Layer* host to be used. 
As this is a global option, it can be overridden at component level.", "default": "" } +{ "key": "global.nappl.instance", "description": "the instance of *nscale Server Application Layer* to be used @internal -- As this is depricated for nscale 10, you should never modify this.", "default": "" } +{ "key": "global.nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "global.nappl.port", "description": "sets the *nscale Server Application Layer* port to be used. As this is a global option, it can be overridden at component level. if you switch to zero trus mode or change the nappl backend to https, you want to modify this port to 8443", "default": "" } +{ "key": "global.nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "global.nappl.ssl", "description": "wether to use ssl or not for the advanced connector", "default": "" } +{ "key": "global.security.cni.administratorInstance", "description": "sets the instance, from which Administration is allowed", "default": "" } +{ "key": "global.security.cni.administratorNamespace", "description": "sets the namespace, from which Administration is allowed", "default": "" } +{ "key": "global.security.cni.createNetworkPolicy", "description": "creates NetworkPolicies for each component.", "default": "" } +{ "key": "global.security.cni.defaultEgressPolicy", "description": "if defined, creates a default NetworkPolicy to handle egress Traffic from the instance. Possible Values: deny, allow, none", "default": "" } +{ "key": "global.security.cni.defaultIngressPolicy", "description": "if defined, creates a default NetworkPolicy to handle ingress Traffic to the instance. 
Possible Values: deny, allow, none", "default": "" } +{ "key": "global.security.cni.monitoringInstance", "description": "sets the instance, from which Monitoring is allowed", "default": "" } +{ "key": "global.security.cni.monitoringNamespace", "description": "sets the namespace, from which Monitoring is allowed", "default": "" } +{ "key": "global.security.cni.pamInstance", "description": "sets the instance, from which Process Automation Modeling is allowed", "default": "" } +{ "key": "global.security.cni.pamNamespace", "description": "sets the namespace, from which Process Automation Modeling is allowed", "default": "" } +{ "key": "global.security.zeroTrust", "description": "enables zero trust on the instance. When enabled, no unencrypted http connection is allowed. This will remove all http ports from pods, services, network policies and ingress rules", "default": "" } +{ "key": "global.telemetry.openTelemetry", "description": "if you use a OpenTelemetry as a telemetry collector, you can enable it here. This will add the annotations to some known pods for the injector to use agents inside the pods for telemetry collection. 
This often goes along with the `language` setting in the meta section to tell the telemetry collector which agent to inject.", "default": "" } +{ "key": "global.waitImage.name", "description": "defines the nplus toolbox name to be used for the *wait* feature", "default": "" } +{ "key": "global.waitImage.pullPolicy", "description": "defines the nplus toolbox pull policy to be used for the *wait* feature", "default": "" } +{ "key": "global.waitImage.repo", "description": "defines the nplus toolbox image to be used for the *wait* feature", "default": "" } +{ "key": "global.waitImage.tag", "description": "defines the nplus toolbox tag to be used for the *wait* feature @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "ilm.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "ilm.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "ilm.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "ilm.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "ilm.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. 
This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "ilm.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "mon.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "mon.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "mon.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "mon.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "mon.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "nappl.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nappl.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "nappl.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nappl.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nappl.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "nappl.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "nappljobs.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nappljobs.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "nappljobs.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nappljobs.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nappljobs.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. 
This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "nstl.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstl.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "nstl.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstl.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstl.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "nstla.clusterService.enabled", "description": "When using multiple nstl Instances with different configurations, you still might want to use a cluster service for HA access This will generate one for you.", "default": "" } +{ "key": "nstla.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstla.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "nstla.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstla.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstla.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "nstlb.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstlb.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "nstlb.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstlb.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstlb.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "nstlc.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstlc.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "nstlc.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstlc.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstlc.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "nstld.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstld.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "nstld.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstld.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "nstld.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "pam.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "pam.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "pam.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "pam.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "pam.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "pam.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "pipeliner.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "pipeliner.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "pipeliner.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "pipeliner.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "pipeliner.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. 
This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "pipeliner.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "prepper.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "prepper.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "prepper.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "prepper.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "prepper.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "rms", "description": "rms is not a Ceyoniq component, but a part of nplus", "default": "" } +{ "key": "rms.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rms.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "rms.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rms.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rms.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "rmsa.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rmsa.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "rmsa.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rmsa.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rmsa.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "rmsb.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rmsb.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "rmsb.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rmsb.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rmsb.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "rs.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rs.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "rs.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rs.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "rs.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. 
This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "sharepoint", "description": "For SharePoint Connector, there is no entry in Github yet, so we set it hardcoded TODO: 9.3: Test again later, if there is a valid github entry.", "default": "" } +{ "key": "sharepoint.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepoint.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "sharepoint.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepoint.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepoint.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "sharepoint.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "sharepointa.clusterService.contextPath", "description": "Set the context Path for the cluster Ingress. 
Make sure also the members are listening to this path", "default": "" } +{ "key": "sharepointa.clusterService.enabled", "description": "When using multiple SharePoint Connectors with different configurations, you still might want to use a retrieval cluster for HA so you can enable the clusterService and define the context path.", "default": "" } +{ "key": "sharepointa.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointa.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "sharepointa.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointa.ingress.contextPath", "description": "Defines the context path of this sharepoint instance, in case you might have multiple instances. We do not want them to consume the same ingress path, because it would block the ingress from being created.", "default": "" } +{ "key": "sharepointa.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointa.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. 
This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "sharepointa.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "sharepointb.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointb.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "sharepointb.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointb.ingress.contextPath", "description": "Defines the context path of this sharepoint instance, in case you might have multiple instances. We do not want them to consume the same ingress path, because it would block the ingress from being created.", "default": "" } +{ "key": "sharepointb.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointb.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "sharepointb.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "sharepointc.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointc.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "sharepointc.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointc.ingress.contextPath", "description": "Defines the context path of this sharepoint instance, in case you might have multiple instances. We do not want them to consume the same ingress path, because it would block the ingress from being created.", "default": "" } +{ "key": "sharepointc.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointc.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "sharepointc.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "sharepointd.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointd.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "sharepointd.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointd.ingress.contextPath", "description": "Defines the context path of this sharepoint instance, in case you might have multiple instances. 
We do not want them to consume the same ingress path, because it would block the ingress from being created.", "default": "" } +{ "key": "sharepointd.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "sharepointd.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "sharepointd.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "web.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "web.image.repo", "description": "sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "web.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "web.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "web.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "web.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } +{ "key": "webdav.image.name", "description": "sets the name of the image to use for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "webdav.image.repo", "description": "sets the repo from where to load the image. 
This can be overridden on environment or instance level in case you have your own repo for caching and security reasons", "default": "" } +{ "key": "webdav.image.tag", "description": "defines the tag for this component @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "webdav.meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "webdav.meta.wave", "description": "Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler", "default": "" } +{ "key": "webdav.waitFor", "description": "Defines what condition needs to be met before this components starts", "default": "" } + diff --git a/ai/jsonl/chart_mon.jsonl b/ai/jsonl/chart_mon.jsonl new file mode 100644 index 0000000..07950d4 --- /dev/null +++ b/ai/jsonl/chart_mon.jsonl 
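Review bot: In the records that end just above the `diff --git a/ai/jsonl/chart_mon.jsonl` header, `global.database.password` and `global.nappl.password` document plaintext credentials ("if not using a secret") without saying which value wins when both the password and `global.database.secret` / `global.nappl.secret` are set, and without recommending the secret. Please state the precedence and mark the plaintext keys as the fallback. In the same group, `global.database.passwordEncoded` is described as "weather the password is stored encrypted": the key says encoded and the text says encrypted, so name the actual scheme and fix the spelling ("whether"). Several records also contradict themselves or carry copy-paste errors. `global.ingress.class` has the default "`public``" with a stray backtick. `global.ingress.createSelfSignedCertificate` says "The default is true" while its `default` field is empty. The `global.logForwarderImage.name`, `.pullPolicy` and `.repo` descriptions are copied from `global.waitImage.*` and still refer to the *wait* feature. The `sharepoint` record publishes an internal TODO ("TODO: 9.3: Test again later"). Typos to fix in the `global.nappl.*` descriptions: "depricated", "accunt", "zero trus mode", "wether".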
@@ -0,0 +1,130 @@ +{ "chart_name": "nplus-component-mon", "chart_version": "1.2.1500-169", "chart_description": "nscale Monitoring Console, used to provide sensor information from all components to dashboards" } +{ "key": "activateRmi", "description": "Activates the RMI Interface. Due to security concern, this defaults to `false`", "default": "" } +{ "key": "activateSsl", "description": "Activates SSL / TLS communication", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. 
The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_nappl.jsonl b/ai/jsonl/chart_nappl.jsonl new file mode 100644 index 0000000..ad48a03 --- /dev/null +++ b/ai/jsonl/chart_nappl.jsonl 
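Review bot: In the chart_mon.jsonl hunk the `default` field disagrees with the description on security-relevant keys: `activateRmi` states that it "defaults to `false`" yet carries `"default": ""`, and `security.containerSecurityContext.allowPrivilegeEscalation`, `security.containerSecurityContext.capabilities`, `security.containerSecurityContext.readOnlyRootFilesystem` and `security.podSecurityContext.runAsUser` all have an empty default, so a reader cannot confirm the hardening baseline from this file. Suggest recording the effective values the way `security.zeroTrust` does with `false`, or stating explicitly what an empty default means. Separately, `mounts.ptemp` reuses the `mounts.temp` description ("it is deleted when the pod terminates") while `mounts.ptemp.path` speaks of "temporary files that are persisted", so one of the two needs correcting. The example in `utils.includeNamespace`, `kubectl apply -n -f template.yaml`, has no namespace argument after `-n`. Spelling in the descriptions also wants a pass ("wether", "retriting", "podDesruptionBudget", "primaty", "superflues", "starndard", "depricated").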
@@ -0,0 +1,155 @@ +{ "chart_name": "nplus-component-nappl", "chart_version": "1.2.1500-169", "chart_description": "nscale Server Application Layer, the central component in the nscale ecosystem" } +{ "key": "database", "description": "If you define the database in your values, this DB settings are taken. If you leave this empty, the settings from the config file are used.", "default": "" } +{ "key": "database.account", "description": "alternative 1: the account name of the technical DB user for nscale", "default": "" } +{ "key": "database.dialect", "description": "the database dialect to use", "default": "" } +{ "key": "database.driverclass", "description": "the driver class to use", "default": "" } +{ "key": "database.name", "description": "the name of the database to use", "default": "" } +{ "key": "database.password", "description": "alternative 1: the password of the technical DB user for nscale", "default": "" } +{ "key": "database.passwordEncoded", "description": "weather the DB password is stored encrypted", "default": "" } +{ "key": "database.schema", "description": "the database schema to use", "default": "" } +{ "key": "database.secret", "description": "alternative 2: use a secret for the account and password", "default": "" } +{ "key": "database.url", "description": "the DB URL", "default": "" } +{ "key": "disableSessionReplication", "description": "enables/disables the session replication for these cluster members.", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.includeDefaultPaths", "description": "toggles default paths like index.html, res and engine.properties", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. 
This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. 
The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "jobs", "description": "enables/disables the job affinity / priority for these cluster members", "default": "" } +{ "key": "kubePing", "description": "sets the serviceAccount for NAPPL. Up to 9.1.1100, this was needed for the cluster communication (kubePing). Starting 9.1.1201, this is not the case any more If it is left empty, also the automountServiceAccountToken is disabled. If you set Values, they are ignored in Versions > 9.1.1200", "default": "" } +{ "key": "kubePing.create", "description": "Creates the ServiceAccount (only if Version < 9.1.1200) Later Versions use a Cluster Service and resolve the IP Adresses from the EndpointSlices", "default": "" } +{ "key": "kubePing.name", "description": "Set the ServiceAccount Name for the kubePing Protocol", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. 
You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. 
If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "priority", "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. 
If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", "default": "" } +{ "key": "priority.className", "description": "Set the priority class for the Application Layer deployment if desired", "default": "" } +{ "key": "priority.createClass", "description": "Creates an individual PriorityClass for this instance", "default": "" } +{ "key": "priority.value", "description": "Sets the priorityValue", "default": "1000000" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.cni.dbIpRange", "description": "defines the IP Range of out-of-cluster DB Servers, that the nappl is allowed to communicate with.", "default": "" } +{ "key": "security.cni.sapIpRange", "description": "defines the IP Range of out-of-cluster SAP Servers, that the nappl is allowed to communicate with.", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. 
Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", "default": "" } +{ "key": "sessionCacheStorageType", "description": "Sets the Session Cache Storage Type to HEAP or OFF_HEAP", "default": "" } +{ "key": "snc.enabled", "description": "Enables the NAPPL SNC to access SAP Systems. 
Since nscale 8, the configuration is done in the Administration Client.", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_nstl.jsonl b/ai/jsonl/chart_nstl.jsonl new file mode 100644 index 0000000..059dcad --- /dev/null +++ b/ai/jsonl/chart_nstl.jsonl 
@@ -0,0 +1,111 @@ +{ "chart_name": "nplus-component-nstl", "chart_version": "1.2.1500-169", "chart_description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server" } +{ "key": "accounting", "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", "default": "" } +{ "key": "checkHighestDocId", "description": "enables checking the highest DocID when starting the server. this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", "default": "" } +{ "key": "dvCheckPath", "description": "sets the path of the highest ID file.", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. 
This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.medium", "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.cni.nstlIpRange", "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", 
"default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } + diff --git a/ai/jsonl/chart_pam.jsonl b/ai/jsonl/chart_pam.jsonl new file mode 100644 index 0000000..91cafb3 --- /dev/null 
+++ b/ai/jsonl/chart_pam.jsonl @@ -0,0 +1,137 @@ +{ "chart_name": "nplus-component-pam", "chart_version": "1.2.1500-169", "chart_description": "nscale Process Automation Modeler, providing Web UI Modeler for PAP" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", 
"description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", 
"default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. 
The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_pipeliner.jsonl b/ai/jsonl/chart_pipeliner.jsonl new file mode 100644 index 0000000..b98e832 --- /dev/null +++ b/ai/jsonl/chart_pipeliner.jsonl 
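Review bot: in the ai/jsonl/chart_pam.jsonl hunk that ends just above, the `nappl.password` record documents a plaintext credential in chart values ("The password of the technical accunt (if not set by secret)") without steering the reader to `nappl.secret`. The description should name `nappl.secret` (keys `account` and `password`) as the preferred way to supply the credentials and describe the inline password as the fallback, and "accunt" should read "account". In the same hunk the `mounts.ptemp` description is a copy of the `mounts.temp` text ("it is deleted when the pod terminates"), which contradicts `mounts.ptemp.path` ("temporary files that are persisted"), so it needs its own wording. The `utils.includeNamespace` example `kubectl apply -n -f template.yaml` is missing the namespace argument after `-n`.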
@@ -0,0 +1,130 @@ +{ "chart_name": "nplus-component-pipeliner", "chart_version": "1.2.1500-169", "chart_description": "nscale Pipeliner, the mass import / export tool of nscale" } +{ "key": "dav.account", "description": "the dav user", "default": "" } +{ "key": "dav.image", "description": "the Image to use for the DAV server", "default": "" } +{ "key": "dav.image.pullPolicy", "description": "the DAV server image pull policy", "default": "" } +{ "key": "dav.password", "description": "password of the dav user", "default": "" } +{ "key": "dav.secret", "description": "Alternatively, define a secret", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.defaultConfig", "description": "Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. Existing files are not overwritten.", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. 
If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "replicaCount", "description": "Default ReplicaCount is 0 as the pipeliner requires a working cold.xml", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", 
"default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. 
The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_prepper.jsonl b/ai/jsonl/chart_prepper.jsonl new file mode 100644 index 0000000..541d753 --- /dev/null +++ b/ai/jsonl/chart_prepper.jsonl 
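Review bot: The `security.containerSecurityContext.*` and `security.podSecurityContext.*` records in the hunk that ends above all carry `"default": ""` while telling the reader "you should not change this", so the hardened values (runAsUser, readOnlyRootFilesystem, allowPrivilegeEscalation, capabilities) cannot be checked from this file. Please fill in the effective defaults. The same gap shows on `replicaCount`, whose description says the default is 0 while its `default` field is empty. Two documentation defects in the same hunk: `mounts.ptemp` repeats the `mounts.temp` description ("it is deleted when the pod terminates") although `mounts.ptemp.path` speaks of temporary files "that are persisted", and the `utils.includeNamespace` example `kubectl apply -n -f template.yaml` has no namespace argument after `-n`. It would also help to say why `kube-system` is in the `ingress.namespace` default, since that value opens the networkPolicy to that namespace.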
@@ -0,0 +1,115 @@ +{ "chart_name": "nplus-prepper", "chart_version": "1.2.1500-169", "chart_description": "nplus Prepper, used to deploy assets prior to component deployment" } +{ "key": "download", "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing 
one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts 
like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and 
`password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "nstl.host", "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", "default": "" } +{ "key": "prerun", "description": "A list of scripts to run before the deployment of Apps", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "rs.host", "description": "The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration", "default": "" } +{ "key": "run", "description": "A list of scripts to run after the deployment of Apps", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_rms.jsonl b/ai/jsonl/chart_rms.jsonl new file mode 100644 index 0000000..d740a1c --- /dev/null +++ b/ai/jsonl/chart_rms.jsonl 
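Review bot: in the hunk that ends above, the `nappl.password` record ("The password of the technical accunt (if not set by secret)") does not tell the reader that a password set this way sits in clear text in the Helm values, and `nappl.secret` is described only as "optional". Suggest describing `nappl.secret` (keys `account` and `password`) as the preferred way to supply the credentials and noting the clear-text consequence in `nappl.password`; fix the typo "accunt" while there. The `security.podSecurityContext.runAsUser` and `security.containerSecurityContext.*` records in the same hunk carry an empty `default`, so this file does not show which user, capability set or root-filesystem mode is actually in effect; filling in the effective defaults would make the "you should not change this" advice checkable.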
@@ -0,0 +1,171 @@ +{ "chart_name": "nplus-component-rms", "chart_version": "1.2.1500-169", "chart_description": "nplus Remote Management Server incl. RMS and Access Proxy" } +{ "key": "comps.cmis.displayName", "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", "default": "" } +{ "key": "comps.cmis.enabled", "description": "Toggles if this component should be available through RMS", "default": "" } +{ "key": "comps.cmis.host", "description": "The host, where this component runs", "default": "" } +{ "key": "comps.cmis.name", "description": "The internal name of the component @internal -- do not change", "default": "" } +{ "key": "comps.cmis.ports", "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", "default": "" } +{ "key": "comps.cmis.ports.http", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.cmis.ports.https", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.cmis.replicaSetType", "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", "default": "" } +{ "key": "comps.cmis.restartReplicas", "description": "The amount of replicas to set when starting through the *nscale Administrator* client", "default": "" } +{ "key": "comps.ilm.displayName", "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", "default": "" } +{ "key": "comps.ilm.enabled", "description": "Toggles if this component should be available through RMS", "default": "" } +{ "key": "comps.ilm.host", "description": "The host, where this component runs", "default": "" } +{ "key": "comps.ilm.name", "description": "The internal name of the component @internal -- do not change", "default": "" } +{ "key": "comps.ilm.ports", "description": "The ports exposed by the L4 Load Balancer 
/ Reverse Proxy @internal -- do not change", "default": "" } +{ "key": "comps.ilm.ports.http", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.ilm.ports.https", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.ilm.replicaSetType", "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", "default": "" } +{ "key": "comps.ilm.restartReplicas", "description": "The amount of replicas to set when starting through the *nscale Administrator* client", "default": "" } +{ "key": "comps.mon.displayName", "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", "default": "" } +{ "key": "comps.mon.enabled", "description": "Toggles if this component should be available through RMS", "default": "" } +{ "key": "comps.mon.host", "description": "The host, where this component runs", "default": "" } +{ "key": "comps.mon.name", "description": "The internal name of the component @internal -- do not change", "default": "" } +{ "key": "comps.mon.ports", "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", "default": "" } +{ "key": "comps.mon.ports.http", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.mon.ports.https", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.mon.ports.tcp", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.mon.replicaSetType", "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", "default": "" } +{ "key": "comps.mon.restartReplicas", "description": "The amount of replicas to set when starting through the *nscale Administrator* client", "default": "" } +{ "key": "comps.nappl", "description": "Values for the nappl component", "default": 
"" } +{ "key": "comps.nappl.displayName", "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", "default": "" } +{ "key": "comps.nappl.enabled", "description": "Toggles if this component should be available through RMS", "default": "" } +{ "key": "comps.nappl.host", "description": "The host, where this component runs", "default": "" } +{ "key": "comps.nappl.name", "description": "The internal name of the component @internal -- do not change", "default": "" } +{ "key": "comps.nappl.ports", "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", "default": "" } +{ "key": "comps.nappl.ports.http", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.nappl.ports.https", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.nappl.replicaSetType", "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", "default": "" } +{ "key": "comps.nappl.restartReplicas", "description": "The amount of replicas to set when starting through the *nscale Administrator* client", "default": "" } +{ "key": "comps.nstl.displayName", "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", "default": "" } +{ "key": "comps.nstl.enabled", "description": "Toggles if this component should be available through RMS", "default": "" } +{ "key": "comps.nstl.host", "description": "The host, where this component runs", "default": "" } +{ "key": "comps.nstl.name", "description": "The internal name of the component @internal -- do not change", "default": "" } +{ "key": "comps.nstl.ports", "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", "default": "" } +{ "key": "comps.nstl.ports.tcp", "description": "proxied port @internal -- do not change", 
"default": "" } +{ "key": "comps.nstl.ports.tcps", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.nstl.replicaSetType", "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", "default": "" } +{ "key": "comps.nstl.restartReplicas", "description": "The amount of replicas to set when starting through the *nscale Administrator* client", "default": "" } +{ "key": "comps.pipeliner.displayName", "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", "default": "" } +{ "key": "comps.pipeliner.enabled", "description": "Toggles if this component should be available through RMS", "default": "" } +{ "key": "comps.pipeliner.host", "description": "The host, where this component runs", "default": "" } +{ "key": "comps.pipeliner.name", "description": "The internal name of the component @internal -- do not change", "default": "" } +{ "key": "comps.pipeliner.ports", "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", "default": "" } +{ "key": "comps.pipeliner.ports.tcp", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.pipeliner.replicaSetType", "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", "default": "" } +{ "key": "comps.pipeliner.restartReplicas", "description": "The amount of replicas to set when starting through the *nscale Administrator* client", "default": "" } +{ "key": "comps.rs.displayName", "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", "default": "" } +{ "key": "comps.rs.enabled", "description": "Toggles if this component should be available through RMS", "default": "" } +{ "key": "comps.rs.host", "description": "The host, where this component runs", "default": "" } +{ "key": 
"comps.rs.name", "description": "The internal name of the component @internal -- do not change", "default": "" } +{ "key": "comps.rs.ports", "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", "default": "" } +{ "key": "comps.rs.ports.http", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.rs.ports.https", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.rs.replicaSetType", "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", "default": "" } +{ "key": "comps.rs.restartReplicas", "description": "The amount of replicas to set when starting through the *nscale Administrator* client", "default": "" } +{ "key": "comps.web.displayName", "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", "default": "" } +{ "key": "comps.web.enabled", "description": "Toggles if this component should be available through RMS", "default": "" } +{ "key": "comps.web.host", "description": "The host, where this component runs", "default": "" } +{ "key": "comps.web.name", "description": "The internal name of the component @internal -- do not change", "default": "" } +{ "key": "comps.web.ports", "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", "default": "" } +{ "key": "comps.web.ports.http", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.web.ports.https", "description": "proxied port @internal -- do not change", "default": "" } +{ "key": "comps.web.replicaSetType", "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", "default": "" } +{ "key": "comps.web.restartReplicas", "description": "The amount of replicas to set when starting through the *nscale Administrator* client", "default": "" 
} +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. 
This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.medium", "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.cni.adminIpRange", "description": "defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server.", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } + diff --git a/ai/jsonl/chart_rs.jsonl b/ai/jsonl/chart_rs.jsonl new file mode 100644 index 0000000..d48bc89 --- /dev/null +++ b/ai/jsonl/chart_rs.jsonl 
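Review bot: The `utils.includeNamespace` record in the hunk that ends just before the `chart_rs.jsonl` file header gives the follow-up command as `kubectl apply -n -f template.yaml`, with no namespace value after `-n`, so the command cannot be used as written. Put an explicit placeholder there, for example `kubectl apply -n NAMESPACE -f template.yaml`, in a form that survives whatever generates these records. In the same hunk, `utils.maintenance` is described as skipping all waitFor actions and ignoring the health checks so that the container can be entered. The description should also say that probes no longer reflect the service state while the flag is set, so that nobody leaves it enabled on a live instance.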
@@ -0,0 +1,131 @@ +{ "chart_name": "nplus-component-rs", "chart_version": "1.2.1500-169", "chart_description": "nscale Rendition Server, providing means to format-convert common file types" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_sharepoint.jsonl b/ai/jsonl/chart_sharepoint.jsonl new file mode 100644 index 0000000..ed102a9 --- /dev/null +++ b/ai/jsonl/chart_sharepoint.jsonl 
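Review bot: In `ai/jsonl/chart_rs.jsonl`, the `ingress.namespace` record lists the default as "ingress, kube-system, ingress-nginx", and its description says this value sets the networkPolicy that allows traffic from those namespaces to the pods. By default that makes all of `kube-system` an allowed source, not only the namespace of the ingress controller. Either document why `kube-system` belongs in the default or narrow the default to the controller's namespace. Also in this hunk, `mounts.ptemp` and `mounts.temp` carry the same description ("it is deleted when the pod terminates"), while `mounts.ptemp.path` speaks of temporary files "that are persisted". One of the two is wrong, and the difference between the two volumes should be stated. The `security.containerSecurityContext.*` and `security.podSecurityContext.*` records all show an empty default next to text such as "This should be the case in production environment", so a reader cannot tell what the chart actually applies. List the effective defaults.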
@@ -0,0 +1,181 @@ +{ "chart_name": "nplus-component-sharepoint", "chart_version": "1.2.1500-169", "chart_description": "nscale SharePoint Connector, providing SP archiving to the Instance" } +{ "key": "clusterService.contextPath", "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", "default": "" } +{ "key": "connector.cTagPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.eTagPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.idPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.listItemIdPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.nscaleExpirationPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.nscaleGdprRelevantPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.nscaleLegalHidePropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.nscaleLegalHoldPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.nscaleRetentionPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.parentIdPropertyName", "description": 
"Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.sharePointChangeTokenPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.sharePointCreatedPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.sharePointCreatorPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.sharePointEditedPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.sharePointEditorPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.stubIdPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.stubListItemIdPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "connector.webUrlPropertyName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "doInitialCrawl", "description": "toggle initial crawling. This value is mandatory.", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. 
The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "management.port", "description": "see mail from Manuel, 30.7.2024", "default": "" } +{ "key": "management.security", "description": "see mail from Manuel, 30.7.2024", "default": "" } +{ "key": "management.ssl", "description": "see mail from Manuel, 30.7.2024", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. 
This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.baseFolder", "description": "The base folder, this component should write to", "default": "" } +{ "key": "nappl.docArea", "description": "The document area, this component should write to", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "parallelRequests", "description": "amount of parallel requests", "default": "" } +{ "key": "resources", 
"description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "sharepoint.clientCertPw", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.clientId", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.doCheckOut", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.secret", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.serviceBusConnectionString", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.serviceBusQueueName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.serviceBusRetentionConnectionString", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.serviceBusRetentionQueueName", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.serviceBusTopicNameConfigUpdate", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.spHost", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.tenantId", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.triggerProperty", "description": "Documentation pending until official 
release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "sharepoint.webUserPw", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "ssl.keyAlias", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "ssl.keyPassword", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "ssl.keystore", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "ssl.keystorePassword", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "ssl.keystoreSecret", "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_web.jsonl b/ai/jsonl/chart_web.jsonl new file mode 100644 index 0000000..3b42ea6 --- /dev/null +++ b/ai/jsonl/chart_web.jsonl 
@@ -0,0 +1,151 @@ +{ "chart_name": "nplus-component-web", "chart_version": "1.2.1500-169", "chart_description": "nscale Web, providing a modern Web UI to nscale users" } +{ "key": "authType", "description": "Set the authentication type login, basic, negotiate, implicit ntlmv2, kerberos", "default": "" } +{ "key": "customizingMode", "description": "If this setting is enabled, layouts will update immediately when changes are made. It is no longer necessary to re-register or restart the service. If this setting is not activated, the automatic update of the metamodel is turned off. We recommend not using this setting in productive systems because it reduces system performance.", "default": "" } +{ "key": "disableUsernamePassword", "description": "surpresses the login dialog", "default": "" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "immediateFederatedLogin", "description": "directly log in via identity providers", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "metamodelMode", "description": "Refreshes the metamodel mode", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. 
Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.defaultConfig", "description": "Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. Existing files are not overwritten.", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. 
This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.medium", "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and 
`password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "oauthDomains", "description": "OAuth nscale domains", "default": "" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "sameSite", "description": "nscale SameSite Cookie Header", "default": "" } +{ "key": "samlDomains", "description": "SAML nscale domains", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "smartCrossgrade", "description": "Enable Crossgrade for Smart Layouts", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/chart_webdav.jsonl b/ai/jsonl/chart_webdav.jsonl new file mode 100644 index 0000000..a206d0c --- /dev/null +++ b/ai/jsonl/chart_webdav.jsonl 
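Review bot: the `nappl.password` record, in the hunk that closes with the `waitFor` record just above, documents a password passed as a plain chart value and mentions the alternative only as "(if not set by secret)". Suggest rewording the description so it points readers to `nappl.secret` (keys `account` and `password`) first and describes `nappl.password` as the fallback. In the same hunk, the `utils.includeNamespace` example `kubectl apply -n -f template.yaml` is missing the namespace argument after `-n`. The `mounts.ptemp` description repeats the `mounts.temp` text ("it is deleted when the pod terminates") while `mounts.ptemp.path` says the files "are persisted", so one of the two needs correcting. These descriptions ship as JSONL records, so the misspellings will reach whatever consumes them and are worth fixing before merge: `podDesruptionBudget`, "retriting", "primaty", "accunt", "starndard", "depricated", "superflues".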
@@ -0,0 +1,140 @@ +{ "chart_name": "nplus-component-webdav", "chart_version": "1.2.1500-169", "chart_description": "nscale WebDAV Connector, providing a standard WebDAV interface to the Instance" } +{ "key": "env", "description": "Sets additional environment variables for the configuration.", "default": "" } +{ "key": "envMap", "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", "default": "" } +{ "key": "envSecret", "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", "default": "" } +{ "key": "fullnameOverride", "description": "This overrides the output of the internal fullname function", "default": "" } +{ "key": "image", "description": "provide the image to be used for this component", "default": "" } +{ "key": "image.name", "description": "the name of the image to use", "default": "" } +{ "key": "image.pullSecrets", "description": "you can provide your own pullSecrets, in case you use a private repo.", "default": "" } +{ "key": "image.repo", "description": "if you use a private repo, feel free to set it here", "default": "" } +{ "key": "image.tag", "description": "the tag of the image to use", "default": "" } +{ "key": "ingress", "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", "default": "" } +{ "key": "ingress.annotations", "description": "Adds extra Annotations to the ingress", "default": "" } +{ "key": "ingress.backendProtocol", "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", "default": "`http`
`https` in zero trust mode" } +{ "key": "ingress.class", "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", "default": "`public`" } +{ "key": "ingress.contextPath", "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", "default": "" } +{ "key": "ingress.cookie", "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", "default": "" } +{ "key": "ingress.deny", "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", "default": "" } +{ "key": "ingress.domain", "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", "default": "" } +{ "key": "ingress.enabled", "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", "default": "" } +{ "key": "ingress.inputPath", "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.namespace", "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", "default": "\"ingress, kube-system, ingress-nginx\"" } +{ "key": "ingress.proxyReadTimeout", "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", "default": "" } +{ "key": "ingress.rewriteTarget", "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", "default": "" } +{ "key": "ingress.secret", "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", "default": "`{{ .this.ingress.domain }}-tls`" } +{ "key": "ingress.whitelist", "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", "default": "" } +{ "key": "javaOpts", "description": "Options for the Java VM", "default": "" } +{ "key": "javaOpts.javaMaxMem", "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", "default": "" } +{ "key": "javaOpts.javaMaxRamPercentage", "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", "default": "" } +{ "key": "javaOpts.javaMinMem", "description": "set the minimum memory, java will consume", "default": "" } +{ "key": "javaOpts.javaMisc", "description": "Any misc Java Options that need to be passed to the container", "default": "" } +{ "key": "meta", "description": "defines internal constants for nplus. 
do not change these values", "default": "" } +{ "key": "meta.componentVersion", "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", "default": "" } +{ "key": "meta.language", "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", "default": "" } +{ "key": "meta.ports", "description": "lists the ports this component exposes. This is important for zero trust mode and others.", "default": "" } +{ "key": "meta.ports.http", "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.https", "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.rmi", "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcp", "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.ports.tcps", "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", "default": "" } +{ "key": "meta.provider", "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.serviceContainer", "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", "default": "" } +{ "key": "meta.stage", "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", "default": "" } +{ "key": "meta.tenant", "description": "sets tenant information to be able to invoice per use in a cloud environment", "default": "" } +{ "key": "meta.type", "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", "default": "" } +{ "key": "meta.wave", "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", "default": "" } +{ "key": "minReplicaCount", "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", "default": "" } +{ "key": "minReplicaCountType", "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", "default": "" } +{ "key": "mounts.caCerts", "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", "default": "" } +{ "key": "mounts.caCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.caCerts.paths", "description": "Sets the path to the certs folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.caCerts.secret", "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts", "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", "default": "" } +{ "key": "mounts.componentCerts.configMap", "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.componentCerts.paths", "description": "Sets the path to the component certs. @internal -- do not change this value", "default": "" } +{ "key": "mounts.componentCerts.secret", "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", "default": "" } +{ "key": "mounts.conf", "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", "default": "" } +{ "key": "mounts.conf.path", "description": "Sets the path to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.conf.paths", "description": "Sets a list of paths to the conf files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.class", "description": "Sets the class of the data disk", "default": "" } +{ "key": "mounts.data.path", "description": "Sets the path to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.data.size", "description": "Sets the size of the data disk", "default": "" } +{ "key": "mounts.data.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.disk.class", "description": "Sets the class of the disk", "default": "" } +{ "key": "mounts.disk.enabled", "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", "default": "" } +{ "key": "mounts.disk.migration", "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", "default": "" } +{ "key": "mounts.disk.path", "description": "Sets the path to the disk files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.paths", "description": "Sets a list of paths to the data files @internal -- do not change this value", "default": "" } +{ "key": "mounts.disk.size", "description": "Sets the size of the disk", "default": "" } +{ "key": "mounts.disk.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.file.class", "description": "Sets the class of the shared disk", "default": "" } +{ "key": "mounts.file.path", "description": "Sets the path to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.paths", "description": "Sets a list of paths to the shared files @internal -- do not change this value", "default": "" } +{ "key": "mounts.file.size", "description": "Sets the size of the shared disk", "default": "" } +{ "key": "mounts.file.volumeName", "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", "default": "" } +{ "key": "mounts.fonts", "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", "default": "" } +{ "key": "mounts.fonts.path", "description": "Sets the path to the fonts folder. @internal -- do not change this value", "default": "" } +{ "key": "mounts.generic", "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container.", "default": "" } +{ "key": "mounts.license", "description": "some nscale Components require a license file and this defines it's location", "default": "" } +{ "key": "mounts.license.path", "description": "Sets the path to the license files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs", "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", "default": "" } +{ "key": "mounts.logs.path", "description": "Sets the path to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.paths", "description": "Sets a list of paths to the log files @internal -- do not change this value", "default": "" } +{ "key": "mounts.logs.size", "description": "Sets the size of the log disk (all paths)", "default": "" } +{ "key": "mounts.pool.path", "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.ptemp.path", "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.ptemp.paths", "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp", "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", "default": "" } +{ "key": "mounts.temp.path", "description": "Sets the path to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.paths", "description": "Sets a list of paths to the temporary files @internal -- do not change this value", "default": "" } +{ "key": "mounts.temp.size", "description": "Sets the size of the temporary disk (all paths)", "default": "" } +{ "key": "nameOverride", "description": "This overrides the output of the internal name function", "default": "" } +{ "key": "nappl", "description": "The nscale Application Layer, this component should talk to", "default": "" } +{ "key": "nappl.account", "description": "The technical account to login with", "default": "" } +{ "key": "nappl.domain", "description": "The domain of the technical account", "default": "" } +{ "key": "nappl.host", "description": "nappl host name", "default": "" } +{ "key": "nappl.instance", "description": "instance of the Application Layer, likely `instance1`", "default": "" } +{ "key": "nappl.password", "description": "The password of the technical accunt (if not set by secret)", "default": "" } +{ "key": "nappl.port", "description": "nappl port (http 8080 or https 8443)", "default": "" } +{ "key": "nappl.secret", "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", "default": "" } +{ "key": "nappl.ssl", "description": "sets the Advanced Connect to tls", "default": "" } +{ "key": "nodeSelector", "description": "select specific nodes for this component", "default": "" } +{ "key": "replicaCount", "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", "default": "" } +{ "key": "resources", "description": "Assigns hardware resources to container", "default": "" } +{ "key": "resources.limits", "description": "Limits the maximum resources", "default": "" } +{ "key": "resources.limits.cpu", "description": "The maximum allowed CPU for the container", "default": "" } +{ "key": "resources.limits.memory", "description": "The maximum allowed RAM for the container", "default": "" } +{ "key": "resources.requests", "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", "default": "" } +{ "key": "resources.requests.cpu", "description": "Set the share of guaranteed CPU to the container.", "default": "" } +{ "key": "resources.requests.memory", "description": "Set the share of guaranteed RAM to the container", "default": "" } +{ "key": "security", "description": "Security Section defining default runtime environment for your container", "default": "" } +{ "key": "security.containerSecurityContext.allowPrivilegeEscalation", "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.capabilities", "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", "default": "" } +{ "key": "security.containerSecurityContext.readOnlyRootFilesystem", "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroup", "description": "The file system group as which new files are created @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.fsGroupChangePolicy", "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.podSecurityContext.runAsUser", "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", "default": "" } +{ "key": "security.zeroTrust", "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", "default": "`false`" } +{ "key": "service.annotations", "description": "adds extra Annotations to the service", "default": "" } +{ "key": "service.enabled", "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", "default": "" } +{ "key": "service.selector", "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", "default": "" } +{ "key": "telemetry", "description": "Settings for telemetry tools", "default": "" } +{ "key": "telemetry.openTelemetry", "description": "turns Open Telemetry on", "default": "" } +{ "key": "telemetry.serviceName", "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", "default": "" } +{ "key": "template", "description": "provide extra settings for pod templates", "default": "" } +{ "key": "template.annotations", "description": "set additional annotations for pods", "default": "" } +{ "key": "template.labels", "description": "set additional labels for pods", "default": "" } +{ "key": "terminationGracePeriodSeconds", "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", "default": "" } +{ "key": "timezone", "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", "default": "`Europe/Berlin`" } +{ "key": "tolerations", "description": "Set tolerations for this component", "default": "" } +{ "key": "updateStrategy", "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", "default": "" } +{ "key": "utils.debug", "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", "default": "`false`" } +{ "key": "utils.disableWait", "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", "default": "`false`" } +{ "key": "utils.disableWave", "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", "default": "`false`" } +{ "key": "utils.includeNamespace", "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", "default": "`true`" } +{ "key": "utils.maintenance", "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", "default": "`false`" } +{ "key": "utils.renderComments", "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", "default": "`true`" } +{ "key": "waitFor", "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", "default": "" } + diff --git a/ai/jsonl/common.jsonl b/ai/jsonl/common.jsonl new file mode 100644 index 0000000..4e76521 --- /dev/null +++ b/ai/jsonl/common.jsonl 
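Review bot: the `security.containerSecurityContext.*` and `security.podSecurityContext.*` records near the end of the key list above all carry `"default": ""`, so a reader cannot tell from this file what the chart ships for `allowPrivilegeEscalation`, `capabilities`, `readOnlyRootFilesystem` or `runAsUser`. `mounts.disk.enabled` has the same gap, although its description says "(default) disabled". Please record the actual defaults for these keys, or omit the field where a key has none, so that an empty string is not read as "unset". In the `nappl.password` record, say that `nappl.secret` is the preferred route, so the technical account's password does not have to live in a values file. The example in `utils.includeNamespace`, `kubectl apply -n -f template.yaml`, has lost its namespace argument. Spelling in the descriptions: "primaty", "accunt", "starndard", "depricated", "superflues", "ist run".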
@@ -0,0 +1,4 @@ +{"chapter": "Timzone (Package tzdata) setting", "level": 2, "text": "You can set the timezone in the PODs by\n- per Component:\n`timezone: \"Europe/Berlin\"`\n- per Instance:\n`global.timezone: \"Europe/Berlin\"`\n- per Environment:\n`global.environment.timezone: \"Europe/Berlin\"`\nThis is compatible to the *tzdata* package. If the image you use uses a different timezone package und thus a environment variable other than `TZ`, you can also set any global ENV Variables by\n- per Component:\n`env.TZ: \"Europe/Berlin\"`\n- per Instance:\n`global.env.TZ: \"Europe/Berlin\"`\n- per Environment:\n`global.environment.env.TZ: \"Europe/Berlin\"`\nIf you do not set the timezone, **it defaults to `Europe/Berlin`** and the `TZ` env variable.\n"} +{"chapter": "Placement", "level": 2, "text": "The inter pod anti-affinity is set by default to avoid a placement of two replicas of the same set to one node.\nThis is done for nappl, rs, ilm, cmis, web, webdav based on instance, component and type\nFor the nstl, this is handled by instance and type only, since the nstl does not use replicas and we are using different sets to ensure HA.\nAdditionally, you can set the scheduler to avoid or prefer specific nodes by setting *tolerations* and use *nodeSelectors*:\n- `tolerations`\nList of Kubernetes [`tolerations`](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) to add to the component\n- `nodeSelector`\nKubernetes [`nodeSelector`](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) to add to the component\n"} +{"chapter": "Maintenance Mode", "level": 2, "text": "You can start the component in *Maintenance Mode*, starting the pod without starting the service, providing the possibility to gain access to the container to perform recovery tasks that need to be done offline.\nIn order to do this:\n- All *waitFor* definitions are ignored\n- All *Health Checks* are ignored\n- The container starts in idle\n"} 
+{"chapter": "minReplicaCountType", "level": 2, "text": "If you set minReplicaCountType, a podDesruptionBudget will be created with this value as minReplicaCount. It will select pods based on the type of this component.\nThis is used for components, that do **not** support multiple replicas (for example sharepoint or storage layer).\nIf the component does in fact support replicas, it is better to use `minReplicaCount` instead.\nAlso pay attention to only set this on one ReplicaSet of this type, not all.\nPlease refer to the HA sample for more information.\n"} diff --git a/ai/jsonl/cookbook.jsonl b/ai/jsonl/cookbook.jsonl new file mode 100644 index 0000000..603b62f --- /dev/null +++ b/ai/jsonl/cookbook.jsonl 
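Review bot: in common.jsonl, the "Maintenance Mode" record never names the setting that switches the mode on, and its list is introduced with "In order to do this:", which reads as steps the operator has to carry out although the three items describe what the chart does. The key list earlier in this commit documents it as `utils.maintenance`, so the record should name that key and reword the lead-in to something like "While maintenance mode is on:". Since the record states that all health checks are ignored in this mode, it is also worth a sentence telling operators to switch it off again after the recovery work. Smaller points in the same file: the chapter title "Timzone", "und thus a environment variable" in the timezone text, and "podDesruptionBudget" in the `minReplicaCountType` record.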
@@ -0,0 +1,57 @@ +{"chapter": "Preparing the K8s Cluster", "level": 1, "text": "*nplus* Charts bring some custom resources, *Application*, *Instance* and *Component*. they are created during deployment of a chart and then updated by the environment operator every time the status changes.\nTo make this work, you will need to have the *Custom Resource Definitions* applied to your cluster prior to deploying any environment or component. This deployment is handled by the *Cluster Chart*.\n```bash\nhelm install nplus/nplus-cluster\n```\nThe *CRDs* are grouped into *nscale* and *nplus* (both synonym), so that you can either query for\n```bash\nkubectl get instance\nkubectl get component\nkubectl get application\n```\nor simply all at once with\n```bash\nkubectl get nscale -A\n```\nthe output looks like this (shortened output, showing the installed samples):\n```bash\n$ kubectl get nscale -A\nNAMESPACE NAME INSTANCE COMPONENT TYPE VERSION STATUS\nempty-sim component.nplus.cloud/database empty-sim database database 16 healthy\nempty-sim component.nplus.cloud/nappl empty-sim nappl core 9.2.1302 healthy\nlab component.nplus.cloud/demo-centralservices-s3-nstl demo-centralservices-s3 nstl nstl 9.2.1302 healthy\nlab component.nplus.cloud/demo-ha-web demo-ha web web 9.2.1300 redundant\nlab component.nplus.cloud/demo-ha-webdav demo-ha webdav webdav 9.2.1000 redundant\nlab component.nplus.cloud/demo-ha-zerotrust-administrator demo-ha-zerotrust administrator administrator 9.2.1300 healthy\nlab component.nplus.cloud/no-provisioner-nstl no-provisioner nstl nstl 9.2.1302 healthy\nlab component.nplus.cloud/no-provisioner-rs no-provisioner rs rs 9.2.1201 starting\nlab component.nplus.cloud/no-provisioner-web no-provisioner web web 9.2.1300 healthy\nlab component.nplus.cloud/sbs-nappl sbs nappl core 9.2.1302 healthy\nNAMESPACE NAME INSTANCE APPLICATION VERSION STATUS\nempty-sim application.nplus.cloud/application empty-sim application 9.2.1303-123 healthy\nempty-sim 
application.nplus.cloud/prepper empty-sim prepper 1.2.1300 healthy\nlab application.nplus.cloud/demo-ha-zerotrust-application demo-ha-zerotrust application 9.2.1303-123 healthy\nlab application.nplus.cloud/demo-shared-application demo-shared application 9.2.1303-123 healthy\nlab application.nplus.cloud/sbs-sbs sbs SBS 9.2.1303-123 healthy\nlab application.nplus.cloud/tenant-application tenant application 9.2.1303-123 healthy\nNAMESPACE NAME HANDLER VERSION TENANT STATUS\nempty-sim instance.nplus.cloud/empty-sim manual 9.2.1302 healthy\nlab instance.nplus.cloud/default manual 9.2.1302 healthy\nlab instance.nplus.cloud/demo-centralservices manual 9.2.1302 healthy\nlab instance.nplus.cloud/rms manual 9.2.1302 healthy\nlab instance.nplus.cloud/sbs manual 9.2.1302 healthy\nlab instance.nplus.cloud/tenant manual 9.2.1302 healthy\n```\n"} +{"chapter": "K8s namespace aka *nplus environment*", "level": 1, "text": "*nplus instances* are deployed into K8s namespaces. Always. even if you do not specify a namespace, it uses a namespace: `default`.\nIn order to use this namespace for *nplus instances*, you need to deploy some shared *nplus components* into it, which are used by the instances. This is done by the environment chart:\n```\nhelm install \\\n--values demo.yaml \\\ndemo nplus/nplus-environment\n```\nAfter that, the K8s namespace is a valid *nplus environment* that can house multiple *nplus instances*.\n"} +{"chapter": "deploying assets into the environment", "level": 2, "text": "Most likely, you will need assets to be used by your instances. Fonts for example: The *nscale Rendition Server* and die *nscale Server Application Layer* both require the Microsoft fonts, that are not allowed to be distributed by neither nscale nor nplus. 
So this example shows how to upload some missing pieces into the environment:\n```\nkubectl cp ./apps/app-installer-9.0.1202.jar nplus-toolbox-0:/conf/pool\nkubectl cp ./fonts nplus-toolbox-0:/conf/pool\nkubectl cp ./copy-snippet.sh nplus-toolbox-0:/conf/pool/scripts\nkubectl cp ./test.md nplus-toolbox-0:/conf/pool/snippets\nkubectl cp ./snc nplus-toolbox-0:/conf/pool\n```\nAlternatively, you can also use a `prepper` component, that you can activate on the environment chart, to download assets from any web site and deploy them into the environment:\n```\ncomponents:\nprepper: true\nprepper:\ndownload:\n- \"https://git.nplus.cloud/public/nplus/raw/branch/master/assets/sample.tar.gz\"\n```\nPlease see the prepper [README.md](../../charts/prepper/README.md) for more information.\n"} +{"chapter": "Operator Web UI", "level": 2, "text": "The environment comes with the operator, responsible for managing / controlling the [custom resources](../cluster/README.md). It has a Web UI, that can be enabled in the environment chart.\n![screenshot operator](assets/operator.png)\n"} +{"chapter": "*namespace*-less manifests", "level": 2, "text": "Speaking of namespaces: Sometimes you want to drop the namespace from your manifest. 
This can be done by\n```yaml\nutils:\nincludeNamespace: false\n```\nwhen you then call\n```bash\nhelm template myInstance nplus/nplus-instance > myInstance.yaml\n```\nthe manifest in `myInstance.yaml` will **not** have a namespace set, so you can apply it to multiple namespaces later:\n```bash\nkubectl apply --namespace dev -f myInstance.yaml\nkubectl apply --namespace qa -f myInstance.yaml\nkubectl apply --namespace prod -f myInstance.yaml\n```\n"} +{"chapter": "Installing Document Areas", "level": 1, "text": ""} +{"chapter": "Creating an empty document area while deploying an Instance", "level": 2, "text": "This is the simplest sample, just the core services with an empty document area:\n```\nhelm install \\\n--values samples/application/empty.yaml \\\n--values samples/environment/demo.yaml \\\nempty nplus/nplus-instance\n```\nThe empty Document Area is created with\n```yaml\ncomponents:\napplication: true\nprepper: true\n\napplication:\ndocAreas:\n- id: \"Sample\"\nrun:\n- \"/pool/downloads/sample.sh\"\nprepper:\ndownload:\n- \"https://git.nplus.cloud/public/nplus/raw/branch/master/assets/sample.tar.gz\"\n```\nThis turns on the *prepper* component, used to download a sample tarball from git. It will also extract the tarball into the `downloads` folder that is created on the *pool* automatically.\nThen, after the Application Layer is running, a document area `Sample` is created. 
The content of the sample script will be executed.\nIf you use **argoCD** as deployment tool, you would go with\n```\nhelm install \\\n--values samples/application/empty.yaml \\\n--values samples/environment/demo.yaml \\\nempty-argo nplus/nplus-instance-argo\n```\n"} +{"chapter": "Deploying the *SBS* Apps to a new document area", "level": 2, "text": "In the SBS scenario, some Apps are installed into the document area:\n```bash\nhelm install \\\n--values samples/applications/sbs.yaml \\\n--values samples/environment/demo.yaml \\\nsbs nplus/nplus-instance\n```\nThe values look like this:\n```yaml\ncomponents:\napplication: true\napplication:\nnameOverride: SBS\ndocAreas:\n- id: \"SBS\"\nname: \"DocArea with SBS\"\ndescription: \"This is a sample DocArea with the SBS Apps installed\"\napps:\n- \"/pool/nstore/bl-app-9.0.1202.zip\"\n- \"/pool/nstore/gdpr-app-9.0.1302.zip\"\n...\n- \"/pool/nstore/ts-app-9.0.1302.zip\"\n- \"/pool/nstore/ocr-base-9.0.1302.zip\"\n```\nThis will create a document area `SBS` and install the SBS Apps into it.\n"} +{"chapter": "Accounting in nstl", "level": 1, "text": "To collect Accounting Data in *nscale Server Storage Layer*, you can enable the nstl accouting feature by setting `accounting: true`.\nThis will create the accounting csv files in *ptemp* under `//accounting`.\nAdditionally, you can enable a log forwarder printing it to stdout.\n```\nnstl:\naccounting: true\nlogForwarder:\n- name: Accounting\npath: \"/opt/ceyoniq/nscale-server/storage-layer/accounting/*.csv\"\n```\n"} +{"chapter": "(auto-) certificates and the pitfalls of *.this*", "level": 1, "text": "*nplus* will automatically generate certificates for your ingress. 
It either uses an issuer like *cert-manager* or generates a *self-signed-certificate*.\nIn your production environment though, you might want to take more control over the certificate generation process and don't leave it to *nplus* to automatically take care of it.\nIn that case, you want to switch the automation *off*.\nTo do so, you need to understand what is happening internally:\n- if `.this.ingress.issuer` is set, the chart requests this issuer to generate a tls secret with the name `.this.ingress.secret`\nby creating a certificate resource with the name of the domain `.this.ingress.domain`\n- else, so no issuer is set, the chart checks wether the flag `.this.ingress.createSelfSignedCertificate` is set to `true` and\ngenerates a tls secret with the name `.this.ingress.secret`\n- else, so neither issuer nor createSelfSignedCertificate are set, the charts will not generate anything\nThe way how `.this` works is, that it gathers the key from `.Values.global.environment`, `.Values.global` and then `.Values` and flattens them merged into `.this`so that you can set your values\non different levels.\nHowever, the *merge* function overwrites non exising values and also boolean `true` overwrites a boolean `false`, not just the nil values. 
So to make sure we still can cancel functionality\nby setting `null`or `false`, there is a forth merge which is set to forcefully overwrite existing keys: `override`, which can also be set on *environment*, *global* or on the *component* level.\nSo the correct way to cancel the generation process is to force the issuer to null (which will cancel the *cert-manager* generation) and also force `createSelfSignedCertificate` to false (to cancel the *self-signed-certificate* generation):\n```yaml\nglobal:\noverride:\ningress:\nenabled: true\nsecret: myCertificate\nissuer: null\ncreateSelfSignedCertificate: false\n```\nThis makes sure, you will get an ingress, that uses the tls certificate in the secret `myCertificate` for encryption and does not generate anything.\n"} +{"chapter": "Grouping Instances", "level": 1, "text": "Sometimes Instances become quite large with many components. If you work on them with multiple team members, you end up having to synchronize the deployment of the Instances.\nYou can easily rip large Instances apart using the `group` tag, joining multiple Instances into one group and making sure the NetworkPolicies are opened to pods from other Instances within the Instance Group.\n```yaml\nglobal:\ninstance:\n# -- despite the instance name, all components within this group will be prefixed\n# with the group (unless the group name and the environment name are not identical)\n# Also this makes sure the network policies are acting on the group, not on the instance.\ngroup: \"sample-group\"\n```\nYou can query the instance group in your code with `.instance.group`.\nExample: We build multiple Instances in one group:\n- sample-group-backend\n- Database\n- nstl\n- rs\n- sample-group-middleware\n- nappl\n- application(s)\n- sample-group-frontend\n- web\n- cmis\nPortainer is showing the group as if it were an single instance:\n![Portainer](assets/portainer.png)\nThe nplus UI is showing the instances of the group:\n![nplus Web 
Monitoring](assets/monitor.png)\nAnd the nplus CLI is also showing single instances:\n```\n% kubectl get nscale\nNAME INSTANCE COMPONENT TYPE VERSION STATUS\ncomponent.nplus.cloud/sample-group-cmis sample-group-frontend cmis cmis 9.2.1200 healthy\ncomponent.nplus.cloud/sample-group-database sample-group-backend database database 16 healthy\ncomponent.nplus.cloud/sample-group-nappl sample-group-middleware nappl core 9.2.1302 healthy\ncomponent.nplus.cloud/sample-group-rs sample-group-backend rs rs 9.2.1201 healthy\ncomponent.nplus.cloud/sample-group-web sample-group-frontend web web 9.2.1300 healthy\nNAME HANDLER VERSION TENANT STATUS\ninstance.nplus.cloud/sample-group-backend manual 9.2.1302 healthy\ninstance.nplus.cloud/sample-group-frontend manual 9.2.1302 healthy\ninstance.nplus.cloud/sample-group-middleware manual 9.2.1302 healthy\n```\n"} +{"chapter": "Sharing Instances", "level": 1, "text": "Some organisations have multiple tenants that share common services, like *nscale Rendition Server* or\nhave a common IT department, thus using only a single *nscale Monitoring Console* acress all tenants.\nThis is the Central Services Part:\n```\nhelm install \\\n--values samples/shared/centralservices.yaml \\\n--values samples/environment/demo.yaml \\\nsample-shared-cs nplus/nplus-instance\n```\nAnd this is the tenant using the Central Services:\n```\nhelm install \\\n--values samples/shared/shared.yaml \\\n--values samples/environment/demo.yaml \\\nsample-shared nplus/nplus-instance\n```\nIf you enable security based on *Network Policies*, you need to add additional Policies to allow access. 
Please see `shared-networkpolicy.yaml` and `centralservices-networkpolicy.yaml` as an example.\nYou also want to set the *monitoringInstance* in the `global` section of the values file to enable the Network Policy for incoming monitoring traffic.\n```yaml\nglobal:\nsecurity:\ncni:\nmonitoringInstance: sample-shared-cs\n```\n"} +{"chapter": "Using detached applications", "level": 1, "text": "All the other samples use an application that is deployed **inside of an instance**. However, you can also deploy an application **detached** from the instance as a solo chart.\nThe reason for this is, that you\n- can update the instance without running the application update\n- update the application without touching the instance\n- have multiple applications deployed within one instance\nThere are two major things you need to do:\n1. make sure the application charts sets the instance name of the instance, it should connect to\n2. take the default values of the application match the ones it would get by an instance deployment\nThis is a sample: (find the complete one in the [application.yaml](application.yaml))\n```yaml\nnameOverride: SBS\ndocAreas:\n- id: \"SBS\"\nname: \"DocArea with SBS\"\ndescription: \"This is a sample DocArea with the SBS Apps installed\"\napps:\n...\ninstance:\n# this is the name of the instance, it should belong to\nname: \"sample-detached\"\n"} +{"chapter": "make sure it can wait for the nappl of the instance to be ready, before it deploys.", "level": 1, "text": "waitImage:\nrepo: cr.nplus.cloud/subscription\nname: toolbox2\ntag: 1.2.1300\npullPolicy: IfNotPresent\nwaitFor:\n- \"-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800\"\n"} +{"chapter": "Now we define where and what to deploy", "level": 1, "text": "nappl:\nhost: \"{{ .component.prefix }}nappl.{{ .Release.Namespace }}\"\nport: 8080\nssl: false\ninstance: \"nscalealinst1\"\naccount: admin\ndomain: nscale\npassword: 
admin\nsecret:\nnstl:\nhost: \"{{ .component.prefix }}nstl.{{ .Release.Namespace }}\"\nrs:\nhost: \"{{ .component.prefix }}rs.{{ .Release.Namespace }}\"\n```\n"} +{"chapter": "High Availability", "level": 1, "text": "To gain a higher level of availability for your Instance, you can\n- create more Kubernetes Cluster Nodes\n- create more replicas of the *nscale* and *nplus* components\n- distribute those replicas across multiple nodes using anti-affinities\nThis is how:\n```\nhelm install \\\n--values samples/ha/values.yaml\n--values samples/environment/demo.yaml \\\nsample-ha nplus/nplus-instance\n```\nThe essents of the values file is this:\n- We use three (3) *nscale Server Application Layer*, two dedicated to user access, one dedicated to jobs\n- if the jobs node fails, the user nodes take the jobs (handled by priority)\n- if one of the user nodes fail, the other one handles the load\n- Kubernetes takes care of restarting nodes should that happen\n- All components run with two replicas\n- Pod anti-affinities handle the distribution\n- any administration component only connects to the jobs nappl, leaving the user nodes to the users\n- PodDisruptionBudgets are defined for the crutial components. 
These are set via `minReplicaCount` for the components that can support multiple replicas, and `minReplicaCountType` for the **first** replicaSet of the components that do not support replicas, in this case nstla.\n```\nweb:\nreplicaCount: 2\nminReplicaCount: 1\nrs:\nreplicaCount: 2\nminReplicaCount: 1\nilm:\nreplicaCount: 2\nminReplicaCount: 1\ncmis:\nreplicaCount: 2\nminReplicaCount: 1\nwebdav:\nreplicaCount: 2\nminReplicaCount: 1\nnstla:\nminReplicaCountType: 1\nadministrator:\nnappl:\nhost: \"{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}\"\nwaitFor:\n- \"-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600\"\npam:\nnappl:\nhost: \"{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}\"\nwaitFor:\n- \"-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600\"\nnappl:\nreplicaCount: 2\nminReplicaCount: 1\njobs: false\nwaitFor:\n- \"-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600\"\nnappljobs:\nreplicaCount: 1\njobs: true\ndisableSessionReplication: true\ningress:\nenabled: false\nsnc:\nenabled: true\nwaitFor:\n- \"-service {{ .component.prefix }}database.{{ .Release.Namespace }}.svc.cluster.local:5432 -timeout 600\"\napplication:\nnstl:\nhost: \"{{ .component.prefix }}nstl-cluster.{{ .Release.Namespace }}\"\nnappl:\nhost: \"{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}\"\n```\n"} +{"chapter": "Assigning CPU and RAM", "level": 2, "text": "You **should** assign resources to your components, depending on the load that you expect.\nIn a dev environment, that might be very little and you may be fine with the defaults.\nin a qa or prod environment, this should be wisely controlled, like this:\n```yaml\nnappl:\nresources:\nrequests:\ncpu: \"100m\" # Minimum 1/10 CPU\nmemory: \"1024Mi\" # Minimum 1 GB\nlimits:\ncpu: \"2000m\" # Maximum 2 
Cores\nmemory: \"4096Mi\" # Maximum 4 GB. Java will see this as total.\njavaOpts:\njavaMinMem: \"512m\" # tell Java to initialize the heap with 512 MB\njavaMaxMem: \"2048m\" # tell Java to use max 2 GB of heap size\n```\nThere are many discussions going on how much memory you should give to Java processes and how they react. Please see the internet for insight.\n"} +{"chapter": "Our **current** opinion is:", "level": 4, "text": "Do not limit ram. You are not able to foresee how much Java is really consuming as the heap is only part of the RAM requirement. Java also needs *metaspace*, *code cache* and *thread stack*. Also the *GC* needs some memory, as well as the *symbols*.\nJava will crash when out of memory, so even if you set javaMaxMem == 1/2 limits.memory (what many do), that guarantees nothing and might be a lot of waste.\nSo what you can consider is:\n```yaml\nnappl:\nresources:\nrequests:\ncpu: \"1000m\" # 1 Core guaranteed\nmemory: \"4096Mi\" # 4GB guaranteed\nlimits:\ncpu: \"4000m\" # Maximum 4 Cores\n"} +{"chapter": "memory: # No Limit but hardware", "level": 2, "text": "javaOpts:\njavaMinMem: \"1024m\" # Start with 1 GB\njavaMaxMem: \"3072m\" # Go up to 3GB (which is only part of it) but be able to take more (up to limit) without crash\n```\nDownside of this approach: If you have a memory leak, it might consume all of your nodes memory without being stopped by a hard limit.\n"} +{"chapter": "A possible **Alternative**:", "level": 4, "text": "You can set the RAM limit equal to the RAM request and leave the java Memory settings to *automatic*, which basically simulates a server. 
Java will *see* the limit as being the size of RAM installed in the machine and act accordingly.\n```yaml\nnappl:\nresources:\nrequests:\ncpu: \"1000m\" # 1 Core guaranteed\nmemory: \"4096Mi\" # 4GB guaranteed\nlimits:\ncpu: \"4000m\" # Maximum 4 Cores\nmemory: \"4096Mi\" # No Limit but hardware\n"} +{"chapter": "javaOpts:", "level": 1, "text": ""} +{"chapter": "javaMinMem: # unset, leaving it to java", "level": 2, "text": ""} +{"chapter": "javaMaxMem: # unset, leaving it to java", "level": 2, "text": "```\n"} +{"chapter": "In a **DEV** environment,", "level": 4, "text": "you might want to do more **overprovisioning**. You could even leave it completely unlimited, as in **DEV** you want to see memory and cpu leaks, so a limit might hide them from your sight.\nSo this is a possible allocation for **DEV**, defining only the bare minimum requests:\n```yaml\nnappl:\nresources:\nrequests:\ncpu: \"1m\" # 1/1000 Core guaranteed,\n# but can consume all cores of the cluster node if required and available\nmemory: \"512Mi\" # 512MB guaranteed,\n# but can consume all RAM of the cluster node if required and available\n```\nIn this case, Java will see all node RAM as the limit and use whatever it needs. 
But as you are in a **dev** environment, there is no load and no users on the machine, so this will not require much.\n"} +{"chapter": "Resources you should calculate", "level": 2, "text": "The default resources assigned by *nplus* are for demo / testing only and you should definitely assign more ressources to your components.\nHere is a very rough estimate of what you need:\n| Component | Minimum (Demo and Dev) | Small | Medium | Large | XL | Remark |\n| --------------- | ---------------------- | ---------------- | ----------------- | ------------------ | ---- | ----------------------------------------------------------- |\n| ADMIN | 1 GB RAM, 1 Core | 2 GB RAM, 1 Core | 2 GB RAM, 1 Core | 2 GB RAM, 1 Core | | |\n| **Application** | - | - | - | - | | Resources required during deployment only |\n| CMIS | 1 GB RAM, 1 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | |\n| **Database** | 2 GB RAM, 2 Core | 4 GB RAM, 4 Core | 8 GB RAM, 6 Core | 16 GB RAM, 8 Core | open | |\n| ILM | 1 GB RAM, 1 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | |\n| MON | 1 GB RAM, 1 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | quite fix |\n| **NAPPL** | 2 GB RAM, 2 Core | 4 GB RAM, 4 Core | 8 GB RAM, 6 Core | 16 GB RAM, 8 Core | open | CPU depending on Jobs / Hooks, RAM depending on amount user |\n| **NSTL** | 500 MB RAM, 1 Core | 1 GB RAM, 2 Core | 1 GB RAM, 2 Core | 1 GB RAM, 2 Core | | quite fix |\n| PAM | | 2 GB RAM, 1 Core | 2 GB RAM, 1 Core | 2 GB RAM, 1 Core | | |\n| PIPELINER | 2 GB RAM, 2 Core | 4 GB RAM, 4 Core | 4 GB RAM, 4 Core | 4 GB RAM, 4 Core | open | Depending on Core Mode *or* AC Mode, No Session Replication |\n| **RS** | 1 GB RAM, 1 Core | 8 GB RAM, 4 Core | 32 GB RAM, 8 Core | 64 GB RAM, 12 Core | open | CPU depending on format type, RAM depending on file size |\n| SHAREPOINT | | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | |\n| WEB | 1 GB RAM, 1 Core | 2 GB RAM, 2 Core | 4 GB RAM, 4 Core | 8 GB RAM, 
4 Core | open | |\n| WEBDAV | | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | |\n**Bold** components are required by a *SBS* setup, so here are some estimates per Application:\n| Component | Minimum (Demo and Dev) | Minimum (PROD) | Recommended (PROD) | Remark |\n| --------- | ---------------------- | ----------------- | ------------------ | ------------------ |\n| SBS | 6 GB RAM, 4 Core | 16 GB RAM, 8 Core | 24 GB RAM, 12 Core | Without WEB Client |\n| eGOV | TODO | TODO | TODO | eGOV needs much more CPU than a non eGOV system |\nA word on **eGOV**: The eGOV App brings hooks and jobs, that require much more resources than a *normal* nscale system even with other Apps installed.\n"} +{"chapter": "Real Resources in DEV Idle", "level": 2, "text": "```\n% kubectl top pods\n...\nsample-ha-administrator-0 2m 480Mi\nsample-ha-argo-administrator-0 2m 456Mi\nsample-ha-argo-cmis-5ff7d78c47-kgxsn 2m 385Mi\nsample-ha-argo-cmis-5ff7d78c47-whx9j 2m 379Mi\nsample-ha-argo-database-0 2m 112Mi\nsample-ha-argo-ilm-58c65bbd64-pxgdl 2m 178Mi\nsample-ha-argo-ilm-58c65bbd64-tpxfz 2m 168Mi\nsample-ha-argo-mon-0 2m 308Mi\nsample-ha-argo-nappl-0 5m 1454Mi\nsample-ha-argo-nappl-1 3m 1452Mi\nsample-ha-argo-nappljobs-0 5m 2275Mi\nsample-ha-argo-nstla-0 4m 25Mi\nsample-ha-argo-nstlb-0 6m 25Mi\nsample-ha-argo-pam-0 5m 458Mi\nsample-ha-argo-rs-7d6888d9f8-lp65s 2m 1008Mi\nsample-ha-argo-rs-7d6888d9f8-tjxh8 2m 1135Mi\nsample-ha-argo-web-f646f75b8-htn8x 4m 1224Mi\nsample-ha-argo-web-f646f75b8-nvvjf 11m 1239Mi\nsample-ha-argo-webdav-d69549bd4-nz4wn 2m 354Mi\nsample-ha-argo-webdav-d69549bd4-vrg2n 3m 364Mi\nsample-ha-cmis-5fc96b8f89-cwd62 2m 408Mi\nsample-ha-cmis-5fc96b8f89-q4nr4 3m 442Mi\nsample-ha-database-0 2m 106Mi\nsample-ha-ilm-6b599bc694-5ht57 2m 174Mi\nsample-ha-ilm-6b599bc694-ljkl4 2m 193Mi\nsample-ha-mon-0 3m 355Mi\nsample-ha-nappl-0 3m 1278Mi\nsample-ha-nappl-1 4m 1295Mi\nsample-ha-nappljobs-0 6m 1765Mi\nsample-ha-nstla-0 4m 25Mi\nsample-ha-nstlb-0 4m 25Mi\nsample-ha-pam-0 2m 
510Mi\nsample-ha-rs-7b5fc586f6-49qhp 2m 951Mi\nsample-ha-rs-7b5fc586f6-nkjqb 2m 1205Mi\nsample-ha-web-7bd6ffc96b-pwvcv 3m 725Mi\nsample-ha-web-7bd6ffc96b-rktrh 9m 776Mi\nsample-ha-webdav-9df789f8-2d2wn 2m 365Mi\nsample-ha-webdav-9df789f8-psh5q 2m 345Mi\n...\n```\n"} +{"chapter": "Defaults", "level": 2, "text": "Check the file `default.yaml`. You can set default memory limits for a container. These defaults are applied if you do not specify any resources in your manifest.\n"} +{"chapter": "Single-Instance-Mode", "level": 1, "text": "If you choose to separate tenants on your system not only by *nplus Instances* but also by *nplus Environments*, thus running each tenant in a separate Kubernetes *Namespace*, you do not need to create an *nplus Environment* first, but you can rather enable the *nplus Environment Components* within your instance:\n```yaml\ncomponents:\nsim:\ndav: true\nbackend: true\noperator: true\ntoolbox: true\n```\nSteps to run a SIM Instance:\n1. Create the namespace and the necessary secrets to access the repo, registry as well as the nscale license file\n```\nSIM_NAME=\"empty-sim\"\nkubectl create ns $SIM_NAME\nkubectl create secret docker-registry nscale-cr \\\n--namespace $SIM_NAME \\\n--docker-server=ceyoniq.azurecr.io \\\n--docker-username=$NSCALE_ACCOUNT \\\n--docker-password=$NSCALE_TOKEN\nkubectl create secret docker-registry nplus-cr \\\n--namespace $SIM_NAME \\\n--docker-server=cr.nplus.cloud \\\n--docker-username=$NPLUS_ACCOUNT \\\n--docker-password=$NPLUS_TOKEN\nkubectl create secret generic nscale-license \\\n--namespace $SIM_NAME \\\n--from-file=license.xml=$NSCALE_LICENSE\n```\n2. 
Deploy the Instance\n```\nhelm install \\\n--values lab.yaml \\\n--values single-instance-mode.yaml \\\n--namespace $SIM_NAME \\\n$SIM_NAME nplus/nplus-instance\n```\nIf you do not have any Application that requires assets such as scripts or apps, you are good to go with this.\nHowever, if your Application does require assets, the *problem* is to get them into your (not existing) environment before the Applications is trying to access them.\nThere are three possible solutions:\n1. You create an umbrella chart and have a job installing the assets into your Instance\n2. You pull / download assets from your git server or an asset server before the Application deployment\n3. You pull / download assets from your git server or an asset server before the Component deployment, including the Application\n**Solution 1** obiously involes some implementation on your end. That is not covered in this documentation.\n**Solution 2** can be achieved by defining a downloader in your application chart (see `empty-download.yaml`):\n```yaml\ncomponents:\napplication: true\napplication:\ndocAreas:\n- id: \"Sample\"\ndownload:\n- \"https://git.nplus.cloud/public/nplus/raw/branch/master/samples/assets/sample.sh\"\nrun:\n- \"/pool/downloads/sample.sh\"\n```\n**Solutions 3** should be used if you have any assets that need to be available **before** the nscale Components start, like snippets for the web client etc.\nYou can use the *Prepper* for that purpose. The *Prepper* prepares everything required for the Instance to work as intended. It is very much like the *Application*, except that it does not connect to any nscale component (as they do not yet run by the time the prepper executes). 
But just like the Application, the Prepper is able to download assets and run scripts.\nYou can add this to your deployment:\n```yaml\ncomponents:\nprepper: true\nprepper:\ndownload:\n- \"https://git.nplus.cloud/public/nplus/raw/branch/master/assets/sample.tar.gz\"\nrun:\n- \"/pool/downloads/sample/sample.sh\"\n```\n"} +{"chapter": "Deploying with Argo", "level": 1, "text": ""} +{"chapter": "the argo version of the instance", "level": 2, "text": "Deployin with argoCD is straight forward, as there is a ready-to-run instance chart version for argo, that takes **exactly** the same values as the *normal* chart:\n```bash\nhelm install \\\n--values samples/application/empty.yaml \\\n--values samples/environment/demo.yaml \\\nsample-empty-argo nplus/nplus-instance-argo\n```\n"} +{"chapter": "Using Waves", "level": 2, "text": "The instance chart already comes with pre-defined waves. They are good to go with (can be modified though):\n```yaml\nnappl:\nmeta:\nwave: 15\n```\n**But**: You might be annoyed by ArgoCD, when some services do not come up preventing other services to not be started at all since ArgoCD operates in Waves, so later services might not be deployed at all if an early wave services fails.\nEspecially in DEV, this can become a testing problem.\nTo turn *off* Waves completely for a Stage, Environment or Instance, go\n```\nglobal:\nenvironment:\nutils:\ndisableWave: true\n```\n"} +{"chapter": "Pinning Versions", "level": 1, "text": ""} +{"chapter": "Old Version", "level": 2, "text": "If you like to test rolling updates and the updates to new minor versions, check out the *e90* sample:\nThis sample will install a version 9.0.1400 for you to test. 
Since the Cluster Node Discovery changed due to a new jGroups version in nscale, the chart will notice the old version and turn on the legacy discovery mechanism to allow the Pod to find its peers in Versions prior to 9.1.1200.\n```\nhelm install \\\n--values samples/empty.yaml \\\n--values samples/demo.yaml \\\n--values versions/9.0.1400.yaml \\\nsample-e90 nplus/nplus-instance\n```\n"} +{"chapter": "New Version Sample", "level": 2, "text": "Some nscale Versions are License-Compatible, meaning that for example a Version 9.1 License File will also be able to run a nscale Version 9.0 Software. But that is not always the case.\nSo you might need to set individual licenses per instance:\n```\nkubectl create secret generic nscale-license-e10 \\\n--from-file=license.xml=license10.xml\n```\nCheck, if the license has been created:\n```\n"} +{"chapter": "kubectl get secret | grep license", "level": 1, "text": "nscale-license Opaque 1 7d22h\nnscale-license-e10 Opaque 1 17s\n```\nNow, we install the instance:\n```\nhelm upgrade -i \\\n--values samples/empty.yaml \\\n--values samples/demo.yaml \\\n--values versions/10.0.yaml \\\n--set global.license=nscale-license-e10 \\\nsample-e10 nplus/nplus-instance\n```\n"} +{"chapter": "Security", "level": 1, "text": ""} +{"chapter": "All the standards", "level": 2, "text": "There are several features that will enhance the security of your system:\n- all components are running rootless by default\n- all components drop all privileges\n- all components deny escalation\n- all components have read only file systems\n- Access is restricted by NetworkPolicies\n"} +{"chapter": "Additional: The backend Protocol", "level": 2, "text": "Additionally, you can increase security by encrypting communication in the backend. Depending on your network driver, this might already been done automatically beween the Kubernetes Nodes. 
But you can double that even within a single node by switching the backend Protocol to https:\n```yaml\nglobal:\nnappl:\nport: 8443\nssl: true\n"} +{"chapter": "Web and PAM do not speak https by default yet, CRs have been filed.", "level": 1, "text": "nappl:\ningress:\nbackendProtocol: https\ncmis:\ningress:\nbackendProtocol: https\nilm:\ningress:\nbackendProtocol: https\nwebdav:\ningress:\nbackendProtocol: https\nrs:\ningress:\nbackendProtocol: https\nmon:\ningress:\nbackendProtocol: https\nadministrator:\ningress:\nbackendProtocol: https\n```\nThis will turn every communication to https, **but** leave the unencrypted ports (http) **open** for inter-pod communication.\n"} +{"chapter": "Zero Trust Mode", "level": 2, "text": "This will basically do the same as above, **but** also turn **off** any unencrypted port (like http) and also implement NetworkPolicies to drop unencrypted packages.\nThis will also affect the way how *probes* are checking the pods health: *nplus* will switch them to use https instead, so even the very internal Healtch Check infrastructure will be encrypted in *zero trust mode*:\n```yaml\ncomponents:\npam: false #TODO: ITSMSD-8771: PAM does not yet support https backend.\nglobal:\nsecurity:\nzeroTrust: true\nnappl:\nport: 8443\nssl: true\n```\n"} +{"chapter": "(virtual-) Remote Management Server", "level": 1, "text": "The *nplus RMS* creates a virtual IP Address in your subnet. On this IP, you will find an *nscale Remote Management Service* and a Layer 4 Proxy, forwarding the ports of the components to the\nbelonging pods.\nThe result is, that under this VIP, it looks as if there is a real server with a bunch of *nscale* components installed. So you can use the desktop admin client to connect to it and configure it. Including offline configuration.\nThe offline configuration writes settings to the configuration files of the components. 
These files are injected into the Pods by *nplus* making the legacy magic work again.\nAlso, Shotdown, Startup and Restart buttons in the Admin client will work, as that will by translated to Kubernetes commands by *nplus*\nAnyways, there are some restrictions:\n- In a HA scenario, you need multiple virtual server, as nscale does not allow some components to deploy more than one instance per server (like nstl) and they would then also block the default ports. So better to have more RMS\n- Log Files are not written, so the Admin cannot grab them. So no log file viewing in Admin\n> Please notice that this is a BETA Feature not released for Production use.\nThis is a sample of RMS in a HA environment with two virtual servers:\n```yaml\ncomponents:\nrmsa: true\nrmsb: true\nrmsa:\ningress:\ndomain: \"server1.{{ .instance.group | default .Release.Name }}.lab.nplus.cloud\"\ncomps:\nnappl:\nenabled: true\nrestartReplicas: 2\nnstl:\nenabled: true\nname: nstla\nrestartReplicas: 1\nhost: \"{{ .component.prefix }}nstla.{{ .Release.Namespace }}.svc.cluster.local\"\nrs:\nenabled: true\nrestartReplicas: 2\nweb:\nenabled: true\nrestartReplicas: 2\nrmsb:\ningress:\ndomain: \"server2.{{ .instance.group | default .Release.Name }}.lab.nplus.cloud\"\ncomps:\nnappl:\nenabled: true\nname: nappljobs\nrestartReplicas: 1\nreplicaSetType: StatefulSet\nhost: \"{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local\"\nnstl:\nname: nstlb\nenabled: true\nrestartReplicas: 1\nhost: \"{{ .component.prefix }}nstlb.{{ .Release.Namespace }}.svc.cluster.local\"\n```\n"} +{"chapter": "Using Object Stores", "level": 1, "text": "Blobstores aka Objectstores have a REST Interface that you can upload your Payload to and receive an ID for it. 
They are normally structured into *Buckets* or *Containers* to privide\nsome sort of pooling payload within the store.\nThe *nscale Server Storage Layer* supports multiple brands of objectstores, the most popular being Amazon S3 and Microsoft Azure Blobstore.\nIn order to use them, you need to\n- get an account for the store\n- configure the *nstl* with the url, credentials etc.\n- Add firewall rules to access to store\nHave a look at the sample files\n- s3-env.yaml\nfor Amazon S3 compatible storage, and\n- azureblob.yaml\nfor Azure Blobstore\nFor S3 compatible storage, there are multiple S3 flavours available.\n"} +{"chapter": "Custom Environment Variables", "level": 1, "text": "There are multiple ways of how to set custom environment variables in addition to the named values, you set in helm:\n"} +{"chapter": "Using `env`", "level": 2, "text": "Please have a look at `s3-env.yaml` to see how custom environment variables can be injected into a component:\n```\nnstl:\nenv:\n# Archivtyp\nNSTL_ARCHIVETYPE_900_NAME: \"S3\"\nNSTL_ARCHIVETYPE_900_ID: \"900\"\nNSTL_ARCHIVETYPE_900_LOCALMIGRATION: \"0\"\nNSTL_ARCHIVETYPE_900_LOCALMIGRATIONTYPE: \"NONE\"\nNSTL_ARCHIVETYPE_900_S3MIGRATION: \"1\"\n```\nThis will set the environment variables in the storage layer to add an archive type with id 900.\n"} +{"chapter": "Using `envMap` and `envSecret`", "level": 2, "text": "Alternatively to the standard `env`setting, you can also use configmaps and secrets for additional environment variables.\nThe file `s3-envres.yaml` creates a configmap and a secret with the same variables as used in the `s3-env.yaml` sample. 
`s3-envfrom.yaml` shows how to import them.\nPlease be aware, that data in secrets need to be base64 encoded:\n```\necho \"xxx\" | base64\n```\nSo in order to use the envFrom mechanism,\n- prepare the resources (as in `s3-envres.yaml`)\n- upload the resources to your cluster\n```\nkubectl apply -f s3-envres.yaml\n```\n- add it to your configuration\n```\nnstl:\n# These resources are set in the s3-envres.yaml sample file\n# you can set single values (envMap or envSecret) or lists (envMaps or envSecrets)\nenvMaps:\n- env-sample-archivetype\n- env-sample-device\nenvSecret: env-sample-device-secret\n```\n"} +{"chapter": "Specifics of the Sharepoint Connector", "level": 1, "text": "Normally, you will have different configurations if you want multiple Sharepoint Connectors. This makes the *nsp* somewhat special:\n"} +{"chapter": "Multi Instance HA Sharepoint Connector", "level": 2, "text": "This sample shows how to setup a sharepoint connector with multiple instances having **different** configurations for archival, but with **High Availability** on the retrieval side.\nSharePoint is one of the few components for which is is quite common to have multiple instances instead of replicas. Replicas would include, that the configuration for all pods is identical. However, you might want to have multiple configurations as you also have multiple sharepoint sites you want to archive.\nRunning multiple instances with ingress enabled leads to the question, what the context path is for each instance. 
It cannot be the same as the load balancer would not be able to distinguish between them and thus refuses to add the configuration object - leading in a deadlock situation.\nSo *nplus* defined different context paths if you have multiple instances:\n- sharepointa on `/nscale_spca`\n- sharepointb on `/nscale_spcb`\n- sharepointc on `/nscale_spcc`\n- sharepointd on `/nscale_spcd`\nIf you only run one instance, it defaults to `/nscale_spc`.\n"} +{"chapter": "HA on retrieval", "level": 2, "text": "Once archived, you might want to use all instances for retrieval, since they share a common retrieval configuration (same nappl, ...). So in order to gain High Availability even across multiple instances, there are two options:\n1. You turn off the services and ingresses on any sharepoint instance but sharepointa. Then you switch sharepointa's service selector to *type mode*, selecting all pods with type `sharepoint` instead of all pods of component `sharepointa`. Then you can access this one service to reach them all.\n2. 
You can turn on the *clusterService*, which is an additional service that selects all `sharepoint` type pods and then adds an extra ingress on this service with the default context path `nscale_spc`\nHowever, in both scenarios, beware that the sharepoint connector can only service one context path at a time, so you will need to change the context path accordingly.\n"} +{"chapter": "Sample for solution 1", "level": 2, "text": "On the instance, define the following:\n```\ncomponents:\n# -- First, we switch the default SharePoint OFF\nsharepoint: false\n# -- Then we enable two sharepoint instances to be used with different configurations\nsharepointa: true\nsharepointb: true\nsharepointa:\nservice:\n# -- Switching the service to \"type\" makes sure we select not only the component pods (in this case all replicas of sharepointa)\n# but rather **any** pod of type sharepoint.\nselector: \"type\"\ningress:\n# -- The default contextPath for sharepointa is `nscale_spca` to make sure we have distinguishable paths for all sharepoint instances.\n# however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general\n# contextPath, as if it was a single component deployment\ncontextPath: \"/nscale_spc\"\nsharepointb:\nservice:\n# -- The other SP Instance does not need a service any more, as it is selected by the cluster service above. 
So we switch off the component\n# service which also switches off the ingress as it would not have a backing service any more\nenabled: false\n# -- The default contextPath for sharepointb is `nscale_spcb` to make sure we have distinguishable paths for all sharepoint instances.\n# however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general\n# contextPath, as if it was a single component deployment\ncontextPath: \"/nscale_spc\"\n```\n"} +{"chapter": "Sample for Solution 2", "level": 2, "text": "On the instance, define the following:\n```\ncomponents:\n# -- First, we switch the default SharePoint OFF\nsharepoint: false\n# -- Then we enable two sharepoint instances to be used with different configurations\nsharepointa: true\nsharepointb: true\nsharepointa:\nclusterService:\n# -- This enabled the cluster service\nenabled: true\n# -- the cluster Ingress needs to know the context path it should react on.\ncontextPath: \"/nscale_spc\"\ningress:\n# -- we turn off the original ingress as the common context path would block the deployment\nenabled: false\n# -- The default contextPath for sharepointa is `nscale_spca` to make sure we have distinguishable paths for all sharepoint instances.\n# however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general\n# contextPath, as if it was a single component deployment\ncontextPath: \"/nscale_spc\"\nsharepointb:\nclusterService:\n# -- on the second SharePoint Instance, we **disable** the cluster service, as it is already created by sharepointa.\nenabled: false\n# -- however, we need to set the context path, as this tells the networkPolicy to open up for ingress even though we switch die Ingress off in the\n# next step\ncontextPath: \"/nscale_spc\"\ningress:\n# -- we turn off the original ingress as the common context path would block the deployment\nenabled: false\n# -- The default contextPath for 
sharepointb is `nscale_spcb` to make sure we have distinguishable paths for all sharepoint instances.\n# however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general\n# contextPath, as if it was a single component deployment\ncontextPath: \"/nscale_spc\"\n```\n"} +{"chapter": "Static Volumes", "level": 1, "text": ""} +{"chapter": "Assigning PVs", "level": 2, "text": "For security reasons, you might want to use a storage class that does not perform automatic provisioning of PVs.\nIn that case, you want to reference a pre-created volume in the PVC.\nIn nplus, you can do so by setting the volumeName in the values.\nPlease review `values.yaml` as an example:\n```yaml\ndatabase:\nmounts:\ndata:\nvolumeName: \"pv-{{ .component.fullName }}-data\"\nnstl:\nmounts:\ndata:\nvolumeName: \"pv-{{ .component.fullName }}-data\"\n```\nYou can also set the environment config volume. Please refer to the environment documentation for that.\n```\nhelm install \\\n--values samples/environment/demo.yaml \\\n--values samples/static/values.yaml\nsample-static nplus/nplus-instance\n```\n"} +{"chapter": "Creating PVs", "level": 2, "text": "https://github.com/ceph/ceph-csi/blob/devel/docs/static-pvc.md\n"} +{"chapter": "Data Disk:", "level": 3, "text": "1. Create a pool on your cep cluster\n```\nceph osd pool create k-lab 64 64\n```\n2. Create a block device pool\n```\nrbd pool init k-lab\n```\n3. Create an image\n```\nrbd create -s 50G k-lab/pv-sample-static-database-data\nrbd create -s 50G k-lab/pv-sample-static-nstl-data\nrbd ls k-lab | grep pv-sample-static-\n```\nResize:\n```\nrbd resize --size 50G k-lab/pv-no-provisioner-database-data --allow-shrink\n```\n"} +{"chapter": "File Share:", "level": 3, "text": "1. Create a Subvolume (FS)\n```\nceph fs subvolume create cephfs pv-no-provisioner-rs-file --size 53687091200\n```\n2. 
Get the path of the subvolume\n```\nceph fs subvolume getpath cephfs pv-no-provisioner-rs-file\n```\n"} +{"chapter": "Troubleshooting", "level": 3, "text": "```\nkubectl describe pv/pv-no-provisioner-rs-file pvc/no-provisioner-rs-file\nkubectl get volumeattachment\n```\n"} +{"chapter": "PV Manifests", "level": 3, "text": "```yaml\napiVersion: v1\nkind: PersistentVolume\nmetadata:\nname: pv-no-provisioner-database-data\nspec:\naccessModes:\n- ReadWriteOnce\ncapacity:\nstorage: 50Gi\ncsi:\ndriver: rook-ceph.rbd.csi.ceph.com\nfsType: ext4\nnodeStageSecretRef:\n# node stage secret name\nname: rook-csi-rbd-node\n# node stage secret namespace where above secret is created\nnamespace: rook-ceph-external\nvolumeAttributes:\n# Required options from storageclass parameters need to be added in volumeAttributes\nclusterID: rook-ceph-external\npool: k-lab\nstaticVolume: \"true\"\nimageFeatures: layering\n#mounter: rbd-nbd\n# volumeHandle should be same as rbd image name\nvolumeHandle: pv-no-provisioner-database-data\npersistentVolumeReclaimPolicy: Retain\n# The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block`\nvolumeMode: Filesystem\nstorageClassName: ceph-rbd\n---\napiVersion: v1\nkind: PersistentVolume\nmetadata:\nname: pv-no-provisioner-nstl-data\nspec:\naccessModes:\n- ReadWriteOnce\ncapacity:\nstorage: 50Gi\ncsi:\ndriver: rook-ceph.cephfs.csi.ceph.com\nfsType: ext4\nnodeStageSecretRef:\n# node stage secret name\nname: rook-csi-rbd-node\n# node stage secret namespace where above secret is created\nnamespace: rook-ceph-external\nvolumeAttributes:\n# Required options from storageclass parameters need to be added in volumeAttributes\nclusterID: rook-ceph-external\npool: k-lab\nstaticVolume: \"true\"\nimageFeatures: layering\n#mounter: rbd-nbd\n# volumeHandle should be same as rbd image name\nvolumeHandle: 
pv-no-provisioner-nstl-data\npersistentVolumeReclaimPolicy: Retain\n# The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block`\nvolumeMode: Filesystem\nstorageClassName: ceph-rbd\n---\napiVersion: v1\nkind: PersistentVolume\nmetadata:\nname: pv-no-provisioner-rs-file\nspec:\naccessModes:\n- ReadWriteMany\ncapacity:\nstorage: 50Gi\ncsi:\ndriver: cephfs.csi.ceph.com\nnodeStageSecretRef:\nname: rook-csi-cephfs-secret\n#rook-csi-cephfs-node\nnamespace: rook-ceph-external\nvolumeAttributes:\n# Required options from storageclass parameters need to be added in volumeAttributes\nclusterID: rook-ceph-external\nfsName: cephfs\npool: cephfs_data\nstaticVolume: \"true\"\n# rootPath kriegt man per ceph fs subvolume getpath cephfs pv-no-provisioner-rs-file\nrootPath: \"/volumes/_nogroup/pv-no-provisioner-rs-file/3016f512-bc19-4bfb-8eb2-5118430fbbe5\"\n#mounter: rbd-nbd\n# volumeHandle should be same as rbd image name\nvolumeHandle: pv-no-provisioner-rs-file\npersistentVolumeReclaimPolicy: Retain\n# The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block`\nvolumeMode: Filesystem\nstorageClassName: cephfs\n```\n"} diff --git a/ai/jsonl/faq.jsonl b/ai/jsonl/faq.jsonl new file mode 100644 index 0000000..2a9ea12 --- /dev/null +++ b/ai/jsonl/faq.jsonl 
@@ -0,0 +1,29 @@ +{"question": "How do I add my custom Generic Base App (GBA) to the deployment?", "answer": "You can use the application chart to add your GBAs to a deployment. Please follow the instructions\nin the [chart README](../charts/application/README.md)."} +{"question": "I do not find any of my custom objects (roles, classes, ...) from my GBA in the system. Is there an install log file that I can check?", "answer": "Yes. You can either check the log of the application job with\n```\nkubectl logs -l nplus/instance=sbs,nplus/component=application\n```\nor you can check the log at `/conf//application/10init.log` from the environment toolbox.\nPlease check out the [chart README](../charts/application/README.md) for more information.\n> Please note, that the job/pod is automatically removed shortly after app installation, so the `kubectl logs` command might not find the ressource any more."} +{"question": "Network Policies", "answer": "Kubernetes CNI supports the use of `NetworkPolicy` resources. Every resource, that has a NetworkPolicy attached is monitored by a compatible CNI driver such as Calico oder Cilium and Network Filter Rules are implemented.\nBy this means, one pod can only communicate with other pods, if a network rule has explicely been applied.\nnplus supports NetworkPolicies by the following control structures:\nsecurity.cni. 
(on component, instance or environment level)\n- defaultIngressPolicy\n can be set to *deny*, *allow* or none.\n *deny* will drop all undefined inbound packages,\n *allow* will forward all undefined inbound packages\n If not defined, the Policy will not be created.\n- defaultEgressPolicy\n can be set to *deny*, *allow* or none.\n *deny* will drop all undefined outbound packages,\n *allow* will forward all undefined outbound packages\n If not defined, the Policy will not be created.\n- createNetworkPolicy\n toggles the policy creation in general\nFor larger projects, it is likely to have a *Central Services* Instance that hold e.g. the *Administrator* and the *Monitoring Console*. If these services are in the same namespace and within the same instance, nothing need to be done (default).\nHowever, if you use *Central Services* you can define the Namespace and the Instance of these services in order to have NetworkPolicies created for inter-namespace and inter-instance traffic.\n- administratorNamespace\n- administratorInstance\n- monitoringNamespace\n- monitoringInstance\n- pamNamespace\n- pamInstance\n> If you use a centralized *Storage Layer* and *Rendition Server*, you will have to apply extra Policies to allow access. Please remember to write ingress and egress rules.\nExample:\n```\nglobal:\n environment:\n security:\n cni:\n defaultIngressPolicy: deny\n defaultEgressPolicy: deny\n createNetworkPolicy: true\n```"} +{"question": "How can I use snc in NAPPL to access my SAP System?", "answer": "To use *snc* in NAPPL, you need to\n1. Enable it in NAPPL (`nappl.snc.enabled: true`)\n2. Add the IP Range of your SAP Systems to allow egress access (`nappl.snc.sapIpRange: \"0.0.0.0/0\"`)\n3. 
Copy the *snc* files to the nplus environment (`kubectl cp snc nplus-toolbox-0:/conf/pool`)\nPlease find more information in the [nappl chart README](../charts/nappl/README.md)"} +{"question": "How can I use extra fonts for rendition or OCR?", "answer": "Extra fonts, like the *mscorefonts* can be installed by copying them into the *nplus environment*. The fonts are then automatically applied to all *rendition Server* and *Application Layer* components within all *nplus Instances* within this environment.\nTo copy fonts to the pool, use\n```\nkubectl cp test/fonts nplus-toolbox-0:/conf/pool\n```\nThis copies the local *fonts* directory to the environment pool.\nThe target is `pool/fonts`, where all extra fonts must reside.\nThis is then picked up by the components."} +{"question": "How can I completely remove any trace of *nplus* from my cluster?", "answer": "1. Remove all *nplus Instances* from your *nplus Environment*:\nIf you installed with helm:\n```\nhelm uninstall myInstance\n```\nIf you installed using Argo:\n```\nhelm install myInstance-argo\n```\nor whatever the name of your instance is.\nIf you installed by kubectl:\n```\nkubectl delefe -f myInstance.yaml\n````\nDo this for all instances.\n2. Remove the *nplus Environment* from the Kubernetes Namespace\nif installed by helm:\n```\nhelm uninstall \n```\nwhere *name* is the name you used when installing\n3. Remove the *nplus Cluster* from the Kubernetes Cluster\nif installed by helm:\n```\nhelm uninstall \n```\nwhere *name* is the name you used when installing"} +{"question": "I would like to connect to the environment dav server to access the config files", "answer": "You can access the *nplus Environment conf dav server* either\n- through an ingress, if you enable it. But you might want to keep it disabled for security reasons. 
Instead you can access it\n- via a port forwarding from your local machine, in case you have kubectl access to the cluster:\n```\nkubectl port-forward pods/nplus-davserver-0 8080:8080\n```\nThen, you can connect to the server via http://localhost:8080/dav"} +{"question": "How can I manually delete all Resources belonging to a specific instance?", "answer": "To delete everything belonging to a specific instance, you can use:\n```\nkubectl delete $(kubectl get svc,sts,deployment,cm,secret,networkpolicy,ing,pvc,certificate,nscale -l nplus/instance= -o name)\n```"} +{"question": "I changed the image tag of *nscale Web*, but when I apply, the component stays healthy", "answer": "Even though it might seem *nscale Web* would not restart, it actually does.\n*nscale Web* is configured as a *Rolling Update DeamonSet*, so it first creates a new Pod and waits till that is ready. Then it stops the old one.\nDuring the update cycle, the services stays healthy.\nNotice, that the *Application* job (if defined) runs as well. That is, because updating the Web component might require new Snippets etc. to be installed,\nto *nplus* is giving the *Application* the chance to do so."} +{"question": "Can I check out a nappl image?", "answer": "Yes, you can:\n```sh\ndocker run --rm -it ceyoniq.azurecr.io/release/nscale/application-layer:ubi.9.2.1200.2024052713 /bin/bash\n```"} +{"question": "Can I bash into my nappljobs?", "answer": "Indeed:\n```sh\nkubectl exec --stdin --tty demo-ha-nappljobs-0 -- /bin/bash\n```"} +{"question": "I keep getting errors, that *chmod* is not allowed on the conf file system", "answer": "This might be because you might be using a CIFS / smb shared file system (like Microsoft Azure File).\nYou can switch off all internal chmod commands by setting `.Values.global.environment.storage.conf.cifs` to `true`."} +{"question": "We use multiple ingress controllers in different namespaces. 
How do we set that?", "answer": "You can set the ingress class per enviroment, per instance or per component.\nComponent bein the highest priority.\nAdditionally, you might want to set the namespace of your controller to allow ingress traffic from that namespace to the pods. Since you probably have multiple namespaces, this is a comma separated list:\n```\n# Set Ingress namespace per component\ningress:\n namespace: \"nginx-ingress\"\n```\nor\n```\n# Set Ingress namespaces for all instances in an environment\nglobal:\n environment:\n ingress:\n namespace: \"ingress, kube-system, external-ingress, internal-ingress, backup-ingress\"\n```"} +{"question": "How do I know which tags exist in the registry?", "answer": "You can use Skopeo:\n```\nskopeo list-tags docker://ceyoniq.azurecr.io/release/nscale/application-layer\n```\nThis lists all nappl tags in the registry"} +{"question": "We use a forward proxy in our DMZ and have problems with OAuth (or others)", "answer": "If you use a forward proxy, such as in a DMZ Scenario, you will probably need to configure your cluster Load Balancer so it forwards the real IP adress of your clients.\nIn nginx, this is done by the setting `use-forwarded-headers` which needs to be put into the clusterwide config (this is a global option):\n```\nkind: ConfigMap\napiVersion: v1\nmetadata:\n name: nginx-load-balancer-microk8s-conf\n namespace: ingress\ndata:\n use-forwarded-headers: \"true\"\n proxy-real-ip-cidr: \"\"\n```\nApply this config map to your nginx LB namespace setting the IP Adress CIDR of your DMZ Reverse Proxy.\nIn the DMZ nginx configuration, make sure you submit all necessary information:\n```\nserver {\n server_name demo.nscale.cloud;\n client_max_body_size 10G;\n proxy_set_header X-Forwarded-For $remote_addr;\n proxy_set_header X-Forwarded-Host $host;\n proxy_set_header X-Forwarded-Proto $scheme;\n if ( $is_bot ) { return 410; }\n location = / { return 301 \"/nscale_web\"; }\n location = /me { return 301 
\"/auth/realms/cloud/account\"; }\n location /robots.txt { return 200 \"User-agent: *\\nDisallow: /\"; }\n location /nscale_web { proxy_pass https://dmz.lan; }\n location ~ ^/(auth/realm|auth/login|auth/resources) { proxy_pass https://centralservices.lan; }\n location /nscalealinst1 { proxy_pass https://dms.lan; }\n listen 443 ssl;\n ssl_certificate fullchain.pem;\n ssl_certificate_key privkey.pem;\n}\n```"} +{"question": "How yan I set Ressources (CPU / RAM) for the components?", "answer": "You can set the ressources in the Values:\n```yaml\nresources:\n requests:\n cpu: \"100m\" # Minimum 1/10 CPU\n memory: \"500Mi\" # Minimum 500 MB\n limits:\n cpu: \"2000m\" # Maximum 2 Cores\n memory: \"4096Mi\" # Maximum 4 GB. Java will see this as total.\n```\nIf you want to set Java Memory Options:\n```yaml\njavaOpts:\n javaMinMem: \"1024m\"\n javaMaxMem: \"2048m\"\n```"} +{"question": "How can I bash into nappl?", "answer": "This is an example of how to bash into a nappl, in this case empty-nappl-0:\n```\nkubectl exec --stdin --tty empty-nappl-0 -- /bin/bash\n```"} +{"question": "How can I set the timezone?", "answer": "You can set the timezone per component, instance and/or environment, using the `timezone` value. 
Please refer to the\ncomponent README.md for more information."} +{"question": "How can I use priorityClasses for the components?", "answer": "You can use an existing priorityClass by setting `priority.className: ` on the component, instance or environment.\nIf you want to have the class created for you, you can set `priority.createClass: true`.\nYou can also set the desired value.\nExample:\n```yaml\npriority:\n className: '{{ .component.fullName }}'\n createClass: true\n value: \"1000000\"\n```\n> If you omit the quotes for value, you will end up having a float64 like `1e+06` in your values, which will cause problems.\nTo forcefully switch off any previously set priority for a specific instance, you can override:\n```yaml\nglobal:\n override:\n priority:\n```\nThe **default** is to have no priorityClass at all."} +{"question": "How can I enable and access the Web Administrator?", "answer": "To enable the nscale Administrator (Web, aka *RapAdmin*), you have to first enable the *administrator* chart in your instance:\n```yaml\ncomponents.administrator: true\n```\nBy default, the Administrator will use the standard Application Layer for login. You can change that by setting\n```yaml\nadministrator:\n nappl:\n host: '{{ include \"nplus.prefix\" . }}nappljobs.{{ .Release.Namespace }}'\n waitFor:\n - '-service {{ include \"nplus.prefix\" . }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.global.nappl.port }} -timeout 600'\n```\nThis is an example, where we use multiple Application Layer and one designated Application Layer for Jobs. And we use this `nappljobs` for administration as well. So the above configuration changes the default and lets the admin client access nappljobs.\nIf you run the Administrator in another instance (Central Services or something alike), you can also cross namespaces and/or instances here to access multiple tenants if desired. 
But in that case you might need to add individual *networkPolicies* to allow access.\nOnce the Admin Client is running, you can reach it at `https:///rapadm`."} +{"question": "I want to use the same domain for my environment and my instance, so the certificates are created twice", "answer": "First of all, are you sure you want the same domain? Because the environment ingress is used by admins to access the config by dav or the monitoring data from the operator. You normally would not want that to use the same domain / ingress as the users of your services.\nHowever, if you decide to use the same domain, you can easily switch off certificate generation: Certificates are either generated by an issuer like cert-manager or are self-signed and generated by helm.\n- if `.this.ingress.issuer` is set, the chart requests this issuer to generate a tls secret with the name `.this.ingress.secret`\n by creating a certificate resource with the name of the domain `.this.ingress.domain`\n- else, so no issuer is set, the chart checks wether the flag `.this.ingress.createSelfSignedCertificate` is set to `true` and\n generates a tls secret with the name `.this.ingress.secret`\n- else, so neither issuer nor createSelfSignedCertificate are set, the charts will not generate anything\nAfter the instance or environment ran through the generation process, the components use the name of the tls\nsecret `.this.ingress.secret` for their ingresses, in case `.this.ingress.enabled` is `true`.\nSo to cut a long story short:\n1. You better not have the same domain for end users and admins. Please re-consider and try something like\n - `admin.my-domain.internal` for admin access and\n - `my-domain.cloud` for public access\n2. If you do want the same domain, you need to switch off the generation process in either the instance or the environment.\n You can still use the same secret. 
As the environment is deployed before the instance, it might be a good idea to switch off the instance:\n ```yaml\n global:\n ingress:\n issuer: null\n createSelfSignedCertificate: false\n ```"} +{"question": "How can I access my services with a browser?", "answer": "Well, that of course depends on\n- which services you enabled\n- if these services gain access through a web interface\n- this access (ingress) is enabled.\nYou can check like this:\n```bash\nkubectl get ingress -l nplus/instance=\n```\nExample using the *demo-ha* example:\n```bash\n% kubectl get ingress -l nplus/instance=demo-ha\nNAME CLASS HOSTS ADDRESS PORTS AGE\ndemo-ha-administrator public demo-ha.lab.nplus.cloud 127.0.0.1 80, 443 10h\ndemo-ha-cmis public demo-ha.lab.nplus.cloud 127.0.0.1 80, 443 10h\ndemo-ha-ilm public demo-ha.lab.nplus.cloud 127.0.0.1 80, 443 10h\ndemo-ha-mon public demo-ha.lab.nplus.cloud 127.0.0.1 80, 443 10h\ndemo-ha-nappl public demo-ha.lab.nplus.cloud 127.0.0.1 80, 443 10h\ndemo-ha-pam public demo-ha.lab.nplus.cloud 127.0.0.1 80, 443 10h\ndemo-ha-web public demo-ha.lab.nplus.cloud 127.0.0.1 80, 443 10h\ndemo-ha-webdav public demo-ha.lab.nplus.cloud 127.0.0.1 80, 443 10h\n```\nThen, you can drill into an ingress, to get the paths:\n```bash\nkubectl describe ingress \n```\nYou can also get a list of all hosts + paths:\n```bash\n% kubectl get ingress -l nplus/instance=demo-ha -o json 2> /dev/null| jq -r '.items[] | .spec.rules[] | .host as $host | .http.paths[] | ( $host + .path)' | sort | grep -v 
^/\ndemo-ha.lab.nplus.cloud/cmis\ndemo-ha.lab.nplus.cloud/dav\ndemo-ha.lab.nplus.cloud/engine.properties\ndemo-ha.lab.nplus.cloud/index.html\ndemo-ha.lab.nplus.cloud/modeler\ndemo-ha.lab.nplus.cloud/nscale_web\ndemo-ha.lab.nplus.cloud/nscalealinst1\ndemo-ha.lab.nplus.cloud/nscalealinst1/webb/configuration\ndemo-ha.lab.nplus.cloud/nscalealinst1/webc/configuration\ndemo-ha.lab.nplus.cloud/nscalemc\ndemo-ha.lab.nplus.cloud/rapadm\ndemo-ha.lab.nplus.cloud/res\ndemo-ha.lab.nplus.cloud/sap_ilm\n```"} +{"question": "I would like to disable the ingress on the operator, but access it through a NodePort Service", "answer": "Sure. Just disable the ingress first on your environment deployment:\n```yaml\noperator:\n ingress:\n enabled: false\n```\nThen add a NodePort Service to access it:\n```bash\ncat << EOF | kubectl apply -f -\napiVersion: v1\nkind: Service\nmetadata:\n name: nplus-operator-nodeport-access\nspec:\n type: NodePort\n selector:\n nplus/component: operator\n ports:\n - port: 8080\n targetPort: 8080\n nodePort: 31976\nEOF\n```\nAccess it:\n- `http://:31976/monitoring`\n- `https://:31977/monitoring`\nhttps://10.17.1.31:31977/monitoring/index.html?page=overview"} +{"question": "During Desaster Recovery tests we noticed that we cannot change the Document ID in runtime. What should we do?", "answer": "You can switch the component (in this case the Storage Layer as you mention the Document ID, but this method work for any component) into *Maintenance Mode*. Maintenance Mode will\n- start pods without starting the service, providing the possibility to gain access to the container to perform recovery tasks that need to be done offline. 
In order to do this:\n - All *waitFor* definitions are ignored\n - All *Health Checks* are ignored\n - The container starts in idle\n - Application Jobs are disabled\nYou can put a component, an instance or the whole environment into maintenance.\n```yaml\nutils:\n maintenance: true\n```\nor global for the instance:\n```yaml\nglobal:\n utils:\n maintenance: true\n```"} +{"question": "Why can't I specify pullSecrets on the waitImage?", "answer": "pullSecrets are defined at pod level, not at container level. WaitFor is a container, so it doesn't have its own pullSecrets but rather takes the pod ones."} +{"question": "We do not want to use argoCD Waves, can we switch it off?", "answer": "Yes, just add the following to the `values.yaml` to globally turn off the argoCD Wave feature:\n```yaml\nglobal:\n utils:\n disableWave: true\n```\nPlease also see the *nowaves* example"} +{"question": "Out Instances became pretty large with lots of components and multiple team members working on parts of it. Can we somehow slices it into smaller chunks?", "answer": "Yes, you can. Simply create multiple Instances with the components you like and then join them all together using a common `.instance.group` tag.\nThis will open the firewall (Network Policies) to allow traffic within the group / between multiple Instances.\nPlease see the *group* example for details"} +{"question": "I get frequent DV/DA HID check failures in nstl in my dev Environment", "answer": "In the lab / dev environment, you probably quite often throw away the data disk while keeping the conf folder. The default for the DA_HID.DAT is the conf folder, so they do not match any more. You can easily switch the check off:\n```yaml\nnstl:\n checkHighestDocId: \"0\"\nnstla:\n checkHighestDocId: \"0\"\nnstlb:\n checkHighestDocId: \"0\"\n```\nif you do this in the environment, you have globally switched all nstl da checks off."} +{"question": "We use the postgres DB for DEV and would like to get a dump. 
How can we do that?", "answer": "You can call pg_dump from the command line. Make sure you have the right password and pod.\n```\nkubectl exec --stdin --tty sample-empty-database-0 -- env PGPASSWORD=\"postgres\" pg_dump -U postgres -w nscale > test.dump\n```"} diff --git a/ai/jsonl/history.jsonl b/ai/jsonl/history.jsonl new file mode 100644 index 0000000..7bfaa49 --- /dev/null +++ b/ai/jsonl/history.jsonl 
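Review bot: In the faq.jsonl hunk, the SNC answer gives `nappl.snc.sapIpRange: "0.0.0.0/0"` as the value to copy, which covers every IPv4 address and would undercut the `defaultEgressPolicy: deny` setup described earlier in the same file; show a placeholder for the SAP systems' own CIDR instead. In the answer on removing nplus, the Argo case under "Remove all nplus Instances" reads `helm install myInstance-argo` where an uninstall is meant, `kubectl delefe` is misspelled, and that fence closes with four backticks. The NodePort answer defines only `nodePort: 31976`, yet it lists `https://:31977/monitoring` and a concrete `https://10.17.1.31:31977/...` URL; either add the second port to the Service or drop those lines, and take the internal address out of a commit labelled Public Information. The `pg_dump` example passes `PGPASSWORD="postgres"` inline, so the answer should state that this is the DEV default and not something to carry into other stages.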
@@ -0,0 +1,23 @@ +{"chapter": "Version History", "level": 1, "text": ""} +{"chapter": "November 2024, beta 160", "level": 2, "text": "- Added a startup probe for nstl\n"} +{"chapter": "November 2024, beta 159", "level": 2, "text": "- Added .instance.stage to identify a stage\n"} +{"chapter": "November 2024, beta 158", "level": 2, "text": "- Added service.name for Open Telemetry\n"} +{"chapter": "Oktober 2024, beta 157", "level": 2, "text": "- Latest ERP-Proxy Version by Ceyoniq. This also has been **renamed** to **erpproxy** to match the **eprcmis** connector chart naming\n- First BETA of ERP-CMIS Connector in directory **erpcmis**\n- Added the possibility to add Annotations to Payloads, for the use with OpenTelemetry\nAlso see [here](https://opentelemetry.io/docs/kubernetes/operator/automatic/)\n- Also added hard coded openTelemetry support for convenience\n- Fixed a bug where the prepper chart waited for post sync in argo deployments\n"} +{"chapter": "Oktober 2024, beta 156", "level": 2, "text": "- nscale ERP Proxy Chart now available. There is still a bug in this first image by Ceyoniq, so the chart will not bring up a running\nsystem yet. But the Values are in, so you can start setting up the instances.\n"} +{"chapter": "Oktober 2024, beta 155", "level": 2, "text": "- Added the possibility to use configMaps and secrets in the generic mount interface.\nPlease see the *generic* example for details\n"} +{"chapter": "September 2024, release 1.2.1500", "level": 2, "text": "- Update to nscale 9.2.1502\n- Added value `logForwarder.db` to set a fully qualified path to the database file, in case you do not want to have it along the logs.\nExample:\n```\nlogForwarder:\n- name: Accounting\npath: \"/opt/ceyoniq/nscale-server/storage-layer/accounting/*.csv\"\ndb: \"/opt/ceyoniq/nscale-server/storage-layer/logsdb/logs.db\"\n```\n- BASEFOLDER Value Typo corrected in SharePoint. Is now `Values.nappl.baseFolder`\n- The default value for `doInitialCrawl` was a bool. 
It is now a string `false` which is correct.\n- You can now add any extra Annotation to services and ingresses.\nExample:\n```\nglobal:\ningress:\nannotations:\nnginx.org/proxy-read-timeout: \"20s\"\nservice:\nannotations:\nconsul.hashicorp.com/service-sync: \"true\"\n```\n- Add `.this.ingress.proxyReadTimeout` to set this extra annotation to ingress objects\n- Ports can now be disabled in NetworkPolicies, if you use a CNI driver that does not support them.\nThis is especially for the \"endPort\" Attribute, that is currently not supported by Cilium.\n- Added port 443 to the egress in Network Policies for Pods accessing the K8s API\n- there was a duplicate podDisruptionBudget. Fixed it.\n- Fixed a bug with respect to Volume Names / Static Volumes and Storage Classes\n- Correction of documentation regarding `global.pullSecretOverride` (wrong, missing s) and `global.pullSecretsOverride` (correct)\n- Fixed a bug where PAM could not communication with JOBSNAPPL in a HA scenario\n"} +{"chapter": "August 2024, release 1.2.1400", "level": 2, "text": "- Fixed bugs regarding KubePing Protocol in Version < 9.1\n- Fixed bugs regarding tenant-chart-agro. Be aware: It was the .helmignore after all.\n- Added nscale 9.1.1506 to versions and released the chart version to repo\n- The Application Chart now waits a minute before executing to prevent race condition problems\n- Setting SERVER_BASE_URL in Application Layer for SAML redirects to work\n- Added Liveness Probes\n- Added the possibility to define *PodDisruptionBudgets* for any component.\n- Added a readyness probe to postgres\n- reviewed the resource consumption and added better requests and limits. 
Also see the sample *resources*\n- Working on the documentation\n- updated sharepoint chart to meet the latest specs from Ceyoniq\n- Sharepoint Connector is now a StatefulSet\n- SharePoint DoInitialCrawl now defaults to false\n- Changed nstl and sharepoint updateStrategy to OnDelete\n- Update Sharepoint to version 9.2.1400\n- Update nscale auf 9.2.1402\n- The nstl HID Check was disabled by default, as it only made sense when using multiple volumes. Now, we habe pTemp since a few builds, so it makes\nsense now to store the hid file to pTemp. Therefore a new pTemp directory *hid* has been created to hold this file. The new sample *hid* shows how to turn this feature on.\n- nstl checks the *audit.log* size when starting up. After an update, the log directory on emptydir got deleted when re-creating the new pod. This caused\nthe audit log to be empty and caused an error. The log directory of nstl has also now moved to pTemp to avoid this.\n- Added *limitations.md* to the docs directory and READMEs\n- Update jsonl structure to get AI Support Assistent running\n- Health Check des SP Connectors nun auf `/nscale_spc/images/icons/PowerPoint.svg`\n- Added *generic mounts* to be able to add any pre provisioned PV to a container. Like a smb, nfs oder cifs share with migration data for pipeliner for example.\n- Moved the nstl cluster service to the nstl chart and made sure the default ports etc. are used correctly\n- Bugfix in domain name\n- Adding *Service* configuration section to most components. This section can be used to disable a components service (along with the potential ingress) to\nbe able to configure cluster services for retrieval (used in the SharePoint scenario). 
Please see the sharepoint sample for more information\n- Adding a clusterService configuration as an additional option to achieve above goal\n- Commented the SharePoint Probe out, because it needs work\n- New Instance Group Feature\nYou can set an alternative `.instance.group` to bundle multiple Instances together. This will allow traffic to be passed beween all instances within this group.\nThis is ment to be used for large instances that you might want to split up. Please see the `group` sample.\n- Fixed a bug in the resolver, preventing sliced maps to be deepCopied into .this\n- Fixed a bug concerning Postgres PullSecrets\n- Added pullSecretsOverride\n- waitFor can now be turned off if you feel argoWaves are all you need:\n```\nutils.disableWait: true\n```\n- argoCD Waves can now be turned off if you feel waitFor is all you need:\n```\nutils.disableWave: true\n```\n- Added FluentBit:2.0 as default LogForwarder e.g. for the Accounting Log.\n- Changed the default argoCD waves to make sure the prepper runs first\n- Fixed a bug, where the condition of the sharepoint instances were all bound to the same key\n- Adding *Maintenance Mode*, to start pods without starting the service, providing the possibility to gain access to the container to perform recovery tasks that need to be done offline. 
In order to do this:\n- All *waitFor* definitions are ignored\n- All *Health Checks* are ignored\n- The container starts in idle\n- Application Jobs are disabled\nYou can put a component, an instance or the whole environment into maintenance.\n- Adding a new values map: `.instance` holding `.instance.version` currently, showing the nscale Version installed (pinning the nappl)\n- Adding downward compatability for `nscaleVersion` and `componentVersion`\n- the *nplus Environment Chart* now has a *prepper* component you can turn on if needed\n- nstore Downloader is now *disabled* by default\n- Renamed Administrator Server aka RMS to *nplus Remote Management Server*\nThis should show the proximity to the *nscale Remote Management Service* and the idea of using a *virtual Server* for the rich Admin Client\n- worked on Documentation\n- Re-Structuring the Samples Directory\nBreaking Changes\n- The **storageClass** of a static volume is now set to empty (\"\") to prevent the PV from being bound to the wrong PVC. We also recommend putting a claimRef into your PV to make sure only the correct PVC can bind to it.\nYour PV also has to set the storage class to \"\" otherwise it will not bind.\nsee https://kubernetes.io/docs/concepts/storage/persistent-volumes/\n- Slicing Environment Chart into Subcharts:\nThe Environment Chart is now an Umbrella Chart. It references the operator, toolbox, dav and backend separately. By that means, you can now also add those charts to the Instance Umbrella Chart with *SIM*\n- Adding *SIM* to Instance\nThe *Single Instance Mode* lets you run a single *nplus Instance* in your namespace. The Instance *should* be named after the namespace. You can turn on the environmental components *operator, toolbox, dav and backend* in the Instance chart to get a single chart that brings all it needs\n- Excluding \"globals\" from ArgoCD Values\nThere was a large globals section in the ArgoCD Application, that was unnecessary. 
It is removed\n- Adding *Prepper* as a component to deploy git assets prior to component deployment:\nSometimes you need to deploy assets like Web Snippets to the Instance *before* any other component is deployed and initially started. The prepper can be used to download assets from git, extract tarballs and then calling scripts to perform any custom action. The prepper has no waitFor condition, thus running directly after the PVs are created, which happens in the *backend* chart of the environment. *Prepper* ist much like the *Application* Chart, but it of course cannot deploy anything into an Application Layer, as the nappl not yet exists.\n- Adding download capability to the Application Chart\nYou can now define downloads, that the Application Chart should perform prior to executing any script or App Installation\n- CIFS Mode for File Storage, preventing chmod from being run in scripts, is now *on* by default.\n- Renamed the *nappl* Cluster, if there is no prefix (as in instance name == Release.namespace due to SIM)\n- fixed a bug, where some resources (defaultconfig, networkpolicies, database config, ...) were not created in the release namespace but the default\n- Added `includeNamespace`\nBy default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later\nPotentially Breaking Changes:\n- The former Environment Chart used non-Standard Labels you might have used for your firewall rules. These are now normalized and the new environmental components behave just like any other component.\n- Introduced *ptemp* as a persistent temp space, e.g. 
for the accounting logs or database dumps etc.\n- Accounting in Storage Layer: set `accounting: true` and the csv files will be written to *ptemp*\n"} +{"chapter": "July 2024, release 1.2.1303", "level": 2, "text": "- customizingMode as new switch in *web*\n- fixed a bug with timezone data\n- Add a key to switch off certificate generation if no issuer is set: createSelfSignedCertificate\n- Added tcps as port with 3006 to nstl\n- Fixed a bug with the resolver in combination with the instance name: Resolving was too late for some\nString operations.\n- Normalized all examples that no more includes are used in templates (are not necessary any more) and also\nsingle quotes are normalized to double quotes for strings, as we now do not need to use double quotes for the\nincludes any more.\n- Adding nscale Web tls and completing Zerotrust Mode\n- Changed the default of priorityClasses: It is now OFF. See FAQ for documentation\n- global flags and defaults for TZDATA / Timezone setting\nBig things:\n- An all new Values sub-system:\n- You can now stage **any** value!\n- You can now override **any** value on **any** stage!\n- This also works with your own values for your custom charts\n- templates used in values are automatically and recursively resolved. 
This also works with your custom values!\n- Update to nscale 9.2.1302\n- Many cleanups\nBreaking Changes:\n- new .Values section: *meta*\n- *nscaleVersion* is now in section meta\n- *componentVersion* is now in section meta\n- *ports* is now in section meta\n- *type* is now in section meta\n- *wave* is now in section meta\n- *commercial.tenant* is now in section meta\n- *commercial.provider* is now in section meta\nNon breaking Changes:\n- *this*\nIn code, you can now refer to `.this.*` instead of `.Values.*`.\n*this* is build from .Values (for component values), .Values.global (for instance values) and .Values.global.environment (for environment values) automatically\n- automatic resolver\nafter condensing the `.Values` into `.this`, a new recursive resolving function now looks for any template used in values and resolves it (using `.this` values)\n- new .Values section: *override*\nThis section is automatically applied to all .this, overwriting any existing value.\n*override* is also subject to automativ compression and resolving\n- Helper functions are moved from _helper.tpl to a new map in code, accessible via `$.component`.\nif you used helper functions in your templates, you need to port them. They are still working, but are depricated.\n- *_depricated.tpl* now holds depricated functions. They resolve to the new function / value and are subject for being removed in future majors.\n- new debugging mechanism:\nYou might want to debug your values and functions and helm lacks some important functionality for this, like a callstack.\nThe new debug feature now provides this functionality. You can call `nplus.debug.enter` and `nplus.debug.leave` in your code to\nadd this functionality to your own definitions.\n- debugging Values:\nif debugging is enabled, Values are reported in the component custom resource. Just search for `DEBUG` in `helm template` code.\n- to enable debug, set `debug: true` on any level. 
Example:\n```\nglobal:\nenvironment:\nutils:\ndebug: true\n```\n- debug also adds strict mode, so depricated functions are failing\n- *init function*\nif you want to use the new functionality (.this, .component, ...) in your template, call `include \"nplus.init\"` as first line in your code.\nIt initializes automatically\n- new .component section with calculated values for you to use in your templates.\n- fixed a bug, where nappl sync wave is after application sync wave (ArgoCD)\n- Sorting and Documenting the default ArgoCD Waves (see quickstart-argo)\nBreaking changes:\n- renamed nstlIPRange to nstlIpRange\n- In Application Chart, renamed .Values.rs to .Values.rs.host\n- In Application Chart, renamed .Values.nstl to .Values.nstl.host\n- changes in database Values.yaml, please check if you used it\nNon breaking changes:\n- Added nstlIpRange to the Storage Layer Chart to allow to open egress connections from internal Storage Layer to servers outside the cluster\n- New *defaultConfig* possibility to add default config files to Charts that are used prior to image templates (e.g. 
for a common cold.xml)\n- Added *sessionCacheStorageType* as a new parameter for NAPPL\n- Adding *dbIpRange* to the cni security options\n"} +{"chapter": "June 2024, release 1.2.1204", "level": 2, "text": "- RMS now including HA Mode (see samples)\n- Fixes a problem, that the SNC Files are not in the NAPPL lib directory\n- Encrypt Sample\n- ZeroTrust Mode\n- Code cleanup\n"} +{"chapter": "June 2024, release 1.2.1203", "level": 2, "text": "- Allow Application Scripts to run before and after globally and per DocArea\n- Add more logging to DAV Container\n- Add PAM and SharePoint Connector to dsl\n"} +{"chapter": "June 2024, release 1.2.1202", "level": 2, "text": "- Allow multiple nscale SharePoint Connector instances with a separate configuration each\n- Allow Certificate Stores to be defined as configMaps OR secrets\n- current alpha Version of nscale SharePoint Connector for testing\n"} +{"chapter": "June 2024, release 1.2.1201", "level": 2, "text": "- Fixed a bug in nscale Web due to the read only file system\n- Added SNC support to access SAP Server\n- Added Java Certificate Keystores (cacerts and component.store)\n"} +{"chapter": "June 2024, release 1.2.1200", "level": 2, "text": "- Update to nscale Version 9.2.1200\n- Adding nscale PAM (Process Automation Modeler) helm chart\n- Adding nscale SharePoint Connector helm Chart\n- Adding O365 Sample (with SP Connector)\n- Support extra fonts (like Microsoft Core Fonts)\n- Allow calling global or local custom installation scripts during initialization (application chart)\n- Add Applications to Health Status\n- Adding a *Zero Trust* Example (`zerotrust.yaml`). The functionality is not yet completely implemented, so this is alpha status.\n- Temporarily adding Custom Project API container (\"dms-api\") to the instance\n- Alpha Version of Ports cleanup\n"} +{"chapter": "May 2024, Release 1.2.11xx", "level": 2, "text": "- Support envFrom in all components, with secretRef. 
Set the secret name in `envSecret`\n- Support whitelisting in ingresses\n- Add Inter Pod AntiAffinity\n- Now using kube-linter for pre-release checking\n- Supporting CNI NetworkPolicies\n"} +{"chapter": "Apr 2024, Release 1.2.1004", "level": 2, "text": "- Test with nscale 9.2\n- Operator Web GUI switch\n- Deny in all ingresses\n- Added Priority Classes\n- Added Budgets\n- Support for volumeName in PVC to supress dynamic provisioning of PVs\n- Support for kubePing **and** KUBERNETES Discovery for Cluster Communication\n- Documentation Updates\n- Updates to dsl (nstl and operator)\n- Bug Fixes\n"} +{"chapter": "Mar 2024, Release 1.1.1501", "level": 2, "text": "- Added the Operator\n- Web GUI for Monitoring\n- RBAC enhancements\n- Remote Management Server (RMS) Preview\n"} +{"chapter": "Feb 2024, Release 1.1.1401", "level": 2, "text": "- Added Administrator Client\n"} +{"chapter": "Jan 2024, Release 1.1.1302", "level": 2, "text": "- Changed Packaging to enable new helm Repo (gitea)\n- Update dsl (C4) config files\n- Added support for up to 4 Storage Layer\n"} +{"chapter": "Jan 2024, Release 1.1.1301", "level": 2, "text": "- Fixed Application Chart Security Settings\n- Added possibility to easily overwrite Versions\n(see versions/*.yaml and e90 Example)\n- Added Charts for nscale Administrator (RAP) and WebDAV Connector\n- Added nstl Cluster (up to 4 Storage Layer)\n- Added support for Docker Desktop Kubernetes\n"} +{"chapter": "Jan 2024, Release 1.1.1300", "level": 2, "text": "- Added Security Features:\n- root-less Container\n- dropped capabilities (all)\n- read only root file systems on all container\n- Prohibit Privilege Escalation\n- New Toolbox Image\n- new (controlled source) \"wait\" function\n- new (controlled source) \"webdav server\" function\n- Change DB Image to bitnami beacuse of better support for security features.\n- User 1001 instead of 999\n- no chown necessary\n- support for read-only root\n- Support multi-temp paths (because of read-only root)\n"} 
+{"chapter": "23 December Release", "level": 2, "text": "- Security Features:\n- Support for Illumio Labels and Gates\n"} diff --git a/ai/jsonl/image.jsonl b/ai/jsonl/image.jsonl new file mode 100644 index 0000000..0970b75 --- /dev/null +++ b/ai/jsonl/image.jsonl @@ -0,0 +1 @@ +{"chapter": "Common Image Configuration", "level": 2, "text": "The `image` configuration consists of\n- the Image Name\n- the Image Repository\n- the Image Tag\n- the Image Pull Policy\nIf the Pull Policy is not set, it is automatically `IfNotPresent`.\nThe `Repository` can be overridden at Instance Level and Environment Level to accomodate multiple stages:\n```\nimage:\nname: test\ntag: 1.0.0\nrepo: cr.nplus.cloud # Prio 3\npullPolicy: Always\nglobal:\nrepo: myrepo_i1 # Prio 4\nrepoOverride: myrepo_i2 # Prio 2\nenvironment:\nrepo: myrepo_e1 # Prio 5\nrepoOverride: myrepo_e2 # Prio 1\n```\nIn this example, finding the repo to use would be:\n```helm\n$repo := global.environment.repoOverride | default global.repoOverride | default image.repo | default global.repo | default global.environment.repo\n```\nOnce you override the repo, you might als want to override the `pullSecrets` globally to allow login to your private registry. Since you do not want to do that per image definition, you - just like the repos - can override that globally:\n```\nglobal:\npullSecretsOverride:\n- myPrivateRegistrySecret\n```\nThe override procedure is identical to the repo example above.\n**The Use Case** is to easily enable you to download the images to a private and secure registry. *nplus* by default uses the official registries, but\nthat is most likely not wanted by enterprise customers. So you can just set your own registry in the environment and keep dev, qa and prod apart and secured.\n"} diff --git a/ai/jsonl/ingress.jsonl b/ai/jsonl/ingress.jsonl new file mode 100644 index 0000000..c8db551 --- /dev/null +++ b/ai/jsonl/ingress.jsonl 
@@ -0,0 +1,2 @@ +{"chapter": "Common Ingress Configuration", "level": 2, "text": "The Ingress Configuration can be performed at various levels:\n- Per Component / Chart\n`ingress.`\n- Per Instance\n`global.ingress.`\n- Per Environment\n`global.environment.ingress.`\nThis enables you to have configuration yaml files per environment (e.g. for DEV, QA and PROD) setting environment defaults.\nYou then do not have to touch the Instance configuration.\nExample:\n```\nhelm upgrade -i \\\n--values $SAMPLES/big-instance.yaml \\\n--values $SAMPLES/applications.yaml \\\n--values $SAMPLES/dev.yaml \\\ndemo nplus/instance-argo\n```\nYou might have your Instance values in the `big-instance` file, the Apps you want to have deployed to that instance\nin the `applications` file, and then you add your default setting for the `dev` stage, potentionally overwriting anything\nfrom the above. The priority in this is *last one wins*.\n> The Values are taken by the chart in the following order:\n> Component, then Instance, then Environment.\nIf no value is set, the configuration is dropped from the manifest.\nIn the following table, you see what value can be defined in which section:\n| Key | Component | Instance | Environment |\n| ---- | ----------- | ----------- | ----------- |\n| domain | ✔︎ | ✔︎ | ✔︎ |\n| issuer | ✔︎ | ✔︎ | ✔︎ |\n| class | ✔︎ | ✔︎ | `public` |\n| enabled | ✔︎ | - | - |\n| backendProtocol | ✔︎ | - | - |\n| cookie | ✔︎ | - | - |\n| inputPath | ✔︎ | - | - |\n| deny | ✔︎ | - | - |\n| whitelist | ✔︎ | ✔︎ | ✔︎ |\n| namespace | ✔︎ | ✔︎ | ✔︎ |\nFor the component ingress, you can specify the following values:\n| Key | Description | Default |\n|-----|-------------|---------|\n| backendProtocol | choose wether you want http or https as the backend protocol. This will encrypt traffic from the ingress controller to your pods if you set it to https. | `\"http\"` |\n| class | sets the ingressclass to use. e.g. 
`public` or `nginx` | `\"public\"` |\n| cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | component dependent |\n| domain | sets the ingress domain, like `tenant1.mydomain.com`. If no domain is set, no ingress will be configured automatically | none |\n| enabled | on component level, enable or disable the ingress | component dependent |\n| inputPath | this defines the path (on component level) for this component Example: `nscale_web` for nscale Web | component dependent |\n| issuer | if you use *cert-manager* or any other certificate issuer, you can add the class here to hand certificate issuing requests to this issuer. if you do not set any issuer, the chart will generate a self-signed certificate for your ingress (if you defined a domain) | |\n| deny | you can specify specific paths to be denied by this ingress | component dependent |\n| whitelist | optionally specify a list of allowed ip ranges to use an ingress | not restricted |\n| namespace | when securing the instance with network policies, you can specify the source namespace of the ingress controller | \"ingress\" |\n| annotations | adds extra annotations\n> Please the the FAQ for information about using a DMZ, where additional cluster configuration will be necessary\n"} +{"chapter": "Annotations", "level": 3, "text": "You can add extra Annotations to the ingress by adding\n```\nglobal:\ningress:\nannotations:\nnginx.org/proxy-connect-timeout: \"30s\"\nnginx.org/proxy-read-timeout: \"20s\"\nnginx.org/client-max-body-size: \"4m\"\nnginx.org/server-snippets: |\nlocation / {\nreturn 302 /coffee;\n}\n```\n"} diff --git a/ai/jsonl/java.jsonl b/ai/jsonl/java.jsonl new file mode 100644 index 0000000..d8bc81c --- /dev/null +++ b/ai/jsonl/java.jsonl 
@@ -0,0 +1 @@ +{"chapter": "Definig Java VM Resources", "level": 2, "text": "For those components implemented in Java, it is possible to set Java Options:\n- nscale CMIS Connector\n- nscale ILM Connector\n- nscale Application Layer\n- nscale Rendition Server\n- nscale Web\n| Key | Description | Default |\n|-----|-------------|---------|\n| javaOpts.javaMaxRamPercentage | Maximum memory given to Java in % | - |\n| javaOpts.javaMinMem | Minimum memory given to Java | - |\n| javaOpts.javaMaxMem | Maximum memory given to Java | - |\n| javaOpts.javaMisc | Additional Java Options | - |\n> **Note**: if you defined settings for *appDynamics*, the agent will automatically be added to the Java Options when the above components are run. Please refer to `global.appDynamics.agent` for more information.\n"} diff --git a/ai/jsonl/mounts.jsonl b/ai/jsonl/mounts.jsonl new file mode 100644 index 0000000..d32a770 --- /dev/null +++ b/ai/jsonl/mounts.jsonl 
@@ -0,0 +1,12 @@ +{"chapter": "Common Storage Configuration", "level": 2, "text": "This works just the same way as the Ingress settings: The Configuration can be performed at various levels:\n- Per Component / Chart\n`storage.`\n- Per Instance\n`global.storage.`\n- Per Environment\n`global.environment.storage.`\nThis enables you to have configuration yaml files per environment (e.g. for DEV, QA and PROD) setting environment defaults.\nYou then do not have to touch the Instance configuration.\nFor storage, there are several volume types:\n- **conf**, Shared File, RWX, global per environment\n- **data**, Disk, RWO, optional per component\n- **file**, Shared File, RWX, optional per ReplicaSet\n- **temp**, EmptyDir\n- **ptemp**, Shared File, RWX, global per environment\n- **log**, EmptyDir, should be empty, so just in case\n- **pool**, optional path on the conf share mounted by some components\n- **generic**, allows to mount any pre-defined PV into a container\n"} +{"chapter": "conf", "level": 3, "text": "The *conf* storage is a global PVC with RWX (file) shared by every component in the environment. The component creates a sub directory\non the share and mounts it to the config directory in the container.\n`storage.conf.name` sets the name of the PVC to be created and used.\n`mounts.conf.path` defines the target directory in the container.\nAs the environment normally provides the *conf* share, you can set the class and the size in the environment.\nIf you habe your RWX storage class provided by a CIFS / SMB shared file system, you need to disable linux commands like *chmod*.\nThis can be done in the storage environment settings:\n```\nglobal:\nenvironment:\nstorage:\nconf:\ncifs: true\n```\n"} +{"chapter": "data", "level": 3, "text": "Every component can create a data PVC with RWO (disk). You can set the `class` for this disk directly at the mount definition `mounts.data.class`. 
If unset, it uses the definition for the data class from `global.storage.data.class` or from the environment definition at `global.environment.storage.data.class`.\nIf the class is not defined, it is not included in the manifest and so the cluster default is taken.\nSet the size at `mounts.data.size`. No default for the size.\n"} +{"chapter": "file", "level": 3, "text": "Every component can create a file PVC with RWX (shared file). You can set the `class` for this share directly at the mount definition `mounts.file.class`. If unset, it uses the definition for the file class from `global.storage.file.class` or from the environment definition at `global.environment.storage.file.class`.\nIf the class is not defined, it is not included in the manifest and so the cluster default is taken.\nSet the size at `mounts.file.size`. No default for the size.\nThis file mount is used for example for the *nscale Rendition Server* to create a common workload directory for all PODs across cluster nodes.\n"} +{"chapter": "temp", "level": 3, "text": "If a *temp* mount point is given in the values file, it creates an `emptyDir` volume with the `sizeLimit` of `mounts.temp.size`. If no limit is given, the volume will have no limit and the cluster node default is used.\nIf you want to back this volume by memory, specify `mounts.temp.medium: memory`. Be aware, that this will utilize a RAM disk and count against your PODs resources.\n> The *nscale Application Layer* caches fulltext data in temp. Please be aware of your component behaviour when setting medium and size. Your plugins might be requireing speed or size.\n"} +{"chapter": "ptemp", "level": 3, "text": "*ptemp* is a shared, persistant version of temp. 
It is used to store temporary data, that needs to live beyond the life of a pod, like exports from the database or account logs from storage layer.\nThe ptemp is created by the environment and all pods are free to use it, just like conf.\n"} +{"chapter": "logs", "level": 3, "text": "If a *logs* mount point is given in the values file, it creates an `emptyDir` volume with the `sizeLimit` of `mounts.logs.size`. If no limit is given, the volume will have no limit and the cluster node default is used.\nThe components are writing logs to `stdout` and `stderr`, so the logs directory should not be necessary. This is just in case any plugin writes something to the contaainers file system.\nAdditionally, if you use the *nplus Remote Management Server* component, you might want the legacy way of reading log files, and this would be the storage for that.\n"} +{"chapter": "pool", "level": 3, "text": "You can define a path at `mount.pool`, then this component will have access. This is used to hand binary data to the components, such as plugins or *nscale Generic Base Apps* along with the *nscale App Installer*.\n"} +{"chapter": "Pre-Created Persistent Volumes", "level": 3, "text": "For security reasons, Persistent Volumes can be pre-created and then referenced by the PVC. 
In order to do so, you can set\n- `storage.conf.volumeName` in the environment configuration to set a specific volume reference for the config share, and\n- `mounts.data.volumeName` in each components values to set a specific volume reference for the (optional) data volume, as well as\n- `mounts.file.volumeName` in each components values to set a specific volume reference for the (optional) file volume\nAs the volume is specific to a certain volume, it cannot be set globally.\n"} +{"chapter": "Setting storage values", "level": 3, "text": "| Key | Component | Instance | Environment |\n| ---- | ----------- | ----------- | ----------- |\n| conf.name | ✔︎ | ✔︎ | `conf` |\n| data.class | ✔︎ | ✔︎ | ✔︎ |\n| data.size | ✔︎ | - | - |\n| data.paths | predefined list | - | - |\n| data.volumeName | ✔︎ | - | - |\n| file.class | ✔︎ | ✔︎ | ✔︎ |\n| file.size | ✔︎ | - | - |\n| file.paths | predefined list | - | - |\n| file.volumeName | ✔︎ | - | - |\n| temp.size | ✔︎ | - | - |\n| temp.medium | ✔︎ | - | - |\n| temp.path | predefined | - | - |\n| logs.size | ✔︎ | - | - |\n| logs.medium | ✔︎ | - | - |\n| logs.path | predefined | - | - |\nAvoid to change the values marked as *predefined*.\n"} +{"chapter": "Working with Certificates", "level": 3, "text": "There are two types of certificates than you might want to customize in your deployment:\n- (Root-) Certificate Authorities\n- Private Certificates and Key Files\n**Root CA** extensions will be needed if you want to access other services via https (egress), that have certificates signed by a non-default authority.\nIn that case, you can upload the authority (public) certificate to trust it.\nThe process differs from component to component, as some are written in java (and require the certificate to be inside a keystore)\nand others are written in C++ or else and might require a PEM certificate store (like the Storage Layer).\nFirst thing is to create the store in whatever format it is needed and then upload it into a secret. 
Within the helm values, you can then\nset the destination path and file name next to the secret where you stored the certificate. There can be multiple certificates.\n```\nmounts:\ncaCerts:\npaths:\n- \"/etc/pki/tls/certs/ca-bundle.crt\"\n- \"/usr/lib/jvm/jre/lib/security/cacerts\"\nsecret: ca-secret\n```\nIn this example, the secret *ca-secret* needs to hold two files:\n- a cacerts file (under that key), which is a java keystore file and will\nbe placed as the cacerts file in the Java deployment of the component (In this case the NAPPL).\n- a *ca-bundle.crt* file which is a PEM format file that holds all trusted CAs you need.\nThe *paths* list defines the path and filename of the target as well as the key of the files within the secret.\nIn Storage Layer, this might look like this:\n```\nmounts:\ncaCerts:\npaths:\n- \"/opt/ceyoniq/nscale-server/storage-layer/etc/CA.CER\"\nsecret: ca-secret\n```\nIn this case, the Sorage Layer requires the root ca certs to be a file of exactly this name in the etc directory of the deployment.\nPlease consult the storage layer manual for more information.\n**component Certificates** and Key files are normally used to hold private tls certificates to encrypt https traffic (ingress).\nThe configuration of these keystores is identical to the ca stores:\n```\nmounts:\ncomponentCerts:\npaths:\n- \"/opt/ceyoniq/nscale-server/application-layer/conf/certificates.store\"\nsecret:\n```\nIn this case, the secret must have a key named *certificates.store* that holds the java keystore with the required certificates.\n> Please note, that alternatively, you can also upload this file to the conf directory of the application layer. 
If you do not specify a secret, this\nmount will not be implemented.\nUploading to this file to the conf would be like this:\n```\nkubectl cp certificates.store nplus-toolbox-0:/conf//nappl\n```\n**Alternatively, you can also define a configMap** for the public CA certificates, then the configuration would be like this:\n```\nmounts:\ncaCerts:\npaths:\n- \"/opt/ceyoniq/nscale-server/storage-layer/etc/CA.CER\"\nconfigMap: ca-map\n```\n"} +{"chapter": "Using the generic mount interface", "level": 3, "text": "This allows you to mount any pre-provisioned PVs, secret or configMap as a directory or single file into any container.\nIt can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.\nUse the following format:\n```\nmounts:\ngeneric:\n- name: :\npath: \nvolumeName: \nconfigMap: \nsecret: \nsubPath: [a (optional) subpath to be used inside the PV]\naccessMode: \nsize: \n```\nPlease see the *generic* sample in the samples directory for detailes.\n"} diff --git a/ai/jsonl/operations1.jsonl b/ai/jsonl/operations1.jsonl new file mode 100644 index 0000000..e80fc7b --- /dev/null +++ b/ai/jsonl/operations1.jsonl 
@@ -0,0 +1,2 @@ +{"chapter": "Day 1 Ops: Install, Update, Uninstall", "level": 1, "text": "1. Install instance *sample*\nTo demonstrate, we use the sample-tenant chart we find in the samples directory. The main difference\nto the default instance chart is, that a domain is set to `*.sample.nplus.cloud`, so we will be able to\nlog into the web client right away if we redirected this domain correctly.\nYou can easily adopt the examples to your environment.\n```\nhelm install sample nplus/sample-tenant --version 9.0.1400\n```\n2. **Rolling update** of instance *sample* to a later monthly release\nAll nscale components support rolling updates, **but** the *nscale Application Layer*.\nAs the Application Layer has the connection to the database, and this depends on the DB scheme,\nonly cluster members with the same version can work with that DB at the same time.\nThere are no scheme updates in monthly releases, so we can use the default rolling updates here.\n```\nhelm upgrade sample nplus/sample-tenant --version 9.0.1501\n```\n3. **Minor / Major Update** of instance *sample*\nMinor or Major updates require the *nscale Application Layer* to have the same version on all cluster nodes. 
And since the *nscale Pipeliner* may also have an integrated *nappl* in core mode, we also need to update the pipeliner at the same time.\nWe first need to shut down all *nappl* cluster members, so set the *nscale Application Layer*, the potential *nappl Jobs Node* and the *nscale Pipeliner* stateful sets to replica 0.\nIn *nplus*, these replicaSets are labeled with `nplus/type=core`, so we can easily select them:\n```\nkubectl scale statefulset -l nplus/type=core,nplus/instance=sample --replicas=0\n```\nAfter that, the update is just like a monthly release:\n```\nhelm upgrade sample nplus/sample-tenant --version 9.1.1001\n```\n> As nplus does not know if you run the Pipeliner in core mode, make sure you change the default type `pipeliner` to `core` when installing, indicating that this pipeliner node needs to be scaled down as well.\n4. **Uninstall** the instance *sample*\n\n```\nhelm uninstall sample\n```\n"} +{"chapter": "Install, Update, Uninstall *with argoCD*", "level": 1, "text": "1. Install instance *sample-argo*\n```\nhelm install sample-argo nplus/sample-tenant-argo --version 9.0.1400\n```\n2. **Rolling update** of instance *sample-argo* to a later monthly release\n```\nhelm upgrade sample-argo nplus/sample-tenant-argo --version 9.0.1501\n```\n3. 
**Minor / Major Update** of instance *sample-argo*\nThe difference to a deployment without argoCD is, that if we manually scale down the *nappl* cluster nodes,\nargoCD tries to immediately **heal** this discrepancy between the description and the status.\nSo we first switch off this healing mechanism, to be able to scale down:\n```\nkubectl -n argocd patch --type='merge' application sample-argo -p \"{\\\"spec\\\":{\\\"syncPolicy\\\":null}}\"\n```\nAfter that, it is the same update procedure as we have with a standard deployment:\n```\nkubectl scale statefulset -l nplus/type=core,nplus/instance=sample-argo --replicas=0\nhelm upgrade sample-argo nplus/sample-tenant-argo --version 9.1.1001\n```\nWhen done, we switch the healing back on which will start to re-sync and recreate all cluster members\nwith the new version:\n```\nkubectl -n argocd patch --type=merge application sample-argo -p \"{\\\"spec\\\":{\\\"syncPolicy\\\":{\\\"automated\\\":{\\\"prune\\\":true,\\\"selfHeal\\\":true}}}}\"\n```\n4. **Uninstall** the instance *sample-argo*\n\n```\nhelm uninstall sample-argo\n```\n"} diff --git a/ai/jsonl/operations2.jsonl b/ai/jsonl/operations2.jsonl new file mode 100644 index 0000000..addbcba --- /dev/null +++ b/ai/jsonl/operations2.jsonl 
@@ -0,0 +1,11 @@ +{"chapter": "Day 2 Ops: Tips & Tricks", "level": 1, "text": ""} +{"chapter": "Re-Installation, re-using the former volumes", "level": 2, "text": "Whether with or without ArgoCD, the used volumes can be reattached during reinstallation. However, a few steps are required:\n1. **Before** deleting the instance, set the instance volumes to *Retain*:\n```bash\nkubectl get pv | grep Delete | grep demo-argo | cut -d' ' -f1 | xargs -I PV_NAME \\\nkubectl patch pv PV_NAME -p '{\"spec\":{\"persistentVolumeReclaimPolicy\":\"Retain\"}}'\n```\n2. **After** deletion, these volumes will be in *Released* state.\nHere, the ID of the old PVC must be deleted, but not the entire Ref, otherwise, the disk cannot be assigned to the instance and service later.\n```bash\nkubectl get pv -A | grep Released | grep demo-argo | cut -d' ' -f1 | xargs -I PV_NAME \\\nkubectl patch pv PV_NAME --type json -p '[{\"op\": \"remove\", \"path\": \"/spec/claimRef/uid\"}]'\n```\nNow, the volumes are in an *Available* state and still have the *claimRef* of the instance and the component. If you now recreate the instance, these disks/volumes will be correctly reused.\nExample:\n```bash\nhelm upgrade --install demo-argo nplus/instance-argo --version 9.1.1001\n```\nHowever, if you create an instance with a different name, the claimRefs won't match, and new volumes will be generated.\n"} +{"chapter": "Cleanup / Completely remove an instance", "level": 2, "text": "1. **Uninstall** the helm charts\nDeletion is *Cascading*, meaning it deletes everything it installed.\n```bash\nhelm uninstall demo-argo\nhelm uninstall demo\n```\n2. The **configuration** is in the **git** of the Toolbox, and it needs to be removed\n```bash\nkubectl exec --stdin --tty nplus-0 -- rm -rf /conf/demo\nkubectl exec --stdin --tty nplus-0 -- rm -rf /conf/demo-argo\n```\n3. 
If the volumes were **not** on *Delete* but on *Retain*, they can be deleted:\n```bash\nkubectl get pv -A | grep Released | grep \"demo\" | cut -d' ' -f1 | xargs -n1 kubectl delete pv\n```\nNow you can start over.\n"} +{"chapter": "Working with Persistent Volumes", "level": 2, "text": ""} +{"chapter": "Delete all \"Released\" PV", "level": 3, "text": "```bash\nkubectl get pv -A | grep Released | cut -d' ' -f1 | xargs -n1 kubectl delete pv\n```\n"} +{"chapter": "Delete all \"Available\" PV", "level": 3, "text": "```bash\nkubectl get pv -A | grep Available | cut -d' ' -f1 | xargs -n1 kubectl delete pv\n```\n"} +{"chapter": "Make \"Released\" PVs available again", "level": 3, "text": "1. Switch Delete to Retain:\n```bash\nkubectl get pv | grep Delete | grep demo-argo | cut -d' ' -f1 | xargs -I PV_NAME \\\nkubectl patch pv PV_NAME -p '{\"spec\":{\"persistentVolumeReclaimPolicy\":\"Retain\"}}'\n```\n2. Delete ClaimRef UID\n```bash\nkubectl get pv -A | grep Released | grep demo-argo | cut -d' ' -f1 | xargs -I PV_NAME \\\nkubectl patch pv PV_NAME --type json -p '[{\"op\": \"remove\", \"path\": \"/spec/claimRef/uid\"}]'\n```\n"} +{"chapter": "Monitoring", "level": 2, "text": "The Monitoring Console can be configured through the RAP Administrator. 
For each component to be monitored, an entry needs to be added in a component group (RMS doesn't exist!).\nAs a \"computer,\" FQDN, `..` can be used, for example, `demo-ha-nappl-0.demo-ha-nappl.lab`.\n"} +{"chapter": "Restart a pod", "level": 2, "text": "A Pod might be stuck and you might need to re-deploy this replicaset.\nThis example restarts the *web* component of instance *empty*:\n```\nkubectl rollout restart $(kubectl get deployment,statefulset -l nplus/component=web,nplus/instance=empty -o name)\n```\nTo restart all replicasets without available pods, use\n```\nkubectl get deployment,statefulset --field-selector=status.availableReplicas=0\n```\n"} +{"chapter": "Delete pending pods to have them re-created by the replicasets", "level": 2, "text": "When a pod gets into pending state forever, that is due to a lack of resources, tolerations or missing PVs.\nYo should correct the cause and then you can simply delete the pod and have it re-created by the RS.\nThis is how you get all pending pods:\n```bash\nkubectl get pods --field-selector status.phase=Pending\n```\nYou can delete all of them by\n```bash\nkubectl delete $(kubectl get pods --field-selector status.phase=Pending -o name)\n```\n"} +{"chapter": "Deleting all jobs", "level": 2, "text": "```bash\nkubectl delete $(kubectl get jobs -o name)\n```\n"} diff --git a/ai/jsonl/overview.jsonl b/ai/jsonl/overview.jsonl new file mode 100644 index 0000000..4c464b3 --- /dev/null +++ b/ai/jsonl/overview.jsonl 
@@ -0,0 +1,6 @@ +{"chapter": "Setting up a demo / dev infrastructure", "level": 1, "text": "- If you do not have a running system yet, please see the [Infrastructure Guide](docs/infrastructure.md) to install a *microk8s* based demo system\n- If you like to run a full demo system incl. ArgoCD, MetalLb, and cert-manager, please see the [Add-On Guide](docs/addons.md) and read how to add the additional components to your demo *microk8s* cluster\n"} +{"chapter": "Getting the first *nplus Instance* up and running", "level": 1, "text": "- In the [Quickstart Guide](docs/quickstart.md), you will learn how to install the first nplus system.\n- To check out the installation of an nplus Instance using ArgoCD, please see the [ArgoCD Quickstart Guide](docs/quickstart-argo.md).\n"} +{"chapter": "Examples of more complex setups", "level": 1, "text": "- Have a look at the [samples directory](samples) to see how Instances get deployed in the *nplus Demo Environment*.\n"} +{"chapter": "Operations", "level": 1, "text": "- [Day One Operations](docs/operations1) shows how to install, update and uninstall instances\n- [Day Two Operations](docs/operations2) explains how to re-use Persistent Volumes, Perform a proper cleanup after uninstall and tips on monitoring\n"} +{"chapter": "Limitations, Cookbook & FAQ", "level": 1, "text": "- please note the [limitations](docs/limitations.md) of the system\n- there is a FAQ located [here](docs/faq.md)\n- *nplus* also has a [cookbook](docs/cookbook.md), which is an *easy reading* version of all the READMEs from the samples. 
So basically you will get all source files of the [cookbook](docs/cookbook.md) in the [samples directory](samples)\n"} +{"chapter": "Further Reading", "level": 1, "text": "- For each component, there are corresponding instructions in the README of the chart.\nYou can always get the most up-to-date information via Helm, for example, for the Instance Chart:\n```\nhelm show readme nplus/nplus-instance\n```\nor here:\n**Environment**\n\n- [nplus Environment Chart README](charts/environment/README.md)\n\n**Instance**\n\n- [nplus Instance Chart README](charts/instance/README.md)\n- [nplus Instance ArgoCD Chart README](charts/instance-argo/README.md)\n\n**Components**\n\n- [nscale Application Layer Chart README](charts/nappl/README.md)\n- [nscale Storage Layer Chart README](charts/nstl/README.md)\n- [nscale Pipeliner Chart README](charts/pipeliner/README.md)\n- [nscale CMIS Connector Chart README](charts/cmis/README.md)\n- [nscale ILM Connector Chart README](charts/ilm/README.md)\n- [nscale Web Chart README](charts/web/README.md)\n- [nscale Monitoring Console Chart README](charts/mon/README.md)\n- [nscale Rendition Server Chart README](charts/rs/README.md)\n- [nscale Process Automation Modeler Chart README](charts/rms/README.md)\n- [nscale Sharepoint Connector Chart README](charts/sharepoint/README.md)\n- [nscale WebDAV Connector Chart README](charts/webdav/README.md)\n- [nplus Remote Management Server Chart README](charts/rms/README.md)\n- [Postgres Database Chart README](charts/database/README.md)\n\n**Application**\n\n- [nplus Application Chart README](charts/application/README.md)\n- Please see the [Version History](HISTORY.md) for a changelog\n"} diff --git a/ai/jsonl/priority.jsonl b/ai/jsonl/priority.jsonl new file mode 100644 index 0000000..b375ffa --- /dev/null +++ b/ai/jsonl/priority.jsonl 
@@ -0,0 +1 @@ +{"chapter": "Priority Class", "level": 2, "text": "You can select a specific *PriorityClass* which is then used for this component. If you enable `createClass`, it will be created.\n"} diff --git a/ai/jsonl/quickstart-argo.jsonl b/ai/jsonl/quickstart-argo.jsonl new file mode 100644 index 0000000..a636a90 --- /dev/null +++ b/ai/jsonl/quickstart-argo.jsonl 
@@ -0,0 +1,9 @@ +{"chapter": "Adding ArgoCD", "level": 1, "text": "In order to be able to deploy *nplus instances* using ArgoCD, you need to add the Chart Repository to Argo:\n```\ncat << EOF | kubectl apply -f -\napiVersion: v1\nkind: Secret\nmetadata:\nname: nplus-repo\nnamespace: argocd\nlabels:\nargocd.argoproj.io/secret-type: repository\nstringData:\ntype: helm\nurl: https://git.nplus.cloud\npassword: $NPLUS_TOKEN\nusername: $NPLUS_ACCOUNT\nEOF\n```\n> This requires the Environment Variables for the *NPLUS_ACCOUNT* and *NPLUS_TOKE* to be set. Check the Quickstart Guide if you are uncertain\nNow you are good to go adding an instance using ArgoCD. We will re-use the myinstance.yaml we created during the Quickstart Guide. You will also find it in [Samples](../samples/myinstance.yaml).\n```\nhelm upgrade -i \\\n--values myinstance.yaml \\\nmyinstance-argo nplus/nplus-instance-argo\n```\nThe only difference with ArgoCD is, that we use a different Chart for the instance: *nplus-instance-argo*.\nThe settings / values file is identical.\n![ ](assets/argo1.png)\nArgoCD will automatically pick up the new instance and start installing it.\nYou can check via command line\n```\n# kubectl get instance\nNAME HANDLER VERSION TENANT STATUS\nmyinstance Helm 9.1.1501 default healthy\nmyinstance-argo argoCD 9.1.1501 default healthy\n```\nOr via agroCD Web UI the current status of the deployment\n![ ](assets/argo2.png)\n> The Instance will report *healthy* in argoCD as well as using command line, even though the SBS Installer is not ready yet (as Applications are installed asynchronously as soon as the instance is healthy)\nAs soon as the Application Installer is done, it looks like this:\n![ ](assets/argo3.png)\n"} +{"chapter": "Monitoring ArgoCD", "level": 1, "text": "ArgoCD also has a custom resource, called *application*. The nscale argoCD Resources are created in the *argocd* Namespace. 
You can get them by\n```\n"} +{"chapter": "kubectl get app -n argocd", "level": 1, "text": "NAME SYNC STATUS HEALTH STATUS\nmyinstance-argo Synced Healthy\n```\nOf course you can also check with\n```\n"} +{"chapter": "kubectl get instances", "level": 1, "text": "NAME HANDLER VERSION TENANT STATUS\nmyinstance Helm 9.1.1501 default healthy\nmyinstance-argo argoCD 9.1.1501 default healthy\n```\nBut if you require detailed information, the best is to start describing the argoCD App:\n```\n"} +{"chapter": "kubectl describe app myinstance-argo -n argocd", "level": 1, "text": "```\nThis gives you a much higher level of detail.\n"} +{"chapter": "Troubleshooting ArgoCD", "level": 1, "text": ""} +{"chapter": "Cache", "level": 2, "text": "ArgoCD caches helm Chart content. This can be a problem especially during development, when you might now always increase version numbers.\nThen, you might want to hard reset an argoCD Appication to void the cache:\n```\nkubectl patch app/myinstance-argo -n argocd --type merge -p='{\"metadata\": {\"annotations\":{\"argocd.argoproj.io/refresh\": \"hard\"}}}'\n```\n"} +{"chapter": "Finalizer", "level": 2, "text": "Finalizers in Kubernetes are taking care of cleanup tasks. Sometimes, these finalizers in argoCD get stuck on deleting complex nplus instances. As a last option, you might want to try removing the finalizer and then cleaning the instance up manually:\n```\nkubectl patch app/myinstance-argo -n argocd \\\n--type json \\\n--patch='[ { \"op\": \"remove\", \"path\": \"/metadata/finalizers\" } ]'\n```\nThen delete the argoCD Application:\n```\nkubectl delete app/myinstance-argo -n argocd\n```\nSince the finalizer did not clean up, all *nplus instance* parts are still there. 
Luckily, they are labeled, so easy to identify:\n```\nkubectl get all,pvc,ing -l nplus/instance=myinstance-argo\n```\nWe can now use this list to delete everything:\n```\nkubectl delete $(kubectl get all,pvc,ing -l nplus/instance=myinstance-argo -o name)\n```\n> ArgoCD does not use helm to install but rather get the helm template and renders it internally. So there is no need to clean up helm after removing the argo app.\n"} +{"chapter": "Default Waves", "level": 1, "text": "The instance chart has some default waves defined. You can use them or overwrite the values with your own demands:\n- **wave 1**: prepper\n- **wave 2**: requirements: nstl, database\n- **wave 3**: essential services: rs, nappljobs, nappl (standalone, if jobs are enabled)\n- **wave 4**: hook: free to use for anything that needs to be done before the cluster starts\n- **wave 5**: consumer services: nappl (serving consumers) if jobs are disabled\n- **wave 6**: consumer services: web\n- **wave 7**: peripheral services: mon, pipeliner, ilm, cmis, webdav, sharepoint\n- **wave 8**: tools: administrator, pam\n- **wave 9**: tools: rms (Remote Management Server)\n- **wave 10**: solutions: application (incl. GBAs)\n"} diff --git a/ai/jsonl/quickstart.jsonl b/ai/jsonl/quickstart.jsonl new file mode 100644 index 0000000..f082531 --- /dev/null +++ b/ai/jsonl/quickstart.jsonl 
@@ -0,0 +1,17 @@ +{"chapter": "*nplus* Quickstart Guide", "level": 1, "text": "The charts are built in a way that they provide minimal functionality without any configuration, using default values.\n- If you want ingress, you have to configure the domain. Without the domain set, your charts will not have any default way to access them. However, you can still forward traffic to them or configure a *NodePort* or *LoadBalancer* manually.\n- If you want proper TLS, you need a certificate. Without the certificate provided, a self-signed certificate will secure your connection.\n- If you want specific storage, configure the storage class to use. Without it, you will get the default class for RWO and RWX.\nThis Quick Start example has nothing configured, so you will get:\n- No ingress, and\n- Default storage.\n"} +{"chapter": "Access to the *nplus* Subscription and the nscale License", "level": 1, "text": "You need access to:\n- The *nplus* Helm chart repository\n- The *nplus* container registry\n- The *nscale* license\n- The *nscale* container registry\nIn the next examples, we will use environment variables to access:\n```bash\nNPLUS_ACCOUNT=\"[your nplus subscription]\"\nNPLUS_TOKEN=\"[your nplus access token]\"\nNSCALE_ACCOUNT=\"[your account to access the Ceyoniq container registry]\"\nNSCALE_TOKEN=\"[the access token for above]\"\nNSCALE_LICENSE=\"[the path and license file to use]\"\n```\n"} +{"chapter": "The nplus helm repository", "level": 2, "text": "You can register the *nplus* Helm registry:\n```bash\nhelm repo add nplus https://git.nplus.cloud \\\n--username $NPLUS_ACCOUNT \\\n--password $NPLUS_TOKEN\nhelm repo update\n```\nYou should now be able to access the charts:\n```bash\n% helm search repo nplus --versions --devel\nNAME CHART VERSION APP VERSION DESCRIPTION\ngitea/nplus-application 9.1.1201-16 0.2.2 Application Chart\ngitea/nplus-application 9.1.1201-15 0.2.2 Application Chart\ngitea/nplus-application 9.1.1201-14 0.2.2 Application Chart\n...\n```\n> 
The `--devel` option gives you beta versions as well. Otherwise, you will only see release versions.\n"} +{"chapter": "The nscale license", "level": 2, "text": "Make sure you received an nscale license that fulfills the following criteria:\n- `Container: 1` - otherwise it will not allow to be run in a container environment\n- The Storage Layer `ServerID` *must not* be included in the license, as we cannot override it if it is fixed\n- `FullyQualifiedHostName: 0` - If this setting is *on*, the nstl will not work without the ServerID in the license\n- `DomainOnly: 1` - If this setting is *on*, the nstl will not work without the ServerID in the license\n- `hostname: \"*\"` - As hostnames are not really deterministic in Kubernetes, we need a license that allows the hosts to\nhave *any* name.\n- Make sure you have the storage adapter licensed, that you want to use (like S3, Azure BlobStore or Harddisk)\n- Optional: If you want High Availability with *nscale Server Storage Layer*, you need to have\n`DistributedService: 1`, otherwise the nstl instances can not communicate.\n"} +{"chapter": "*nplus* Cluster Resources", "level": 1, "text": "*nplus* also includes Cluster Resources (independent of Namespaces). These need to be installed first and globally.\n```bash\nhelm install nplus nplus/nplus-cluster\n```\nYou only need to perform this step once per Cluster, regardless of Environments/Namespaces.\n> If you don't want the *nplus* Helm application to appear in the current Namespace, you can install it as follows:\n```bash\nhelm template nplus nplus/nplus-cluster | kubectl apply -f -\n```\nAfter installing the cluster chart, you can test it by asking your cluster for deployed nscale resources:\n```bash\n$ kubectl get instance,component\nNo resources found in lab namespace.\n```\n*Instances* (also accessible via *nscale* or *nplus*) and *components* are custom resource definitions. 
Every Instance/Component installed will add an instance/component resource, and an *nplus operator* (which comes with the environment chart) will continuously check the instance/component health and report it via this command line or a web interface (see below).\n"} +{"chapter": "Create an *nplus* Environment", "level": 1, "text": "You can deploy *nplus* into a Kubernetes namespace. If you do not specify one, you will use the default one, which is fine for our test cluster. If you use namespaces, you can have multiple *nplus* environments in your cluster. Any environment can operate multiple *nplus* instances. Every *nplus* instance normally holds many components, each being *ReplicaSets* with multiple replicas.\nTo create a simple *nplus* environment without any additional features, deploy it into your new cluster:\n> By setting `--devel`, we are fetching the latest development version\n```bash\n% helm install --devel demo nplus/nplus-environment\nNAME: demo\nLAST DEPLOYED: Tue Dec 19 16:39:51 2023\nNAMESPACE: default\nSTATUS: deployed\nREVISION: 1\nTEST SUITE: None\nNOTES:\nnplus-environment 0.2.2-16 / 0.2.2\nThis Environment Chart provides a common config pool and administrative tools to operate all nplus instances in this namespace. There must be exactly one deployed instance of this environment chart. 
Without the environment, the instance and component charts will fail to deploy.\nTo uninstall, use\nhelm uninstall demo\nThe environment DAV Server is disabled.\nThe nstore Downloader is disabled.\nThe toolbox is disabled.\nProviding 10Gi of storage under the name \"conf\" of class \"default\"\n```\nNow you have an empty cluster ready to get a first instance deployment.\n"} +{"chapter": "Single Instance Mode", "level": 1, "text": "If you want to separate tenants on your system not only by instance but also by environment / namespace, you can run *nplus* in *single instance mode*.\nSIM (Single Instance Mode) lets you deploy your instance including all components of the environment in one single chart. Please see the [Instance README.md](../charts/instance/README.md) file for more details. This Quickstart Guide however is **not** using SIM.\n"} +{"chapter": "Deploy an *nplus* Instance", "level": 1, "text": "Before we can deploy the first *nplus* Instance, we need to add the Secrets for the registries and also the nscale license to the environment:\n```bash\nkubectl create secret docker-registry nscale-cr \\\n--docker-server=ceyoniq.azurecr.io \\\n--docker-username=$NSCALE_ACCOUNT \\\n--docker-password=$NSCALE_TOKEN\nkubectl create secret docker-registry nplus-cr \\\n--docker-server=cr.nplus.cloud \\\n--docker-username=$NPLUS_ACCOUNT \\\n--docker-password=$NPLUS_TOKEN\nkubectl create secret generic nscale-license \\\n--from-file=license.xml=$NSCALE_LICENSE\n```\n> Make sure the license key is called `license.xml` as that is used as the key in the charts.\nSecrets are namespace-dependent (one cannot access secrets from other namespaces), so we have to deploy them for every environment/namespace we use in our cluster.\nThere are multiple ways of deploying an *nplus* Instance, the easiest one is by simply calling the helm install on the command line:\n```bash\nhelm install --devel myinstance nplus/nplus-instance\n```\nYou can check the status of the instance 
using:\n```bash\n"} +{"chapter": "kubectl get instance", "level": 1, "text": "NAME HANDLER VERSION TENANT STATUS\nmyinstance Helm 9.1.1501 default starting\n```\nAnd the component status with:\n```bash\n"} +{"chapter": "kubectl get components", "level": 1, "text": "NAME INSTANCE COMPONENT TYPE VERSION STATUS\ncomponent.nplus.cloud/myinstance-nstl myinstance nstl nstl 9.1.1200 healthy\ncomponent.nplus.cloud/myinstance-rs myinstance rs rs 9.1.1300 healthy\ncomponent.nplus.cloud/myinstance-database myinstance database database 15 healthy\ncomponent.nplus.cloud/myinstance-nappl myinstance nappl\ncore 9.1.1501 healthy\ncomponent.nplus.cloud/myinstance-web myinstance web web 9.1.1500 healthy\ncomponent.nplus.cloud/myinstance-administrator myinstance administrator administrator 9.1.1500 healthy\n```\nYou can check the log files of the *Application Layer* for instance by typing:\n```bash\n"} +{"chapter": "kubectl logs -l nplus/instance=myinstance,nplus/component=nappl", "level": 1, "text": "```\n> Notice the locator in the logs example: Instead of telling kubectl the name of the pod or rs, we use locators because there may be multiple instances of these pods later, and we want to see all logs in one go (or have ELK, EFK, Splunk, or anything similar to do that for us).\n"} +{"chapter": "Adding an Ingress", "level": 1, "text": "We need to know the available ingressClasses in our new Kubernetes Cluster, so we check that:\n```bash\n"} +{"chapter": "kubectl get ingressclass", "level": 1, "text": "NAME CONTROLLER PARAMETERS AGE\npublic k8s.io/ingress-nginx 72m\nnginx k8s.io/ingress-nginx 72m\n```\n*Microk8s* comes with the most common classes, which both point to the same controller (in this case, nginx). *public* is indeed the default class for *nplus*. So we do not need to set that; it is already configured. 
We just need to tell the *nplus* instance to use a Domain for the ingress:\n```bash\nhelm upgrade --devel \\\n--set global.ingress.domain=myinstance.demo.nplus.cloud \\\nmyinstance nplus/nplus-instance\n```\nThis now activates an ingress for [https://myinstance.demo.nplus.cloud/nscale_web](https://myinstance.mydomain.demo.nplus.cloud/nscale_web). The easiest and fastest is probably to add the IP to the server into your `/etc/hosts` file.\n"} +{"chapter": "Adding a Certificate", "level": 1, "text": "After just adding the domain, the browser will complain about the self-signed certificate. You can easily add your certificate into the secret `myinstance.demo.nplus.cloud-tls`, which has been created for you.\nHowever, the canonical way is to have *cert-manager* or a similar tool take care of your certificates and have them generated by your CA or *Lets Encrypt* or similar.\nIf you have a running instance of cert-manager, you just need to specify the issuer:\n```bash\nhelm upgrade --devel \\\n--set global.ingress.domain=myinstance.demo.nplus.cloud \\\n--set global.ingress.issuer=nplus-issuer \\\nmyinstance nplus/nplus-instance\n```\nIn this example, *nplus-issuer* is the name of the issuer we created during the [Addons Guide](docs/addons.md).\nYou can now access your new instance with [https://myinstance.demo.nplus.cloud](https://myinstance.demo.nplus.cloud) or whatever domain you might have for it.\n"} +{"chapter": "Adding an Application", "level": 1, "text": "Trying to log in to your new instance will probably give you an error message:\n![Web Error](assets/noda.png)\nSo we need to create the Document Area and maybe even add some Business App.\nBusiness Apps can be installed from the *pool*. The *pool* is a shared file system, the *nplus environment* exposes to the *nplus instances*. 
This is handled by the *toolbox* feature, which is disabled by default.\nSo first, we enable it:\n```bash\nhelm upgrade --devel \\\n--set toolbox.enabled=true \\\n--set nstoreDownloader.enabled=true \\\ndemo nplus/nplus-environment\n```\nAnd while we are at it, we also enable the *nstore downloader*, which is a job running in the background automatically downloading the latest business app installer from Ceyoniq.\nIt will take a couple of minutes before the apps are downloaded by the job. You can peek into the folder:\n```bash\nkubectl exec --stdin --tty nplus-toolbox-0 -- ls -lais /conf/pool\n```\nThe Business Apps alone will not install without a proper *App-Installer*. You can download it from the Ceyoniq Service Portal. Once you have it, upload it to the pool as well:\n```bash\nkubectl cp app-installer-9.0.1202.jar nplus-toolbox-0:/conf/pool\n```\nNow, you have everything you need to get an App up:\n- The App Installer\n- Apps\nThe Command Line for installing our *myinstance* Instance is getting quite large, so here is how to put all that into one (or more) yaml files. Create a yaml called *myinstance.yaml* and add the following (which is identical to the command lines above plus the App Install)\nNotice that the domain is using a template function in this example. This adds the ability to reuse the same yaml for multiple instances. 
We will reuse it for the ArgoCD sample during the [ArgoCD Quickstart Guide](quickstart-argo.md).\n```yaml\nglobal:\ningress:\ndomain: \"{{ .Release.Name }}.demo.nplus.cloud\"\nissuer: \"nplus-issuer\"\ncomponents:\napplication: true\napplication:\nappInstaller: \"/pool/app-installer-9.0.1202.jar\"\ndocAreas:\n- id: \"SBS\"\nname: \"DocArea with SBS\"\ndescription: \"This is a sample DocArea with the SBS Apps installed\"\napps:\n- \"/pool/nstore/bl-app-9.0.1202.zip\"\n- \"/pool/nstore/gdpr-app-9.0.1302.zip\"\n- \"/pool/nstore/sbs-base-9.0.1302.zip\"\n- \"/pool/nstore/sbs-app-9.0.1302.zip\"\n- \"/pool/nstore/tmpl-app-9.0.1302.zip\"\n- \"/pool/nstore/cm-base-9.0.1302.zip\"\n- \"/pool/nstore/cm-app-9.0.1302.zip\"\n- \"/pool/nstore/hr-base-9.0.1302.zip\"\n- \"/pool/nstore/hr-app-9.0.1302.zip\"\n- \"/pool/nstore/pm-base-9.0.1302.zip\"\n- \"/pool/nstore/pm-app-9.0.1302.zip\"\n- \"/pool/nstore/sd-base-9.0.1302.zip\"\n- \"/pool/nstore/sd-app-9.0.1302.zip\"\n- \"/pool/nstore/kon-app-9.0.1302.zip\"\n- \"/pool/nstore/kal-app-9.0.1302.zip\"\n- \"/pool/nstore/dok-app-9.0.1302.zip\"\n- \"/pool/nstore/ts-base-9.0.1302.zip\"\n- \"/pool/nstore/ts-app-9.0.1302.zip\"\n- \"/pool/nstore/ocr-base-9.0.1302.zip\"\n```\nThis yaml will:\n- Switch on the *application chart*, which will install Apps\n- Tell the application to use the App Installer we just uploaded\n- Define a new Document Area (*SBS*) to be created\n- And then finally, in this example, we install SBS completely based on the Apps we downloaded from *nstore*. Make\nsure your license covers SBS; otherwise, it will fail.\nThen, you can upgrade *myinstance* with the new settings:\n```bash\nhelm upgrade \\\n--values myinstance.yaml \\\nmyinstance nplus/nplus-instance\n```\n> You can specify multiple values files, so it is fine to have one for the environment settings, one for the instance settings, and a third one for the application settings. 
This way, you can easily create multiple instances with shared settings to have maximum re-usage among instances.\nYou can follow the application installer using:\n```bash\n"} +{"chapter": "kubectl logs -l job-name=myinstance-application -f", "level": 1, "text": "...\nDefaulted container \"run\" out of: run, wait-for-myinstance-nappl (init), copy-conf (init)\n2024-03-11 16:08:33,918 [main] INFO com.ceyoniq.nscale.appconfig.NscaleServerWriter - updating CustomConfiguration Procurement to 9.0.1302\n2024-03-11 16:08:33,993 [main] INFO com.ceyoniq.nscale.appconfig.NscaleServerWriter - finished app configuration..\nApp '/pool/pm-app-9.0.1302.zip' successfully installed\ninstall App /pool/sd-base-9.0.1302.zip into SBS\nTry installation of app zip: /pool/sd-base-9.0.1302.zip\n2024-03-11 16:08:36,406 [main] INFO com.ceyoniq.nscale.businessapps.sd.base.Installer - App ('sd-app') not installed yet. Installing version 9.0.1302\n2024-03-11 16:08:43,031 [main] INFO com.ceyoniq.nscale.appconfig.NscaleMapper.Icons - Installing icons..\n2024-03-11 16:08:43,033 [main] INFO com.ceyoniq.nscale.appconfig.NscaleMapper.Folders - Installing Folders..\n2024-03-11 16:08:43,037 [main] INFO com.ceyoniq.nscale.appconfig.NscaleMapper.FolderTemplates - Installing FolderTemplates..\n...\ndone config scripts.\nrunning application scripts\nRunning /application/*.sh\ndone application scripts.\n```\nOnce it is done, close your browser (to make sure you open a fresh session) and try to log in again:\n![ ](assets/web.png)\n> Admin does not have any SBS user roles by default; that is why you do not see any Apps after login.\n"} +{"chapter": "Further Reading", "level": 1, "text": "- You will find more complex examples in the [samples directory](/samples).\n- Please have a look at the README.md of the charts to explore more configuration options:\n```bash\nhelm show readme nplus/nplus-environment\nhelm show readme nplus/nplus-instance\n```\n- There are also charts for every component used by the instance 
umbrella chart.\n- You can also start configuring your instance by retrieving and altering the values.yaml of the chart.\n```bash\nhelm show values --devel nplus/nplus-instance > myinstance.yaml\n```\nThen edit this file. When you are done, apply it:\n```bash\nhelm upgrade --devel \\\n-f myinstance.yaml \\\nmyinstance nplus/nplus-instance\n```\n> Please be aware that the umbrella `values.yaml` does **not** contain all possible configuration options of the child charts.\n"} diff --git a/ai/jsonl/resources.jsonl b/ai/jsonl/resources.jsonl new file mode 100644 index 0000000..b241f8e --- /dev/null +++ b/ai/jsonl/resources.jsonl @@ -0,0 +1 @@ +{"chapter": "Handing Resources to Components", "level": 2, "text": "By default, no resources are set on the container. Thus, Kubernetes handles the container with best effort.\nResources can be set at\n| Key | Description | Default |\n|-----|-------------|---------|\n| resources.requests.cpu | sets the request, which is the minimum guaranteed | - |\n| resources.requests.memory | sets the request, which is the minimum guaranteed | - |\n| resources.limits.cpu | sets the limit, which is the maximum allowed | - |\n| resources.limits.memory | sets the request, which is the maximum allowed | - |\n- if nothing is defined, Kubernetes handles it BestEffort\n- if requests are defined, but no limits, Kubernetes handles it Burstable\n- if both are defined, Kubernetes handles it Guaranteed\nPlease take caution when setting parameters and also have a look at this interesting article regarding resources and JVM resource handling:\nhttps://xebia.com/blog/kubernetes-and-the-jvm/\n"} diff --git a/ai/jsonl/security.jsonl b/ai/jsonl/security.jsonl new file mode 100644 index 0000000..fba5cc0 --- /dev/null +++ b/ai/jsonl/security.jsonl 
@@ -0,0 +1,6 @@ +{"chapter": "Security settings", "level": 2, "text": "You can set the security options per *component*, per *instance* or per *environment*.\nThe priority is:\n1. component\n2. instance\n3. environment\nIt is recommended to set the security per environment to make sure you do not forget a component.\n"} +{"chapter": "Illumio", "level": 3, "text": "Example `environment` setting for Illumio:\n```\nglobal:\nenvironment:\nsecurity:\nillumio:\nenabled: true\nloc: \"mylocation\"\nsupplier: \"mysupplier\"\nplatform: \"myplatform\"\nreadinessGates:\n- conditionType: \"com.illumio.policy-ready\"\n```\n"} +{"chapter": "CNI, such as Calico or Cilium", "level": 3, "text": "Example `environment` setting for CNI:\n```\nglobal:\nenvironment:\nsecurity:\ncni:\ndefaultIngressPolicy: deny\ndefaultEgressPolicy: deny\ncreateNetworkPolicy: true\nexcludeUnusedPorts: false\n```\n**excludeUnusedPorts** can add a port config to your ingress rules. However, not every CNI is capable of all Attributes (like `EndPort` is currently not supported by cilium).\nSo you can switch this off, if your CNI does not support it.\n"} +{"chapter": "zeroTrust Policy", "level": 3, "text": "Some Tools like Cilium transparently encrypt the Node to Node traffic in a Cluster. If you, however, want to aditionally deny all http traffic within a node, you can\nenable `zeroTrust` by setting:\n```\nglobal:\nsecurity:\nzeroTrust: true\n```\nPlease make sure you also set all backendProtocols to https. For a complete example, please see the sample values file `zerotrust.yaml` in the samples directory.\n"} +{"chapter": "Encrypted backend", "level": 3, "text": "An optional approach to zeroTrust (see above) is to set the backenProtocol to http. 
This leaves the http ports available (zeroTrust would not),\nbut switches the component backend traffic to https (for ingress, probes, ...).\nIt is not as strict as zeroTrust and can be set per component like this:\n```\ningress:\nbackendProtocol: https\n```\nPlease see the example file `encrypt.yaml` in the samles directory for more information.\n"} +{"chapter": "Security Context", "level": 3, "text": "You can add a `containerSecurityContext` to the component by adding it in the values file:\n```\nsecurity:\ncontainerSecurityContext:\ncapabilities:\ndrop: [\"ALL\"]\n```\nAdditionally, add a `podSecurityContext` if desired:\n```\nsecurity:\npodSecurityContext:\nrunAsNonRoot: true\nrunAsUser: 1000\nrunAsGroup: 1000\n```\n> **Note**: This setting can not be set on instance or environment level.\n"} diff --git a/assets/logo_nplus.svg b/assets/logo_nplus.svg new file mode 100755 index 0000000..ec29c3b --- /dev/null +++ b/assets/logo_nplus.svg @@ -0,0 +1,13 @@ + + + + + + + + + + + + + diff --git a/assets/sample.sh b/assets/sample.sh new file mode 100644 index 0000000..8e5a904 --- /dev/null +++ b/assets/sample.sh @@ -0,0 +1,2 @@ +#!/bin/bash +echo "This does nothing but showing how to call scripts during the deployment process" diff --git a/assets/sample.tar.gz b/assets/sample.tar.gz new file mode 100644 index 0000000..0cbb174 Binary files /dev/null and b/assets/sample.tar.gz differ diff --git a/charts/README.md b/charts/README.md new file mode 100644 index 0000000..b24269e --- /dev/null +++ b/charts/README.md 
@@ -0,0 +1,100 @@ +# nplus Charts + +These are the sources to the nplus Charts. There are 4 levels: + +1. Cluster +2. Environment +3. Instance +4. Component + +## Cluster + +The ***cluster*** chart is responsible for installing all prerequisites for nplus into the Kubernetes Cluster. This is specifically the CRDs later used by the environment. + +## Environment + +The ***environment*** chart installes the nplus operator, toolbox etc. into a Kubernetes namespace, making this namespace capable of housing nplus Instances + +## Instance + +The ***instance*** and ***instance-argo** charts install an nplus Instance into an nplus Environment. Every Instance consist of any possible combination of componens: + +## Components + +### administrator + +This is the official nscale Administrator (Web / RAP). It connects to an Application Layer to store its state in the global client settings. It can however connect to any nscale component to perform the **online** configuration. + +### Prepper + +Downloads, deploys and runs any git asset or script prior to deployment of the components + +### application + +This handles the installation of solutions / scenarios / apps into a running instance. + +### cmis + +This component exposes a CMIS compatible interface, with REST and SOAP flavours. + +### database + +The database charts installs a postgres instance into the nplus instance. It should not be used for production without further service. + +### ilm + +The ***ilm*** chart installs the *nscale ERP ILM Connector* which is a SAP certified ILM service. + +### proxy + +The ***proxy*** chart installs the *nscale ERP Proxy Connector* which is a SAP Content Service request forwarder to migrate alien Archiv Solutions to nscale + +### mon + +The ***mon*** chart adds a *nscale Monitoring Console* to the nplus instance. + +### nappl + +The ***nappl*** chart hosts an nscale Server Application Layer, which is a central component in the nscale ecosystem. 
Most nplus Instances should have at least one ***nappl*** instance. However, there are also scenarios like *central services* (see samples), where one would potentially not use a ***nappl*** within the nplus instance. + +### nstl + +A *nscale Server Storage Layer* is added by this ***nstl*** chart. The Storage Layer is basically a Blob Store Component, that virtualizes storage subsystems and adds a layer of legal compliance for many governmental requirements. + +In terms of storage subsystems, the ***nstl*** chart can be used to connect multiple storage subsystems like S3, Azure Blob Storage and also Hardware Stores like NetApp, EMC Centera etc. + +### pam + +This is a Chart for the *nscale Process Automation Modeler*, an administrative component that allows the definition of workflows or processes in BPMN on a web ui. + +### pipeliner + +The ***pipeliner*** chart installs the *nscale Pipeliner*. It also features an optional **WebDAV** component to provide upload capabilities. + +### rms + +The ***rms*** chart can be used as an *Adminstrator Server* for the nscale Administrator Client. The chart comes with the original nscale RMS component as well as a TCP Proxy, that allows to connect to the original component running in a container via TCP. + +The chart exposes its service through a virtual IP adress provided by a Kubernetes loadbalancer service. + +### rs + +The *nscale Rendition Server* is installed by this ***rs*** chart. It is used by the *nscale Application Layer* to render content into multiple formats. + +### sharepoint + +This is a chart for *nscale Sharepoint Connector* + +### web + +*nscale Web* is the official Web Client for *nscale*. It connects to a *nscale Application Layer* as the *EIM* backend. + +### webdav + +*nscale WebDAV Connector* is a WebDAV Client for *nscale*. It connects to a *nscale Application Layer* as the *EIM* backend. It services a standard WebDAV protocol interface to be used by any WebDAV client. 
+ + + +# Misc + +The ***global*** chart is a library chart with common functions used by all other charts. It cannot be installed. \ No newline at end of file diff --git a/charts/administrator/Chart.yaml b/charts/administrator/Chart.yaml new file mode 100644 index 0000000..69a23ee --- /dev/null +++ b/charts/administrator/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-administrator +description: nscale Administrator, providing the Web Version of the Administrator to be used in the Instance +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/administrator/README.md b/charts/administrator/README.md new file mode 100644 index 0000000..21f766d --- /dev/null +++ b/charts/administrator/README.md 
@@ -0,0 +1,174 @@ + + +# nplus-component-administrator + +nscale Administrator, providing the Web Version of the Administrator to be used in the Instance + +## nplus-component-administrator Chart Configuration + +You can customize / configure nplus-component-administrator by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. 
| | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"administrator"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/rapadm"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | `"-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user"` | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8080` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8443` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"administrator"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"administrator"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | | +**mounts**​.temp​.path | Sets the path to the temporary files
do not change this value | **info only**, do not change
`"/tmp"` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/administrator/templates/component.tpl b/charts/administrator/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/administrator/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/administrator/templates/ingress.tpl b/charts/administrator/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/administrator/templates/ingress.tpl 
@@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/administrator/templates/networkpolicy.tpl b/charts/administrator/templates/networkpolicy.tpl new file mode 100644 index 0000000..9ba1d34 --- /dev/null +++ b/charts/administrator/templates/networkpolicy.tpl @@ -0,0 +1,34 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + egress: + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} +{{- end }} \ No newline at end of file diff --git a/charts/administrator/templates/pvc.tpl b/charts/administrator/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/administrator/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} 
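Review bot: in the README Keys table for the administrator chart, `ingress.enabled` defaults to `true` and `ingress.class` to `public` while `ingress.whitelist` is empty, so an install with defaults puts `/rapadm` on the public ingress class with no source IP restriction. For an administration component I would default `ingress.enabled` to `false`, or at least state in the table that an internal ingress class or `ingress.whitelist` should be set. The same table gives `image.tag` as `latest` while values.schema.json in this commit has `ubi.9.3.1201` as the default; the two should agree, preferably on the pinned tag.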
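Review bot: in ingress.tpl the path comes from `.Values.ingress.contextPath`, whereas the else branch of the same template reads `.this.ingress`, and the three probes in statefulset.tpl hard-code `/rapadm/`. If a user overrides `ingress.contextPath`, only the ingress rule changes and the probes keep hitting the old path. Either read the path from one place in both templates or mark `ingress.contextPath` as info only for this chart, as is done for `meta.ports.http`. The file also ends without a trailing newline.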
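Review bot: in networkpolicy.tpl the only egress rule is a `podSelector` on `nplus/group`, with no rule for cluster DNS, although `Egress` is listed in `policyTypes` and the component is configured with a host name in `nappl.host`. Unless another policy selecting these pods allows port 53 to the DNS pods, name resolution will fail once this policy is applied; a `podSelector` peer without a `namespaceSelector` also matches only pods in the same namespace. Please add the DNS rule here or note which policy provides it. When the ingress is disabled, `ingress:` renders with no value; writing `ingress: []` would make the deny-all intent explicit. The switch `security.cni.createNetworkPolicy` that gates this template does not appear in the README Keys table.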
diff --git a/charts/administrator/templates/service.tpl b/charts/administrator/templates/service.tpl new file mode 100644 index 0000000..5afdba2 --- /dev/null +++ b/charts/administrator/templates/service.tpl @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/administrator/templates/statefulset.tpl b/charts/administrator/templates/statefulset.tpl new file mode 100644 index 0000000..9c0fe55 --- /dev/null +++ b/charts/administrator/templates/statefulset.tpl 
@@ -0,0 +1,116 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + +spec: + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + podManagementPolicy: OrderedReady + updateStrategy: + type: {{ .Values.updateStrategy | default "OnDelete" }} + minReadySeconds: 5 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + + containers: + - name: administrator + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + env: + + {{- if ($.this.nappl).host }} + - name: APPLICATION_LAYER_HOST + value: {{ ($.this.nappl).host | quote }} + {{- end }} + {{- if ($.this.nappl).port }} + - name: APPLICATION_LAYER_PORT + value: {{ ($.this.nappl).port | quote }} + {{- end }} + {{- if ($.this.nappl).ssl }} + - name: APPLICATION_LAYER_SSL + value: {{ ($.this.nappl).ssl | quote }} + {{- end }} + {{- if ($.this.nappl).instance }} + - name: APPLICATION_LAYER_INSTANCE + value: {{ ($.this.nappl).instance | quote }} + {{- end }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + + startupProbe: + httpGet: + path: /rapadm/ + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + initialDelaySeconds: 10 + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /rapadm/ + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + periodSeconds: 30 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /rapadm/ + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + periodSeconds: 10 + timeoutSeconds: 1 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/administrator/values.schema.json b/charts/administrator/values.schema.json new file mode 100644 index 0000000..3e21766 --- /dev/null +++ b/charts/administrator/values.schema.json 
@@ -0,0 +1,834 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "administrator", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": 
"ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/rapadm", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "administrator", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "administrator", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + 
"default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + 
"description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "There should only be a single Administrator instance, so the replicaCount is fixed to 1 @ignore -- Do not change this.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/administrator/values.yaml b/charts/administrator/values.yaml new file mode 100644 index 0000000..60b3f6f --- /dev/null +++ b/charts/administrator/values.yaml @@ -0,0 +1,417 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/rapadm" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: "/tmp" + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. + # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
+ # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. + generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. 
+ javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: "-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user" +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: administrator + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale + pullPolicy: IfNotPresent +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: administrator + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8080 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ https: 8443 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: administrator + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. 
(see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- There should only be a single Administrator instance, so the replicaCount is +# fixed to 1 +# @ignore -- Do not change this. +replicaCount: 1 +# # : +# # path: +# # volumeName: +# # subPath: + +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. 
+ cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. +waitFor: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/application/Chart.yaml b/charts/application/Chart.yaml new file mode 100644 index 0000000..4abaa5d --- /dev/null +++ b/charts/application/Chart.yaml 
@@ -0,0 +1,15 @@ +apiVersion: v2 +name: nplus-application +description: nplus Application, used to install Apps and Customizations into the nscale Application Layer. +icon:  +type: application +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/application/README.md b/charts/application/README.md new file mode 100644 index 0000000..8b3f354 --- /dev/null +++ b/charts/application/README.md 
@@ -0,0 +1,340 @@ + + +# nplus-application + +nplus Application, used to install Apps and Customizations into the nscale Application Layer. + +## AppInstaller + +In order to install Apps, you will need a matching AppInstaller. This can be downloaded from the Ceyoniq Service Portal. +Once you have it, copy it the pool folder (or any other place where the application chart has access to): + +``` +kubectl cp app-installer-9.0.1202.jar nplus-toolbox-0:/conf/pool +``` + +## Ceyoniq Smart Business Apps (SBS) + +The SBS Apps are automatically downloaded from the official Ceyoniq nstore by a job in the *nplus environment*, if you switched it on during the environment installation: + +``` +nstoreDownloader.enabled: true +``` + +If enabled, the Downloader job will run regularly in the background, and download the latest SBS Apps in the pool folder. +You can always enabled it in the environment chart later on if desired: + +``` +helm upgrade \ + --set toolbox.enabled=true \ + --set nstoreDownloader.enabled=true \ + dev nplus/nplus-environment +``` + +## SBS Example + +You can install SBS by adding the necessary apps to the deployment: + +```yaml +components: + application: true +application: + appInstaller: "/pool/app-installer-9.0.1202.jar" + docAreas: + - id: "SBS" + name: "DocArea with SBS" + description: "This is a sample DocArea with the SBS Apps installed" + apps: + - "/pool/nstore/bl-app-9.0.1202.zip" + - "/pool/nstore/gdpr-app-9.0.1302.zip" + - "/pool/nstore/sbs-base-9.0.1302.zip" + - "/pool/nstore/sbs-app-9.0.1302.zip" + - "/pool/nstore/tmpl-app-9.0.1302.zip" + - "/pool/nstore/cm-base-9.0.1302.zip" + - "/pool/nstore/cm-app-9.0.1302.zip" + - "/pool/nstore/hr-base-9.0.1302.zip" + - "/pool/nstore/hr-app-9.0.1302.zip" + - "/pool/nstore/pm-base-9.0.1302.zip" + - "/pool/nstore/pm-app-9.0.1302.zip" + - "/pool/nstore/sd-base-9.0.1302.zip" + - "/pool/nstore/sd-app-9.0.1302.zip" + - "/pool/nstore/kon-app-9.0.1302.zip" + - "/pool/nstore/kal-app-9.0.1302.zip" + - 
"/pool/nstore/dok-app-9.0.1302.zip" + - "/pool/nstore/ts-base-9.0.1302.zip" + - "/pool/nstore/ts-app-9.0.1302.zip" + - "/pool/nstore/ocr-base-9.0.1302.zip" +``` + +This will install the SBS Apps into the DocArea "SBS". The DocArea is created, if it does not exist. + +## Install custom Generic Base Apps (GBA) + +If you wish to deploy your custom GBAs, simply copy them to the pool (e.g. in the apps folder): + +``` +kubectl cp my-gba-1.0.1000.zip nplus-toolbox-0:/conf/pool/apps +``` + +Then, use the GBA file name and version in the DocArea: + +``` +application: + docAreas: + - id: "MyGBA" + name: "DocArea with my GBA" + description: "This is a sample DocArea with a custom GBA installed" + apps: + - "/pool/apps/my-gba-1.0.1000.zip" +``` + +## Downloading assets from the web, like git + +If your assets are in git, you can simply download them prior to installing. That way, you do not have to upload them manually: + +``` +application: + download: + - "https://git.nplus.cloud/public/nplus/raw/branch/master/apps/my-gba-1.0.1000.zip" + docAreas: + - id: "MyGBA" + name: "DocArea with my GBA" + description: "This is a sample DocArea with a custom GBA installed" + apps: + - "/pool/downloads/my-gba-1.0.1000.zip" +``` + +> You can also use the *prepper* for downloading assets, which is useful to for example download snippets into the web client before it starts. + +## Deploying additional parts + +You might want to deploy additional parts like web snippets to your instance. This can by done by custom scripts. + +Custom scripts can be run either in *global* or in *document area* context: + +``` +application: + preRun: + - "/pool/scripts/global-init.sh" + docAreas: + - id: "MyGBA" + run: + - "/pool/scripts/da-deployment.sh" + run: + - "/pool/scripts/global-deployment.sh" +``` +In *DA* context, the script will get the NAPPL information passed to it. +In *global* context, the script does not get any application specific context. 
+ +Example (for a global script): + +``` +#/bin/sh +cp /pool/snippets/test.jar /instance/web/snippets +``` + +This script copies the file *test.jar* to the web snippets folder, so the web containers have access to it. + +Place this script in the pool folder of your environment, like this: + +``` +kubectl cp global-deployment.sh nplus-toolbox-0:/conf/pool/scripts +``` + +Then you can run it during the initialization Job like in the example above. +Of course you also need to copy your snippet to the pool first: + +``` +kubectl cp test.jar nplus-toolbox-0:/conf/pool/snippets +``` + +Scripts can run Pre- and Post DocArea and App installs: + +- The *global preRun* scripts are run **before** any document area initialization. +- The *DA preRun* scripts are run **before** all apps are installed. +- The *DA Run* scripts are run **after** all apps are installed. +- The *global Run* scripts are run **after** any document area initialization. + +## Debugging + +The Application Chart uses a job that runs a pod once the Application Layer is available. This pod then creates document areas (if not present) and installs apps into them. + +While the job is running, you can check its log using + +``` +kubectl logs -l nplus/instance=,nplus/component=application +``` + +Please substitute `` with your instance name. + +The job/pod is automatically removed shortly after it finishes, so the `kubectl logs` command might not find the resource any more if you try this after minutes. Of course you will still find these logs in splunk, prometheus, kibana or whatever log stack you use. + +Alternatively, you can check the log at `/conf//application/10init.log` from inside the environment toolbox. 
+ +``` +kubectl exec --stdin --tty nplus-toolbox-0 -- cat /conf//application/10init.log +``` + +## Wait-One-Minute + +If you have an update scenario (and not using argoCD with its waves) and your application is inside your instance, you might get into a race condition problem: + +Your Application Layer is still up when the job is created. The jobs waits for the Application Layer, which - since it is still there - is only a split second and then the job executes. Kubernetes might then update the Application Layer which terminates, leaving the job crashing. As the application job only tries to install once, it will be left incomplete. + +We use an init container `wait-one-minute`, which will wait a minute before the job executes, leaving Kubernetes and the Application Layer enough time to terminate for the update. + +This is the default when **not** using argoCD and waves. + +## nplus-application Chart Configuration + +You can customize / configure nplus-application by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. 
+In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. 
This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +docAreas | Provide a list of docareas to create. Please also see the example files | | +download | A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads | | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. 
| | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"application-layer"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. 
| `"application"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/application"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | | +**mounts**​.pool​.path | Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution
do not change this value | **info only**, do not change
`"/pool"` | +**mounts**​.temp​.path | Sets the path to the temporary files
do not change this value | **info only**, do not change
`"/tmp"` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +**nstl**​.host | The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration | | +prerun | A list of scripts to run before the deployment of Apps | | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**rs**​.host | The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration | | +run | A list of scripts to run after the deployment of Apps | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/application/templates/NOTES.txt b/charts/application/templates/NOTES.txt new file mode 100644 index 0000000..9e05608 --- /dev/null +++ b/charts/application/templates/NOTES.txt @@ -0,0 +1,14 @@ +{{- if .Values.docAreas }} + {{- range $docArea := .Values.docAreas }} +Created Document Area {{ $docArea.id }} on Server {{ $.this.nappl.host }} + {{- if $docArea.apps }} + {{- range $app := $docArea.apps }} +- Installed App {{ $app }} into {{ $docArea.id }} + {{- end }} + {{- else }} +- No Apps in Document Area {{ $docArea.id }} specified + {{- end }} + {{- end }} +{{- else }} +No Document Areas specified +{{- end }} diff --git a/charts/application/templates/application.tpl b/charts/application/templates/application.tpl new file mode 100644 index 0000000..0b92e27 --- /dev/null +++ b/charts/application/templates/application.tpl 
@@ -0,0 +1,19 @@ +apiVersion: nplus.cloud/v1beta1 +kind: Application +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + argocd.argoproj.io/sync-wave: "1" +spec: + docAreas: + {{- toYaml .Values.docAreas | nindent 4 }} + run: + {{- toYaml .Values.run | nindent 4 }} + selector: + {{- include "nplus.selectorLabels" . | nindent 4 }} diff --git a/charts/application/templates/config.tpl b/charts/application/templates/config.tpl new file mode 100644 index 0000000..18869ce --- /dev/null +++ b/charts/application/templates/config.tpl @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .component.fullName }}-config + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +data: +{{- range $path, $bytes := .Files.Glob "config/*" }} +{{- base $path | nindent 2 }}: | +{{- tpl ($.Files.Get $path) $ | nindent 4 }} +{{- end }} diff --git a/charts/application/templates/job.tpl b/charts/application/templates/job.tpl new file mode 100644 index 0000000..a461c81 --- /dev/null +++ b/charts/application/templates/job.tpl 
@@ -0,0 +1,89 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +{{- if (.this.utils).maintenance -}} +# Job must not be running, as we are in maintenance mode and there might not even be a nappl service +{{- else }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + argocd.argoproj.io/hook: PostSync + argocd.argoproj.io/hook-delete-policy: HookSucceeded + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + # Deletion ist done by Operator when successful, so no ttl necessary. + # ttlSecondsAfterFinished: 60 + template: + metadata: + labels: + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .instance.group | default .instance.name | default .Release.Name }} + app.kubernetes.io/component: {{ .component.chartName }} + {{- include "nplus.templateLabels" . | nindent 8 }} + spec: + # hostname: {{ .component.fullName }} + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + + {{- if (or .this.utils.disableWave (not (and .component.isArgo .this.meta.wave))) }} + {{- include "nplus.waitOneMinute" . | nindent 6 }} + {{- else }} + # -- wait-one-minute - not waiting as {{ .this.utils.disableWave }} {{ .component.isArgo }} {{ .this.meta.wave }} + {{- end }} + {{- include "nplus.waitFor" . 
| nindent 6 }} + + containers: + - name: run + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + env: + # -- NAPPL Connection Credentials + {{- include "nplus.envCredentials" (list + "APP_AL_USER" ($.this.nappl).account + "APP_AL_PASSWORD" ($.this.nappl).password + ($.this.nappl).secret + ) | nindent 10 }} + + {{- include "nplus.environment" . | nindent 8 }} + + command: ["/bin/sh", "-c", "/config/run"] + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + - name: config + mountPath: /config + - name: conf + subPath: {{ .this.instance.name }} + mountPath: /instance + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + - name: config + configMap: + name: {{ .component.fullName }}-config + defaultMode: 0777 + + restartPolicy: Never + backoffLimit: 0 +{{- end }} diff --git a/charts/application/templates/networkpolicy.tpl b/charts/application/templates/networkpolicy.tpl new file mode 100644 index 0000000..4636f1a --- /dev/null +++ b/charts/application/templates/networkpolicy.tpl 
@@ -0,0 +1,28 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + policyTypes: + - Egress + egress: + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: core +{{- end }} \ No newline at end of file diff --git a/charts/application/values.schema.json b/charts/application/values.schema.json new file mode 100644 index 0000000..bfe1bba --- /dev/null +++ b/charts/application/values.schema.json 
@@ -0,0 +1,725 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "docAreas": { + "default": "", + "description": "Provide a list of docareas to create. Please also see the example files", + "title": "docAreas" + }, + "download": { + "default": "", + "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", + "title": "download" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121814", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "application", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/application", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/pool", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": 
"nodeSelector" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "nstl", + "type": "object" + }, + "prerun": { + "default": "", + "description": "A list of scripts to run before the deployment of Apps", + "title": "prerun" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "rs": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale rendition Server*. 
This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "rs", + "type": "object" + }, + "run": { + "default": "", + "description": "A list of scripts to run after the deployment of Apps", + "title": "run" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/application/values.yaml b/charts/application/values.yaml new file mode 100644 index 0000000..2ea1f09 --- /dev/null +++ b/charts/application/values.yaml 
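Review bot: None of the leaf properties in values.schema.json declare a `type`, and the security-relevant defaults under `security` are recorded as strings: `"default": "false"` for `allowPrivilegeEscalation`, `"default": "true"` for `readOnlyRootFilesystem`, `"default": "1001"` for `runAsUser`, and a `zeroTrust` default that even carries literal backticks. With `"additionalProperties": false` the schema rejects unknown keys, but any value of any type still validates for these settings, so a quoted string or an unintended `runAsUser: 0` passes schema validation even though the description says to avoid 0 / root. Suggest adding `"type": "boolean"` to `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `zeroTrust`, `"type": "integer"` to `runAsUser` and `fsGroup` (with `"minimum": 1` on `runAsUser`), and writing the `default` values in the matching type. In the same pass, `image.pullSecrets` lists `{"type": "string"}` twice under `items.anyOf` and has no `"type": "array"`; a single string item plus the array type would express the intent.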
@@ -0,0 +1,338 @@ +# yaml-language-server: $schema=values.schema.json +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: application + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. 
+ language: + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +mounts: + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/application" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: "/pool" + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: "/tmp" + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting + configMap: + data: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + file: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +nstl: + # -- The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration + host: +rs: + # -- The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration + host: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: application-layer + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. 
+ cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +# -- A list of scripts to run after the deployment of Apps +run: +# -- A list of scripts to run before the deployment of Apps +prerun: +# -- A list of URLs (Links) to Assets to download before anything else +# if the download is a .tar.gz, it is automatically untared to /pool/downloads +download: +# -- Provide a list of docareas to create. Please also see the example files +docAreas: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. +waitFor: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. 
This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/cluster/Chart.yaml b/charts/cluster/Chart.yaml new file mode 100644 index 0000000..96416b0 --- /dev/null +++ b/charts/cluster/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: nplus-cluster +description: Installs Cluster-Wide Resources such as CRDs +icon:  +type: application +version: 1.0.0 diff --git a/charts/cluster/README.md b/charts/cluster/README.md new file mode 100644 index 0000000..cf3a8c8 --- /dev/null +++ b/charts/cluster/README.md @@ -0,0 +1,6 @@ + + +# nplus-cluster + +Installs Cluster-Wide Resources such as CRDs + diff --git a/charts/cluster/templates/controller-rbac.tpl b/charts/cluster/templates/controller-rbac.tpl new file mode 100755 index 0000000..2294e5c --- /dev/null +++ b/charts/cluster/templates/controller-rbac.tpl 
@@ -0,0 +1,81 @@ +{{/* + +# +# Dieses ist erstmal ausgeschaltet, vielleicht brauchen wir das mal in einer späteren Version +# + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: nplus-role-argo + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +rules: + - apiGroups: ["argoproj.io"] + resources: ["applications"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: nplus-role-binding-argo + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: nplus-role-argo +subjects: +- kind: ServiceAccount + name: nplus-svc-account + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: nplus-argo-role + namespace: argocd + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +rules: + - apiGroups: [""] + resources: ["configmaps", "application","applicationset"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: nplus-argo-role-binding + namespace: argocd + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . 
| nindent 4 }} + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: nplus-argo-role +subjects: +- kind: ServiceAccount + name: nplus-svc-account + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + +*/}} \ No newline at end of file diff --git a/charts/cluster/templates/crd-application.tpl b/charts/cluster/templates/crd-application.tpl new file mode 100644 index 0000000..d57cf5f --- /dev/null +++ b/charts/cluster/templates/crd-application.tpl @@ -0,0 +1,54 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: applications.nplus.cloud +spec: + group: nplus.cloud + scope: Namespaced + names: + kind: Application + singular: application + plural: applications + categories: + - nplus + - nscale + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Environment + type: string + jsonPath: .metadata.labels.nplus/environment + priority: 1 + - name: Instance + type: string + jsonPath: .metadata.labels.nplus/instance + - name: Application + type: string + jsonPath: .metadata.labels.nplus/component + - name: Version + type: string + jsonPath: .metadata.annotations.nplus/componentVersion + - name: Status + type: string + jsonPath: .status.message + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + message: + description: Health human readable + type: string + id: + description: Health status id + type: integer + updateTimestamp: + description: Timestamp of last Health Change + type: string diff --git a/charts/cluster/templates/crd-component.tpl b/charts/cluster/templates/crd-component.tpl new file mode 100644 index 0000000..5d65e63 --- /dev/null +++ b/charts/cluster/templates/crd-component.tpl 
@@ -0,0 +1,57 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: components.nplus.cloud +spec: + group: nplus.cloud + scope: Namespaced + names: + kind: Component + singular: component + plural: components + categories: + - nplus + - nscale + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Environment + type: string + jsonPath: .metadata.labels.nplus/environment + priority: 1 + - name: Instance + type: string + jsonPath: .metadata.labels.nplus/instance + - name: Component + type: string + jsonPath: .metadata.labels.nplus/component + - name: Type + type: string + jsonPath: .metadata.labels.nplus/type + - name: Version + type: string + jsonPath: .metadata.annotations.nplus/componentVersion + - name: Status + type: string + jsonPath: .status.message + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + properties: + message: + description: Health human readable + type: string + id: + description: Health status id + type: integer + updateTimestamp: + description: Timestamp of last Health Change + type: string diff --git a/charts/cluster/templates/crd-instance.tpl b/charts/cluster/templates/crd-instance.tpl new file mode 100644 index 0000000..09da36c --- /dev/null +++ b/charts/cluster/templates/crd-instance.tpl 
@@ -0,0 +1,92 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: instances.nplus.cloud +spec: + group: nplus.cloud + scope: Namespaced + names: + kind: Instance + singular: instance + plural: instances + categories: + - nplus + - nscale + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Handler + type: string + jsonPath: .spec.handler + - name: Version + type: string + jsonPath: .spec.nscaleVersion + - name: Tenant + type: string + jsonPath: .spec.tenant + - name: Provider + type: string + jsonPath: .spec.provider + priority: 1 + - name: Status + type: string + jsonPath: .status.message + - name: Components + type: string + jsonPath: .spec.components + priority: 2 + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + # x-kubernetes-preserve-unknown-fields: true + properties: + nscaleVersion: + type: string + components: + type: string + handler: + type: string + tenant: + type: string + provider: + type: string + url: + type: string + expected: + type: array + items: + type: object + properties: + component: + type: string + replicaCount: + type: integer + required: + - component + - replicaCount + status: + type: object + properties: + usage: + type: object + properties: + volume: + type: integer + accounts: + type: integer + documents: + type: integer + message: + description: Health human readable + type: string + id: + description: Health status id + type: integer + updateTimestamp: + description: Timestamp of last Health Change + type: string diff --git a/charts/cluster/values.schema.json b/charts/cluster/values.schema.json new file mode 100644 index 0000000..0ea65f8 --- /dev/null +++ b/charts/cluster/values.schema.json 
@@ -0,0 +1,12 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/cluster/values.yaml b/charts/cluster/values.yaml new file mode 100644 index 0000000..b2b7dd8 --- /dev/null +++ b/charts/cluster/values.yaml @@ -0,0 +1,2 @@ +# yaml-language-server: $schema=values.schema.json +{} diff --git a/charts/cmis/Chart.yaml b/charts/cmis/Chart.yaml new file mode 100644 index 0000000..fbe444b --- /dev/null +++ b/charts/cmis/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-cmis +description: nscale CMIS Connector, provides a CMIS Interface to the Instance +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/cmis/README.md b/charts/cmis/README.md new file mode 100644 index 0000000..88bb746 --- /dev/null +++ b/charts/cmis/README.md 
@@ -0,0 +1,179 @@ + + +# nplus-component-cmis + +nscale CMIS Connector, provides a CMIS Interface to the Instance + +## nplus-component-cmis Chart Configuration + +You can customize / configure nplus-component-cmis by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. 
You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"cmis-connector"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/cmis"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8096` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8196` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"cmis-connector"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"cmis"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-cmis-connector/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-cmis-connector/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.path | Sets the path to the temporary files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-cmis-connector/temp"` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. 
| `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/cmis/templates/component.tpl b/charts/cmis/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/cmis/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/cmis/templates/deployment.tpl b/charts/cmis/templates/deployment.tpl new file mode 100644 index 0000000..21ed456 --- /dev/null +++ b/charts/cmis/templates/deployment.tpl 
@@ -0,0 +1,100 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + +spec: + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: + type: RollingUpdate + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: cmis-connector + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + env: + # -- NAPPL Connection Settings + {{- include "nplus.env" (dict + "CMIS_AL_HOST" ($.this.nappl).host + "CMIS_AL_PORT" ($.this.nappl).port + "CMIS_AL_INSTANCE" ($.this.nappl).instance + "CMIS_AL_SSL" ($.this.nappl).ssl + ) | nindent 10 }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + initialDelaySeconds: 10 + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 5 + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + periodSeconds: 10 + readinessProbe: + httpGet: + path: /cmis/ + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + periodSeconds: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/cmis/templates/ingress.tpl b/charts/cmis/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/cmis/templates/ingress.tpl @@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file 
diff --git a/charts/cmis/templates/networkpolicy.tpl b/charts/cmis/templates/networkpolicy.tpl new file mode 100644 index 0000000..c414672 --- /dev/null +++ b/charts/cmis/templates/networkpolicy.tpl @@ -0,0 +1,35 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + {{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/cmis/templates/pdb.tpl b/charts/cmis/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/cmis/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/cmis/templates/pvc.tpl b/charts/cmis/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/cmis/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/cmis/templates/service.tpl b/charts/cmis/templates/service.tpl new file mode 100644 index 0000000..f75d409 --- /dev/null +++ b/charts/cmis/templates/service.tpl 
@@ -0,0 +1,33 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/cmis/values.schema.json b/charts/cmis/values.schema.json new file mode 100644 index 0000000..cbc81eb --- /dev/null +++ b/charts/cmis/values.schema.json 
@@ -0,0 +1,844 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "cmis-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": 
"ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1200.2024112508", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/cmis", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8096", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8196", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "cmis-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "cmis", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/cmis/values.yaml b/charts/cmis/values.yaml new file mode 100644 index 0000000..8d345f4 --- /dev/null +++ b/charts/cmis/values.yaml @@ -0,0 +1,423 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/cmis" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Sets the number of replicas in this replicaSet. +# Some Components (like nstl or sharepoint) only allow a count of 1. +replicaCount: 1 +# -- the update Strategy for this component. Normally, you can update all components +# rolling, except for nappl, where you need to follow the documented update procedures. +updateStrategy: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. 
Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# # : +# # path: +# # volumeName: +# # subPath: + +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-cmis-connector/temp" + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-cmis-connector/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-cmis-connector/logs" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: cmis-connector + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale + pullPolicy: IfNotPresent +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: cmis + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8096 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8196 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: cmis-connector + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. 
+env: +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. 
+waitFor: +# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as +# minAvailable, using the full component as selector. This is useful for components, that are +# using multiple replicas. +minReplicaCount: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/database/Chart.yaml b/charts/database/Chart.yaml new file mode 100644 index 0000000..0be31d3 --- /dev/null +++ b/charts/database/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-database +description: Postgres Database, deploys a DEV or TESTING environment DB +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/database/README.md b/charts/database/README.md new file mode 100644 index 0000000..5de4fb7 --- /dev/null +++ b/charts/database/README.md 
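Review bot: in charts/cmis/values.yaml the `image` block defaults to `tag: latest` together with `pullPolicy: IfNotPresent`, so a node that already holds a cached `cmis-connector:latest` keeps running it while other nodes pull a newer build, and the deployed version cannot be reproduced from the values file. Default the tag to the released nscale version (or an image digest), or set the policy to `Always` if a floating tag is really intended. Separately, the comment above `mounts.ptemp` is a copy of the `mounts.temp` comment ("it is deleted when the pod terminates"), while the `path` comment directly below it says these temporary files are persisted; one of the two needs correcting.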
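Review bot: in charts/database/Chart.yaml the `nplus-globals` dependency is declared with `version: "*-0"`, a wildcard range, so the chart is built against whatever version happens to sit in `file://../globals` at packaging time. Pin the range to the globals version this chart was tested with, or commit the Chart.lock produced by `helm dependency update`, so a packaged chart can be traced back to one globals version. The `icon:` key is also left empty in this hunk; either set it or drop the key.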
@@ -0,0 +1,160 @@ + + +# nplus-component-database + +Postgres Database, deploys a DEV or TESTING environment DB + +## nplus-component-database Chart Configuration + +You can customize / configure nplus-component-database by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. 
You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**database**​.account | the technical account to own the nscale database, if not set by secret | `"nscale"` | +**database**​.name | name of the nscale database | `"nscale"` | +**database**​.password | password of the technical account, if not set by secret | `"nscale"` | +**database**​.secret | the secret with credentials (account, password) for the nscale technical account. This setting has priority over account and password | | +**dbAdmin**​.account | the database admin account, if not set by secret | `"postgres"` | +**dbAdmin**​.password | the database admin password, if not set by secret | `"postgres"` | +**dbAdmin**​.secret | the secret with credentials (account, password) for the database admin account. This setting has priority over adminAccount and adminPassword | | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"bitnami/postgresql"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | | +**image**​.repo | if you use a private repo, feel free to set it here | | +**image**​.tag | the tag of the image to use | `15` | +**meta**​.language | Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | | +**meta**​.ports​.tcp | A potential tcp port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`5432` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"database"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/bitnami/postgresql/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.paths | Sets a list of paths to the data files
do not change this value | **info only**, do not change
`["/bitnami/postgresql"]` | +**mounts**​.data​.size | Sets the size of the data disk | `"30Gi"` | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/tmp", "/opt/bitnami/postgresql/tmp"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +**priority**​.className | Set the priority class for the Application Layer deployment if desired | | +**priority**​.createClass | Creates an individual PriorityClass for this instance | | +**priority**​.value | Sets the priorityValue | 1000000 | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | + diff --git a/charts/database/templates/component.tpl b/charts/database/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/database/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/database/templates/config.tpl b/charts/database/templates/config.tpl new file mode 100644 index 0000000..5048c2c --- /dev/null +++ b/charts/database/templates/config.tpl @@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .component.fullName }}-config + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +data: +{{ (.Files.Glob "config/*").AsConfig | indent 2 }} 
diff --git a/charts/database/templates/networkpolicy.tpl b/charts/database/templates/networkpolicy.tpl new file mode 100644 index 0000000..c13d6f6 --- /dev/null +++ b/charts/database/templates/networkpolicy.tpl @@ -0,0 +1,33 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + - from: + # Allow access from NAPPL Cores + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: core + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/database/templates/pdb.tpl b/charts/database/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/database/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/database/templates/priorityClass.tpl b/charts/database/templates/priorityClass.tpl new file mode 100644 index 0000000..ecd4280 --- /dev/null +++ b/charts/database/templates/priorityClass.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.priorityClass" . }} diff --git a/charts/database/templates/pvc.tpl b/charts/database/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/database/templates/pvc.tpl 
@@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/database/templates/service.tpl b/charts/database/templates/service.tpl new file mode 100644 index 0000000..79f3bd8 --- /dev/null +++ b/charts/database/templates/service.tpl @@ -0,0 +1,28 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/database/templates/statefulset.tpl b/charts/database/templates/statefulset.tpl new file mode 100644 index 0000000..649e84a --- /dev/null +++ b/charts/database/templates/statefulset.tpl 
@@ -0,0 +1,119 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + serviceName: {{ .component.fullName }} + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + podManagementPolicy: OrderedReady + updateStrategy: + type: OnDelete + minReadySeconds: 10 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.priorityClassName" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: postgres + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.resources" . 
| nindent 8 }} + + env: + + # -- POSTGRES Admin Credentials + {{- include "nplus.envCredentials" (list + "POSTGRES_USERNAME" ($.this.dbAdmin).account + "POSTGRES_PASSWORD" ($.this.dbAdmin).password + ($.this.dbAdmin).secret + ) | nindent 10 }} + + # -- NAPPL Postgres Connection Credentials + {{- include "nplus.envCredentials" (list + "NSCALE_USERNAME" ($.this.database).account + "NSCALE_PASSWORD" ($.this.database).password + ($.this.database).secret + ) | nindent 10 }} + + - name: NSCALE_DATABASE + value: {{ (.this.database).name }} + + {{- include "nplus.environment" . | nindent 8 }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + initialDelaySeconds: 10 + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 5 + exec: + command: + - sh + - -c + - exec pg_isready -U "postgres" -h 127.0.0.1 -p {{ required "Postgres Port must be set" ((.this.meta).ports).tcp }} + livenessProbe: + exec: + command: + - sh + - -c + - exec pg_isready -U "postgres" -h 127.0.0.1 -p {{ required "Postgres Port must be set" ((.this.meta).ports).tcp }} + periodSeconds: 30 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 6 + readinessProbe: + exec: + command: + - sh + - -c + - | + pg_isready -U "postgres" -h 127.0.0.1 -p 5432 -t 1 + [ -f /opt/bitnami/postgresql/tmp/.initialized ] + {{- end }} + volumeMounts: + # Postgres requires this directory to be **completely** empty, + # so also no lost&found directory. + {{- include "nplus.defaultMounts" . | nindent 8 }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + volumes: + - name: custom-init-scripts + configMap: + name: {{ .component.fullName }}-config + {{- include "nplus.defaultVolumes" . | nindent 6 }} diff --git a/charts/database/values.schema.json b/charts/database/values.schema.json new file mode 100644 index 0000000..57dcc2f --- /dev/null 
+++ b/charts/database/values.schema.json 
@@ -0,0 +1,750 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "database": { + "additionalProperties": false, + "properties": { + "account": { + "default": "nscale", + "description": "the technical account to own the nscale database, if not set by secret", + "title": "account" + }, + "name": { + "default": "nscale", + "description": "name of the nscale database", + "title": "name" + }, + "password": { + "default": "nscale", + "description": "password of the technical account, if not set by secret", + "title": "password" + }, + "secret": { + "default": "", + "description": "the secret with credentials (account, password) for the nscale technical account. This setting has priority over account and password", + "title": "secret" + } + }, + "title": "database", + "type": "object" + }, + "dbAdmin": { + "additionalProperties": false, + "properties": { + "account": { + "default": "postgres", + "description": "the database admin account, if not set by secret", + "title": "account" + }, + "password": { + "default": "postgres", + "description": "the database admin password, if not set by secret", + "title": "password" + }, + "secret": { + "default": "", + "description": "the secret with credentials (account, password) for the database admin account. This setting has priority over adminAccount and adminPassword", + "title": "secret" + } + }, + "title": "dbAdmin", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "bitnami/postgresql", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "default": "", + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "title": "pullSecrets" + }, + "repo": { + "default": "", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "15", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "5432", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "database", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/bitnami/postgresql/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "30Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "priority": { + "additionalProperties": false, + "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. 
If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", + "properties": { + "className": { + "default": "", + "description": "Set the priority class for the Application Layer deployment if desired", + "title": "className" + }, + "createClass": { + "default": "", + "description": "Creates an individual PriorityClass for this instance", + "title": "createClass" + }, + "value": { + "default": "1000000", + "description": "Sets the priorityValue", + "title": "value" + } + }, + "title": "priority" + }, + "replicaCount": { + "default": "1", + "description": "The replicaCount for the Database should never be changed @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "type": "object" +} 
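Review bot: the `security` block of charts/database/values.schema.json declares no `type` for `allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `runAsUser`, `fsGroup` or `zeroTrust`, and their defaults are written as strings (`"false"`, `"true"`, `"1001"`), so schema validation accepts any value for exactly the hardening settings, including `runAsUser: 0`, which the description itself says to avoid. Suggest `"type": "boolean"` on the three flags and `"type": "integer"` with a `"minimum": 1` on `runAsUser` and `fsGroup`, with defaults written as real booleans and integers. The `security` and `capabilities` objects also lack `"type": "object"`, although `containerSecurityContext` and `podSecurityContext` have it, so `additionalProperties: false` does not reject a non-object value there.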
diff --git a/charts/database/values.yaml b/charts/database/values.yaml new file mode 100644 index 0000000..bb6e4e5 --- /dev/null +++ b/charts/database/values.yaml 
@@ -0,0 +1,354 @@ +# yaml-language-server: $schema=values.schema.json +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: database + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: 5432 + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. 
+ language: + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- The replicaCount for the Database should never be changed +# @ignore +replicaCount: 1 +mounts: + data: + # -- Sets the size of the data disk + size: "30Gi" + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + - "/bitnami/postgresql" + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/bitnami/postgresql/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - "/tmp" + - "/opt/bitnami/postgresql/tmp" + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- The log volume is used to take any left-over logging in the container. + # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. 
+ # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + file: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +database: + # -- name of the nscale database + name: nscale + # -- the technical account to own the nscale database, if not set by secret + account: nscale + # -- password of the technical account, if not set by secret + password: nscale + # -- the secret with credentials (account, password) for the nscale technical account. + # This setting has priority over account and password + secret: +dbAdmin: + # -- the database admin account, if not set by secret + account: "postgres" + # -- the database admin password, if not set by secret + password: "postgres" + # -- the secret with credentials (account, password) for the database admin account. + # This setting has priority over adminAccount and adminPassword + secret: +# -- provide the image to be used for this component +image: + # -- the name of the image to use + name: bitnami/postgresql + # -- the tag of the image to use + tag: 15 + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + # -- if you use a private repo, feel free to set it here + repo: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# # : +# # path: +# # volumeName: +# # subPath: + +# -- You can give a component a specific priorityClass to implement a quality of service. +# You can leave this empty, then no priority is set. If you set a class, this class is taken +# If you additionally enable create, the class is created for you with the value defined. 
+priority: + # -- Set the priority class for the Application Layer deployment if desired + className: + # -- Creates an individual PriorityClass for this instance + createClass: + # -- Sets the priorityValue + # @default -- 1000000 + value: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. 
+ # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/envbackend/Chart.yaml b/charts/envbackend/Chart.yaml new file mode 100644 index 0000000..83ee43a --- /dev/null +++ b/charts/envbackend/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-environment-backend +description: Installs Namespace-Wide Resources such as the conf PVC and the ptemp PVC +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/envbackend/README.md b/charts/envbackend/README.md new file mode 100644 index 0000000..cae1194 --- /dev/null +++ b/charts/envbackend/README.md 
@@ -0,0 +1,115 @@ + + +# nplus-environment-backend + +Installs Namespace-Wide Resources such as the conf PVC and the ptemp PVC + +## nplus-environment-backend Chart Configuration + +You can customize / configure nplus-environment-backend by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. 
| | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +**storage**​.conf​.name | this is the name of the common config storage. please see section "Storage" for more information | | +**storage**​.conf​.size | this is the size of the common config storage. please see section "Storage" for more information | | +**storage**​.conf​.volumeName | you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner | | +**storage**​.ptemp​.name | this is the name of the common persistant temp storage. please see section "Storage" for more information | | +**storage**​.ptemp​.size | this is the size of the common ptemp storage. please see section "Storage" for more information | | +**storage**​.ptemp​.volumeName | you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner | | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | + diff --git a/charts/envbackend/templates/pvc-conf.tpl b/charts/envbackend/templates/pvc-conf.tpl new file mode 100644 index 0000000..e8755d4 --- /dev/null +++ b/charts/envbackend/templates/pvc-conf.tpl 
@@ -0,0 +1,43 @@ +{{- include "nplus.init" $ -}} +# The "conf" PVC is used to store all config data of the nplus components. +# You may want to use a git repo on this conf store + +{{- if ((.this.storage).conf).name }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ required "You have to define a name for the conf PVC" ((.this.storage).conf).name }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.environmentLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + +spec: + {{- if ((.this.storage).conf).volumeName }} + # -- You have set storage.conf.volumeName, + # so we add the volumeName here to avoid automatic + # volume generation and rather use an existing volume + # to bind to this PVC. + volumeName: {{ tpl .this.storage.conf.volumeName . }} + # -- set an empty string must be explicitly set otherwise default StorageClass will be set + # see https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + storageClassName: "" + {{- else }} + # -- volumeName: storage.conf.volumeName + # If you set the volumeName, it appears here. You + # have not done so, so the provisioner for this + # volume class will pick up this claim and fulfill it. + {{- $scn := ((.this.storage).conf).class }} + {{- if $scn }} + storageClassName: {{ $scn | quote }} + {{- end }} + {{- end }} + accessModes: + - ReadWriteMany + resources: + requests: + storage: {{ required "You have to define a size for the conf PVC" ((.this.storage).conf).size }} +{{- end }} \ No newline at end of file diff --git a/charts/envbackend/templates/pvc-ptemp.tpl b/charts/envbackend/templates/pvc-ptemp.tpl new file mode 100644 index 0000000..293b4ab --- /dev/null +++ b/charts/envbackend/templates/pvc-ptemp.tpl 
@@ -0,0 +1,44 @@ +{{- include "nplus.init" $ -}} +# The "ptemp" PVC is used to persist temporary data of the nplus components. +# This is used e.g. in nstl, to store accounting.log info to make sure it is not deleted +# during a PODs recreate + +{{- if ((.this.storage).ptemp).name }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ required "You have to define a name for the ptemp PVC" ((.this.storage).ptemp).name }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.environmentLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + +spec: + {{- if ((.this.storage).ptemp).volumeName }} + # -- You have set storage.ptemp.volumeName, + # so we add the volumeName here to avoid automatic + # volume generation and rather use an existing volume + # to bind to this PVC. + volumeName: {{ tpl .this.storage.ptemp.volumeName . }} + # -- set an empty string must be explicitly set otherwise default StorageClass will be set + # see https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + storageClassName: "" + {{- else }} + # -- volumeName: storage.ptemp.volumeName + # If you set the volumeName, it appears here. You + # have not done so, so the provisioner for this + # volume class will pick up this claim and fulfill it. + {{- $scn := ((.this.storage).ptemp).class }} + {{- if $scn }} + storageClassName: {{ $scn | quote }} + {{- end }} + {{- end }} + accessModes: + - ReadWriteMany + resources: + requests: + storage: {{ required "You have to define a size for the ptemp PVC" ((.this.storage).ptemp).size }} +{{- end }} \ No newline at end of file diff --git a/charts/envbackend/values.schema.json b/charts/envbackend/values.schema.json new file mode 100644 index 0000000..11e44c6 --- /dev/null +++ b/charts/envbackend/values.schema.json 
@@ -0,0 +1,258 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. 
This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "storage": { + "additionalProperties": false, + "properties": { + "conf": { + "additionalProperties": false, + "properties": { + "name": { + "default": "", + "description": "this is the name of the common config storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "", + "description": "this is the size of the common config storage. 
please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "conf", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "properties": { + "name": { + "default": "", + "description": "this is the name of the common persistant temp storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "", + "description": "this is the size of the common ptemp storage. please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "ptemp", + "type": "object" + } + }, + "title": "storage", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the 
creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/envbackend/values.yaml b/charts/envbackend/values.yaml new file mode 100644 index 0000000..b9fad06 --- /dev/null +++ b/charts/envbackend/values.yaml 
@@ -0,0 +1,131 @@ +# yaml-language-server: $schema=values.schema.json +storage: + conf: + # -- this is the name of the common config storage. + # please see section "Storage" for more information + name: + # -- this is the size of the common config storage. + # please see section "Storage" for more information + size: + # -- you can set the volumeName to the value of a pre-existing + # volume to avoid having the PV created for you by the csi driver provisioner + volumeName: + ptemp: + # -- this is the name of the common persistant temp storage. + # please see section "Storage" for more information + name: + # -- this is the size of the common ptemp storage. + # please see section "Storage" for more information + size: + # -- you can set the volumeName to the value of a pre-existing + # volume to avoid having the PV created for you by the csi driver provisioner + volumeName: +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ https: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. 
It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. 
+ # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/envdav/Chart.yaml b/charts/envdav/Chart.yaml new file mode 100644 index 0000000..05c58e0 --- /dev/null +++ b/charts/envdav/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-environment-dav +description: Provides WebDAV access to environment resources such as the conf PVC and the ptemp PVC +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/envdav/README.md b/charts/envdav/README.md new file mode 100644 index 0000000..7dab76f --- /dev/null +++ b/charts/envdav/README.md 
@@ -0,0 +1,145 @@ + + +# nplus-environment-dav + +Provides WebDAV access to environment resources such as the conf PVC and the ptemp PVC + +## nplus-environment-dav Chart Configuration + +You can customize / configure nplus-environment-dav by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +account | the dav user | `"admin"` | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. 
| | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"toolbox2"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"cr.nplus.cloud/subscription"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/dav"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8080` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8443` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"envdav"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +password | password of the dav user | `"admin"` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | `"1"` | +**resources**​.limits​.memory | The maximum allowed RAM for the container | `"512Mi"` | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. 
| `"1m"` | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | `"64Mi"` | +secret | Alternatively, define a secret | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | + diff --git a/charts/envdav/templates/ingress.tpl b/charts/envdav/templates/ingress.tpl new file mode 100644 index 0000000..32f7ef3 --- /dev/null +++ b/charts/envdav/templates/ingress.tpl @@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} diff --git a/charts/envdav/templates/networkpolicy.tpl b/charts/envdav/templates/networkpolicy.tpl new file mode 100644 index 0000000..f922e7b --- /dev/null +++ b/charts/envdav/templates/networkpolicy.tpl 
@@ -0,0 +1,39 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + ingress: + + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + - from: + - ipBlock: + cidr: {{ ((.this.security).cni).adminIpRange | quote }} + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + policyTypes: + - Egress + - Ingress + + egress: + # -- Access DNS + - ports: + - protocol: TCP + port: 53 + - protocol: UDP + port: 53 +{{- end }} \ No newline at end of file diff --git a/charts/envdav/templates/pdb.tpl b/charts/envdav/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/envdav/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/envdav/templates/service.tpl b/charts/envdav/templates/service.tpl new file mode 100644 index 0000000..ba9db18 --- /dev/null +++ b/charts/envdav/templates/service.tpl 
@@ -0,0 +1,33 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/envdav/templates/statefulset.tpl b/charts/envdav/templates/statefulset.tpl new file mode 100644 index 0000000..bf79867 --- /dev/null +++ b/charts/envdav/templates/statefulset.tpl 
@@ -0,0 +1,89 @@ +{{- include "nplus.init" $ -}} +{{- if not ((.this.storage).conf).name -}} + {{ fail "conf name must be set" }} +{{- end -}} + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + +spec: + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: 1 + podManagementPolicy: OrderedReady + updateStrategy: + type: RollingUpdate + minReadySeconds: 30 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + containers: + + - name: dav + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + command: [ "/nplus/davserver" ] + volumeMounts: + - name: conf + mountPath: /webdav/conf + - name: ptemp + mountPath: /webdav/ptemp + {{- include "nplus.resources" . | nindent 8 }} + + env: + # -- DAV Connection Credentials + {{- include "nplus.envCredentials" (list + "DAV_USER" $.this.account + "DAV_PASSWORD" $.this.password + $.this.secret + ) | nindent 10 }} + + - name: DAV_ROOT + value: "/dav" + + ports: + {{- include "nplus.defaultContainerPorts" . 
| nindent 8 }} + + readinessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + initialDelaySeconds: 15 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + initialDelaySeconds: 15 + periodSeconds: 10 + + volumes: + - name: conf + persistentVolumeClaim: + claimName: conf + - name: ptemp + persistentVolumeClaim: + claimName: ptemp + diff --git a/charts/envdav/values.schema.json b/charts/envdav/values.schema.json new file mode 100644 index 0000000..87bce13 --- /dev/null +++ b/charts/envdav/values.schema.json 
@@ -0,0 +1,489 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "account": { + "default": "admin", + "description": "the dav user", + "title": "account" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + 
}, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dav", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envdav", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "password": { + "default": "admin", + "description": "password of the dav user", + "title": "password" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "secret": { + "default": "", + "description": "Alternatively, define a secret", + "title": "secret" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "type": "object" +} 
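Review bot: In charts/envdav/templates/networkpolicy.tpl the admin rule `- ipBlock: cidr: {{ ((.this.security).cni).adminIpRange | quote }}` is rendered whenever `createNetworkPolicy` is true, with no check that `adminIpRange` is set. An unset value renders `cidr: ""`, which is not a valid CIDR, so the API server rejects the whole NetworkPolicy. Wrap the rule in `{{- if ((.this.security).cni).adminIpRange }}`, or fail the render with a clear message the way statefulset.tpl does for the conf name. The egress block allows port 53 with no `to` selector, so DNS is permitted to any destination and nothing else is; a comment stating that this is intended for the DAV pod would help the next reader.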
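Review bot: charts/envdav/templates/service.tpl renders the Service unconditionally, although this chart documents `service.enabled` as the switch that enables the service and states that disabling it also disables the ingress. As far as this template shows, setting `service.enabled: false` has no effect on the Service itself. Guard the manifest with `{{- if .this.service.enabled }}` (emitting the same kind of "not generating" comment that ingress.tpl uses in its else branch), or remove the key from the values and the README table.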
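Review bot: charts/envdav/templates/statefulset.tpl fails the render when `((.this.storage).conf).name` is unset, but the volumes section then hard-codes `claimName: conf` and `claimName: ptemp`, so the value that was just checked is never used. Either render the configured name into the `conf` volume (and give `ptemp` an equivalent setting), or drop the check. With `readOnlyRootFilesystem: true` as the default, it is also worth noting in a comment that `/webdav/conf` and `/webdav/ptemp` are the only writable paths this container gets.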
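Review bot: In charts/envdav/values.schema.json the `security` object sets `"additionalProperties": false` and lists only `containerSecurityContext`, `podSecurityContext` and `zeroTrust`, while networkpolicy.tpl reads `security.cni.createNetworkPolicy`, `adminIpRange` and `excludeUnusedPorts`. The top level is closed in the same way and has no `storage` property, although statefulset.tpl requires `storage.conf.name`. If these keys are meant to be settable on this chart, add them to the schema; if they only arrive through `global`, say so in the descriptions. Most leaf properties carry no `type`, and boolean defaults are written as strings (`"true"`, or `false` wrapped in backticks), so the schema checks little beyond key names; `password` in particular has no constraint at all. The `pullSecrets` items list `{ "type": "string" }` twice under `anyOf`, which can be a single `"type": "string"`.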
diff --git a/charts/envdav/values.yaml b/charts/envdav/values.yaml new file mode 100644 index 0000000..99bebfe --- /dev/null +++ b/charts/envdav/values.yaml 
@@ -0,0 +1,240 @@ +# yaml-language-server: $schema=values.schema.json +# -- provide the image to be used for this component +image: + # -- if you use a private repo, feel free to set it here + repo: cr.nplus.cloud/subscription + # -- the name of the image to use + name: toolbox2 + # -- the tag of the image to use + tag: latest + pullPolicy: IfNotPresent + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr +# -- the dav user +account: admin +# -- password of the dav user +password: admin +# -- Alternatively, define a secret +secret: +meta: + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8080 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8443 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. 
+ type: envdav + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/dav" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. 
This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: "1m" + # -- Set the share of guaranteed RAM to the container + memory: "64Mi" + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: "1" + # -- The maximum allowed RAM for the container + memory: "512Mi" +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. 
This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/environment/Chart.yaml b/charts/environment/Chart.yaml new file mode 100644 index 0000000..b912791 --- /dev/null +++ b/charts/environment/Chart.yaml @@ -0,0 +1,34 @@ +apiVersion: v2 +name: nplus-environment +description: Installs Namespace-Wide Resources such as the conf PVC, the toolbox and the nplus monitoring service +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" + - name: nplus-environment-backend + alias: backend + version: "*-0" + repository: "file://../envbackend" + - name: nplus-environment-dav + alias: dav + condition: components.dav + version: "*-0" + repository: "file://../envdav" + - name: nplus-environment-toolbox + alias: toolbox + condition: components.toolbox + version: "*-0" + repository: "file://../envtoolbox" + - name: nplus-environment-operator + alias: operator + version: "*-0" + repository: "file://../envoperator" + - name: nplus-prepper + alias: prepper + condition: components.prepper + version: "*-0" + repository: "file://../prepper" +version: 1.0.0 diff --git a/charts/environment/README.md b/charts/environment/README.md new file mode 100644 index 0000000..31da37d --- /dev/null +++ b/charts/environment/README.md 
@@ -0,0 +1,103 @@ + + +# nplus-environment + +Installs Namespace-Wide Resources such as the conf PVC, the toolbox and the nplus monitoring service + +This Environment Chart provides a common config pool and administrative tools to +operate all nplus instances in this namespace. +There must be exactly one deployed instance of this environment chart per kubernetes namespace. +Without the environment, the instance and component charts will fail to deploy. + +It also deployes the operator, which is a monitoring component to observe all instances and provide +healthyness information to the administrator and third party dashboards + +## nplus-environment Chart Configuration + +You can customize / configure nplus-environment by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. 
You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**components**​.dav | Enables WebDAV access to conf and ptemp | `true` | +**components**​.prepper | enables an optional prepper that you can use to deploy fonts, scripts etc. during environment setup | `false` | +**components**​.toolbox | enables the toolbox | `true` | +environmentNameOverride | If you want to override the name of the Environment for display purposes, do it here. | | +**global**​.environment​.storage​.conf​.name | this is the name of the common config storage. please see section "Storage" for more information | `"conf"` | +**global**​.environment​.storage​.conf​.size | this is the size of the common config storage. please see section "Storage" for more information | `"10Gi"` | +**global**​.environment​.storage​.conf​.volumeName | you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner | | +**global**​.environment​.storage​.ptemp​.name | this is the name of the common persistant temp storage. please see section "Storage" for more information | `"ptemp"` | +**global**​.environment​.storage​.ptemp​.size | this is the size of the common ptemp storage. please see section "Storage" for more information | `"10Gi"` | +**global**​.environment​.storage​.ptemp​.volumeName | you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner | | +**global**​.meta​.isEnvironment | specifies that this is deployment is part of an Environment. Used to determine the correct name of the deployment
Do not change | **info only**, do not change
`true` | + diff --git a/charts/environment/templates/NOTES.txt b/charts/environment/templates/NOTES.txt new file mode 100644 index 0000000..7a65a8b --- /dev/null +++ b/charts/environment/templates/NOTES.txt @@ -0,0 +1,43 @@ +{{ .component.chartName }} {{ .Chart.Version }} {{- if .Chart.AppVersion }} / {{ .Chart.AppVersion }}{{- end }} + +{{ .Chart.Description }} + +To uninstall, use + helm uninstall {{ include "nplus.cli" . }} +{{ if (.Values.dav).enabled }} +The environment DAV Server is enabled. To get logs, use + kubectl logs -n lab -l nplus/component=nplus-environment,nplus/role=davserver +to connect, browse to + https://{{ .Release.Name }}.{{ .this.ingress.domain }}/dav +{{- else }} +The environment DAV Server is disabled. +{{- end }} + +{{- if (.Values.nstoreDownloader).enabled }} +The nstore Downloader is enabled. To get logs, use + kubectl logs -n lab -l nplus/component=nplus-environment,nplus/role=downloader +{{- else }} +The nstore Downloader is disabled. +{{- end }} + +{{- if (.Values.toolbox).enabled }} +The toolbox is enabled. To get logs, use + kubectl logs -n lab -l nplus/component=nplus-environment,nplus/role=toolbox +{{- else }} +The toolbox is disabled. +{{- end }} + +{{- if (.Values.operator).enabled }} +The operator is enabled. You can get information on nscale Instances and Components using + kubectl get instances,components +{{- if (.Values.operator).ui }} +Also, the UI is enabled, access it at + https://{{ .Release.Name }}.{{ .this.ingress.domain }}/monitoring +{{- else }} +The UI is disabled. +{{- end }} +{{- else }} +The operator is disabled. +{{- end }} + +Providing {{ ((.this.storage).conf).size }} of storage under the name "{{ ((.this.storage).conf).name }}" of class "{{ ((.this.storage).conf).class | default "default" }}" diff --git a/charts/environment/templates/certificate.tpl b/charts/environment/templates/certificate.tpl new file mode 100644 index 0000000..4169e5b --- /dev/null +++ b/charts/environment/templates/certificate.tpl 
@@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.certificate" . | nindent 0 }} \ No newline at end of file diff --git a/charts/environment/values.schema.json b/charts/environment/values.schema.json new file mode 100644 index 0000000..195d655 --- /dev/null +++ b/charts/environment/values.schema.json 
@@ -0,0 +1,2435 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "backend": { + "description": "Installs Namespace-Wide Resources such as the conf PVC and the ptemp PVC", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "storage": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "conf": { + "additionalProperties": false, + "properties": { + "name": { + "default": "", + "description": "this is the name of the common config storage. 
please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "", + "description": "this is the size of the common config storage. please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "conf", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "properties": { + "name": { + "default": "", + "description": "this is the name of the common persistant temp storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "", + "description": "this is the size of the common ptemp storage. please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "ptemp", + "type": "object" + } + }, + "title": "storage", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": 
"`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-backend", + "type": "object" + }, + "components": { + "additionalProperties": false, + "properties": { + "dav": { + "default": "true", + "description": "Enables WebDAV access to conf and ptemp", + "title": "dav" + }, + "prepper": { + "default": "false", + "description": "enables an optional prepper that you can use to deploy fonts, scripts etc. during environment setup", + "title": "prepper" + }, + "toolbox": { + "default": "true", + "description": "enables the toolbox", + "title": "toolbox" + } + }, + "title": "components", + "type": "object" + }, + "dav": { + "description": "Provides WebDAV access to environment resources such as the conf PVC and the ptemp PVC", + "properties": { + "account": { + "default": "admin", + "description": "the dav user", + "title": "account" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dav", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envdav", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "password": { + "default": "admin", + "description": "password of the dav user", + "title": "password" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "secret": { + "default": "", + "description": "Alternatively, define a secret", + "title": "secret" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-dav", + "type": "object" + }, + "environmentNameOverride": { + "default": "", + "description": "If you want to override the name of the Environment for display purposes, do it here.", + "title": "environmentNameOverride" + }, + "global": { + "additionalProperties": false, + "properties": { + "environment": { + "additionalProperties": false, + "properties": { + "storage": { + "additionalProperties": false, + "properties": { + "conf": { + "additionalProperties": false, + "properties": { + "name": { + "default": "conf", + "description": "this is the name of the common config storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "10Gi", + "description": "this is the size of the common config storage. please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "conf", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "properties": { + "name": { + "default": "ptemp", + "description": "this is the name of the common persistant temp storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "10Gi", + "description": "this is the size of the common ptemp storage. 
please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "ptemp", + "type": "object" + } + }, + "title": "storage", + "type": "object" + } + }, + "title": "environment", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "isEnvironment": { + "default": "true", + "description": "specifies that this is deployment is part of an Environment. Used to determine the correct name of the deployment @internal -- Do not change", + "title": "isEnvironment" + } + }, + "title": "meta", + "type": "object" + } + }, + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "operator": { + "description": "Installs the nplus operator managin the custom resource definitions for nplus and nscale", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "operator", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/monitoring", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envoperator", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "ui": { + "default": "true", + "description": "Enables the web ui, default under /monitoring", + "title": "ui" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-operator", + "type": "object" + }, + "prepper": { + "description": "nplus Prepper, used to deploy assets prior to component deployment", + "properties": { + "download": { + "default": "", + "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", + "title": "download" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "application", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/application", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/pool", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": 
"nodeSelector" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "nstl", + "type": "object" + }, + "prerun": { + "default": "", + "description": "A list of scripts to run before the deployment of Apps", + "title": "prerun" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "rs": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale rendition Server*. 
This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "rs", + "type": "object" + }, + "run": { + "default": "", + "description": "A list of scripts to run after the deployment of Apps", + "title": "run" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-prepper", + "type": "object" + }, + "toolbox": { + "description": "Installs the environment toolbox with git and nstore downloader installed, also serving as target for pool copy actions in the pipeline", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envtoolbox", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "nstoreDownloader": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "enabled": { + "default": "false", + "description": "enables the nstore downloader", + "title": "enabled" + }, + "nstore": { + "default": "`https://nstore.ceyoniq.com...`", + "description": "set the nstore URL", + "title": "nstore" + }, + "target": { + "default": "pool/nstore", + "description": "target directory in the conf pv", + "title": "target" + } + }, + "title": "nstoreDownloader", + "type": "object" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-toolbox", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/environment/values.yaml b/charts/environment/values.yaml new file mode 100644 index 0000000..6d7114b --- /dev/null +++ b/charts/environment/values.yaml 
@@ -0,0 +1,38 @@ +# yaml-language-server: $schema=values.schema.json +components: + # -- Enables WebDAV access to conf and ptemp + dav: true + # -- enables the toolbox + toolbox: true + # -- enables an optional prepper that you can use to deploy fonts, scripts etc. during environment setup + prepper: false +global: + environment: + storage: + conf: + # -- this is the name of the common config storage. + # please see section "Storage" for more information + name: "conf" + # -- this is the size of the common config storage. + # please see section "Storage" for more information + size: "10Gi" + # -- you can set the volumeName to the value of a pre-existing + # volume to avoid having the PV created for you by the csi driver provisioner + volumeName: + ptemp: + # -- this is the name of the common persistant temp storage. + # please see section "Storage" for more information + name: "ptemp" + # -- this is the size of the common ptemp storage. + # please see section "Storage" for more information + size: "10Gi" + # -- you can set the volumeName to the value of a pre-existing + # volume to avoid having the PV created for you by the csi driver provisioner + volumeName: + meta: + # -- specifies that this is deployment is part of an Environment. Used to determine the correct + # name of the deployment + # @internal -- Do not change + isEnvironment: true +# -- If you want to override the name of the Environment for display purposes, do it here. +environmentNameOverride: diff --git a/charts/envoperator/Chart.yaml b/charts/envoperator/Chart.yaml new file mode 100644 index 0000000..73fd5f0 --- /dev/null +++ b/charts/envoperator/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-environment-operator +description: Installs the nplus operator managin the custom resource definitions for nplus and nscale +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 
diff --git a/charts/envoperator/README.md b/charts/envoperator/README.md new file mode 100644 index 0000000..9b20830 --- /dev/null +++ b/charts/envoperator/README.md 
@@ -0,0 +1,141 @@ + + +# nplus-environment-operator + +Installs the nplus operator managin the custom resource definitions for nplus and nscale + +## nplus-environment-operator Chart Configuration + +You can customize / configure nplus-environment-operator by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. 
| | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"operator"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"cr.nplus.cloud/subscription"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/monitoring"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8080` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8443` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"envoperator"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | `"1"` | +**resources**​.limits​.memory | The maximum allowed RAM for the container | `"512Mi"` | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. 
| `"1m"` | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | `"64Mi"` | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +ui | Enables the web ui, default under /monitoring | `true` | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | + diff --git a/charts/envoperator/templates/ingress.tpl b/charts/envoperator/templates/ingress.tpl new file mode 100644 index 0000000..e79625c --- /dev/null +++ b/charts/envoperator/templates/ingress.tpl @@ -0,0 +1,18 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + {{- if .this.ui }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} + {{- end }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} diff --git a/charts/envoperator/templates/networkpolicy.tpl b/charts/envoperator/templates/networkpolicy.tpl new file mode 100644 index 0000000..e33a4c1 --- /dev/null +++ b/charts/envoperator/templates/networkpolicy.tpl 
@@ -0,0 +1,46 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + ingress: + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + - from: + - ipBlock: + cidr: {{ ((.this.security).cni).adminIpRange | quote }} + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + policyTypes: + - Egress + - Ingress + + egress: + - ports: + # -- Possible K8s API + - protocol: TCP + port: 16443 + # -- Possible K8s API + - protocol: TCP + port: 443 + # -- Access DNS + - protocol: TCP + port: 53 + # -- Access DNS + - protocol: UDP + port: 53 +{{- end }} \ No newline at end of file diff --git a/charts/envoperator/templates/pdb.tpl b/charts/envoperator/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/envoperator/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/envoperator/templates/rbac.tpl b/charts/envoperator/templates/rbac.tpl new file mode 100755 index 0000000..4f2059e --- /dev/null +++ b/charts/envoperator/templates/rbac.tpl 
@@ -0,0 +1,60 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .component.fullName }}-svc-account + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .component.fullName }}-role + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +rules: + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets"] + verbs: ["get", "update", "patch", "list", "watch"] + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "update", "patch", "list", "watch", "delete"] + - apiGroups: ["nplus.cloud"] + resources: ["components", "instances", "applications"] + verbs: ["get", "update", "patch", "list", "watch"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .component.fullName }}-role-binding + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .component.fullName }}-role +subjects: +- kind: ServiceAccount + name: {{ .component.fullName }}-svc-account diff --git a/charts/envoperator/templates/service.tpl b/charts/envoperator/templates/service.tpl new file mode 100644 index 0000000..22c73b1 --- /dev/null +++ b/charts/envoperator/templates/service.tpl 
@@ -0,0 +1,33 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + + + type: ClusterIP + clusterIP: None + + + ports: + {{- if .this.ui }} + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + {{- end }} + + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} diff --git a/charts/envoperator/templates/statefulset.tpl b/charts/envoperator/templates/statefulset.tpl new file mode 100644 index 0000000..df8f474 --- /dev/null +++ b/charts/envoperator/templates/statefulset.tpl 
@@ -0,0 +1,72 @@ +{{- include "nplus.init" $ -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + +spec: + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: 1 + podManagementPolicy: OrderedReady + updateStrategy: + type: RollingUpdate + minReadySeconds: 30 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + serviceAccountName: {{ .component.fullName }}-svc-account + + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + containers: + + - name: operator + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.resources" . | nindent 8 }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + env: + - name: OP_PREFIX + value: "/monitoring" + {{- if .this.ui }} + - name: OP_UI + value: "true" + {{- end }} + # -- feel free to switch verbode loggin ON here: + # - name: OP_VERBOSE + # value: "true" + + readinessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + initialDelaySeconds: 10 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . 
}} + initialDelaySeconds: 10 + periodSeconds: 10 \ No newline at end of file diff --git a/charts/envoperator/values.schema.json b/charts/envoperator/values.schema.json new file mode 100644 index 0000000..e4ebcaa --- /dev/null +++ b/charts/envoperator/values.schema.json 
@@ -0,0 +1,462 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "operator", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + 
"description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/monitoring", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envoperator", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "ui": { + "default": "true", + "description": "Enables the web ui, default under /monitoring", + "title": "ui" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/envoperator/values.yaml b/charts/envoperator/values.yaml new file mode 100644 index 0000000..9eb37da --- /dev/null +++ b/charts/envoperator/values.yaml 
@@ -0,0 +1,230 @@ +# yaml-language-server: $schema=values.schema.json +# -- provide the image to be used for this component +image: + # -- if you use a private repo, feel free to set it here + repo: cr.nplus.cloud/subscription + # -- the name of the image to use + name: operator + # -- the tag of the image to use + tag: latest + pullPolicy: IfNotPresent + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr +# -- Enables the web ui, default under /monitoring +ui: true +meta: + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8080 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8443 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. 
+ type: envoperator + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/monitoring" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. 
This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: "1m" + # -- Set the share of guaranteed RAM to the container + memory: "64Mi" + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: "1" + # -- The maximum allowed RAM for the container + memory: "512Mi" +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. 
This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/envtoolbox/Chart.yaml b/charts/envtoolbox/Chart.yaml new file mode 100644 index 0000000..3acd8d3 --- /dev/null +++ b/charts/envtoolbox/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-environment-toolbox +description: Installs the environment toolbox with git and nstore downloader installed, also serving as target for pool copy actions in the pipeline +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/envtoolbox/README.md b/charts/envtoolbox/README.md new file mode 100644 index 0000000..34734fb --- /dev/null +++ b/charts/envtoolbox/README.md 
@@ -0,0 +1,126 @@ + + +# nplus-environment-toolbox + +Installs the environment toolbox with git and nstore downloader installed, also serving as target for pool copy actions in the pipeline + +## nplus-environment-toolbox Chart Configuration + +You can customize / configure nplus-environment-toolbox by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. 
+ +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"toolbox2"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"cr.nplus.cloud/subscription"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"envtoolbox"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +**nstoreDownloader**​.enabled | enables the nstore downloader | `false` | +**nstoreDownloader**​.nstore | set the nstore URL | `https://nstore.ceyoniq.com...` | +**nstoreDownloader**​.target | target directory in the conf pv | `"pool/nstore"` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | `"1"` | +**resources**​.limits​.memory | The maximum allowed RAM for the container | `"512Mi"` | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | `"1m"` | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | `"64Mi"` | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | + diff --git a/charts/envtoolbox/templates/cronjob-nstore.tpl b/charts/envtoolbox/templates/cronjob-nstore.tpl new file mode 100644 index 0000000..be18aa4 --- /dev/null +++ b/charts/envtoolbox/templates/cronjob-nstore.tpl 
@@ -0,0 +1,72 @@ +{{- define "nplus.environment.nstorecopy" -}} +{{- if (.Values.nstoreDownloader).enabled }} +template: + metadata: + labels: + {{- include "nplus.instanceLabels" . | nindent 6 }} + spec: + {{- include "nplus.podSecurityContext" . | nindent 4 }} + {{- include "nplus.imagePullSecrets" . | nindent 4 }} + containers: + - name: downloader + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{ include "nplus.containerSecurityContext" . | nindent 6 }} + command: [ "/bin/sh", "-c" ] + args: + - | + mkdir -p /conf/{{ .Values.nstoreDownloader.target }} + cd /conf/{{ .Values.nstoreDownloader.target }} + wget -r -np -nH -nc -nd -A zip -X '*/*/*/*/*/*/1*,*/*/*/*/*/*/2*,*/*/*/*/*/*/3*,*/*/*/*/*/*/4*,*/*/*/*/*/*/5*,*/*/*/*/*/*/6*,*/*/*/*/*/*/7*,*/*/*/*/*/*/8*' -nd {{ .Values.nstoreDownloader.nstore }} + volumeMounts: + - name: conf + mountPath: /conf + + restartPolicy: OnFailure + volumes: + - name: conf + persistentVolumeClaim: + claimName: conf +{{- end -}} +{{- end -}} +--- +{{- if .Values.nstoreDownloader.enabled }} +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ .component.fullName }}-nstore + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + schedule: "0 3 * * *" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 0 + failedJobsHistoryLimit: 1 + jobTemplate: + spec: + {{- include "nplus.environment.nstorecopy" . | nindent 6 }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .component.fullName }}-nstore-oncreate + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . 
| nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + ttlSecondsAfterFinished: 60 + {{- include "nplus.environment.nstorecopy" . | nindent 2 }} +{{- else }} +# nstore Downloader is disabled +{{- end }} \ No newline at end of file diff --git a/charts/envtoolbox/templates/networkpolicy.tpl b/charts/envtoolbox/templates/networkpolicy.tpl new file mode 100644 index 0000000..db7e064 --- /dev/null +++ b/charts/envtoolbox/templates/networkpolicy.tpl @@ -0,0 +1,33 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Egress + - Ingress + + egress: + - ports: + # -- Possible K8s API + - protocol: TCP + port: 16443 + # -- Possible K8s API AND potential git server + - protocol: TCP + port: 443 + # -- Access DNS + - protocol: TCP + port: 53 + # -- Access DNS + - protocol: UDP + port: 53 +{{- end }} \ No newline at end of file diff --git a/charts/envtoolbox/templates/pdb.tpl b/charts/envtoolbox/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/envtoolbox/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/envtoolbox/templates/rbac.tpl b/charts/envtoolbox/templates/rbac.tpl new file mode 100755 index 0000000..97d0c63 --- /dev/null +++ b/charts/envtoolbox/templates/rbac.tpl 
@@ -0,0 +1,76 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .component.fullName }}-svc-account + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .component.fullName }}-role + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +rules: + - apiGroups: [""] + resources: ["pods", "secrets","serviceaccounts", "persistentvolumeclaims", "configmaps", "services", "replicationcontrollers", "pods/log"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] + - apiGroups: ["apps"] + resources: ["deployments", "statefulsets", "daemonsets", "replicasets"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["Role", "roles", "rolebindings"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] + - apiGroups: ["batch"] + resources: ["jobs", "cronjobs"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] + - apiGroups: ["autoscaling"] + resources: ["horizontalpodautoscalers"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["create", "get", "update", "patch", "delete", "list", "watch"] + + - apiGroups: ["nplus.cloud"] + resources: 
["components", "instances"] + verbs: ["get", "update", "patch", "list", "watch"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .component.fullName }}-role-binding + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .component.fullName }}-role +subjects: +- kind: ServiceAccount + name: {{ .component.fullName }}-svc-account diff --git a/charts/envtoolbox/templates/statefulset.tpl b/charts/envtoolbox/templates/statefulset.tpl new file mode 100644 index 0000000..a99d866 --- /dev/null +++ b/charts/envtoolbox/templates/statefulset.tpl 
@@ -0,0 +1,125 @@ +{{- include "nplus.init" $ -}} + +{{- if not ((.this.storage).conf).name -}} + {{ fail "conf name must be set" }} +{{- end -}} +{{- if not ((.this.storage).ptemp).name -}} + {{ fail "ptemp name must be set" }} +{{- end -}} + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + +spec: + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: 1 + podManagementPolicy: OrderedReady + updateStrategy: + type: RollingUpdate + minReadySeconds: 30 + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + kubectl.kubernetes.io/default-container: toolbox + spec: + serviceAccountName: {{ .component.fullName }}-svc-account + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{/* + - name: deploy + image: {{ .Values.toolboxImage }} + imagePullPolicy: {{ .Values.toolboxImagePullPolicy }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + command: [ "/bin/sh", "-c" ] + args: + - | + echo "deploying to /nplus" + cp -rnxv /opt/42i/nplus/* /nplus + volumeMounts: + - name: nplus + mountPath: /nplus + {{- end }} */}} + - name: dirprepare + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.initResources" . | nindent 8 }} + command: [ "/bin/sh", "-c" ] + args: + - | + mkdir -p /conf/pool/{apps,fonts,snippets,scripts,snc} && \ + {{- if not ((.this.storage).conf).cifs }} + chmod 775 -R /conf/pool && \ + {{- end }} + echo "ok." + volumeMounts: + - name: conf + mountPath: /conf + - name: gitprepare + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.initResources" . | nindent 8 }} + command: [ "/bin/sh", "-c" ] + args: + - | + echo "checking git in /conf..." + if [ ! -f "/conf/.gitignore" ]; then + echo "writing .gitignore" + echo "/{{ .Values.nstoreDownloader.target }}/*" > /conf/.gitignore + fi + if [ ! -d "/conf/.git" ]; then + echo "init git in /conf with branch master" + git -C "/conf" init -b master + git -C "/conf" add .gitignore + echo "first commit (with .gitignore)" + git -C "/conf" commit -m "Initial commit for config of nplus environment {{ .Release.Namespace }}" + fi + echo "ok." + volumeMounts: + - name: conf + mountPath: /conf + containers: + - name: toolbox + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + command: [ "/bin/bash", "-c", "--" ] + args: [ "while true; do sleep 30; done;" ] + + volumeMounts: + - name: conf + mountPath: /conf + - name: ptemp + mountPath: /ptemp + {{- include "nplus.resources" . | nindent 8 }} + + volumes: + - name: ptemp + persistentVolumeClaim: + claimName: ptemp + - name: conf + persistentVolumeClaim: + claimName: conf + diff --git a/charts/envtoolbox/values.schema.json b/charts/envtoolbox/values.schema.json new file mode 100644 index 0000000..23ff3f8 --- /dev/null +++ b/charts/envtoolbox/values.schema.json 
@@ -0,0 +1,380 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + 
"description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envtoolbox", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "nstoreDownloader": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": "false", + "description": "enables the nstore downloader", + "title": "enabled" + }, + "nstore": { + "default": "`https://nstore.ceyoniq.com...`", + "description": "set the nstore URL", + "title": "nstore" + }, + "target": { + "default": "pool/nstore", + "description": "target directory in the conf pv", + "title": "target" + } + }, + "title": "nstoreDownloader", + "type": "object" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": 
{ + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/envtoolbox/values.yaml b/charts/envtoolbox/values.yaml new file mode 100644 index 0000000..c971506 --- /dev/null +++ b/charts/envtoolbox/values.yaml 
@@ -0,0 +1,174 @@ +# yaml-language-server: $schema=values.schema.json +nstoreDownloader: + # -- enables the nstore downloader + enabled: false + # -- set the nstore URL + # @default -- `https://nstore.ceyoniq.com...` + nstore: "https://nstore.ceyoniq.com/repository/com/ceyoniq/nscale/businessapps/" + # -- target directory in the conf pv + target: pool/nstore +# -- provide the image to be used for this component +image: + # -- if you use a private repo, feel free to set it here + repo: cr.nplus.cloud/subscription + # -- the name of the image to use + name: toolbox2 + # -- the tag of the image to use + tag: "latest" + pullPolicy: IfNotPresent + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. 
Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: "1m" + # -- Set the share of guaranteed RAM to the container + memory: "64Mi" + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: "1" + # -- The maximum allowed RAM for the container + memory: "512Mi" +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: envtoolbox + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcp: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. 
It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/erpcmis/Chart.yaml b/charts/erpcmis/Chart.yaml new file mode 100644 index 0000000..fdf5511 --- /dev/null +++ b/charts/erpcmis/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-erpcmis +description: nscale ERP CMIS, providing SAP S/4 HANA Public Cloud Archive Access +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/erpcmis/README.md b/charts/erpcmis/README.md new file mode 100644 index 0000000..57d2576 --- /dev/null +++ b/charts/erpcmis/README.md 
@@ -0,0 +1,196 @@ + + +# nplus-component-erpcmis + +nscale ERP CMIS, providing SAP S/4 HANA Public Cloud Archive Access + +## nplus-component-erpcmis Chart Configuration + +You can customize / configure nplus-component-erpcmis by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. 
You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**alien**​.doAppend | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**alien**​.port | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**alien**​.server | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**alien**​.ssl | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**alien**​.url | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**alien**​.useSign | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"erp-cmis-connector"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/cmis/browser"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. 
These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8096` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8196` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"erpcmis-connector"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. 
| `"erpcmis"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +**migration**​.checkDocuments | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**migration**​.checkIgnoreTime | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**migration**​.delay | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**migration**​.doListMigration | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**migration**​.enabled | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**migration**​.fileDelimiter | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**migration**​.viaFileSystem | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/erp-cmis/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/erp-cmis/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.path | Sets the path to the temporary files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/erp-cmis/temp"` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**sign**​.authID | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**sign**​.keyAlias | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**sign**​.keyPassword | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | +**xsap**​.useSign | Documentation pending until official release of the erp cmis image by *Ceyoniq* | | + 
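Review bot: the Keys table in this README lists the default of `image.tag` as `"latest"`, but the `values.schema.json` added in the same commit gives the default as `ubi.9.2.1000.2024032720`, and `compose.yaml` pins that same tag, so one of the two is wrong. Please align the README with the value the chart actually ships, preferably the pinned tag, because a floating `latest` default cannot be reproduced or audited against a known image. In the same table, `nappl.password` is offered as a plain value next to `nappl.secret`; the description should say that the secret is the preferred form, so that credentials stay out of values files and rendered manifests. Smaller points: the `utils.includeNamespace` description shows `kubectl apply -n -f template.yaml` with the namespace argument missing, and the descriptions contain spelling slips (`depricated`, `starndard`, `podDesruptionBudget`, `primaty`, `accunt`, `inlcuding`).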
diff --git a/charts/erpcmis/compose.yaml b/charts/erpcmis/compose.yaml new file mode 100644 index 0000000..d043f55 --- /dev/null +++ b/charts/erpcmis/compose.yaml @@ -0,0 +1,31 @@ +networks: + nscale: + +services: + cmis-connector: + image: ceyoniq.azurecr.io/release/nscale/erp-cmis-connector:ubi.9.2.1000.2024032720 + environment: + - CMIS_AL_HOST=application-layer + - CMIS_AL_PORT=8080 + - CMIS_AL_SSL=false + - CMIS_AL_INSTANCE=nscalealinst1 + - CONF_VIRUSSCAN_ACTIVE=false + - CONF_VIRUSSCAN_UNIXSOCK=false + - CONF_VIRUSSCAN_TEMP_FOLDER= + - CONF_VIRUSSCAN_SOCKPATH= + - CONF_VIRUSSCAN_HOST=clamav + - CONF_VIRUSSCAN_PORT= + ports: + - "8096:8096" # HTTP + - "8196:8196" # HTTPS + networks: + - nscale + depends_on: + - clamav + + clamav: + image: docker.io/clamav/clamav:1.2 + networks: + - nscale + volumes: + - ./config/clamav/sockets/:/tmp/ \ No newline at end of file diff --git a/charts/erpcmis/templates/component.tpl b/charts/erpcmis/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/erpcmis/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/erpcmis/templates/deployment.tpl b/charts/erpcmis/templates/deployment.tpl new file mode 100644 index 0000000..f2d39e2 --- /dev/null +++ b/charts/erpcmis/templates/deployment.tpl 
@@ -0,0 +1,110 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: + type: RollingUpdate + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: erpcmis-connector + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + env: + # -- NAPPL Connection Settings + {{- include "nplus.env" (dict + "CMIS_AL_HOST" ($.this.nappl).host + "CMIS_AL_PORT" ($.this.nappl).port + "CMIS_AL_INSTANCE" ($.this.nappl).instance + "CMIS_AL_SSL" ($.this.nappl).ssl + ) | nindent 10 }} + + #TODO: Manuel sagt, der Virusscanner würde noch nicht gehen, daher schalten wir den hier erstmal global ab. + # -- Virus Scanner Settings + {{- include "nplus.env" (dict + "CONF_VIRUSSCAN_ACTIVE" "false" + "CONF_VIRUSSCAN_TEMP_FOLDER" "" + "CONF_VIRUSSCAN_SOCKPATH" "" + "CONF_VIRUSSCAN_HOST" "" + "CONF_VIRUSSCAN_PORT" "" + ) | nindent 10 }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + initialDelaySeconds: 10 + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 5 + tcpSocket: + port: {{ include "nplus.backendPort" . }} + #TODO: 9.3: Hier fehlt die echte Readiness Probe, die gibt es auch bei der CT nocht nicht. + readinessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 10 + periodSeconds: 10 + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 10 + periodSeconds: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/erpcmis/templates/ingress.tpl b/charts/erpcmis/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/erpcmis/templates/ingress.tpl 
@@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/erpcmis/templates/networkpolicy.tpl b/charts/erpcmis/templates/networkpolicy.tpl new file mode 100644 index 0000000..78faf3a --- /dev/null +++ b/charts/erpcmis/templates/networkpolicy.tpl @@ -0,0 +1,35 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + {{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/erpcmis/templates/pdb.tpl b/charts/erpcmis/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/erpcmis/templates/pdb.tpl 
@@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/erpcmis/templates/pvc.tpl b/charts/erpcmis/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/erpcmis/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/erpcmis/templates/service.tpl b/charts/erpcmis/templates/service.tpl new file mode 100644 index 0000000..350f504 --- /dev/null +++ b/charts/erpcmis/templates/service.tpl @@ -0,0 +1,32 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} diff --git a/charts/erpcmis/values.schema.json b/charts/erpcmis/values.schema.json new file mode 100644 index 0000000..47b2669 --- /dev/null +++ b/charts/erpcmis/values.schema.json 
@@ -0,0 +1,952 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "alien": { + "additionalProperties": false, + "properties": { + "doAppend": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "doAppend" + }, + "port": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "port" + }, + "server": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "server" + }, + "ssl": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "ssl" + }, + "url": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "alien", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "erp-cmis-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1000.2024032720", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/cmis/browser", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8096", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8196", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "erpcmis-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "erpcmis", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "migration": { + "additionalProperties": false, + "properties": { + "checkDocuments": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "checkDocuments" + }, + "checkIgnoreTime": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "checkIgnoreTime" + }, + "delay": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "delay" + }, + "doListMigration": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "doListMigration" + }, + "enabled": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "enabled" + }, + "fileDelimiter": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "fileDelimiter" + }, + "viaFileSystem": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "viaFileSystem" + } + }, + "title": "migration", + "type": "object" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, 
a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the 
class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of 
your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sign": { + "additionalProperties": false, + "properties": { + "authID": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "authID" + }, + "keyAlias": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "keyPassword" + } + }, + "title": "sign", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service 
name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + }, + "xsap": { + "additionalProperties": false, + "properties": { + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "xsap", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/erpcmis/values.yaml b/charts/erpcmis/values.yaml new file mode 100644 index 0000000..79b017f --- /dev/null +++ b/charts/erpcmis/values.yaml @@ -0,0 +1,460 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/cmis/browser" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Sets the number of replicas in this replicaSet. +# Some Components (like nstl or sharepoint) only allow a count of 1. +replicaCount: 1 +# -- the update Strategy for this component. Normally, you can update all components +# rolling, except for nappl, where you need to follow the documented update procedures. +updateStrategy: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. 
Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# # : +# # path: +# # volumeName: +# # subPath: + +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/erp-cmis/temp" + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/erp-cmis/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/erp-cmis/logs" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: erp-cmis-connector + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: erpcmis + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8096 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8196 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: erpcmis-connector + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. 
+env: +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. 
+waitFor: +# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as +# minAvailable, using the full component as selector. This is useful for components, that are +# using multiple replicas. +minReplicaCount: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +xsap: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + useSign: +alien: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + server: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + port: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + url: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + useSign: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + ssl: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + doAppend: +sign: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + keyAlias: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + keyPassword: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + authID: +migration: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + enabled: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + delay: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + doListMigration: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + fileDelimiter: + # -- Documentation pending until official release of the erp 
cmis image by *Ceyoniq* + checkDocuments: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + checkIgnoreTime: + # -- Documentation pending until official release of the erp cmis image by *Ceyoniq* + viaFileSystem: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/erpproxy/Chart.yaml b/charts/erpproxy/Chart.yaml new file mode 100644 index 0000000..087acc1 --- /dev/null +++ b/charts/erpproxy/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-erpproxy +description: nscale ERP Proxy, providing SAP Archive Link access to alien Archive Components +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/erpproxy/README.md b/charts/erpproxy/README.md new file mode 100644 index 0000000..9c9858a --- /dev/null +++ b/charts/erpproxy/README.md 
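Review bot: in the charts/erpcmis values.yaml hunk, the `image` block defaults to `tag: latest`, a mutable tag, so the same chart version can roll out different connector images over time and a rollback does not restore the previous binary; default to a fixed release tag or digest and let the pipeline override it. In the same hunk, `nappl.password` and `sign.keyPassword` take credentials as plain values. The comments should name `nappl.secret` as the preferred path, and `sign` needs a secret-based alternative, since values files tend to end up in Git and in the Helm release data. Under `security.podSecurityContext` the visible defaults set `runAsUser: 1001` but no `runAsNonRoot: true`, so the "Avoid 0 / root" advice in the comment is not enforced if someone overrides the UID. The documented default for `ingress.namespace` ("ingress, kube-system, ingress-nginx") lets all of kube-system reach the pods through the networkPolicy, which is wider than an ingress controller needs; consider defaulting to the controller namespace only. Documentation points: the `ptemp` comment is a copy of the `temp` text ("it is deleted when the pod terminates") although `ptemp.path` is described as holding temporary files that are persisted; the `meta.type` comment still talks about pipeliner core mode; and the comment typos (`retriting`, `superflues`, `primaty`, `depricated`, `starndard`, `podDesruptionBudget`, `accunt`) flow into the generated README key table, so they are worth fixing at the source.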
@@ -0,0 +1,197 @@ + + +# nplus-component-erpproxy + +nscale ERP Proxy, providing SAP Archive Link access to alien Archive Components + +## nplus-component-erpproxy Chart Configuration + +You can customize / configure nplus-component-erpproxy by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**alien**​.doAppend | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**alien**​.port | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**alien**​.server | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**alien**​.ssl | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**alien**​.url | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**alien**​.useSign | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"sap-proxy-connector"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/pre-release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/sap_proxy"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8097` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8197` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"erpproxy-connector"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. 
| `"erpproxy"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +**migration**​.checkDocuments | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**migration**​.checkIgnoreTime | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**migration**​.delay | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**migration**​.doListMigration | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**migration**​.enabled | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**migration**​.fileDelimiter | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**migration**​.viaFileSystem | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/sap-proxy/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/sap-proxy/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.path | Sets the path to the temporary files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/sap-proxy/temp"` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**sign**​.authID | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**sign**​.keyAlias | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**sign**​.keyPassword | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | +**xsap**​.url | xsap url to use. 
| `"{{ printf \"%s/%s\" ($.this.nappl).instance \"xsap/cs/xsap\"}}"` | +**xsap**​.useSign | Documentation pending until official release of the erp proxy image by *Ceyoniq* | | + diff --git a/charts/erpproxy/compose.yaml b/charts/erpproxy/compose.yaml new file mode 100644 index 0000000..e62b2f8 --- /dev/null +++ b/charts/erpproxy/compose.yaml 
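Review bot: in the README table for charts/erpproxy, the rows for `sign.authID`, `sign.keyAlias`, `sign.keyPassword` and `xsap.useSign` carry only "Documentation pending", although the templates in this commit file them under the signature check settings. At minimum, state that `sign.keyPassword` is a credential and how it is expected to be supplied, the way the `nappl.secret` row does for the technical account. The descriptions also contain spelling slips that should be fixed where the table is generated: "primaty", "accunt", "ist run", "starndard", "depricated". The `kubectl apply -n -f template.yaml` example in the `utils.includeNamespace` row is missing its namespace argument.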
@@ -0,0 +1,45 @@ +networks: + nscale: + +services: + erp-proxy: + image: ceyoniq.azurecr.io/release/nscale/sap-proxy-connector:ubi.9.2.1500.2024090301 + volumes: + - ./license.xml:/opt/ceyoniq/nscale-for-sap/sap-proxy/conf/license.xml:ro + - ./dsaKeystore.ks:/opt/ceyoniq/nscale-for-sap/sap-proxy/bin/dsaKeystore.ks:rw + - ./log4j2_stdout.xml:/opt/ceyoniq/nscale-for-sap/sap-proxy/temp/tomcat.8097/conf/log4j2.xml:ro + - ./log4j2_stdout.xml:/opt/ceyoniq/nscale-for-sap/sap-proxy/conf/log4j2.xml:ro + - ./sap_proxy:/opt/ceyoniq/nscale-for-sap/sap-proxy/temp/tomcat.8097/work/nscaleSapProxy/localhost/sap_proxy:rw + environment: + # target system + - SAPPROXY_XSAP_SERVER=10.1.150.133 + - SAPPROXY_XSAP_PORT=8080 + - SAPPROXY_XSAP_URL=nscalealinst1/xsap/cs/xsap + - SAPPROXY_XSAP_USE_SIGN=false + - SAPPROXY_XSAP_USE_SSL=false + # source system + - SAPPROXY_ALIEN_SERVER=10.1.150.133 + - SAPPROXY_ALIEN_PORT=8082 + - SAPPROXY_ALIEN_URL=ctsapcs/ContentService + - SAPPROXY_ALIEN_USE_SIGN=false + - SAPPROXY_ALIEN_USE_SSL=false + - SAPPROXY_ALIEN_DO_APPEND=false + # signature check + - SAPPROXY_SIGN_KEY_ALIAS=sap_proxy + - SAPPROXY_SIGN_KEY_PASSWORD=drowssap + - SAPPROXY_SIGN_AUTHID=CN\=Test Leerzeichen,OU\=Test + # migration + - SAPPROXY_MIGRATION_DO_MIGRATION=false + - SAPPROXY_MIGRATION_DELAY_SEC=30 + - SAPPROXY_MIGRATION_DO_LIST_MIGRATION=false + - SAPPROXY_MIGRATION_FILE_DELIMITER=_ + - SAPPROXY_MIGRATION_CHECK_DOCUMENTS=false + - SAPPROXY_MIGRATION_CHECK_IGNORETIME=true + - SAPPROXY_MIGRATION_VIA_FILESYSTEM=false + # servlet path, must only be changed if web.xml is changed accordingly + - SAPPROXY_SERVLET_PATH=sap_proxy/ContentService + ports: + - "8097:8097" # HTTP + - "8197:8197" # HTTPS + networks: + - nscale diff --git a/charts/erpproxy/templates/component.tpl b/charts/erpproxy/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/erpproxy/templates/component.tpl 
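Review bot: charts/erpproxy/compose.yaml commits the keystore key password in clear text in the signature check block (`SAPPROXY_SIGN_KEY_PASSWORD=drowssap`, next to the alias `sap_proxy`). Read it from an untracked env file or a compose secret instead, and do not reuse the committed value anywhere. In the same file, both the target and the source system blocks set `..._USE_SSL=false` and `..._USE_SIGN=false` and point at the fixed address `10.1.150.133`, and `dsaKeystore.ks` is mounted `:rw`. A header comment saying this is a local test setup, plus `:ro` on the keystore if the proxy does not need to write it, would keep these defaults from being copied into a real environment.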
@@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/erpproxy/templates/deployment.tpl b/charts/erpproxy/templates/deployment.tpl new file mode 100644 index 0000000..7776cc4 --- /dev/null +++ b/charts/erpproxy/templates/deployment.tpl 
@@ -0,0 +1,134 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: + type: RollingUpdate + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: erpproxy-connector + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + env: + # -- NAPPL Connection Settings + # TODO: Die URL nach außen führen + {{- include "nplus.env" (dict + "SAPPROXY_XSAP_SERVER" ($.this.nappl).host + "SAPPROXY_XSAP_PORT" ($.this.nappl).port + "SAPPROXY_XSAP_URL" ($.this.nappl).url + "SAPPROXY_XSAP_USE_SSL" ($.this.nappl).ssl + ) | nindent 10 }} + + # -- XSAP Settings + {{- include "nplus.env" (dict + "SAPPROXY_XSAP_USE_SIGN" ($.this.xsap).useSign + ) | nindent 10 }} + + # -- Alien Settings + {{- include "nplus.env" (dict + "SAPPROXY_ALIEN_SERVER" ($.this.alien).server + "SAPPROXY_ALIEN_PORT" ($.this.alien).port + "SAPPROXY_ALIEN_URL" ($.this.alien).url + "SAPPROXY_ALIEN_USE_SIGN" ($.this.alien).useSign + "SAPPROXY_ALIEN_USE_SSL" ($.this.alien).ssl + "SAPPROXY_ALIEN_DO_APPEND" ($.this.alien).doAppend + ) | nindent 10 }} + + # -- Signature Check Settings + {{- include "nplus.env" (dict + "SAPPROXY_SIGN_KEY_ALIAS" ($.this.sign).keyAlias + "SAPPROXY_SIGN_KEY_PASSWORD" ($.this.sign).keyPassword + "SAPPROXY_SIGN_AUTHID" ($.this.sign).authID + ) | nindent 10 }} + + # -- Migration Settings + {{- include "nplus.env" (dict + "SAPPROXY_MIGRATION_DO_MIGRATION" ($.this.migration).enabled + "SAPPROXY_MIGRATION_DELAY_SEC" ($.this.migration).delay + "SAPPROXY_MIGRATION_DO_LIST_MIGRATION" ($.this.migration).doListMigration + "SAPPROXY_MIGRATION_FILE_DELIMITER" ($.this.migration).fileDelimiter + "SAPPROXY_MIGRATION_CHECK_DOCUMENTS" ($.this.migration).checkDocuments + "SAPPROXY_MIGRATION_CHECK_IGNORETIME" ($.this.migration).checkIgnoreTime + "SAPPROXY_MIGRATION_VIA_FILESYSTEM" ($.this.migration).viaFileSystem + ) | nindent 10 }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + initialDelaySeconds: 10 + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 5 + tcpSocket: + port: {{ include "nplus.backendPort" . 
}} + #TODO: 9.3: Hier fehlt die echte Readiness Probe, die gibt es auch bei der CT nocht nicht. + readinessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 20 + periodSeconds: 10 + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 20 + periodSeconds: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/erpproxy/templates/ingress.tpl b/charts/erpproxy/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/erpproxy/templates/ingress.tpl @@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/erpproxy/templates/networkpolicy.tpl b/charts/erpproxy/templates/networkpolicy.tpl new file mode 100644 index 0000000..78faf3a --- /dev/null +++ b/charts/erpproxy/templates/networkpolicy.tpl 
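Review bot: in charts/erpproxy/templates/deployment.tpl, the signature check block passes `($.this.sign).keyPassword` to `SAPPROXY_SIGN_KEY_PASSWORD` through the same `nplus.env` dict as the non-secret settings, and nothing in this hunk offers a secret reference for it. The README in this commit documents `nappl.secret` for the technical account, so add an equivalent for the sign key (or document `envSecret` as the supported route) so the password does not have to be set in values. Second point, in the NAPPL connection block: `SAPPROXY_XSAP_URL` is fed from `($.this.nappl).url`, but the README lists no `nappl.url` and instead documents `xsap.url` with a default built from the nappl instance, so as written the documented key appears to have no effect. The German `TODO` above that line suggests this is known; please resolve it before merge or reference the right key. Also, `replicas` reads `.Values.replicaCount` and `strategy` is fixed to `RollingUpdate`, while the rest of the template uses `.this` and the README documents `updateStrategy`.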
@@ -0,0 +1,35 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + {{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/erpproxy/templates/pdb.tpl b/charts/erpproxy/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/erpproxy/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/erpproxy/templates/pvc.tpl b/charts/erpproxy/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/erpproxy/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/erpproxy/templates/service.tpl b/charts/erpproxy/templates/service.tpl new file mode 100644 index 0000000..350f504 --- /dev/null +++ b/charts/erpproxy/templates/service.tpl 
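Review bot: in charts/erpproxy/templates/networkpolicy.tpl, the `egress` section contains only `nplus.networkpolicy.allowToNappl`, while the deployment template in this commit also configures a second peer through `SAPPROXY_ALIEN_SERVER` and `SAPPROXY_ALIEN_PORT`. With `Egress` listed in `policyTypes`, traffic to that source system is dropped unless the included helper happens to cover it. Either add an egress rule derived from the `alien` values or state in the README that a separate policy is required when `alien.server` is set. The file also ends without a trailing newline.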
@@ -0,0 +1,32 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} diff --git a/charts/erpproxy/values.schema.json b/charts/erpproxy/values.schema.json new file mode 100644 index 0000000..06bf202 --- /dev/null +++ b/charts/erpproxy/values.schema.json 
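Review bot: charts/erpproxy/templates/service.tpl renders the Service unconditionally; nothing in the hunk checks `.this.service.enabled`, although the README in this commit documents `service.enabled` as the switch that turns the service (and with it the ingress) off. Wrap the manifest in a guard on that value, or drop the key from the documentation. The `fail` on an unknown `service.selector` is a good touch; the comment above `clusterIP: None` could also mention that the probes and the network policy are the only other consumers, since it currently says access is purely through an ingress.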
@@ -0,0 +1,957 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "alien": { + "additionalProperties": false, + "properties": { + "doAppend": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "doAppend" + }, + "port": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "port" + }, + "server": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "server" + }, + "ssl": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "ssl" + }, + "url": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "alien", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sap-proxy-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/pre-release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024092409", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/sap_proxy", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8097", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8197", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "erpproxy-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "erpproxy", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "migration": { + "additionalProperties": false, + "properties": { + "checkDocuments": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "checkDocuments" + }, + "checkIgnoreTime": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "checkIgnoreTime" + }, + "delay": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "delay" + }, + "doListMigration": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "doListMigration" + }, + "enabled": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "enabled" + }, + "fileDelimiter": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "fileDelimiter" + }, + "viaFileSystem": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "viaFileSystem" + } + }, + "title": "migration", + "type": "object" + }, + "minReplicaCount": { + "default": "", + "description": "if you set 
minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the 
class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of 
your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sign": { + "additionalProperties": false, + "properties": { + "authID": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "authID" + }, + "keyAlias": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "keyPassword" + } + }, + "title": "sign", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the 
service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + }, + "xsap": { + "additionalProperties": false, + "properties": { + "url": { + "default": "{{ printf \"%s/%s\" ($.this.nappl).instance \"xsap/cs/xsap\"}}", + "description": "xsap url to use.", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "xsap", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/erpproxy/values.yaml b/charts/erpproxy/values.yaml new file mode 100644 index 0000000..003a5d3 --- /dev/null +++ b/charts/erpproxy/values.yaml @@ -0,0 +1,462 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/sap_proxy" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Sets the number of replicas in this replicaSet. +# Some Components (like nstl or sharepoint) only allow a count of 1. +replicaCount: 1 +# -- the update Strategy for this component. Normally, you can update all components +# rolling, except for nappl, where you need to follow the documented update procedures. +updateStrategy: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. 
Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# # : +# # path: +# # volumeName: +# # subPath: + +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/sap-proxy/temp" + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/sap-proxy/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/sap-proxy/logs" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: sap-proxy-connector + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/pre-release/nscale +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: erpproxy + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8097 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8197 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: erpproxy-connector + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. 
+env: +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. 
+waitFor: +# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as +# minAvailable, using the full component as selector. This is useful for components, that are +# using multiple replicas. +minReplicaCount: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +xsap: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + useSign: + # -- xsap url to use. + url: '{{ printf "%s/%s" ($.this.nappl).instance "xsap/cs/xsap"}}' +alien: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + server: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + port: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + url: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + useSign: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + ssl: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + doAppend: +sign: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + keyAlias: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + keyPassword: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + authID: +migration: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + enabled: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + delay: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + doListMigration: + # -- Documentation pending until official release of the 
erp proxy image by *Ceyoniq* + fileDelimiter: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + checkDocuments: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + checkIgnoreTime: + # -- Documentation pending until official release of the erp proxy image by *Ceyoniq* + viaFileSystem: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/ilm/Chart.yaml b/charts/ilm/Chart.yaml new file mode 100644 index 0000000..3dbca65 --- /dev/null +++ b/charts/ilm/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-ilm +description: nscale ILM Connector, providing a certified SAP ILM interface +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/ilm/README.md b/charts/ilm/README.md new file mode 100644 index 0000000..c5ac7f9 --- /dev/null +++ b/charts/ilm/README.md 
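Review bot: in the `sign:` block of the values file that ends here (the one with `serviceContainer: erpproxy-connector`), `keyPassword` is a plain values key with no secret-based alternative, whereas `nappl` offers `secret:` next to `password:`. A key password set this way sits in the values file and in the Helm release data, so consider adding a secret reference for `sign` in the same style as `nappl.secret`, and state in the `nappl.password` comment that the secret is the preferred way. That comment also has a typo, "accunt".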
@@ -0,0 +1,179 @@ + + +# nplus-component-ilm + +nscale ILM Connector, providing a certified SAP ILM interface + +## nplus-component-ilm Chart Configuration + +You can customize / configure nplus-component-ilm by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. 
You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"ilm-connector"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/sap_ilm"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8297` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8397` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"ilm-connector"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"ilm"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.path | Sets the path to the temporary files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/temp"` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. 
| `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/ilm/templates/component.tpl b/charts/ilm/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/ilm/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/ilm/templates/deployment.tpl b/charts/ilm/templates/deployment.tpl new file mode 100644 index 0000000..5f4671b --- /dev/null +++ b/charts/ilm/templates/deployment.tpl 
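Review bot: the Keys table in charts/ilm/README.md lists the default of `image.tag` as `"latest"`, while charts/ilm/values.schema.json in this same commit gives `ubi.9.3.1000.2024091702` as the default for the same key. One of the two is stale, and a mutable `latest` default makes deployments non-reproducible, so the README should show the pinned tag the chart actually ships with.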
@@ -0,0 +1,106 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: + type: RollingUpdate + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: ilm-connector + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + env: + # -- NAPPL Connection Settings + {{- include "nplus.env" (dict + "ILM_AL_HOST" ($.this.nappl).host + "ILM_AL_PORT" ($.this.nappl).port + "ILM_AL_INSTANCE" ($.this.nappl).instance + "ILM_AL_SSL" ($.this.nappl).ssl + ) | nindent 10 }} + # -- NAPPL Connection Credentials + {{- include "nplus.envCredentials" (list + "ILM_AL_USER" ($.this.nappl).account + "ILM_AL_PASSWORD" ($.this.nappl).password + ($.this.nappl).secret + ) | nindent 10 }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + initialDelaySeconds: 10 + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 5 + tcpSocket: + port: {{ include "nplus.backendPort" . }} + #TODO: 9.3: Hier fehlt die echte Readiness Probe, die gibt es auch bei der CT nocht nicht. + readinessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 20 + periodSeconds: 10 + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 20 + periodSeconds: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/ilm/templates/ingress.tpl b/charts/ilm/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/ilm/templates/ingress.tpl 
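Review bot: in charts/ilm/templates/deployment.tpl, `strategy.type` is hard-coded to `RollingUpdate` although the chart README documents an `updateStrategy` key, so setting that key has no effect on this manifest. Render the strategy from `.this.updateStrategy` with `RollingUpdate` as the fallback, and read the replica count through `.this` as well instead of `.Values.replicaCount`, so instance and environment level settings apply. The readiness probe is a TCP check identical to the liveness probe and its TODO comment is in German; since `waitFor` in other components relies on probes succeeding, the TODO deserves an English comment and a tracking reference.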
@@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/ilm/templates/networkpolicy.tpl b/charts/ilm/templates/networkpolicy.tpl new file mode 100644 index 0000000..78faf3a --- /dev/null +++ b/charts/ilm/templates/networkpolicy.tpl @@ -0,0 +1,35 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + {{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/ilm/templates/pdb.tpl b/charts/ilm/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/ilm/templates/pdb.tpl 
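Review bot: charts/ilm/templates/networkpolicy.tpl renders only when `((.this.security).cni).createNetworkPolicy` is set, but the Keys table in the chart README has no `security.cni` entry, so an operator reading the README cannot tell that the policy is opt-in. Document the key and its default, and consider an `else` branch that renders a comment, as ingress.tpl does, so the rendered manifest shows that no policy was generated. In ingress.tpl, `path:` reads `.Values.ingress.contextPath` directly where the surrounding templates use `.this`.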
@@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/ilm/templates/pvc.tpl b/charts/ilm/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/ilm/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/ilm/templates/service.tpl b/charts/ilm/templates/service.tpl new file mode 100644 index 0000000..350f504 --- /dev/null +++ b/charts/ilm/templates/service.tpl @@ -0,0 +1,32 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} diff --git a/charts/ilm/values.schema.json b/charts/ilm/values.schema.json new file mode 100644 index 0000000..adacf00 --- /dev/null +++ b/charts/ilm/values.schema.json 
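Review bot: charts/ilm/templates/service.tpl renders the Service unconditionally, while the README documents `service.enabled` as the switch that disables the service and, with it, the ingress. Wrap the manifest in a check on `.this.service.enabled`; otherwise setting the key to `false` still leaves the headless Service object in place.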
@@ -0,0 +1,839 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "ilm-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + 
}, + "tag": { + "default": "ubi.9.3.1000.2024091702", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/sap_ilm", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8297", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8397", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "ilm-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "ilm", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific 
nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/ilm/values.yaml b/charts/ilm/values.yaml new file mode 100644 index 0000000..7326331 --- /dev/null +++ b/charts/ilm/values.yaml @@ -0,0 +1,422 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/sap_ilm" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Sets the number of replicas in this replicaSet. +# Some Components (like nstl or sharepoint) only allow a count of 1. +replicaCount: 1 +# -- the update Strategy for this component. Normally, you can update all components +# rolling, except for nappl, where you need to follow the documented update procedures. +updateStrategy: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. 
Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# # : +# # path: +# # volumeName: +# # subPath: + +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/temp" + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/logs" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: ilm-connector + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: ilm + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8297 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8397 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: ilm-connector + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. 
+env: +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. 
+waitFor: +# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as +# minAvailable, using the full component as selector. This is useful for components, that are +# using multiple replicas. +minReplicaCount: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/instance-argo/Chart.yaml b/charts/instance-argo/Chart.yaml new file mode 100644 index 0000000..fe954b2 --- /dev/null +++ b/charts/instance-argo/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v2 +name: nplus-instance-argo +description: nplus Instance ArgoCD Edition, supporting the deployment of npus Instances through ArgoCD +icon:  +type: application +home: "https://git.nplus.cloud" +maintainers: + - email: a.ahmann@4i.org + name: Andreas Ahmann + url: "https://www.nplus.cloud" +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/instance-argo/README.md b/charts/instance-argo/README.md new file mode 100644 index 0000000..e141a90 --- /dev/null +++ b/charts/instance-argo/README.md 
@@ -0,0 +1,93 @@ + + +# nplus-instance-argo + +nplus Instance ArgoCD Edition, supporting the deployment of npus Instances through ArgoCD + +## nplus-instance-argo Chart Configuration + +You can customize / configure nplus-instance-argo by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**argocd**​.chart | The name of the chart to use for the instance | `"nplus-instance"` | +**argocd**​.destinationNamespace | ArgoCD can deploy to any Namespace on the destination Server. You have to specify it. 
Default is the release namespace | `"{{ .Release.Namespace }}"` | +**argocd**​.destinationServer | ArgoCD can also remote deploy Applications to alien clusters. The server specifies the API Endpoint of the Cluster, where the Application should be deployed | `"https://kubernetes.default.svc"` | +**argocd**​.namespace | The ArgoCD Namespace within the cluster. The ArgoCD Application will be deployed to this namespace You will need write privileges for this namespace | `"argocd"` | +**argocd**​.project | ArgoCD organizes Applications in Projects. This is the name of the project, the application should be deployed to | `"default"` | +**argocd**​.prune | Toggle pruning for this Application | `true` | +**argocd**​.repo | Specifiy the helm repo, from which ArgoCD should load the chart. Please make sure ArgoCD gets access rights to this repo | `"https://git.nplus.cloud"` | +**argocd**​.selfHeal | Toggle self healing feature for this Application | `true` | +**global**​.meta​.isArgo | specifies that this is an Argo Installation. Used to determine the correct handler in the chart
Do not change | **info only**, do not change
`true` | + diff --git a/charts/instance-argo/templates/application.tpl b/charts/instance-argo/templates/application.tpl new file mode 100644 index 0000000..3205faa --- /dev/null +++ b/charts/instance-argo/templates/application.tpl @@ -0,0 +1,41 @@ +{{- include "nplus.initOnly" $ -}} +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: {{ .Release.Name }} + namespace: {{ (.this.argocd).namespace }} + labels: + # Common Kubernetes Lables are not allowed here for ArgoCD Application Manifests, + # as ArgoCD then tries to immediately delete the synced Application + # so we just use minimal Labels, which are the selectorLabels + {{- include "nplus.selectorLabels" . | nindent 4 }} + finalizers: + # The default behaviour is foreground cascading deletion + # - resources-finalizer.argocd.argoproj.io + # Alternatively, you can use background cascading deletion + - resources-finalizer.argocd.argoproj.io/background +spec: + {{- if or (.this.argocd).selfHeal (.this.argocd).prune }} + syncPolicy: + automated: + {{- if (.this.argocd).selfHeal }} + selfHeal: {{ (.this.argocd).selfHeal }} + {{- end }} + {{- if (.this.argocd).prune }} + prune: {{ (.this.argocd).prune }} + {{- end }} + {{- end }} + {{- if (.this.argocd).project }} + project: {{ (.this.argocd).project }} + {{- end }} + source: + chart: {{ required "you must set the name of the chart to use" (.this.argocd).chart }} + targetRevision: "{{ .Chart.Version }}" + repoURL: {{ required "you must set the repo url to your charts repo" (.this.argocd).repo | quote }} + helm: + releaseName: {{ .Release.Name }} + values: | + {{- toYaml (omit .Values "globals" "argocd") | nindent 8 }} + destination: + server: {{ tpl (required "you must set the name of the destination server" ((.this.argocd).destinationServer | default (.this.argocd).server)) . | quote }} + namespace: {{ tpl (required "you must set the name of the destination namespace" (.this.argocd).destinationNamespace) . | quote }} 
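Review bot: In `charts/instance-argo/templates/application.tpl`, the `values: |` block under `spec.source.helm` renders `toYaml (omit .Values "globals" "argocd")`, so every remaining value is copied verbatim into the Application object; any credential passed as a plain value (the component values in this commit document keys such as `nappl.password`) then sits in clear text in the ArgoCD namespace for anyone who can read Applications. Please document that credentials must be supplied through the `secret` keys when deploying with this chart, or fail the render when a plain `password` value is present. The same line also conflicts with `values.schema.json` in this commit, which sets `additionalProperties: false` at the top level and only declares `argocd`, `global` and `globals`, so the component values this template is meant to forward would be rejected by schema validation; one of the two needs to change. Finally, `project` defaults to `default` while `destination.server` and `destination.namespace` are rendered through `tpl` from values; ArgoCD's `default` project does not restrict source repos or destinations unless it has been locked down, so a dedicated AppProject would be a safer default.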
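Review bot: In the component values file that ends just before `charts/instance-argo/Chart.yaml` (the one with `image.name: ilm-connector`), `image.tag: latest` is a mutable tag, so a pod restart can pull a different build than the one that was reviewed; default to a fixed version tag or a digest and let the release pipeline set it. In the ingress block of the same file, the documented `namespace` default `"ingress, kube-system, ingress-nginx"` opens the networkPolicy to traffic from all of `kube-system`, which is wider than the ingress controller needs; consider defaulting to the controller's namespace only. The comment on `nappl.password` ("if not set by secret") would also be clearer if it stated that `nappl.secret` is the preferred way to provide the credentials.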
diff --git a/charts/instance-argo/values.schema.json b/charts/instance-argo/values.schema.json new file mode 100644 index 0000000..d5f3e99 --- /dev/null +++ b/charts/instance-argo/values.schema.json 
@@ -0,0 +1,85 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "argocd": { + "additionalProperties": false, + "properties": { + "chart": { + "default": "nplus-instance", + "description": "The name of the chart to use for the instance", + "title": "chart" + }, + "destinationNamespace": { + "default": "{{ .Release.Namespace }}", + "description": "ArgoCD can deploy to any Namespace on the destination Server. You have to specify it. Default is the release namespace", + "title": "destinationNamespace" + }, + "destinationServer": { + "default": "https://kubernetes.default.svc", + "description": "ArgoCD can also remote deploy Applications to alien clusters. The server specifies the API Endpoint of the Cluster, where the Application should be deployed", + "title": "destinationServer" + }, + "namespace": { + "default": "argocd", + "description": "The ArgoCD Namespace within the cluster. The ArgoCD Application will be deployed to this namespace You will need write privileges for this namespace", + "title": "namespace" + }, + "project": { + "default": "default", + "description": "ArgoCD organizes Applications in Projects. This is the name of the project, the application should be deployed to", + "title": "project" + }, + "prune": { + "default": "true", + "description": "Toggle pruning for this Application", + "title": "prune" + }, + "repo": { + "default": "https://git.nplus.cloud", + "description": "Specifiy the helm repo, from which ArgoCD should load the chart. 
Please make sure ArgoCD gets access rights to this repo", + "title": "repo" + }, + "selfHeal": { + "default": "true", + "description": "Toggle self healing feature for this Application", + "title": "selfHeal" + } + }, + "title": "argocd", + "type": "object" + }, + "global": { + "additionalProperties": false, + "properties": { + "meta": { + "additionalProperties": false, + "properties": { + "isArgo": { + "default": "true", + "description": "specifies that this is an Argo Installation. Used to determine the correct handler in the chart @internal -- Do not change", + "title": "isArgo" + } + }, + "title": "meta", + "type": "object" + } + }, + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/instance-argo/values.yaml b/charts/instance-argo/values.yaml new file mode 100644 index 0000000..611801b --- /dev/null +++ b/charts/instance-argo/values.yaml 
@@ -0,0 +1,26 @@ +# yaml-language-server: $schema=values.schema.json +argocd: + # -- The name of the chart to use for the instance + chart: nplus-instance + # -- The ArgoCD Namespace within the cluster. The ArgoCD Application will be deployed to this namespace + # You will need write privileges for this namespace + namespace: argocd + # -- ArgoCD organizes Applications in Projects. This is the name of the project, the application should be deployed to + project: default + # -- ArgoCD can also remote deploy Applications to alien clusters. The server specifies the API Endpoint of the Cluster, where + # the Application should be deployed + destinationServer: "https://kubernetes.default.svc" + # -- ArgoCD can deploy to any Namespace on the destination Server. You have to specify it. + # Default is the release namespace + destinationNamespace: "{{ .Release.Namespace }}" + # -- Toggle self healing feature for this Application + selfHeal: true + # -- Toggle pruning for this Application + prune: true + # -- Specifiy the helm repo, from which ArgoCD should load the chart. Please make sure ArgoCD gets access rights to this repo + repo: "https://git.nplus.cloud" +global: + meta: + # -- specifies that this is an Argo Installation. Used to determine the correct handler in the chart + # @internal -- Do not change + isArgo: true diff --git a/charts/instance/Chart.yaml b/charts/instance/Chart.yaml new file mode 100644 index 0000000..ed733c2 --- /dev/null +++ b/charts/instance/Chart.yaml 
@@ -0,0 +1,186 @@ +apiVersion: v2 +name: nplus-instance +description: nplus Instance, an umbrella chart for orchestrating the components in a nplus Instance +icon:  +type: application +home: "https://git.nplus.cloud" +maintainers: + - email: a.ahmann@4i.org + name: Andreas Ahmann + url: "https://www.nplus.cloud" +dependencies: + - name: nplus-component-database + alias: database + condition: components.database + version: "*-0" + repository: "file://../database" + - name: nplus-component-nappl + alias: nappl + condition: components.nappl + version: "*-0" + repository: "file://../nappl" + - name: nplus-component-nstl + alias: nstl + condition: components.nstl + version: "*-0" + repository: "file://../nstl" + - name: nplus-component-nstl + alias: nstla + condition: components.nstla + version: "*-0" + repository: "file://../nstl" + - name: nplus-component-nstl + alias: nstlb + condition: components.nstlb + version: "*-0" + repository: "file://../nstl" + - name: nplus-component-nstl + alias: nstlc + condition: components.nstlc + version: "*-0" + repository: "file://../nstl" + - name: nplus-component-nstl + alias: nstld + condition: components.nstld + version: "*-0" + repository: "file://../nstl" + - name: nplus-component-nappl + alias: nappljobs + condition: components.nappljobs + version: "*-0" + repository: "file://../nappl" + - name: nplus-component-cmis + alias: cmis + condition: components.cmis + version: "*-0" + repository: "file://../cmis" + - name: nplus-component-ilm + alias: ilm + condition: components.ilm + version: "*-0" + repository: "file://../ilm" + - name: nplus-component-erpproxy + alias: erpproxy + condition: components.erpproxy + version: "*-0" + repository: "file://../erpproxy" + - name: nplus-component-erpcmis + alias: erpcmis + condition: components.erpcmis + version: "*-0" + repository: "file://../erpcmis" + - name: nplus-component-webdav + alias: webdav + condition: components.webdav + version: "*-0" + repository: "file://../webdav" + - name: 
nplus-component-sharepoint + alias: sharepoint + condition: components.sharepoint + version: "*-0" + repository: "file://../sharepoint" + - name: nplus-component-sharepoint + alias: sharepointa + condition: components.sharepointa + version: "*-0" + repository: "file://../sharepoint" + - name: nplus-component-sharepoint + alias: sharepointb + condition: components.sharepointb + version: "*-0" + repository: "file://../sharepoint" + - name: nplus-component-sharepoint + alias: sharepointc + condition: components.sharepointc + version: "*-0" + repository: "file://../sharepoint" + - name: nplus-component-sharepoint + alias: sharepointd + condition: components.sharepointd + version: "*-0" + repository: "file://../sharepoint" + - name: nplus-component-rs + alias: rs + condition: components.rs + version: "*-0" + repository: "file://../rs" + - name: nplus-component-web + alias: web + condition: components.web + version: "*-0" + repository: "file://../web" + - name: nplus-component-mon + alias: mon + condition: components.mon + version: "*-0" + repository: "file://../mon" + - name: nplus-component-administrator + alias: administrator + condition: components.administrator + version: "*-0" + repository: "file://../administrator" + - name: nplus-component-pipeliner + alias: pipeliner + condition: components.pipeliner + version: "*-0" + repository: "file://../pipeliner" + - name: nplus-component-rms + alias: rms + condition: components.rms + version: "*-0" + repository: "file://../rms" + - name: nplus-component-rms + alias: rmsa + condition: components.rmsa + version: "*-0" + repository: "file://../rms" + - name: nplus-component-rms + alias: rmsb + condition: components.rmsb + version: "*-0" + repository: "file://../rms" + - name: nplus-application + alias: application + condition: components.application + version: "*-0" + repository: "file://../application" + - name: nplus-prepper + alias: prepper + condition: components.prepper + version: "*-0" + repository: "file://../prepper" 
+ - name: nplus-component-pam + alias: pam + condition: components.pam + version: "*-0" + repository: "file://../pam" + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" + - name: eon-dms-api + alias: dmsapi + condition: components.dmsapi + version: "*-0" + repository: "file://../dmsapi" + - name: nplus-environment-backend + condition: components.sim.backend + alias: backend + version: "*-0" + repository: "file://../envbackend" + - name: nplus-environment-dav + condition: components.sim.dav + alias: dav + version: "*-0" + repository: "file://../envdav" + - name: nplus-environment-toolbox + alias: toolbox + condition: components.sim.toolbox + version: "*-0" + repository: "file://../envtoolbox" + - name: nplus-environment-operator + condition: components.sim.operator + alias: operator + version: "*-0" + repository: "file://../envoperator" +version: 1.0.0 diff --git a/charts/instance/README.md b/charts/instance/README.md new file mode 100644 index 0000000..03dbc24 --- /dev/null +++ b/charts/instance/README.md 
@@ -0,0 +1,359 @@ + + +# nplus-instance + +nplus Instance, an umbrella chart for orchestrating the components in a nplus Instance + +# Single Instance Mode + +If you want to separate tenants on your system not only by instance but also by environment / namespace, you can run *nplus* in *single instance mode*. + +SIM (Single Instance Mode) lets you deploy your instance including all components of the environment in one single chart. + +Steps to turn on single instance mode: + +- Create your Namespace +- Upload the secrets you need to access the repos, registries as well as the nscale license file +- Turn on the sim components in your instance values file +- deploy your instance (under the same name as your namespace) to the new namespace + +In this case, no separate deployment of the environment is necessary and the environment components will show up as parts of the instance. + +Please also see the example *Single-Instance-Mode* for a detailed How-To. + +## nplus-instance Chart Configuration + +You can customize / configure nplus-instance by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. 
+In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. 
This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**administrator**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"administrator"` | +**administrator**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**administrator**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1201"` | +**administrator**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1201"` | +**administrator**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `9` | +**administrator**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**application**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"application-layer"` | +**application**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**application**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1300.2024121814"` | +**application**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1300"` | +**application**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `11` | +**application**​.nstl​.host | sets the dns of the *nscale Server Storage Layer*, that should be configured | `"{{ .component.prefix }}nstl.{{ .Release.Namespace }}"` | +**application**​.rs​.host | sets the dns of the *nscale Rendition Server*, that should be configured | `"{{ .component.prefix }}rs.{{ .Release.Namespace }}"` | +**application**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**backend**​.meta​.componentVersion | | `"1.2.1400-124"` | +**backend**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `1` | +**cmis**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"cmis-connector"` | +**cmis**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**cmis**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1200.2024112508"` | +**cmis**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1200"` | +**cmis**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**cmis**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**components**​.administrator | enable a *nscale Administrator Web* component in this instance | `false` | +**components**​.application | deploy any solution using GBA, Standard Apps or shell copy with this generic deployment chart | `false` | +**components**​.cmis | enable a *nscale CMIS Connector* component in this instance | `false` | +**components**​.database | enable an internal *Postgres Database* in this instance | `true` | +**components**​.dmsapi | | `false` | +**components**​.erpcmis | enable a *nscale ERP CMIS Connector* component in this instance | `false` | +**components**​.erpproxy | enable a *nscale ERP Proxy Connector* component in this instance | `false` | +**components**​.ilm | enable a *nscale ILM Connector* component in this instance | `false` | +**components**​.mon | enable a *nscale Monitoring Console* component in this instance | `false` | +**components**​.nappl | enable a consumer *nscale Application Layer* component in this instance | `true` | +**components**​.nappljobs | enable a dedicated jobs *nscale Application Layer* component in this instance please also make sure to set the *jobs* setting | `false` | +**components**​.nstl | enable a *nscale Server Storage Layer* component in this instance If you are in a **High Availability** scenario, disable this | `true` | +**components**​.nstla | enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario. 
| `false` | +**components**​.nstlb | enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario. | `false` | +**components**​.nstlc | enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario. | `false` | +**components**​.nstld | enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario. | `false` | +**components**​.pam | enable a *nscale Process Automation Modeler* component in this instance | `false` | +**components**​.pipeliner | enable *nscale Pipeliner* component in this instance | `false` | +**components**​.prepper | download, deploy and run any git asset or script prior to installation of the components | `false` | +**components**​.rms | enable a *nplus Remote Management Server* component in this instance If you are in a **High Availability** scenario, disable this | `false` | +**components**​.rmsa | enable an additional *nplus Remote Management Server* in this instance within a **High Availability** scenario. | `false` | +**components**​.rmsb | enable an additional *nplus Remote Management Server* in this instance within a **High Availability** scenario. 
| `false` | +**components**​.rs | enable a *nscale Rendition Server* component in this instance | `true` | +**components**​.sharepoint | enable a *nscale Sharepoint Connector* component in this instance | `false` | +**components**​.sharepointa | enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters | `false` | +**components**​.sharepointb | enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters | `false` | +**components**​.sharepointc | enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters | `false` | +**components**​.sharepointd | enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters | `false` | +**components**​.sim​.backend | This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. the backend components holds the common storages / PVCs for conf and ptemp umong other common environmental resources | `false` | +**components**​.sim​.dav | This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. DAV gives you WebDAV access to your conf and ptemp volumes | `false` | +**components**​.sim​.operator | This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. The Operator will let you query the Custom Resources for nscale, e.g. `kubectl get nscale` | `false` | +**components**​.sim​.toolbox | This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. 
the toolbox has a git client installed and is suitable for pulling, pushing, copying stuff into the pool, fonts, certificates, snippets and configuration files | `false` | +**components**​.web | enable a *nscale Web* component in this instance | `true` | +**components**​.webdav | enable a *nscale WebDAV Connector* component in this instance | `false` | +**database**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"bitnami/postgresql"` | +**database**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | | +**database**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"16"` | +**database**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"16"` | +**database**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `3` | +**dmsapi**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**dmsapi**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**erpcmis**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"erp-cmis-connector"` | +**erpcmis**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**erpcmis**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.2.1000.2024032720"` | +**erpcmis**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.2.1000"` | +**erpcmis**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**erpcmis**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**erpproxy**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"sap-proxy-connector"` | +**erpproxy**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/pre-release/nscale"` | +**erpproxy**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1000.2024092409"` | +**erpproxy**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1000"` | +**erpproxy**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**erpproxy**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**global**​.database​.account | DB account (if not using a secret) | `"nscale"` | +**global**​.database​.dialect | nscale DB server dialect | `"PostgreSQL"` | +**global**​.database​.driverclass | nscale DB server driverclass | `"org.postgresql.Driver"` | +**global**​.database​.name | name of the nscale DB | `"nscale"` | +**global**​.database​.password | DB password (if not using a secret) | `"nscale"` | +**global**​.database​.passwordEncoded | weather the password is stored encrypted | `"false"` | +**global**​.database​.schema | DB schema name | `"public"` | +**global**​.database​.secret | DB credential secret (account, password) | | +**global**​.database​.url | The URL to the database | `"jdbc:postgresql://{{ .component.prefix }}database:5432/{{ .this.database.name }}"` | +**global**​.ingress​.appRoot | Sets the root for this instance, where incoming root traffic should be redirected to | `"/nscale_web"` | +**global**​.ingress​.class | sets the global ingressclass for all components to use - if they do not define a specific one, for example if there are separate controllers for internal and external traffic | `public`` | +**global**​.ingress​.createSelfSignedCertificate | if you do not define an issuer to generate the tls secret for you, you still can have a self signed certificate generated for you, if you set this to true. The default is true, so either you have an issuer or not, you will always end up with a certificate. Set an empty issuer and createSelfSignedCertificate to false to have no certificate generated and use an external or existing secret. 
Then make sure the secret matches. | `true` | +**global**​.ingress​.domain | Sets the global domain within the instance to be used, if the component does not define any domain. If this remains empty, no ingress is generated Example: `{{ .instance.group }}.lab.nplus.cloud` | | +**global**​.ingress​.issuer | Sets the name of the issuer to create the tls secret. Very common is to have it created by cert-manager. Please see the documentation how to create a cert-manager cluster issuer for example. If no issuer is set, no certificate request will be generated | | +**global**​.ingress​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | `ingress, kube-system, ingress-nginx` | +**global**​.ingress​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. This secret is then either generated by cert-manager or self signed by helm - or not created | `{{ .this.ingress.domain }}-tls` | +**global**​.ingress​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | | +**global**​.instance​.group | The group of the instance. This is used for the networkPolicies. Only Pods within one group are allowed to communicate if you enable the nplus Network Policies. By default, this is set the same as the instance name | | +**global**​.instance​.name | The name of the instance. Should this name be identical to the namespace name, then the prefix will be dropped. 
By default, this is the .Release.Name | `"{{ .Release.Name }}"` | +**global**​.license | Globally set the license secret name | `"nscale-license"` | +**global**​.logForwarderImage​.name | defines the nplus toolbox name to be used for the *wait* feature | `"fluent-bit"` | +**global**​.logForwarderImage​.pullPolicy | defines the nplus toolbox pull policy to be used for the *wait* feature | `"IfNotPresent"` | +**global**​.logForwarderImage​.repo | defines the nplus toolbox image to be used for the *wait* feature | `"cr.fluentbit.io/fluent"` | +**global**​.logForwarderImage​.tag | defines the tag for the logforwarder (FluentBit)
set by devOps pipeline, so do not modify | **info only**, do not change
`"2.0"` | +**global**​.meta​.nscaleVersion | Sets the nscale version of this deployment / instance. This is used by the operator to display the correct version e.g. in the Web UI.
this is set by the devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1300"` | +**global**​.nappl​.account | The technical account to login with | `"admin"` | +**global**​.nappl​.domain | The domain of the technical account | `"nscale"` | +**global**​.nappl​.host | sets the *nscale Server Application Layer* host to be used. As this is a global option, it can be overridden at component level. | `"{{ .component.prefix }}nappl.{{ .Release.Namespace }}"` | +**global**​.nappl​.instance | the instance of *nscale Server Application Layer* to be used
As this is depricated for nscale 10, you should never modify this. | **info only**, do not change
`"nscalealinst1"` | +**global**​.nappl​.password | The password of the technical accunt (if not set by secret) | `"admin"` | +**global**​.nappl​.port | sets the *nscale Server Application Layer* port to be used. As this is a global option, it can be overridden at component level. if you switch to zero trus mode or change the nappl backend to https, you want to modify this port to 8443 | `8080` | +**global**​.nappl​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**global**​.nappl​.ssl | wether to use ssl or not for the advanced connector | `false` | +**global**​.security​.cni​.administratorInstance | sets the instance, from which Administration is allowed | `"{{ .this.instance.name }}"` | +**global**​.security​.cni​.administratorNamespace | sets the namespace, from which Administration is allowed | `"{{ .Release.Namespace }}"` | +**global**​.security​.cni​.createNetworkPolicy | creates NetworkPolicies for each component. | | +**global**​.security​.cni​.defaultEgressPolicy | if defined, creates a default NetworkPolicy to handle egress Traffic from the instance. Possible Values: deny, allow, none | | +**global**​.security​.cni​.defaultIngressPolicy | if defined, creates a default NetworkPolicy to handle ingress Traffic to the instance. Possible Values: deny, allow, none | | +**global**​.security​.cni​.monitoringInstance | sets the instance, from which Monitoring is allowed | `"{{ .this.instance.name }}"` | +**global**​.security​.cni​.monitoringNamespace | sets the namespace, from which Monitoring is allowed | `"{{ .Release.Namespace }}"` | +**global**​.security​.cni​.pamInstance | sets the instance, from which Process Automation Modeling is allowed | `"{{ .this.instance.name }}"` | +**global**​.security​.cni​.pamNamespace | sets the namespace, from which Process Automation Modeling is allowed | `"{{ .Release.Namespace }}"` | +**global**​.security​.zeroTrust | enables zero trust on the instance. 
When enabled, no unencrypted http connection is allowed. This will remove all http ports from pods, services, network policies and ingress rules | | +**global**​.telemetry​.openTelemetry | if you use a OpenTelemetry as a telemetry collector, you can enable it here. This will add the annotations to some known pods for the injector to use agents inside the pods for telemetry collection. This often goes along with the `language` setting in the meta section to tell the telemetry collector which agent to inject. | | +**global**​.waitImage​.name | defines the nplus toolbox name to be used for the *wait* feature | `"toolbox2"` | +**global**​.waitImage​.pullPolicy | defines the nplus toolbox pull policy to be used for the *wait* feature | `"IfNotPresent"` | +**global**​.waitImage​.repo | defines the nplus toolbox image to be used for the *wait* feature | `"cr.nplus.cloud/subscription"` | +**global**​.waitImage​.tag | defines the nplus toolbox tag to be used for the *wait* feature
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1300"` | +**ilm**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ilm-connector"` | +**ilm**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**ilm**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1000.2024091702"` | +**ilm**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1000"` | +**ilm**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**ilm**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**mon**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"monitoring-console"` | +**mon**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**mon**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1000.2024092618"` | +**mon**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1000"` | +**mon**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**nappl**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"application-layer"` | +**nappl**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**nappl**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1300.2024121814"` | +**nappl**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1300"` | +**nappl**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `"{{ if .this.jobs }}4{{ else }}6{{ end }}"` | +**nappl**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}database.{{ .Release.Namespace }}.svc.cluster.local:5432 -timeout 600"]` | +**nappljobs**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"application-layer"` | +**nappljobs**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**nappljobs**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1300.2024121814"` | +**nappljobs**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1300"` | +**nappljobs**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `4` | +**nstl**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"storage-layer"` | +**nstl**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**nstl**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1201.2024112518"` | +**nstl**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1201"` | +**nstl**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `3` | +**nstla**​.clusterService​.enabled | When using multiple nstl Instances with different configurations, you still might want to use a cluster service for HA access This will generate one for you. | `true` | +**nstla**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"storage-layer"` | +**nstla**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**nstla**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1201.2024112518"` | +**nstla**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1201"` | +**nstla**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `3` | +**nstlb**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"storage-layer"` | +**nstlb**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**nstlb**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1201.2024112518"` | +**nstlb**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1201"` | +**nstlb**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `3` | +**nstlc**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"storage-layer"` | +**nstlc**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**nstlc**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1201.2024112518"` | +**nstlc**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1201"` | +**nstlc**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `3` | +**nstld**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"storage-layer"` | +**nstld**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**nstld**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1201.2024112518"` | +**nstld**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1201"` | +**nstld**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `3` | +**pam**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"process-automation-modeler"` | +**pam**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**pam**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1200.63696"` | +**pam**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1200"` | +**pam**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `9` | +**pam**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**pipeliner**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"pipeliner"` | +**pipeliner**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**pipeliner**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1300.2024121815"` | +**pipeliner**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1300"` | +**pipeliner**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**pipeliner**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**prepper**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"toolbox2"` | +**prepper**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"cr.nplus.cloud/subscription"` | +**prepper**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1300"` | +**prepper**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1300"` | +**prepper**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `2` | +**rms**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"admin-server"` | +**rms**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"cr.nplus.cloud/subscription"` | +**rms**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1200"` | +**rms**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1200"` | +**rms**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `10` | +**rmsa**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"admin-server"` | +**rmsa**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"cr.nplus.cloud/subscription"` | +**rmsa**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1200"` | +**rmsa**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1200"` | +**rmsa**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `10` | +**rmsb**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"admin-server"` | +**rmsb**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"cr.nplus.cloud/subscription"` | +**rmsb**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1200"` | +**rmsb**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"1.2.1200"` | +**rmsb**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `10` | +**rs**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"rendition-server"` | +**rs**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**rs**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1301.2024121910"` | +**rs**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1301"` | +**rs**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `4` | +**sharepoint**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"sharepoint-connector"` | +**sharepoint**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**sharepoint**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.2.1400.2024073012"` | +**sharepoint**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.2.1400"` | +**sharepoint**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**sharepoint**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**sharepointa**​.clusterService​.contextPath | Set the context Path for the cluster Ingress. Make sure also the members are listening to this path | `"/nscale_spc"` | +**sharepointa**​.clusterService​.enabled | When using multiple SharePoint Connectors with different configurations, you still might want to use a retrieval cluster for HA so you can enable the clusterService and define the context path. | `false` | +**sharepointa**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"sharepoint-connector"` | +**sharepointa**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**sharepointa**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.2.1400.2024073012"` | +**sharepointa**​.ingress​.contextPath | Defines the context path of this sharepoint instance, in case you might have multiple instances. We do not want them to consume the same ingress path, because it would block the ingress from being created. | `"/nscale_spca"` | +**sharepointa**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.2.1400"` | +**sharepointa**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**sharepointa**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**sharepointb**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"sharepoint-connector"` | +**sharepointb**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**sharepointb**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.2.1400.2024073012"` | +**sharepointb**​.ingress​.contextPath | Defines the context path of this sharepoint instance, in case you might have multiple instances. We do not want them to consume the same ingress path, because it would block the ingress from being created. | `"/nscale_spcb"` | +**sharepointb**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.2.1400"` | +**sharepointb**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**sharepointb**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**sharepointc**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"sharepoint-connector"` | +**sharepointc**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**sharepointc**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.2.1400.2024073012"` | +**sharepointc**​.ingress​.contextPath | Defines the context path of this sharepoint instance, in case you might have multiple instances. We do not want them to consume the same ingress path, because it would block the ingress from being created. | `"/nscale_spcc"` | +**sharepointc**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.2.1400"` | +**sharepointc**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**sharepointc**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**sharepointd**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"sharepoint-connector"` | +**sharepointd**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**sharepointd**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.2.1400.2024073012"` | +**sharepointd**​.ingress​.contextPath | Defines the context path of this sharepoint instance, in case you might have multiple instances. We do not want them to consume the same ingress path, because it would block the ingress from being created. | `"/nscale_spcd"` | +**sharepointd**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.2.1400"` | +**sharepointd**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**sharepointd**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | +**web**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"application-layer-web"` | +**web**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**web**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1300.2024121620"` | +**web**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1300"` | +**web**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `7` | +**web**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 900"]` | +**webdav**​.image​.name | sets the name of the image to use for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"webdav-connector"` | +**webdav**​.image​.repo | sets the repo from where to load the image. This can be overridden on environment or instance level in case you have your own repo for caching and security reasons | `"ceyoniq.azurecr.io/release/nscale"` | +**webdav**​.image​.tag | defines the tag for this component
set by devOps pipeline, so do not modify | **info only**, do not change
`"ubi.9.3.1000.2024091609"` | +**webdav**​.meta​.componentVersion | This is the version of the component, used for display
set by devOps pipeline, so do not modify | **info only**, do not change
`"9.3.1000"` | +**webdav**​.meta​.wave | Defines the ArgoCD wave in which this component should be installed. This setting only applies to scenarios, where ArgoCD is used as handler | `8` | +**webdav**​.waitFor | Defines what condition needs to be met before this components starts | `["-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800"]` | + diff --git a/charts/instance/templates/NOTES.txt b/charts/instance/templates/NOTES.txt new file mode 100644 index 0000000..1e329e0 --- /dev/null +++ b/charts/instance/templates/NOTES.txt @@ -0,0 +1,11 @@ +CHART NAME: {{ .component.chart }} +CHART VERSION: {{ .Chart.Version }} +{{- if .Chart.AppVersion }} +APP VERSION: {{ .Chart.AppVersion }} +{{- end }} + +** Please be patient while the chart is being deployed ** + +uninstall {{ .Release.Name }} using + + helm uninstall {{ include "nplus.cli" . }} diff --git a/charts/instance/templates/certificate.tpl b/charts/instance/templates/certificate.tpl new file mode 100644 index 0000000..5d85b44 --- /dev/null +++ b/charts/instance/templates/certificate.tpl @@ -0,0 +1 @@ +{{- include "nplus.certificate" . | nindent 0 }} diff --git a/charts/instance/templates/instance.tpl b/charts/instance/templates/instance.tpl new file mode 100644 index 0000000..7e8e22a --- /dev/null +++ b/charts/instance/templates/instance.tpl 
@@ -0,0 +1,54 @@ +{{- include "nplus.init" $ -}} + +{{/* +Assemble List of Components +*/}} +{{- define "nplus.instance.getComponents" -}} +{{- $mylist := list -}} +{{- range $key, $value := .Values.components }} + {{- if $value }} + {{- $replicas := (( index $.Values $key ).replicaCount | default 1) | int }} + {{- if (gt $replicas 1) }} + {{- $mylist = append $mylist (printf "%s(%d)" ($key) $replicas) }} + {{- else }} + {{- $mylist = append $mylist (printf "%s" ($key)) }} + {{- end }} + {{- end }} +{{- end }} +{{- join "," $mylist -}} +{{- end -}} + +{{/* +Assemble List of Expectations +*/}} +{{- define "nplus.instance.getExpected" -}} +{{- range $key, $value := .Values.components }} + {{- if $value }} + {{- $replicas := (( index $.Values $key ).replicaCount | default 1) | int }} +- component: {{ $key }} + replicaCount: {{ $replicas }} + {{- end }} +{{- end }} +{{- end -}} + +apiVersion: nplus.cloud/v1beta1 +kind: Instance +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .Release.Name }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + argocd.argoproj.io/sync-wave: "1" +spec: + nscaleVersion: {{ .instance.version | quote }} + components: {{ include "nplus.instance.getComponents" . }} + handler: {{ .component.handler }} + expected: + {{- include "nplus.instance.getExpected" . | indent 2 }} + tenant: {{ (.this.meta).tenant }} + provider: {{ (.this.meta).provider }} + url: {{ include "nplus.url" . | quote }} diff --git a/charts/instance/templates/nappl-cluster-service.tpl b/charts/instance/templates/nappl-cluster-service.tpl new file mode 100644 index 0000000..c22f9da --- /dev/null +++ b/charts/instance/templates/nappl-cluster-service.tpl 
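Review bot: in `charts/instance/templates/instance.tpl`, the `spec` block emits `handler`, `tenant`, `provider` and `components` unquoted, while `nscaleVersion` and `url` on either side of them are piped through `quote`. An empty `(.this.meta).tenant` or `(.this.meta).provider` renders as a bare `tenant:` / `provider:` (YAML null), and a value that looks numeric or contains `: ` changes type or breaks the manifest. Suggest `tenant: {{ (.this.meta).tenant | quote }}` and the same for the other three fields. Separately, both `nplus.instance.getComponents` and `nplus.instance.getExpected` evaluate `( index $.Values $key ).replicaCount`. If a key is switched on under `.Values.components` without a matching top-level values block, `index` yields nil and rendering aborts with a nil-pointer error that does not name the component. `(index $.Values $key | default dict).replicaCount` would let the existing `default 1` apply.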
@@ -0,0 +1,39 @@ +{{- include "nplus.init" $ -}} +{{- if or (.Values.components).nappl (.Values.components).nappljobs -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ .component.prefix }}nappl-cluster + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service. + # It is purely used to collect the EndPointSlices + type: ClusterIP + clusterIP: None + + ports: + {{- if not (.this.security).zeroTrust }} + - name: http + port: 8080 + targetPort: http + protocol: TCP + {{- end }} + - name: https + port: 8443 + targetPort: https + protocol: TCP + + selector: + nplus/group: {{ .instance.group }} + nplus/type: core +{{- end -}} \ No newline at end of file diff --git a/charts/instance/templates/networkpolicy.tpl b/charts/instance/templates/networkpolicy.tpl new file mode 100644 index 0000000..9eed1ef --- /dev/null +++ b/charts/instance/templates/networkpolicy.tpl 
@@ -0,0 +1,115 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} + +{{- if ((.this.security).cni).defaultIngressPolicy }} +{{- if eq ((.this.security).cni).defaultIngressPolicy "deny" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .component.prefix }}default-deny-ingress + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + policyTypes: + - Ingress +{{- end }} +--- +{{- if eq ((.this.security).cni).defaultIngressPolicy "allow" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .component.prefix }}default-allow-ingress + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + policyTypes: + - Ingress + ingress: + - {} +{{- end }} + +{{- end }} +--- +{{- if ((.this.security).cni).defaultEgressPolicy }} +{{- if eq ((.this.security).cni).defaultEgressPolicy "deny" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .component.prefix }}default-deny-egress + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + policyTypes: + - Egress +{{- end }} +--- +{{- if eq ((.this.security).cni).defaultEgressPolicy "allow" }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ .component.prefix }}default-allow-egress + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . 
| nindent 4 }} +spec: + podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + policyTypes: + - Egress + ingress: + - {} +{{- end }} + +{{- end }} + + + + +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.prefix }}allow-dns + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} +spec: + podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + policyTypes: + - Egress + egress: + - to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + ports: + - protocol: UDP + port: 53 + - protocol: TCP + port: 53 + + +{{- end }} \ No newline at end of file diff --git a/charts/instance/templates/sanity.tpl b/charts/instance/templates/sanity.tpl new file mode 100644 index 0000000..0d963d2 --- /dev/null +++ b/charts/instance/templates/sanity.tpl @@ -0,0 +1,7 @@ +{{- if (and (.Values.components).nstl ( or (.Values.components).nstla (.Values.components).nstlb (.Values.components).nstlc (.Values.components).nstld)) -}} +{{- fail "You can only choose nstl or nstl[a-d], not both" -}} +{{- end -}} + +{{- if (and (.Values.components).sharepoint ( or (.Values.components).sharepointa (.Values.components).sharepointb (.Values.components).sharepointc (.Values.components).sharepointd)) -}} +{{- fail "You can only choose sharepoint or sharepoint[a-d], not both" -}} +{{- end -}} diff --git a/charts/instance/values.schema.json b/charts/instance/values.schema.json new file mode 100644 index 0000000..58e5e53 --- /dev/null +++ b/charts/instance/values.schema.json 
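Review bot: in `charts/instance/templates/networkpolicy.tpl`, the `default-allow-egress` policy lists only `Egress` under `policyTypes` but puts its rule under `ingress:` (`ingress: - {}`), so it carries no egress rule at all. A policy that selects pods for `Egress` and has no `egress` entries isolates them, which means `defaultEgressPolicy: "allow"` ends up blocking outbound traffic just like `"deny"`. The key should be `egress:` with the same `- {}` entry. Two smaller points in the same file: the `allow-dns` policy opens port 53 to every pod in `kube-system` because it has a `namespaceSelector` only, so adding a `podSelector` for the cluster's DNS pods alongside it would narrow that. It is also the only policy here without the `nplus.instanceLabels` block under `metadata`.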
@@ -0,0 +1,29266 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "administrator": { + "description": "nscale Administrator, providing the Web Version of the Administrator to be used in the Instance", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "administrator", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + 
"anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/rapadm", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "administrator", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "administrator", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + 
"default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + 
"description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "There should only be a single Administrator instance, so the replicaCount is fixed to 1 @ignore -- Do not change this.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-administrator", + "type": "object" + }, + "application": { + "description": "nplus Application, used to install Apps and Customizations into the nscale Application Layer.", + "properties": { + "docAreas": { + "default": "", + "description": "Provide a list of docareas to create. Please also see the example files", + "title": "docAreas" + }, + "download": { + "default": "", + "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", + "title": "download" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121814", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "application", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/application", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/pool", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": 
"nodeSelector" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "nstl", + "type": "object" + }, + "prerun": { + "default": "", + "description": "A list of scripts to run before the deployment of Apps", + "title": "prerun" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "rs": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale rendition Server*. 
This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "rs", + "type": "object" + }, + "run": { + "default": "", + "description": "A list of scripts to run after the deployment of Apps", + "title": "run" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-application", + "type": "object" + }, + "backend": { + "description": "Installs Namespace-Wide Resources such as the conf PVC and the ptemp PVC", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "storage": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "conf": { + "additionalProperties": false, + "properties": { + "name": { + "default": "", + "description": "this is the name of the common config storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "", + "description": "this is the size of the common config storage. 
please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "conf", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "properties": { + "name": { + "default": "", + "description": "this is the name of the common persistant temp storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "", + "description": "this is the size of the common ptemp storage. please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "ptemp", + "type": "object" + } + }, + "title": "storage", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the 
creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-backend", + "type": "object" + }, + "cmis": { + "description": "nscale CMIS Connector, provides a CMIS Interface to the Instance", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "cmis-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1200.2024112508", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/cmis", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8096", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8196", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "cmis-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "cmis", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-cmis", + "type": "object" + }, + "components": { + "additionalProperties": false, + "properties": { + "administrator": { + "default": "false", + "description": "enable a *nscale Administrator Web* component in this instance", + "title": "administrator" + }, + "application": { + "default": "false", + "description": "deploy any solution using GBA, Standard Apps or shell copy with this generic deployment chart", + "title": "application" + }, + "cmis": { + "default": "false", + "description": "enable a *nscale CMIS Connector* component in this instance", + "title": "cmis" + }, + "database": { + "default": "true", + "description": "enable an internal *Postgres Database* in this instance", + "title": "database" + }, + "dmsapi": { + "default": false, + "description": "TODO: remove", + "title": "dmsapi", + "type": "boolean" + }, + "erpcmis": { + "default": "false", + "description": "enable a *nscale ERP CMIS Connector* component in this instance", + "title": "erpcmis" + }, + "erpproxy": { + "default": "false", + "description": "enable a *nscale ERP Proxy Connector* component in this instance", + "title": "erpproxy" + }, + "ilm": { + "default": "false", + "description": "enable a *nscale ILM Connector* component in this instance", + "title": "ilm" + }, + "mon": { + "default": "false", + "description": "enable a *nscale Monitoring Console* component in this instance", + "title": "mon" + }, + "nappl": { + "default": "true", + "description": "enable a consumer *nscale Application Layer* component in this instance", + "title": "nappl" + }, + "nappljobs": { + "default": "false", + "description": "enable a dedicated jobs *nscale Application Layer* component in this instance please also make sure to set the *jobs* setting", + "title": "nappljobs" + }, + "nstl": { + "default": "true", + "description": "enable a *nscale 
Server Storage Layer* component in this instance If you are in a **High Availability** scenario, disable this", + "title": "nstl" + }, + "nstla": { + "default": "false", + "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", + "title": "nstla" + }, + "nstlb": { + "default": "false", + "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", + "title": "nstlb" + }, + "nstlc": { + "default": "false", + "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", + "title": "nstlc" + }, + "nstld": { + "default": "false", + "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", + "title": "nstld" + }, + "pam": { + "default": "false", + "description": "enable a *nscale Process Automation Modeler* component in this instance", + "title": "pam" + }, + "pipeliner": { + "default": "false", + "description": "enable *nscale Pipeliner* component in this instance", + "title": "pipeliner" + }, + "prepper": { + "default": "false", + "description": "download, deploy and run any git asset or script prior to installation of the components", + "title": "prepper" + }, + "rms": { + "default": "false", + "description": "enable a *nplus Remote Management Server* component in this instance If you are in a **High Availability** scenario, disable this", + "title": "rms" + }, + "rmsa": { + "default": "false", + "description": "enable an additional *nplus Remote Management Server* in this instance within a **High Availability** scenario.", + "title": "rmsa" + }, + "rmsb": { + "default": "false", + "description": "enable an additional *nplus Remote Management Server* in this instance within a **High Availability** scenario.", + "title": "rmsb" + }, + "rs": { + "default": "true", + "description": 
"enable a *nscale Rendition Server* component in this instance", + "title": "rs" + }, + "sharepoint": { + "default": "false", + "description": "enable a *nscale Sharepoint Connector* component in this instance", + "title": "sharepoint" + }, + "sharepointa": { + "default": "false", + "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", + "title": "sharepointa" + }, + "sharepointb": { + "default": "false", + "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", + "title": "sharepointb" + }, + "sharepointc": { + "default": "false", + "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", + "title": "sharepointc" + }, + "sharepointd": { + "default": "false", + "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", + "title": "sharepointd" + }, + "sim": { + "additionalProperties": false, + "description": "This section is for the single-instance-mode in which all environement components are integrated into the instance", + "properties": { + "backend": { + "default": "false", + "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. the backend components holds the common storages / PVCs for conf and ptemp umong other common environmental resources", + "title": "backend" + }, + "dav": { + "default": "false", + "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. DAV gives you WebDAV access to your conf and ptemp volumes", + "title": "dav" + }, + "operator": { + "default": "false", + "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. The Operator will let you query the Custom Resources for nscale, e.g. 
`kubectl get nscale`", + "title": "operator" + }, + "toolbox": { + "default": "false", + "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. the toolbox has a git client installed and is suitable for pulling, pushing, copying stuff into the pool, fonts, certificates, snippets and configuration files", + "title": "toolbox" + } + }, + "title": "sim" + }, + "web": { + "default": "true", + "description": "enable a *nscale Web* component in this instance", + "title": "web" + }, + "webdav": { + "default": "false", + "description": "enable a *nscale WebDAV Connector* component in this instance", + "title": "webdav" + } + }, + "title": "components", + "type": "object" + }, + "database": { + "description": "Postgres Database, deploys a DEV or TESTING environment DB", + "properties": { + "database": { + "additionalProperties": false, + "properties": { + "account": { + "default": "nscale", + "description": "the technical account to own the nscale database, if not set by secret", + "title": "account" + }, + "name": { + "default": "nscale", + "description": "name of the nscale database", + "title": "name" + }, + "password": { + "default": "nscale", + "description": "password of the technical account, if not set by secret", + "title": "password" + }, + "secret": { + "default": "", + "description": "the secret with credentials (account, password) for the nscale technical account. 
This setting has priority over account and password", + "title": "secret" + } + }, + "title": "database", + "type": "object" + }, + "dbAdmin": { + "additionalProperties": false, + "properties": { + "account": { + "default": "postgres", + "description": "the database admin account, if not set by secret", + "title": "account" + }, + "password": { + "default": "postgres", + "description": "the database admin password, if not set by secret", + "title": "password" + }, + "secret": { + "default": "", + "description": "the secret with credentials (account, password) for the database admin account. This setting has priority over adminAccount and adminPassword", + "title": "secret" + } + }, + "title": "dbAdmin", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "bitnami/postgresql", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "default": "", + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "title": "pullSecrets" + }, + "repo": { + "default": "", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "15", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "5432", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "database", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/bitnami/postgresql/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "30Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "priority": { + "additionalProperties": false, + "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. 
If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", + "properties": { + "className": { + "default": "", + "description": "Set the priority class for the Application Layer deployment if desired", + "title": "className" + }, + "createClass": { + "default": "", + "description": "Creates an individual PriorityClass for this instance", + "title": "createClass" + }, + "value": { + "default": "1000000", + "description": "Sets the priorityValue", + "title": "value" + } + }, + "title": "priority" + }, + "replicaCount": { + "default": "1", + "description": "The replicaCount for the Database should never be changed @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-database", + "type": "object" + }, + "dav": { + "description": "Provides WebDAV access to environment resources such as the conf PVC and the ptemp PVC", + "properties": { + "account": { + "default": "admin", + "description": "the dav user", + "title": "account" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": 
"IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dav", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envdav", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "password": { + "default": "admin", + "description": "password of the dav user", + "title": "password" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "secret": { + "default": "", + "description": "Alternatively, define a secret", + "title": "secret" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-dav", + "type": "object" + }, + "dmsapi": { + "description": "eon DMS-API provides a eon Standard Interface to the Instance", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "dms-api", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your 
own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "9.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dms_api", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "9443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "dms-api", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "dmsapi", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/tomcat/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/tomcat/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + 
"default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "eon-dms-api", + "type": "object" + }, + "erpcmis": { + "description": "nscale ERP CMIS, providing SAP S/4 HANA Public Cloud Archive Access", + "properties": { + "alien": { + "additionalProperties": false, + "properties": { + "doAppend": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "doAppend" + }, + "port": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "port" + }, + "server": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "server" + }, + "ssl": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "ssl" + }, + "url": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "alien", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "erp-cmis-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1000.2024032720", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/cmis/browser", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8096", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8196", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "erpcmis-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "erpcmis", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "migration": { + "additionalProperties": false, + "properties": { + "checkDocuments": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "checkDocuments" + }, + "checkIgnoreTime": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "checkIgnoreTime" + }, + "delay": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "delay" + }, + "doListMigration": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "doListMigration" + }, + "enabled": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "enabled" + }, + "fileDelimiter": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "fileDelimiter" + }, + "viaFileSystem": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "viaFileSystem" + } + }, + "title": "migration", + "type": "object" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, 
a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the 
class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of 
your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sign": { + "additionalProperties": false, + "properties": { + "authID": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "authID" + }, + "keyAlias": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "keyPassword" + } + }, + "title": "sign", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service 
name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + }, + "xsap": { + "additionalProperties": false, + "properties": { + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "xsap", + "type": "object" + } + }, + "title": "nplus-component-erpcmis", + "type": "object" + }, + "erpproxy": { + "description": "nscale ERP Proxy, providing SAP Archive Link access to alien Archive Components", + "properties": { + "alien": { + "additionalProperties": false, + "properties": { + "doAppend": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "doAppend" + }, + "port": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "port" + }, + "server": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "server" + }, + "ssl": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "ssl" + }, + "url": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "alien", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sap-proxy-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/pre-release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024092409", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": 
"Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/sap_proxy", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8097", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8197", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "erpproxy-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "erpproxy", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "migration": { + "additionalProperties": false, + "properties": { + "checkDocuments": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "checkDocuments" + }, + "checkIgnoreTime": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "checkIgnoreTime" + }, + "delay": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "delay" + }, + "doListMigration": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "doListMigration" + }, + "enabled": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "enabled" + }, + "fileDelimiter": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "fileDelimiter" + }, + "viaFileSystem": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "viaFileSystem" + } + }, + "title": "migration", + "type": "object" + }, + "minReplicaCount": { + "default": "", + "description": "if you set 
minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the 
class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of 
your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sign": { + "additionalProperties": false, + "properties": { + "authID": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "authID" + }, + "keyAlias": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "keyPassword" + } + }, + "title": "sign", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the 
service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + }, + "xsap": { + "additionalProperties": false, + "properties": { + "url": { + "default": "{{ printf \"%s/%s\" ($.this.nappl).instance \"xsap/cs/xsap\"}}", + "description": "xsap url to use.", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "xsap", + "type": "object" + } + }, + "title": "nplus-component-erpproxy", + "type": "object" + }, + "global": { + "additionalProperties": false, + "properties": { + "database": { + "additionalProperties": false, + "properties": { + "account": { + "default": "nscale", + "description": "DB account (if not using a secret)", + "title": "account" + }, + "dialect": { + "default": "PostgreSQL", + "description": "nscale DB server dialect", + "title": "dialect" + }, + "driverclass": { + "default": "org.postgresql.Driver", + "description": "nscale DB server driverclass", + "title": "driverclass" + }, + "name": { + "default": "nscale", + "description": "name of the nscale DB", + "title": "name" + }, + "password": { + "default": "nscale", + "description": "DB password (if not using a secret)", + "title": "password" + }, + "passwordEncoded": { + "default": "false", + "description": "weather the password is stored encrypted", + "title": "passwordEncoded" + }, + "schema": { + "default": "public", + "description": "DB schema name", + "title": "schema" + }, + "secret": { + "default": "", + "description": "DB credential secret (account, password)", + "title": "secret" + }, + "url": { + "default": "jdbc:postgresql://{{ .component.prefix }}database:5432/{{ .this.database.name }}", + "description": "The URL to the database", + "title": "url" + } + }, + "title": "database", + "type": "object" + }, + "ingress": { + "additionalProperties": false, + "properties": { + "appRoot": { + 
"default": "/nscale_web", + "description": "Sets the root for this instance, where incoming root traffic should be redirected to", + "title": "appRoot" + }, + "class": { + "default": "`public``", + "description": "sets the global ingressclass for all components to use - if they do not define a specific one, for example if there are separate controllers for internal and external traffic", + "title": "class" + }, + "createSelfSignedCertificate": { + "default": "true", + "description": "if you do not define an issuer to generate the tls secret for you, you still can have a self signed certificate generated for you, if you set this to true. The default is true, so either you have an issuer or not, you will always end up with a certificate. Set an empty issuer and createSelfSignedCertificate to false to have no certificate generated and use an external or existing secret. Then make sure the secret matches.", + "title": "createSelfSignedCertificate" + }, + "domain": { + "default": "", + "description": "Sets the global domain within the instance to be used, if the component does not define any domain. If this remains empty, no ingress is generated Example: `{{ .instance.group }}.lab.nplus.cloud`", + "title": "domain" + }, + "issuer": { + "default": "", + "description": "Sets the name of the issuer to create the tls secret. Very common is to have it created by cert-manager. Please see the documentation how to create a cert-manager cluster issuer for example. If no issuer is set, no certificate request will be generated", + "title": "issuer" + }, + "namespace": { + "default": "`ingress, kube-system, ingress-nginx`", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", + "title": "namespace" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. This secret is then either generated by cert-manager or self signed by helm - or not created", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress", + "type": "object" + }, + "instance": { + "additionalProperties": false, + "properties": { + "group": { + "default": "", + "description": "The group of the instance. This is used for the networkPolicies. Only Pods within one group are allowed to communicate if you enable the nplus Network Policies. By default, this is set the same as the instance name", + "title": "group" + }, + "name": { + "default": "{{ .Release.Name }}", + "description": "The name of the instance. Should this name be identical to the namespace name, then the prefix will be dropped. 
By default, this is the .Release.Name", + "title": "name" + } + }, + "title": "instance", + "type": "object" + }, + "license": { + "default": "nscale-license", + "description": "Globally set the license secret name", + "title": "license" + }, + "logForwarderImage": { + "additionalProperties": false, + "properties": { + "name": { + "default": "fluent-bit", + "description": "defines the nplus toolbox name to be used for the *wait* feature", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "description": "defines the nplus toolbox pull policy to be used for the *wait* feature", + "title": "pullPolicy" + }, + "repo": { + "default": "cr.fluentbit.io/fluent", + "description": "defines the nplus toolbox image to be used for the *wait* feature", + "title": "repo" + }, + "tag": { + "default": "2.0", + "description": "defines the tag for the logforwarder (FluentBit) @internal -- set by devOps pipeline, so do not modify", + "title": "tag" + } + }, + "title": "logForwarderImage", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "nscaleVersion": { + "default": "9.3.1300", + "description": "Sets the nscale version of this deployment / instance. This is used by the operator to display the correct version e.g. in the Web UI. @internal -- this is set by the devOps pipeline, so do not modify", + "title": "nscaleVersion" + } + }, + "title": "meta", + "type": "object" + }, + "nappl": { + "additionalProperties": false, + "properties": { + "account": { + "default": "admin", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "nscale", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}", + "description": "sets the *nscale Server Application Layer* host to be used. 
As this is a global option, it can be overridden at component level.", + "title": "host" + }, + "instance": { + "default": "nscalealinst1", + "description": "the instance of *nscale Server Application Layer* to be used @internal -- As this is depricated for nscale 10, you should never modify this.", + "title": "instance" + }, + "password": { + "default": "admin", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "8080", + "description": "sets the *nscale Server Application Layer* port to be used. As this is a global option, it can be overridden at component level. if you switch to zero trus mode or change the nappl backend to https, you want to modify this port to 8443", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "false", + "description": "wether to use ssl or not for the advanced connector", + "title": "ssl" + } + }, + "title": "nappl", + "type": "object" + }, + "security": { + "additionalProperties": false, + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "administratorInstance": { + "default": "{{ .this.instance.name }}", + "description": "sets the instance, from which Administration is allowed", + "title": "administratorInstance" + }, + "administratorNamespace": { + "default": "{{ .Release.Namespace }}", + "description": "sets the namespace, from which Administration is allowed", + "title": "administratorNamespace" + }, + "createNetworkPolicy": { + "default": "", + "description": "creates NetworkPolicies for each component.", + "title": "createNetworkPolicy" + }, + "defaultEgressPolicy": { + "default": "", + "description": "if defined, creates a default NetworkPolicy to handle egress Traffic from the instance. 
Possible Values: deny, allow, none", + "title": "defaultEgressPolicy" + }, + "defaultIngressPolicy": { + "default": "", + "description": "if defined, creates a default NetworkPolicy to handle ingress Traffic to the instance. Possible Values: deny, allow, none", + "title": "defaultIngressPolicy" + }, + "monitoringInstance": { + "default": "{{ .this.instance.name }}", + "description": "sets the instance, from which Monitoring is allowed", + "title": "monitoringInstance" + }, + "monitoringNamespace": { + "default": "{{ .Release.Namespace }}", + "description": "sets the namespace, from which Monitoring is allowed", + "title": "monitoringNamespace" + }, + "pamInstance": { + "default": "{{ .this.instance.name }}", + "description": "sets the instance, from which Process Automation Modeling is allowed", + "title": "pamInstance" + }, + "pamNamespace": { + "default": "{{ .Release.Namespace }}", + "description": "sets the namespace, from which Process Automation Modeling is allowed", + "title": "pamNamespace" + } + }, + "title": "cni", + "type": "object" + }, + "zeroTrust": { + "default": "", + "description": "enables zero trust on the instance. When enabled, no unencrypted http connection is allowed. This will remove all http ports from pods, services, network policies and ingress rules", + "title": "zeroTrust" + } + }, + "title": "security", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "properties": { + "openTelemetry": { + "default": "", + "description": "if you use a OpenTelemetry as a telemetry collector, you can enable it here. This will add the annotations to some known pods for the injector to use agents inside the pods for telemetry collection. 
This often goes along with the `language` setting in the meta section to tell the telemetry collector which agent to inject.", + "title": "openTelemetry" + } + }, + "title": "telemetry", + "type": "object" + }, + "waitImage": { + "additionalProperties": false, + "properties": { + "name": { + "default": "toolbox2", + "description": "defines the nplus toolbox name to be used for the *wait* feature", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "description": "defines the nplus toolbox pull policy to be used for the *wait* feature", + "title": "pullPolicy" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "defines the nplus toolbox image to be used for the *wait* feature", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "defines the nplus toolbox tag to be used for the *wait* feature @internal -- set by devOps pipeline, so do not modify", + "title": "tag" + } + }, + "title": "waitImage", + "type": "object" + } + }, + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "ilm": { + "description": "nscale ILM Connector, providing a certified SAP ILM interface", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "ilm-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024091702", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/sap_ilm", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8297", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8397", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "ilm-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "ilm", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific 
nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-ilm", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + } + }, + "title": "meta", + "type": "object" + }, + "mon": { + "description": "nscale Monitoring Console, used to provide sensor information from all components to dashboards", + "properties": { + "activateRmi": { + "default": "false", + "description": "Activates the RMI Interface. Due to security concern, this defaults to `false`", + "title": "activateRmi" + }, + "activateSsl": { + "default": "true", + "description": "Activates SSL / TLS communication", + "title": "activateSsl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "monitoring-console", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024092618", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscalemc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8387", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8388", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "8389", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "monitoring-console", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "mon", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-monitoring/workspace", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": 
[ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-monitoring/workspace/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "There should only be a single Monitoring instance, so the replicaCount is fixed to 1 @ignore -- Do not change this.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": 
"", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-mon", + "type": "object" + }, + "nappl": { + "description": "nscale Server Application Layer, the central component in the nscale ecosystem", + "properties": { + "database": { + "additionalProperties": false, + "description": "If you define the database in your values, this DB settings are taken. If you leave this empty, the settings from the config file are used.", + "properties": { + "account": { + "default": "", + "description": "alternative 1: the account name of the technical DB user for nscale", + "title": "account" + }, + "dialect": { + "default": "", + "description": "the database dialect to use", + "title": "dialect" + }, + "driverclass": { + "default": "", + "description": "the driver class to use", + "title": "driverclass" + }, + "name": { + "default": "", + "description": "the name of the database to use", + "title": "name" + }, + "password": { + "default": "", + "description": "alternative 1: the password of the technical DB user for nscale", + "title": "password" + }, + "passwordEncoded": { + "default": "", + "description": "weather the DB password is stored encrypted", + "title": "passwordEncoded" + }, + "schema": { + "default": "", + "description": "the database schema to use", + "title": "schema" + }, + "secret": { + "default": "", + "description": "alternative 2: use a secret for the account and password", + "title": "secret" + }, + "url": { + "default": "", + "description": "the DB URL", + 
"title": "url" + } + }, + "title": "database" + }, + "disableSessionReplication": { + "default": "", + "description": "enables/disables the session replication for these cluster members.", + "title": "disableSessionReplication" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": 
"ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121814", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscalealinst1", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. 
This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "false", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "includeDefaultPaths": { + "default": "true", + "description": "toggles default paths like index.html, res and engine.properties", + "title": "includeDefaultPaths" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "jobs": { + "default": "true", + "description": "enables/disables the job affinity / priority for these cluster members", + "title": "jobs" + }, + "kubePing": { + "additionalProperties": false, + "description": "sets the serviceAccount for NAPPL. Up to 9.1.1100, this was needed for the cluster communication (kubePing). Starting 9.1.1201, this is not the case any more If it is left empty, also the automountServiceAccountToken is disabled. 
If you set Values, they are ignored in Versions > 9.1.1200", + "properties": { + "create": { + "default": "true", + "description": "Creates the ServiceAccount (only if Version < 9.1.1200) Later Versions use a Cluster Service and resolve the IP Adresses from the EndpointSlices", + "title": "create" + }, + "name": { + "default": "{{ .component.fullName }}-kubeping", + "description": "Set the ServiceAccount Name for the kubePing Protocol", + "title": "name" + } + }, + "title": "kubePing" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "application-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "core", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "/usr/share/fonts/truetype/nplus", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "additionalProperties": false, + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "priority": { + "additionalProperties": false, + "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", + "properties": { + "className": { + "default": "", + "description": "Set the priority class for the Application Layer deployment if desired", + "title": "className" + }, + "createClass": { + "default": "true", + "description": "Creates an individual PriorityClass for this instance", + "title": "createClass" + }, + "value": { + "default": "1000000", + "description": "Sets the priorityValue", + "title": "value" + } + }, + "title": "priority" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "dbIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster DB Servers, that the nappl is allowed to communicate with.", + "title": "dbIpRange" + }, + "sapIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster SAP Servers, that the nappl is allowed to communicate with.", + "title": "sapIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sessionCacheStorageType": { + "default": "", + "description": "Sets the Session Cache Storage Type to HEAP or OFF_HEAP", + "title": "sessionCacheStorageType" + }, + "snc": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": "false", + "description": "Enables the NAPPL SNC to access SAP Systems. 
Since nscale 8, the configuration is done in the Administration Client.", + "title": "enabled" + } + }, + "title": "snc", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "description": "Set tolerations for this component", + "items": {}, + "title": "tolerations" + }, + "updateStrategy": { + "default": "RollingUpdate", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-nappl", + "type": "object" + }, + "nappljobs": { + "description": "nscale Server Application Layer, the central component in the nscale ecosystem", + "properties": { + "database": { + "additionalProperties": false, + "description": "If you define the database in your values, this DB settings are taken. 
If you leave this empty, the settings from the config file are used.", + "properties": { + "account": { + "default": "", + "description": "alternative 1: the account name of the technical DB user for nscale", + "title": "account" + }, + "dialect": { + "default": "", + "description": "the database dialect to use", + "title": "dialect" + }, + "driverclass": { + "default": "", + "description": "the driver class to use", + "title": "driverclass" + }, + "name": { + "default": "", + "description": "the name of the database to use", + "title": "name" + }, + "password": { + "default": "", + "description": "alternative 1: the password of the technical DB user for nscale", + "title": "password" + }, + "passwordEncoded": { + "default": "", + "description": "weather the DB password is stored encrypted", + "title": "passwordEncoded" + }, + "schema": { + "default": "", + "description": "the database schema to use", + "title": "schema" + }, + "secret": { + "default": "", + "description": "alternative 2: use a secret for the account and password", + "title": "secret" + }, + "url": { + "default": "", + "description": "the DB URL", + "title": "url" + } + }, + "title": "database" + }, + "disableSessionReplication": { + "default": "", + "description": "enables/disables the session replication for these cluster members.", + "title": "disableSessionReplication" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121814", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscalealinst1", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. 
This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "false", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "includeDefaultPaths": { + "default": "true", + "description": "toggles default paths like index.html, res and engine.properties", + "title": "includeDefaultPaths" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "jobs": { + "default": "true", + "description": "enables/disables the job affinity / priority for these cluster members", + "title": "jobs" + }, + "kubePing": { + "additionalProperties": false, + "description": "sets the serviceAccount for NAPPL. Up to 9.1.1100, this was needed for the cluster communication (kubePing). Starting 9.1.1201, this is not the case any more If it is left empty, also the automountServiceAccountToken is disabled. 
If you set Values, they are ignored in Versions > 9.1.1200", + "properties": { + "create": { + "default": "true", + "description": "Creates the ServiceAccount (only if Version < 9.1.1200) Later Versions use a Cluster Service and resolve the IP Adresses from the EndpointSlices", + "title": "create" + }, + "name": { + "default": "{{ .component.fullName }}-kubeping", + "description": "Set the ServiceAccount Name for the kubePing Protocol", + "title": "name" + } + }, + "title": "kubePing" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "application-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "core", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "/usr/share/fonts/truetype/nplus", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "additionalProperties": false, + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "priority": { + "additionalProperties": false, + "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", + "properties": { + "className": { + "default": "", + "description": "Set the priority class for the Application Layer deployment if desired", + "title": "className" + }, + "createClass": { + "default": "true", + "description": "Creates an individual PriorityClass for this instance", + "title": "createClass" + }, + "value": { + "default": "1000000", + "description": "Sets the priorityValue", + "title": "value" + } + }, + "title": "priority" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "dbIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster DB Servers, that the nappl is allowed to communicate with.", + "title": "dbIpRange" + }, + "sapIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster SAP Servers, that the nappl is allowed to communicate with.", + "title": "sapIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sessionCacheStorageType": { + "default": "", + "description": "Sets the Session Cache Storage Type to HEAP or OFF_HEAP", + "title": "sessionCacheStorageType" + }, + "snc": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": "false", + "description": "Enables the NAPPL SNC to access SAP Systems. 
Since nscale 8, the configuration is done in the Administration Client.", + "title": "enabled" + } + }, + "title": "snc", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "description": "Set tolerations for this component", + "items": {}, + "title": "tolerations" + }, + "updateStrategy": { + "default": "RollingUpdate", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-nappl", + "type": "object" + }, + "nstl": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. 
this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": 
"pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! @ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + 
"anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "nstla": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! 
@ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + 
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + 
"title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. 
@ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "nstlb": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. 
this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": 
"pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! @ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + 
"anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "nstlc": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! 
@ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + 
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + 
"title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. 
@ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "nstld": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. 
this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": 
"pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! @ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + 
"anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "operator": { + "description": "Installs the nplus operator managin the custom resource definitions for nplus and nscale", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "operator", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + 
"description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/monitoring", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envoperator", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "ui": { + "default": "true", + "description": "Enables the web ui, default under /monitoring", + "title": "ui" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-operator", + "type": "object" + }, + "pam": { + "description": "nscale Process Automation Modeler, providing Web UI Modeler for PAP", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "process-automation-modeler", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1200.63696", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/modeler", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8092", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "pam", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "pam", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/process-automation-modeler/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change 
this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + 
"description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "As this is a Admin component, there is no HA or anything so we stick to exactly 1 replica. @ignore -- Fix Value", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-pam", + "type": "object" + }, + "pipeliner": { + "description": "nscale Pipeliner, the mass import / export tool of nscale", + "properties": { + "dav": { + "additionalProperties": false, + "properties": { + "account": { + "default": "pipeliner", + "description": "the dav user", + "title": "account" + }, + "image": { + "additionalProperties": false, + "description": "the Image to use for the DAV server", + "properties": { + "name": { + "default": "toolbox2", + "title": "name", + "type": "string" + }, + "pullPolicy": { + "default": "IfNotPresent", + "description": "the DAV server image pull policy", + "title": "pullPolicy" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "title": "repo", + "type": "string" + }, + "tag": { + "default": "1.2.1300", + "title": "tag", + "type": "string" + } + }, + "title": "image" + }, + "password": { + "default": "pipeliner", + "description": "password of the dav user", + "title": "password" + }, + "secret": { + "default": "", + "description": "Alternatively, define a secret", + "title": "secret" + } + }, + "title": "dav", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "pipeliner", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121815", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra 
Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/{{ .component.name }}", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "4173", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "pipeliner", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "pipeliner", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "defaultConfig": { + "default": "{{ .component.fullName }}-defaultconfig", + "description": "Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. 
Existing files are not overwritten.", + "title": "defaultConfig" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the 
size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "0", + "description": "Default ReplicaCount is 0 as the pipeliner requires a working cold.xml", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-pipeliner", + "type": "object" + }, + "prepper": { + "description": "nplus Prepper, used to deploy assets prior to component deployment", + "properties": { + "download": { + "default": "", + "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", + "title": "download" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "application", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/application", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/pool", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": 
"nodeSelector" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "nstl", + "type": "object" + }, + "prerun": { + "default": "", + "description": "A list of scripts to run before the deployment of Apps", + "title": "prerun" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "rs": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale rendition Server*. 
This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "rs", + "type": "object" + }, + "run": { + "default": "", + "description": "A list of scripts to run after the deployment of Apps", + "title": "run" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-prepper", + "type": "object" + }, + "rms": { + "description": "nplus Remote Management Server incl. RMS and Access Proxy", + "properties": { + "comps": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "cmis": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "CMIS Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "cmis", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal 
-- do not change", + "properties": { + "http": { + "default": "8096", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8196", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "cmis", + "type": "object" + }, + "ilm": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "SAP ILM Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "ilm", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8297", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8397", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl 
command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "ilm", + "type": "object" + }, + "mon": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Monitoring Console", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "mon", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8387", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8388", + "description": "proxied port @internal -- do not change", + "title": "https" + }, + "tcp": { + "default": "8389", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "mon", + "type": "object" + }, + 
"nappl": { + "additionalProperties": false, + "description": "Values for the nappl component", + "properties": { + "displayName": { + "default": "Application Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nappl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8080", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8443", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nappl" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Storage Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through 
RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nstl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "3005", + "description": "proxied port @internal -- do not change", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "proxied port @internal -- do not change", + "title": "tcps" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nstl", + "type": "object" + }, + "pipeliner": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Pipeliner", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "pipeliner", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": 
"The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "4173", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "pipeliner", + "type": "object" + }, + "rs": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Rendition Server", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "rs", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8192", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8193", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": 
"replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "rs", + "type": "object" + }, + "web": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Application Layer Web", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "web", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8090", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8453", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "web", + "type": "object" + } + }, + "title": "comps", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": 
"env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "admin-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "git.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + 
"additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + 
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rms", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-rms/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "100Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "adminIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server.", + "title": "adminIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-rms", + "type": "object" + }, + "rmsa": { + "description": "nplus Remote Management Server incl. RMS and Access Proxy", + "properties": { + "comps": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "cmis": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "CMIS Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "cmis", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8096", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8196", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": 
"Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "cmis", + "type": "object" + }, + "ilm": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "SAP ILM Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "ilm", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8297", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8397", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "ilm", + "type": "object" + }, + "mon": { + "additionalProperties": 
false, + "properties": { + "displayName": { + "default": "Monitoring Console", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "mon", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8387", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8388", + "description": "proxied port @internal -- do not change", + "title": "https" + }, + "tcp": { + "default": "8389", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "mon", + "type": "object" + }, + "nappl": { + "additionalProperties": false, + "description": "Values for the nappl component", + "properties": { + "displayName": { + "default": "Application Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + 
"default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nappl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8080", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8443", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nappl" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Storage Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nstl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + 
}, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "3005", + "description": "proxied port @internal -- do not change", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "proxied port @internal -- do not change", + "title": "tcps" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nstl", + "type": "object" + }, + "pipeliner": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Pipeliner", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "pipeliner", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "4173", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - 
important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "pipeliner", + "type": "object" + }, + "rs": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Rendition Server", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "rs", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8192", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8193", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "rs", + "type": "object" + }, + "web": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": 
"Application Layer Web", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "web", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8090", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8453", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "web", + "type": "object" + } + }, + "title": "comps", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "admin-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "git.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display 
@internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rms", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-rms/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "100Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "adminIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server.", + "title": "adminIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-rms", + "type": "object" + }, + "rmsb": { + "description": "nplus Remote Management Server incl. RMS and Access Proxy", + "properties": { + "comps": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "cmis": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "CMIS Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "cmis", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8096", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8196", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": 
"Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "cmis", + "type": "object" + }, + "ilm": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "SAP ILM Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "ilm", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8297", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8397", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "ilm", + "type": "object" + }, + "mon": { + "additionalProperties": 
false, + "properties": { + "displayName": { + "default": "Monitoring Console", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "mon", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8387", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8388", + "description": "proxied port @internal -- do not change", + "title": "https" + }, + "tcp": { + "default": "8389", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "mon", + "type": "object" + }, + "nappl": { + "additionalProperties": false, + "description": "Values for the nappl component", + "properties": { + "displayName": { + "default": "Application Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + 
"default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nappl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8080", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8443", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nappl" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Storage Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nstl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + 
}, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "3005", + "description": "proxied port @internal -- do not change", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "proxied port @internal -- do not change", + "title": "tcps" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nstl", + "type": "object" + }, + "pipeliner": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Pipeliner", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "pipeliner", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "4173", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - 
important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "pipeliner", + "type": "object" + }, + "rs": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Rendition Server", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "rs", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8192", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8193", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "rs", + "type": "object" + }, + "web": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": 
"Application Layer Web", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "web", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8090", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8453", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "web", + "type": "object" + } + }, + "title": "comps", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "admin-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "git.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display 
@internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rms", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-rms/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "100Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "adminIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server.", + "title": "adminIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-rms", + "type": "object" + }, + "rs": { + "description": "nscale Rendition Server, providing means to format-convert common file types", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "rendition-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1301.2024121910", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "false", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8192", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8193", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "rendition-server", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rs", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + 
"additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "/usr/share/fonts/truetype/nplus", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/conf/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-rs", + "type": "object" + }, + "sharepoint": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until official 
release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "sharepointa": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until 
official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "sharepointb": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until 
official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "sharepointc": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until 
official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "sharepointd": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until 
official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "toolbox": { + "description": "Installs the environment toolbox with git and nstore downloader installed, also serving as target for pool copy actions in the pipeline", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envtoolbox", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "nstoreDownloader": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "enabled": { + "default": "false", + "description": "enables the nstore downloader", + "title": "enabled" + }, + "nstore": { + "default": "`https://nstore.ceyoniq.com...`", + "description": "set the nstore URL", + "title": "nstore" + }, + "target": { + "default": "pool/nstore", + "description": "target directory in the conf pv", + "title": "target" + } + }, + "title": "nstoreDownloader", + "type": "object" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-toolbox", + "type": "object" + }, + "web": { + "description": "nscale Web, providing a modern Web UI to nscale users", + "properties": { + "authType": { + "default": "", + "description": "Set the authentication type login, basic, negotiate, implicit ntlmv2, kerberos", + "title": "authType" + }, + "customizingMode": { + "default": "", + "description": "If this setting is enabled, layouts will update immediately when changes are made. It is no longer necessary to re-register or restart the service. If this setting is not activated, the automatic update of the metamodel is turned off. We recommend not using this setting in productive systems because it reduces system performance.", + "title": "customizingMode" + }, + "disableUsernamePassword": { + "default": "", + "description": "surpresses the login dialog", + "title": "disableUsernamePassword" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer-web", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121620", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "immediateFederatedLogin": { + "default": "", + "description": "directly log in via identity providers", + "title": "immediateFederatedLogin" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + 
"backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_web", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "XtConLoadBalancerSession", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8090", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8453", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "web-client", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "web", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "metamodelMode": { + "default": "", + "description": "Refreshes the metamodel mode", + "title": "metamodelMode" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer-web/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "defaultConfig": { + "default": "{{ .component.fullName }}-defaultconfig", + "description": "Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. 
Existing files are not overwritten.", + "title": "defaultConfig" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the 
size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer-web/apache/logs/", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + 
"title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "oauthDomains": { + "default": "", + "description": "OAuth nscale domains", + "title": "oauthDomains" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "sameSite": { + "default": "", + "description": "nscale SameSite Cookie Header", + "title": "sameSite" + }, + "samlDomains": { + "default": "", + "description": "SAML nscale domains", + "title": "samlDomains" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "smartCrossgrade": { + "default": "", + "description": "Enable Crossgrade for Smart Layouts", + "title": "smartCrossgrade" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-web", + "type": "object" + }, + "webdav": { + "description": "nscale WebDAV Connector, providing a standard WebDAV interface to the Instance", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "webdav-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024091609", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dav", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8088", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8488", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "webdav-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "webdav", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-webdav/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-webdav/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + 
"default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-webdav", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/instance/values.yaml b/charts/instance/values.yaml new file mode 100644 index 0000000..b54d18d --- /dev/null +++ b/charts/instance/values.yaml 
@@ -0,0 +1,878 @@ +# yaml-language-server: $schema=values.schema.json +components: + # -- enable a consumer *nscale Application Layer* component in this instance + nappl: true + # -- enable a dedicated jobs *nscale Application Layer* component in this instance + # please also make sure to set the *jobs* setting + nappljobs: false + # -- enable a *nscale Web* component in this instance + web: true + # -- enable a *nscale Monitoring Console* component in this instance + mon: false + # -- enable a *nscale Rendition Server* component in this instance + rs: true + # -- enable a *nscale ILM Connector* component in this instance + ilm: false + # -- enable a *nscale ERP Proxy Connector* component in this instance + erpproxy: false + # -- enable a *nscale ERP CMIS Connector* component in this instance + erpcmis: false + # -- enable a *nscale CMIS Connector* component in this instance + cmis: false + # -- enable an internal *Postgres Database* in this instance + database: true + # -- enable a *nscale Server Storage Layer* component in this instance + # If you are in a **High Availability** scenario, disable this + nstl: true + # -- enable an additional *nscale Server Storage Layer* node in this instance + # within a **High Availability** scenario. + nstla: false + # -- enable an additional *nscale Server Storage Layer* node in this instance + # within a **High Availability** scenario. + nstlb: false + # -- enable an additional *nscale Server Storage Layer* node in this instance + # within a **High Availability** scenario. + nstlc: false + # -- enable an additional *nscale Server Storage Layer* node in this instance + # within a **High Availability** scenario. 
+ nstld: false + # -- enable *nscale Pipeliner* component in this instance + pipeliner: false + # -- deploy any solution using GBA, Standard Apps or shell copy with this generic deployment + # chart + application: false + # -- download, deploy and run any git asset or script prior to installation of the components + prepper: false + # -- enable a *nscale WebDAV Connector* component in this instance + webdav: false + # -- enable a *nscale Administrator Web* component in this instance + administrator: false + # -- enable a *nplus Remote Management Server* component in this instance + # If you are in a **High Availability** scenario, disable this + rms: false + # -- enable an additional *nplus Remote Management Server* in this instance + # within a **High Availability** scenario. + rmsa: false + # -- enable an additional *nplus Remote Management Server* in this instance + # within a **High Availability** scenario. + rmsb: false + # -- enable a *nscale Process Automation Modeler* component in this instance + pam: false + # -- enable a *nscale Sharepoint Connector* component in this instance + sharepoint: false + # -- enable an additional *nscale Sharepoint Connector* component in this instance for + # another set of configuration parameters + sharepointa: false + # -- enable an additional *nscale Sharepoint Connector* component in this instance for + # another set of configuration parameters + sharepointb: false + # -- enable an additional *nscale Sharepoint Connector* component in this instance for + # another set of configuration parameters + sharepointc: false + # -- enable an additional *nscale Sharepoint Connector* component in this instance for + # another set of configuration parameters + sharepointd: false + # -- This section is for the single-instance-mode in which all environement components are integrated + # into the instance + sim: + # -- This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. 
+ # DAV gives you WebDAV access to your conf and ptemp volumes + dav: false + # -- This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. + # the backend components holds the common storages / PVCs for conf and ptemp + # umong other common environmental resources + backend: false + # -- This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. + # The Operator will let you query the Custom Resources for nscale, e.g. + # `kubectl get nscale` + operator: false + # -- This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. + # the toolbox has a git client installed and is suitable for pulling, pushing, copying + # stuff into the pool, fonts, certificates, snippets and configuration files + toolbox: false + #TODO: remove + dmsapi: false +meta: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: +global: + telemetry: + # -- if you use a OpenTelemetry as a telemetry collector, you can enable it here. + # This will add the annotations to some known pods for the injector to use + # agents inside the pods for telemetry collection. + # This often goes along with the `language` setting in the meta section to tell the + # telemetry collector which agent to inject. + openTelemetry: + security: + # -- enables zero trust on the instance. + # When enabled, no unencrypted http connection is allowed. + # This will remove all http ports from pods, services, network policies and ingress rules + zeroTrust: + cni: + # -- if defined, creates a default NetworkPolicy to handle + # ingress Traffic to the instance. + # Possible Values: deny, allow, none + defaultIngressPolicy: + # -- if defined, creates a default NetworkPolicy to handle + # egress Traffic from the instance. 
+ # Possible Values: deny, allow, none + defaultEgressPolicy: + # -- creates NetworkPolicies for each + # component. + createNetworkPolicy: + # -- sets the namespace, from which Administration is + # allowed + administratorNamespace: "{{ .Release.Namespace }}" + # -- sets the instance, from which Administration is + # allowed + administratorInstance: "{{ .this.instance.name }}" + # -- sets the namespace, from which Monitoring is + # allowed + monitoringNamespace: "{{ .Release.Namespace }}" + # -- sets the instance, from which Monitoring is + # allowed + monitoringInstance: "{{ .this.instance.name }}" + # -- sets the namespace, from which Process Automation Modeling is + # allowed + pamNamespace: "{{ .Release.Namespace }}" + # -- sets the instance, from which Process Automation Modeling is + # allowed + pamInstance: "{{ .this.instance.name }}" + instance: + # -- The name of the instance. Should this name be identical to the namespace name, then + # the prefix will be dropped. + # By default, this is the .Release.Name + name: "{{ .Release.Name }}" + # -- The group of the instance. This is used for the networkPolicies. Only Pods within one group are allowed to communicate + # if you enable the nplus Network Policies. + # By default, this is set the same as the instance name + group: + ingress: + # -- Sets the global domain within the instance to be used, if the component does not define any domain. + # If this remains empty, no ingress is generated + # Example: `{{ .instance.group }}.lab.nplus.cloud` + domain: + # -- Sets the root for this instance, where incoming root traffic should be redirected to + appRoot: /nscale_web + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. 
This secret is then either + # generated by cert-manager or self signed by helm - or not created + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- sets the global ingressclass for all components to use - if they do not define a specific + # one, for example if there are separate controllers for internal and external traffic + # @default -- `public`` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Sets the name of the issuer to create the tls secret. Very common is to have it created by + # cert-manager. Please see the documentation how to create a cert-manager cluster issuer for example. + # If no issuer is set, no certificate request will be generated + issuer: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. This may be a comma separated list + # @default -- `ingress, kube-system, ingress-nginx` + namespace: + # -- if you do not define an issuer to generate the tls secret for you, you still can have a self signed certificate + # generated for you, if you set this to true. The default is true, so either you have an issuer or not, you will always + # end up with a certificate. Set an empty issuer and createSelfSignedCertificate to false to have no certificate generated + # and use an external or existing secret. Then make sure the secret matches. 
+ createSelfSignedCertificate: true + # -- Globally set the license secret name + license: nscale-license + waitImage: + # -- defines the nplus toolbox image to be used for the *wait* feature + repo: cr.nplus.cloud/subscription + # -- defines the nplus toolbox name to be used for the *wait* feature + name: toolbox2 + # -- defines the nplus toolbox tag to be used for the *wait* feature + # @internal -- set by devOps pipeline, so do not modify + tag: 1.2.1300 + # -- defines the nplus toolbox pull policy to be used for the *wait* feature + pullPolicy: IfNotPresent + logForwarderImage: + # -- defines the nplus toolbox image to be used for the *wait* feature + repo: cr.fluentbit.io/fluent + # -- defines the nplus toolbox name to be used for the *wait* feature + name: fluent-bit + # -- defines the tag for the logforwarder (FluentBit) + # @internal -- set by devOps pipeline, so do not modify + tag: "2.0" + # -- defines the nplus toolbox pull policy to be used for the *wait* feature + pullPolicy: IfNotPresent + nappl: + # -- sets the *nscale Server Application Layer* host to be used. As this is a global option, + # it can be overridden at component level. + host: "{{ .component.prefix }}nappl.{{ .Release.Namespace }}" + # -- sets the *nscale Server Application Layer* port to be used. As this is a global option, + # it can be overridden at component level. + # if you switch to zero trus mode or change the nappl backend to https, you want to modify this + # port to 8443 + port: 8080 + # -- wether to use ssl or not for the advanced connector + ssl: false + # -- the instance of *nscale Server Application Layer* to be used + # @internal -- As this is depricated for nscale 10, you should never modify this. 
+ instance: "nscalealinst1" + # -- The technical account to login with + account: admin + # -- The domain of the technical account + domain: nscale + # -- The password of the technical accunt (if not set by secret) + password: admin + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: + database: + # -- name of the nscale DB + name: "nscale" + # -- nscale DB server dialect + dialect: "PostgreSQL" + # -- nscale DB server driverclass + driverclass: "org.postgresql.Driver" + # -- The URL to the database + url: "jdbc:postgresql://{{ .component.prefix }}database:5432/{{ .this.database.name }}" + # -- DB schema name + schema: "public" + # -- DB account (if not using a secret) + account: "nscale" + # -- DB password (if not using a secret) + password: "nscale" + # -- weather the password is stored encrypted + passwordEncoded: "false" + # -- DB credential secret (account, password) + secret: + meta: + # -- Sets the nscale version of this deployment / instance. This is used by the operator to display + # the correct version e.g. in the Web UI. + # @internal -- this is set by the devOps pipeline, so do not modify + nscaleVersion: "9.3.1300" +nappl: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1300.2024121814 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: application-layer + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}database.{{ .Release.Namespace }}.svc.cluster.local:5432 -timeout 600" + meta: + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: "{{ if .this.jobs }}4{{ else }}6{{ end }}" + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1300" +web: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1300.2024121620 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: application-layer-web + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 900" + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 7 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1300" +mon: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1000.2024092618 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: monitoring-console + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1000" +rs: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1301.2024121910 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: rendition-server + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 4 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1301" +nstl: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1201.2024112518 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: storage-layer + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 3 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1201" +pipeliner: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1300.2024121815 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: pipeliner + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1300" +administrator: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1201 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: administrator + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 9 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1201" + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +cmis: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1200.2024112508 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: cmis-connector + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1200" +ilm: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1000.2024091702 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: ilm-connector + # -- sets the repo from where to load the image. 
This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1000" + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +# -- For the Database, we use a postgres 16 +# Ceyoniq uses docker.io/bitnami/postgresql:16 +database: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: "16" + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: bitnami/postgresql + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 3 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "16" +application: + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + nstl: + # -- sets the dns of the *nscale Server Storage Layer*, that should be configured + host: "{{ .component.prefix }}nstl.{{ .Release.Namespace }}" + rs: + # -- sets the dns of the *nscale Rendition Server*, that should be configured + host: "{{ .component.prefix }}rs.{{ .Release.Namespace }}" + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 11 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1300" + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1300.2024121814 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: application-layer + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale +nappljobs: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1300.2024121814 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: application-layer + # -- sets the repo from where to load the image. 
This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 4 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1300" +webdav: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1000" + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1000.2024091609 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: webdav-connector + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +nstla: + clusterService: + # -- When using multiple nstl Instances with different configurations, you still might want to use a cluster service for HA access + # This will generate one for you. 
+ enabled: true + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1201.2024112518 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: storage-layer + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 3 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1201" +nstlb: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1201.2024112518 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: storage-layer + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 3 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1201" +# -- rms is not a Ceyoniq component, but a part of nplus +rms: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 10 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "1.2.1200" + image: + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: admin-server + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: 1.2.1200 + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: cr.nplus.cloud/subscription +rmsa: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 10 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "1.2.1200" + image: + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: admin-server + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: 1.2.1200 + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: cr.nplus.cloud/subscription +rmsb: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 10 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "1.2.1200" + image: + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: admin-server + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: 1.2.1200 + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: cr.nplus.cloud/subscription +nstlc: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 3 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1201" + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1201.2024112518 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: storage-layer + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale +nstld: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 3 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1201" + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1201.2024112518 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: storage-layer + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale +pam: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 9 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1200" + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1200.63696 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: process-automation-modeler + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale +# -- For SharePoint Connector, there is no entry in Github yet, so we set it hardcoded +# TODO: 9.3: Test again later, if there is a valid github entry. 
+sharepoint: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.2.1400" + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + image: + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: sharepoint-connector + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.2.1400.2024073012 + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale +dmsapi: + meta: + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +sharepointa: + clusterService: + # -- When using multiple SharePoint Connectors with different configurations, you still might want to use a retrieval cluster for HA + # so you can enable the clusterService and define the context path. + enabled: false + # -- Set the context Path for the cluster Ingress. + # Make sure also the members are listening to this path + contextPath: "/nscale_spc" + ingress: + # -- Defines the context path of this sharepoint instance, in case you might have multiple instances. 
+ # We do not want them to consume the same ingress path, because it would block the ingress from being + # created. + contextPath: "/nscale_spca" + image: + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: sharepoint-connector + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.2.1400.2024073012 + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.2.1400" + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +sharepointb: + ingress: + # -- Defines the context path of this sharepoint instance, in case you might have multiple instances. + # We do not want them to consume the same ingress path, because it would block the ingress from being + # created. + contextPath: "/nscale_spcb" + image: + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: sharepoint-connector + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.2.1400.2024073012 + # -- sets the repo from where to load the image. 
This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.2.1400" + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +sharepointc: + ingress: + # -- Defines the context path of this sharepoint instance, in case you might have multiple instances. + # We do not want them to consume the same ingress path, because it would block the ingress from being + # created. + contextPath: "/nscale_spcc" + image: + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: sharepoint-connector + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.2.1400.2024073012 + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.2.1400" + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +sharepointd: + ingress: + # -- Defines the context path of this sharepoint instance, in case you might have multiple instances. + # We do not want them to consume the same ingress path, because it would block the ingress from being + # created. + contextPath: "/nscale_spcd" + image: + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: sharepoint-connector + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.2.1400.2024073012 + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale + meta: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.2.1400" + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +prepper: + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: 1.2.1300 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: toolbox2 + # -- sets the repo from where to load the image. 
This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: cr.nplus.cloud/subscription + meta: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "1.2.1300" + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 2 +backend: + meta: + componentVersion: 1.2.1400-124 + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 1 +erpproxy: + meta: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.3.1000" + # -- Defines the ArgoCD wave in which this component should be installed. + # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.3.1000.2024092409 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: sap-proxy-connector + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/pre-release/nscale +erpcmis: + meta: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: "9.2.1000" + # -- Defines the ArgoCD wave in which this component should be installed. 
+ # This setting only applies to scenarios, where ArgoCD is used as handler + wave: 8 + # -- Defines what condition needs to be met before this components starts + waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + image: + # -- defines the tag for this component + # @internal -- set by devOps pipeline, so do not modify + tag: ubi.9.2.1000.2024032720 + # -- sets the name of the image to use for this component + # @internal -- set by devOps pipeline, so do not modify + name: erp-cmis-connector + # -- sets the repo from where to load the image. This can be overridden on environment or instance level + # in case you have your own repo for caching and security reasons + repo: ceyoniq.azurecr.io/release/nscale diff --git a/charts/mon/Chart.yaml b/charts/mon/Chart.yaml new file mode 100644 index 0000000..e36ca0d --- /dev/null +++ b/charts/mon/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-mon +description: nscale Monitoring Console, used to provide sensor information from all components to dashboards +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/mon/README.md b/charts/mon/README.md new file mode 100644 index 0000000..a13dba3 --- /dev/null +++ b/charts/mon/README.md 
@@ -0,0 +1,179 @@ + + +# nplus-component-mon + +nscale Monitoring Console, used to provide sensor information from all components to dashboards + +## Generelle Informationen + +- Wenn Ressourcen im Admin hinzugefügt werden, müssen nachträglich die Namen der Server geändert werden. + Diese heißen üblicherweise -nappl oder -nstl. + Also z.B. rms-nappl und rms-nstl + + + +## nplus-component-mon Chart Configuration + +You can customize / configure nplus-component-mon by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. 
+ +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +activateRmi | Activates the RMI Interface. Due to security concern, this defaults to `false` | `false` | +activateSsl | Activates SSL / TLS communication | `true` | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"monitoring-console"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/nscalemc"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8387` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8388` | +**meta**​.ports​.tcp | A potential tcp port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8389` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"monitoring-console"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"mon"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-monitoring/workspace"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.paths | Sets a list of paths to the data files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-monitoring/workspace/.metadata"]` | +**mounts**​.data​.size | Sets the size of the data disk | `"10Gi"` | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.license​.path | Sets the path to the license files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-monitoring/workspace/license.xml"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/mon/templates/component.tpl b/charts/mon/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/mon/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/mon/templates/ingress.tpl b/charts/mon/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/mon/templates/ingress.tpl 
@@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/mon/templates/networkpolicy.tpl b/charts/mon/templates/networkpolicy.tpl new file mode 100644 index 0000000..0c969b5 --- /dev/null +++ b/charts/mon/templates/networkpolicy.tpl @@ -0,0 +1,44 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + + - from: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/component: administrator + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + egress: + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} +{{- end }} \ No newline at end of file 
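Review bot: in charts/mon/templates/networkpolicy.tpl the `egress` rule only permits traffic to pods labelled `nplus/group: {{ .instance.group }}`, and a bare `podSelector` peer matches pods in the policy's own namespace only. There is no `ports` list and no rule for DNS, so once this policy selects the pod, name resolution and any destination outside the group are blocked unless another policy allows them. Either add an explicit DNS egress rule here or document which policy is expected to supply it. On the ingress side the `ports` restriction for the `nplus/component: administrator` rule is rendered only when `excludeUnusedPorts` is set, so by default administrator pods can reach every port on the pod; consider making the port list the default and the unrestricted form the opt-in.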
diff --git a/charts/mon/templates/pdb.tpl b/charts/mon/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/mon/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/mon/templates/pvc.tpl b/charts/mon/templates/pvc.tpl new file mode 100644 index 0000000..b7ac9a2 --- /dev/null +++ b/charts/mon/templates/pvc.tpl @@ -0,0 +1 @@ +{{- include "nplus.pvc" . }} diff --git a/charts/mon/templates/service.tpl b/charts/mon/templates/service.tpl new file mode 100644 index 0000000..3413b6e --- /dev/null +++ b/charts/mon/templates/service.tpl @@ -0,0 +1,33 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service. + # It is purely used to collect the EndPointSlices + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/mon/templates/statefulset.tpl b/charts/mon/templates/statefulset.tpl new file mode 100644 index 0000000..98406be --- /dev/null 
+++ b/charts/mon/templates/statefulset.tpl 
@@ -0,0 +1,100 @@ +{{- include "nplus.init" $ -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + podManagementPolicy: OrderedReady + updateStrategy: + type: {{ .Values.updateStrategy | default "OnDelete" }} + minReadySeconds: 5 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: monitoring-console + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + env: + # -- MC Configuration Settings + {{- include "nplus.env" (dict + "RMI_ACTIVE" (.this.activateRmi | default "false") + "SSL_ACTIVE" (.this.activateSsl | default "true") + ) | nindent 10 }} + # -- undocumented MC Configuration Settings, found in github + #TODO: pls. 
see "ITSMSD-8923 ENV Variablen nscale MC" for current status + {{- include "nplus.env" (dict + "MC_APPENDER" "Console" + "INITIALIZE_COMPOSE" "true" + "MC_PASSWORD" "admin" + ) | nindent 10 }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + httpGet: + path: /nscalemc/ + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + initialDelaySeconds: 10 + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /nscalemc/ + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 20 + periodSeconds: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/mon/values.schema.json b/charts/mon/values.schema.json new file mode 100644 index 0000000..7fd32db --- /dev/null +++ b/charts/mon/values.schema.json 
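Review bot: in charts/mon/templates/statefulset.tpl the second `nplus.env` block sets `"MC_PASSWORD" "admin"` as a literal, so every rendered StatefulSet carries the same console password in plain text in the pod spec, readable by anyone who can read the manifest or the pod object, and nothing in this hunk reads it from values. Take it from a Secret instead (the values schema in this commit already documents `envSecret` for an `envFrom` secretRef) and fail the render when none is provided rather than shipping a default. The TODO above it points at an internal ticket; a short comment on what `INITIALIZE_COMPOSE` and `MC_APPENDER` do would help reviewers who cannot see that ticket. Separately, `updateStrategy` defaults to `OnDelete`, so a later change to this value will not reach running pods until they are deleted by hand.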
@@ -0,0 +1,798 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "activateRmi": { + "default": "false", + "description": "Activates the RMI Interface. Due to security concern, this defaults to `false`", + "title": "activateRmi" + }, + "activateSsl": { + "default": "true", + "description": "Activates SSL / TLS communication", + "title": "activateSsl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "monitoring-console", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case 
you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024092618", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscalemc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8387", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8388", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "8389", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "monitoring-console", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "mon", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-monitoring/workspace", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": 
[ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-monitoring/workspace/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "There should only be a single Monitoring instance, so the replicaCount is fixed to 1 @ignore -- Do not change this.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": 
"", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/mon/values.yaml b/charts/mon/values.yaml new file mode 100644 index 0000000..e06a9fd --- /dev/null +++ b/charts/mon/values.yaml 
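Review bot: The leaf properties under `security` (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `runAsUser`, `fsGroup`, `zeroTrust`) declare no `type`, and their defaults are strings (`"false"`, `"true"`, `"1001"`, and `false` wrapped in backticks for `zeroTrust`), so the schema accepts any value for them, including `runAsUser: 0`, which the description itself says to avoid. Suggest `"type": "boolean"` on the three flags and `"type": "integer"` on `runAsUser` and `fsGroup`, with `"minimum": 1` on `runAsUser`, so that a values file weakening the security context fails schema validation instead of rendering.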
@@ -0,0 +1,403 @@ +# yaml-language-server: $schema=values.schema.json +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-monitoring/workspace" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. + # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-monitoring/workspace/license.xml" + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. 
+ # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + data: + # -- Sets the size of the data disk + size: "10Gi" + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-monitoring/workspace/.metadata" + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
+ # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. + generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. 
+ javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: monitoring-console + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: mon + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8387 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8388 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcp: 8389 # rmi + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: monitoring-console + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- There should only be a single Monitoring instance, so the replicaCount is +# fixed to 1 +# @ignore -- Do not change this. +replicaCount: 1 +# -- Activates the RMI Interface. 
Due to security concern, this defaults to `false` +activateRmi: false +# -- Activates SSL / TLS communication +activateSsl: true +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/nscalemc" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# # : +# # path: +# # volumeName: +# # subPath: + +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. +waitFor: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. 
This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/nappl/Chart.yaml b/charts/nappl/Chart.yaml new file mode 100644 index 0000000..52db35b --- /dev/null +++ b/charts/nappl/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-nappl +description: nscale Server Application Layer, the central component in the nscale ecosystem +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/nappl/README.md b/charts/nappl/README.md new file mode 100644 index 0000000..6e42e75 --- /dev/null +++ b/charts/nappl/README.md 
@@ -0,0 +1,251 @@ + + +# nplus-component-nappl + +nscale Server Application Layer, the central component in the nscale ecosystem + +## nplus-component-nappl Chart Configuration + +You can customize / configure nplus-component-nappl by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**database**​.account | alternative 1: the account name of the technical DB user for nscale | | +**database**​.dialect | the database dialect to use | | +**database**​.driverclass | the driver class to use | | +**database**​.name | the name of the database to use | | +**database**​.password | alternative 1: the password of the technical DB user for nscale | | +**database**​.passwordEncoded | weather the DB password is stored encrypted | | +**database**​.schema | the database schema to use | | +**database**​.secret | alternative 2: use a secret for the account and password | | +**database**​.url | the DB URL | | +disableSessionReplication | enables/disables the session replication for these cluster members. | | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"application-layer"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. 
The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/nscalealinst1"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | `["/nscalealinst1/webc/configuration", "/nscalealinst1/webb/configuration"]` | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `false` | +**ingress**​.includeDefaultPaths | toggles default paths like index.html, res and engine.properties | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. 
These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +jobs | enables/disables the job affinity / priority for these cluster members | `true` | +**kubePing**​.create | Creates the ServiceAccount (only if Version < 9.1.1200) Later Versions use a Cluster Service and resolve the IP Adresses from the EndpointSlices | `true` | +**kubePing**​.name | Set the ServiceAccount Name for the kubePing Protocol | `"{{ .component.fullName }}-kubeping"` | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8080` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8443` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"application-layer"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"core"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.paths | Sets the path to the certs folder.
do not change this value | **info only**, do not change
`["/etc/pki/tls/certs/ca-bundle.crt", "/usr/lib/jvm/jre/lib/security/cacerts"]` | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.paths | Sets the path to the component certs.
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/application-layer/conf/certificates.store"]` | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/application-layer/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.fonts​.path | Sets the path to the fonts folder.
do not change this value | **info only**, do not change
`"/usr/share/fonts/truetype/nplus"` | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.license​.path | Sets the path to the license files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/application-layer/conf/license.xml"` | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/application-layer/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/application-layer/temp", "/tmp"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"5Gi"` | +nameOverride | This overrides the output of the internal name function | | +**priority**​.className | Set the priority class for the Application Layer deployment if desired | | +**priority**​.createClass | Creates an individual PriorityClass for this instance | `true` | +**priority**​.value | Sets the priorityValue | 1000000 | +replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.cni​.dbIpRange | defines the IP Range of out-of-cluster DB Servers, that the nappl is allowed to communicate with. | | +**security**​.cni​.sapIpRange | defines the IP Range of out-of-cluster SAP Servers, that the nappl is allowed to communicate with. | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +sessionCacheStorageType | Sets the Session Cache Storage Type to HEAP or OFF_HEAP | | +**snc**​.enabled | Enables the NAPPL SNC to access SAP Systems. Since nscale 8, the configuration is done in the Administration Client. | `false` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | `[]` | +updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | `"RollingUpdate"` | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + +## Working with SNC (SAP Secure Network Communication) + +If you want to send data back to an SAP System, you can use SNC for that. 
The Configuration can be done in *nscale Administrator*, but you will need some SAP Components that are required in the NAPPL container. + +So enable *snc* in the Application Layer, turn it on: + +``` +nappl: + snc: + enabled: true +``` + +After turning this on, the Application Layer Container will mount the *snc* directory from the *configuration pool* of the environment. You can upload the required *SAP* components there: + +``` +kubectl cp snc nplus-toolbox-0:/conf/pool +``` + +An example directory would look like this: + +``` +$ cd /conf/pool/snc +$ ls -lah +total 12M +drwxrwsr-x 2 nplus nplus 6 Jun 7 13:20 . +drwxrwsr-x 8 nplus nplus 7 Jun 7 13:19 .. +-rwxr-xr-x 1 nplus nplus 128 Jun 7 13:20 cred_v2 +-rwxr-xr-x 1 nplus nplus 5.3M Jun 7 13:20 libsapcrypto.so +-rwxr-xr-x 1 nplus nplus 5.2M Jun 7 13:20 libsapjco3.so +-rwxr-xr-x 1 nplus nplus 38K Jun 7 13:20 sapgenpse +-rwxr-xr-x 1 nplus nplus 1.5M Jun 7 13:20 sapjco3.jar +-rw-r--r-- 1 nplus nplus 5.5K Jun 7 13:20 snc.pse +``` + +This pool directory is automatically mounted to the Application Layer in `/opt/snc`, if `snc.enabled` is set to `true`. +Aditionally, the `SECUDIR` environment variable is set to `/opt/snc`in the container, telling SNC where to find the libraries and credentials. + +You can add an IP Range to Whitelist the SAP Systems and allow egress traffic to pass. + +``` +nappl: + snc: + sapIpRange: "10.17.23.0/24" +``` + +This creates an egress Network Policy that allows access to the SAP Systems in the specified IP Range. + +> You can als set this on +> - security.cni.sapIpRange +> - global.security.cni.sapIpRange +> - global.environment.security.cni.sapIpRange + +### Notes + +- Please be aware, that *currently* the *nscale Server Application Layer* Image provided by Ceyoniq has no username set. That results in the user being called *default* in the image, which is set by the *currently* used UBI Base Image. This might change in the future. 
**When you generate the SNC Certificate**, you need to use this username **default** however, as otherwise the certificate will not be accepted. + diff --git a/charts/nappl/templates/component.tpl b/charts/nappl/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/nappl/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/nappl/templates/hpa.tpl b/charts/nappl/templates/hpa.tpl new file mode 100644 index 0000000..27cba95 --- /dev/null +++ b/charts/nappl/templates/hpa.tpl @@ -0,0 +1,20 @@ +{{- if .Values.autoScale }} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ .component.fullName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.argoWave" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ .component.fullName }} + minReplicas: {{ .Values.replicaCount }} + maxReplicas: {{ .Values.autoScale }} + targetCPUUtilizationPercentage: 80 +{{- end }} \ No newline at end of file diff --git a/charts/nappl/templates/ingress.tpl b/charts/nappl/templates/ingress.tpl new file mode 100644 index 0000000..0c07d42 --- /dev/null +++ b/charts/nappl/templates/ingress.tpl 
@@ -0,0 +1,39 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} + {{- if .Values.ingress.includeDefaultPaths }} + - path: /index.html + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} + - path: /res + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} + - path: /engine.properties + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} + {{- end }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/nappl/templates/networkpolicy.tpl b/charts/nappl/templates/networkpolicy.tpl new file mode 100644 index 0000000..e5e94dc --- /dev/null +++ b/charts/nappl/templates/networkpolicy.tpl 
@@ -0,0 +1,210 @@ +{{- include "nplus.init" $ -}} +{{- $sapIpRange := ( (.Values.snc).sapIpRange | default ((.this.security).cni).sapIpRange ) }} + +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + - from: + # access from nappl core in the same instance to setup a cluster + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: core + ports: + {{- include "nplus.napplClusterPolicyPorts" . | nindent 4 }} + + - from: + # access from application-layer-setup container in the same instance + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: application + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + - from: + # access from application-layer-web in the same instance + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: web + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + - from: + # access from pipeliner in the same instance + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + # Allow both, Core Mode and AC Mode. 
+ # Core Mode Cluster ist handles above + nplus/component: pipeliner + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + - from: + # access from cmis-connector in the same instance + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: cmis + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + - from: + # access from ilm-connector in the same instance + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: ilm + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + - from: + # access from webdav-connector in the same instance + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: webdav + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + +# - from: +# # access from xta-connector in the same instance +# - podSelector: +# matchLabels: +# app: xta-connector +# ports: +# - protocol: TCP +# port: {{ (.this.meta).ports.http }} +# - from: +# # access from process-automation-modeler in the same namespace +# - podSelector: +# matchLabels: +# app: process-automation-modeler +# ports: +# - protocol: TCP +# port: {{ (.this.meta).ports.http }} + + - from: + # PAM Access + - namespaceSelector: + matchExpressions: + - {key: kubernetes.io/metadata.name, operator: In, values: [{{ .this.security.cni.pamNamespace }}]} + - podSelector: + matchLabels: + nplus/instance: {{ .this.security.cni.pamInstance }} + nplus/component: pam + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . 
| nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + + {{- if and (.Values.snc).enabled $sapIpRange }} + # + # Allow access to out-of-cluster SAP Systems for SNC + # + - to: + - ipBlock: + cidr: {{ $sapIpRange }} + {{- end }} + + {{- with ((.this.security).cni).dbIpRange }} + # + # Allow access to out-of-cluster DB Systems + # + - to: + - ipBlock: + cidr: {{ . }} + {{- end }} + + # + # allow database access in the same instance + # + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: database + # + # allow access to other cluster pods + # + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: core + # + # access to storage-layer in the same instance + # + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: nstl + # + # access to rendition server in the same instance + # + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: rs + + {{- if eq ((semver .component.version) | (semver "9.1.1200").Compare) 1 }} + # + # access to Kubernetes API for KubePing in older versions of nappl + # + # {{ .component.version }} is less than 9.1.1200 ({{ semver .component.version | (semver "9.1.1200").Compare }}) + # so we add the old kubePing mechanics. + - ports: + - protocol: TCP + port: 16443 + - protocol: TCP + port: 443 + {{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/nappl/templates/pdb.tpl b/charts/nappl/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/nappl/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/nappl/templates/priorityclass.tpl b/charts/nappl/templates/priorityclass.tpl new file mode 100644 index 0000000..ecd4280 --- /dev/null +++ b/charts/nappl/templates/priorityclass.tpl 
@@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.priorityClass" . }} diff --git a/charts/nappl/templates/pvc.tpl b/charts/nappl/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/nappl/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/nappl/templates/rbackubeping.tpl b/charts/nappl/templates/rbackubeping.tpl new file mode 100755 index 0000000..53cd813 --- /dev/null +++ b/charts/nappl/templates/rbackubeping.tpl 
@@ -0,0 +1,60 @@ +{{- include "nplus.init" $ -}} +{{- if eq ((semver .component.version) | (semver "9.1.1200").Compare) 1 -}} +{{- if (.Values.kubePing).name -}} +{{- if (.Values.kubePing).create -}} +# {{ .component.version }} is less than 9.1.1200 ({{ semver .component.version | (semver "9.1.1200").Compare }}) +# so we add the old kubePing mechanics. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ tpl .Values.kubePing.name . }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} +--- +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ tpl .Values.kubePing.name . }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ tpl .Values.kubePing.name . }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ tpl .Values.kubePing.name . }} +subjects: +- kind: ServiceAccount + name: {{ tpl .Values.kubePing.name . }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/nappl/templates/service.tpl b/charts/nappl/templates/service.tpl new file mode 100644 index 0000000..bf14425 --- /dev/null 
+++ b/charts/nappl/templates/service.tpl @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + type: ClusterIP + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + sessionAffinity: ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 1800 diff --git a/charts/nappl/templates/statefulset.tpl b/charts/nappl/templates/statefulset.tpl new file mode 100644 index 0000000..4c0a088 --- /dev/null +++ b/charts/nappl/templates/statefulset.tpl 
@@ -0,0 +1,281 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + {{- if not .Values.autoScale }} + replicas: {{ .Values.replicaCount }} + {{- end }} + podManagementPolicy: OrderedReady + updateStrategy: + type: {{ .Values.updateStrategy | default "OnDelete" }} + minReadySeconds: 5 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + ceyoniq.com/application-layer-cluster-name: "{{ .Release.Name }}" + nplus/jobs: {{ .this.jobs | quote }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.priorityClassName" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + {{- if eq ((semver .component.version) | (semver "9.1.1200").Compare) 1 }} + serviceAccountName: {{ tpl .Values.kubePing.name . }} + {{- else }} + automountServiceAccountToken: false + {{- end }} + + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + # 1. RMS / Administrator funktionieren nicht, wenn die service.conf nicht existiert. 
+ # Die darf leer sein, wird aber wohl vom Admin auf Anwesenheit geprüft. + # 2. Man kann im Admin den NAPPL nicht hochfahren, wenn die dbUrl leer ist. Also füllen wir sie, + # falls sie per ENV gesetzt wird. + - name: make-rms-work + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.initResources" . | nindent 8 }} + command: [ "/bin/sh", "-c" ] + args: + - | + echo "Touching service.conf" + touch /mnt/conf/service.conf + {{- if (.this.database).url }} + echo "dbUrl is set per ENV to {{ (.this.database).url }}" + echo "testing and patching templates/instance1.conf.template" + test -f /mnt/conf/templates/instance1.conf.template \ + && sed -i 's#^core.db.url=$#core.db.url={{ (.this.database).url }}#g' /mnt/conf/templates/instance1.conf.template \ + || echo "/mnt/conf/templates/instance1.conf.template not found. Make sure you run copyconf first" + echo "testing and patching instance1.conf" + test -f /mnt/conf/instance1.conf \ + && sed -i 's#^core.db.url=$#core.db.url={{ (.this.database).url }}#g' /mnt/conf/instance1.conf \ + || echo "/mnt/conf/instance1.conf not found. This is ok, if it is the first start." + echo "done." + {{- end }} + volumeMounts: + - name: conf + subPath: {{ .component.storagePath | quote }} + mountPath: /mnt/conf + + containers: + - name: application-layer + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + + env: + {{- if (.this.ingress).domain }} + # -- if you use SAML, it is important, that the Application Layer knows its external URL to be able + # to redirect the SAML request correctly. 
So we provide it here: + - name: SERVER_BASE_URL + value: "https://{{ .this.ingress.domain }}" + {{- end }} + + # -- SAP SNC Values + {{- if (.Values.snc).enabled }} + - name: SECUDIR + value: "/opt/snc" + - name: SNC_LIB + value: "/opt/snc/libsapcrypto.so" + {{- else }} + # there is no definition for .Values.snc, so no snc features are rendered + {{- end }} + # -- Instance Configuration Values + - name: AL_APPENDER + value: "stdout" + + {{- if (.this.database).url }} + # -- the database definition for the application layer is made within + # the values file or command line settings. Another option would be + # to leave out the database definition completely, then it would read + # the definition from the config file + - name: INSTANCE1_CORE_DB_DIALECT + value: "{{ required "if database.Url is defined, .dialect is required" (.this.database).dialect }}" + - name: INSTANCE1_CORE_DB_DRIVERCLASS + value: "{{ required "if database.Url is defined, .driverclass is required" (.this.database).driverclass }}" + - name: INSTANCE1_CORE_DB_URL + value: "{{ tpl (required "if database.Url is defined, .url is required" (.this.database).url ) . }}" + {{- if (.this.database).secret }} + # -- username and password are taken from a secret + - name: INSTANCE1_CORE_DB_USERNAME + valueFrom: + secretKeyRef: + name: {{ (.this.database).secret }} + key: account + - name: INSTANCE1_CORE_DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (.this.database).secret }} + key: password + {{- else }} + # -- username and password are taken from + # the manifest. You should not do this in production + # but rather define a secret for it. 
+ - name: INSTANCE1_CORE_DB_USERNAME + value: {{ required "if database.Url is defined, .username (or Secret) is required" (.this.database).account | quote}} + - name: INSTANCE1_CORE_DB_PASSWORD + value: {{ required "if database.Url is defined, .password (or Secret) is required" (.this.database).password | quote }} + {{- end }} + - name: INSTANCE1_CORE_DB_PASSWORD_ENCODED + value: {{ required "if database.Url is defined, .passwordEncoded is required to be true or false" (.this.database).passwordEncoded | quote }} + - name: INSTANCE1_CORE_DB_PASSWORD_ENCODED_STRONG + value: "false" + - name: INSTANCE1_CORE_DB_SCHEMA + value: {{ required "if database.Url is defined, .schema is required" (.this.database).schema | quote }} + {{- else }} + # there is no definition for the database, so no the database definition is left to be defined + # at some other place (ENV Variables in Values File or NAPPL Config File) + {{- end }} + # + # nappl Cluster-Settings. Should be the same for all potential cluster nodes, + # including nappljobs and pipeliner core mode. + # + {{- if lt ((semver .component.version) | (semver "9.1.1200").Compare) 1 }} + # Starting Version 9.1, we need to switch the cluster communication to + # the new jgroups + - name: INSTANCE1_CLUSTER_CORE_STACKTYPE + value: "KUBERNETES" + - name: INSTANCE1_JGROUPS_DNS_QUERY + value: "{{ .component.prefix }}nappl-cluster" + {{- else }} + # Not generating INSTANCE1_CLUSTER_CORE_STACKTYPE into manifest, as this component + # version is {{ .component.version }} so before 9.1.1200 when the new jGroups was + # deployed. 
+ {{- end }} + + - name: INSTANCE1_CLUSTER_CORE_CLUSTER_ID + value: "{{ .Release.Namespace }}_{{ .Release.Name }}" + - name: INSTANCE1_CLUSTER_CORE_NAME + value: "{{ .Release.Namespace }}_{{ .Release.Name }}" + - name: INSTANCE1_CLUSTER_CORE_DESCRIPTION + value: "{{ .Release.Name }} Cluster in {{ .Release.Namespace }} namespace" + + # -- Jobs + {{- if .Values.jobs }} + # This is a cluster member that is allowed to run jobs, so no changes to the default behaviour + {{- else }} + # These cluster members should not run jobs, only if necessary + - name: INSTANCE1_CLUSTER_CORE_JOB_COORDINATOR_PRIORITY + value: "0" + {{- end }} + # -- # Session Settings + {{- if .Values.disableSessionReplication }} + - name: INSTANCE1_CORE_CLUSTER_SESSION_REPLICATION_DISABLE + value: {{ .Values.disableSessionReplication | quote }} + {{- end }} + {{- if .Values.sessionCacheStorageType }} + - name: SESSION_CACHE_STORAGE_TYPE + value: {{ .Values.sessionCacheStorageType | quote }} + {{- end }} + + # TODO: Muss das hier nun rein oder raus? + # + # In der nscalealinst1.conf steht dazu: + # Fulltext index mirror localcache, (on|off) default off + # Instructs the server to write the fulltext index on the local + # file system if set to on. + # It is recommended to set index.mirror.localcache to on when activating + # fulltext for repository or workflow, because this will + # increase the fulltext search performance significantly (see public documentation + # to get information about needed harddisk space). + # The pipeliner has to set this parameter to off. + # + # - name: INSTANCE1_CORE_FULLTEST_INDEX_MIRROR_LOCALCACHE + # value: "off" + + - name: METRICS_ALLOW_REMOTE_REQUESTS + value: "true" + + - name: KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + + {{- include "nplus.appDynamicsEnv" . | nindent 10 }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . 
| nindent 8 }} + {{- else }} + startupProbe: + httpGet: + path: /jmx/status + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + initialDelaySeconds: 30 + failureThreshold: 30 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /jmx/status + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + livenessProbe: + httpGet: + path: /jmx/status + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + periodSeconds: 60 + timeoutSeconds: 5 + failureThreshold: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + {{- if (.Values.snc).enabled }} + - name: conf + subPath: "pool/snc" + mountPath: "/opt/snc" + - name: conf + subPath: "pool/snc/libsapcrypto.so" + mountPath: "/opt/ceyoniq/nscale-server/application-layer/lib/libsapcrypto.so" + - name: conf + subPath: "pool/snc/sapjco3.jar" + mountPath: "/opt/ceyoniq/nscale-server/application-layer/lib/sapjco3.jar" + - name: conf + subPath: "pool/snc/libsapjco3.so" + mountPath: "/opt/ceyoniq/nscale-server/application-layer/lib/libsapjco3.so" + {{- end }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} diff --git a/charts/nappl/values.schema.json b/charts/nappl/values.schema.json new file mode 100644 index 0000000..5c4468e --- /dev/null +++ b/charts/nappl/values.schema.json 
@@ -0,0 +1,965 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "database": { + "additionalProperties": false, + "description": "If you define the database in your values, this DB settings are taken. If you leave this empty, the settings from the config file are used.", + "properties": { + "account": { + "default": "", + "description": "alternative 1: the account name of the technical DB user for nscale", + "title": "account" + }, + "dialect": { + "default": "", + "description": "the database dialect to use", + "title": "dialect" + }, + "driverclass": { + "default": "", + "description": "the driver class to use", + "title": "driverclass" + }, + "name": { + "default": "", + "description": "the name of the database to use", + "title": "name" + }, + "password": { + "default": "", + "description": "alternative 1: the password of the technical DB user for nscale", + "title": "password" + }, + "passwordEncoded": { + "default": "", + "description": "weather the DB password is stored encrypted", + "title": "passwordEncoded" + }, + "schema": { + "default": "", + "description": "the database schema to use", + "title": "schema" + }, + "secret": { + "default": "", + "description": "alternative 2: use a secret for the account and password", + "title": "secret" + }, + "url": { + "default": "", + "description": "the DB URL", + "title": "url" + } + }, + "title": "database" + }, + "disableSessionReplication": { + "default": "", + "description": "enables/disables the session replication for these cluster members.", + "title": "disableSessionReplication" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121814", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds 
extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscalealinst1", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. 
This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "false", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "includeDefaultPaths": { + "default": "true", + "description": "toggles default paths like index.html, res and engine.properties", + "title": "includeDefaultPaths" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "jobs": { + "default": "true", + "description": "enables/disables the job affinity / priority for these cluster members", + "title": "jobs" + }, + "kubePing": { + "additionalProperties": false, + "description": "sets the serviceAccount for NAPPL. Up to 9.1.1100, this was needed for the cluster communication (kubePing). Starting 9.1.1201, this is not the case any more If it is left empty, also the automountServiceAccountToken is disabled. 
If you set Values, they are ignored in Versions > 9.1.1200", + "properties": { + "create": { + "default": "true", + "description": "Creates the ServiceAccount (only if Version < 9.1.1200) Later Versions use a Cluster Service and resolve the IP Adresses from the EndpointSlices", + "title": "create" + }, + "name": { + "default": "{{ .component.fullName }}-kubeping", + "description": "Set the ServiceAccount Name for the kubePing Protocol", + "title": "name" + } + }, + "title": "kubePing" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "application-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "core", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "/usr/share/fonts/truetype/nplus", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "additionalProperties": false, + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "priority": { + "additionalProperties": false, + "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", + "properties": { + "className": { + "default": "", + "description": "Set the priority class for the Application Layer deployment if desired", + "title": "className" + }, + "createClass": { + "default": "true", + "description": "Creates an individual PriorityClass for this instance", + "title": "createClass" + }, + "value": { + "default": "1000000", + "description": "Sets the priorityValue", + "title": "value" + } + }, + "title": "priority" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "dbIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster DB Servers, that the nappl is allowed to communicate with.", + "title": "dbIpRange" + }, + "sapIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster SAP Servers, that the nappl is allowed to communicate with.", + "title": "sapIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sessionCacheStorageType": { + "default": "", + "description": "Sets the Session Cache Storage Type to HEAP or OFF_HEAP", + "title": "sessionCacheStorageType" + }, + "snc": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": "false", + "description": "Enables the NAPPL SNC to access SAP Systems. 
Since nscale 8, the configuration is done in the Administration Client.", + "title": "enabled" + } + }, + "title": "snc", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "description": "Set tolerations for this component", + "items": {}, + "title": "tolerations" + }, + "updateStrategy": { + "default": "RollingUpdate", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/nappl/values.yaml b/charts/nappl/values.yaml new file mode 100644 index 0000000..32d36f3 --- /dev/null +++ b/charts/nappl/values.yaml @@ -0,0 +1,473 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: false + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + - "/nscalealinst1/webc/configuration" + - "/nscalealinst1/webb/configuration" + # -- toggles default paths like index.html, res and engine.properties + includeDefaultPaths: true + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. 
This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/nscalealinst1" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Sets the number of replicas in this replicaSet. +# Some Components (like nstl or sharepoint) only allow a count of 1. +replicaCount: 1 +# -- the update Strategy for this component. Normally, you can update all components +# rolling, except for nappl, where you need to follow the documented update procedures. +updateStrategy: RollingUpdate +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. 
This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + cni: + # -- defines the IP Range of out-of-cluster SAP Servers, that the nappl is allowed to communicate with. + sapIpRange: + # -- defines the IP Range of out-of-cluster DB Servers, that the nappl is allowed to communicate with. + dbIpRange: + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-server/application-layer/temp" + - "/tmp" + # -- Sets the size of the temporary disk (all paths) + size: "5Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: /opt/ceyoniq/nscale-server/application-layer/conf + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: /opt/ceyoniq/nscale-server/application-layer/logs + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: /opt/ceyoniq/nscale-server/application-layer/conf/license.xml + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: /usr/share/fonts/truetype/nplus + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + - "/etc/pki/tls/certs/ca-bundle.crt" + - "/usr/lib/jvm/jre/lib/security/cacerts" + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. 
+ # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-server/application-layer/conf/certificates.store" + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. + generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: application-layer + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- You can give a component a specific priorityClass to implement a quality of service. +# You can leave this empty, then no priority is set. 
If you set a class, this class is taken +# If you additionally enable create, the class is created for you with the value defined. +priority: + # -- Set the priority class for the Application Layer deployment if desired + className: + # -- Creates an individual PriorityClass for this instance + createClass: true + # -- Sets the priorityValue + # @default -- 1000000 + value: +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: core + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8080 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8443 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: application-layer + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: [] +# -- select specific nodes for this component +nodeSelector: {} +# -- sets the serviceAccount for NAPPL. Up to 9.1.1100, this was needed for +# the cluster communication (kubePing). Starting 9.1.1201, this is not the case any more +# If it is left empty, also the automountServiceAccountToken is disabled. 
+# If you set Values, they are ignored in Versions > 9.1.1200 +kubePing: + # -- Set the ServiceAccount Name for the kubePing Protocol + name: "{{ .component.fullName }}-kubeping" + # -- Creates the ServiceAccount (only if Version < 9.1.1200) + # Later Versions use a Cluster Service and resolve the IP Adresses from the EndpointSlices + create: true +snc: + # -- Enables the NAPPL SNC to access SAP Systems. + # Since nscale 8, the configuration is done in the Administration Client. + enabled: false +# -- enables/disables the job affinity / priority for these cluster +# members +jobs: true +# -- enables/disables the session replication for these cluster +# members. +disableSessionReplication: +# -- Sets the Session Cache Storage Type to +# HEAP or OFF_HEAP +sessionCacheStorageType: +# -- If you define the database in your values, this DB settings are taken. +# If you leave this empty, the settings from the config file are used. +database: + # -- the name of the database to use + name: + # -- the database schema to use + schema: + # -- the database dialect to use + dialect: + # -- the driver class to use + driverclass: + # -- the DB URL + url: + # -- alternative 1: the account name of the technical DB user for nscale + account: + # -- alternative 1: the password of the technical DB user for nscale + password: + # -- weather the DB password is stored encrypted + passwordEncoded: + # -- alternative 2: use a secret for the account and password + secret: +# # : +# # path: +# # volumeName: +# # subPath: + +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. 
+ # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. 
+waitFor: +# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as +# minAvailable, using the full component as selector. This is useful for components, that are +# using multiple replicas. +minReplicaCount: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/nstl/Chart.yaml b/charts/nstl/Chart.yaml new file mode 100644 index 0000000..81eea24 --- /dev/null +++ b/charts/nstl/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-nstl +description: nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/nstl/README.md b/charts/nstl/README.md new file mode 100644 index 0000000..8bf01a0 --- /dev/null +++ b/charts/nstl/README.md 
@@ -0,0 +1,246 @@ + + +# nplus-component-nstl + +nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server + +## Server Ids + +if you use nstlHA, both server must have unique server IDs. +Since the probaly use the same license file, you can set it via +``` +nstla: + serverId: 4711 +nstlb: + serverId: 4712 +``` +to make this work, you **must** have a license without nstl ServerID in it. + +## High Availability + +*nscale Server Storage Layer* does not support multiple replicas because of configuration restraints. To get HA, +nplus defines nstl[a-d]. + +If you want multiple server, just switch the single server *nstl* off and turn on *nstla* and *nstlb* [..] and configure them individually. You will find individual config directories on the `conf` shared volume for each nstl instance. + +## Cluster Service + +in HA mode, the Instance Chart deploys a cluster service that balances across nstl A and B. +You **can** use it if you want, or you use the services for nstla and nstlb and load balance via nappl. +Both is ok, it just uses different load balancers. + +## Remote Servers + +If you want to connect to nscale Storage Layer servers outside the cluster, you can add the IP Range of those +server to open the firewall (if used): + +``` +nstla: + security: + cni: + nstlIpRange: 89.207.132.170/24 +``` + +## Accounting + +You can enable accouting by setting `accounting: true`. This will create the accounting csv files in *ptemp* under `//accounting`. + +Additionally, a log forwarder can be implemented to output the accounting log to stdout, so that your log aggregator is able to collect that information and add +it to whatever tool you use for log monitoring / analysis. + +You can *optionally* set the db path, where the logForwarder stores the information which log entry has been collected. If you do not set this, the default value is `logs.db` in the path of the log Pattern (of the `path`value). 
+ +Example: (in Instance Chart) + +``` +nstl: + accounting: true + logForwarder: + - name: Accounting + path: "/opt/ceyoniq/nscale-server/storage-layer/accounting/*.csv" + db: "/opt/ceyoniq/nscale-server/storage-layer/logsdb/logs.db" +``` + +## The DA_HID.DAT + +the *nscale Server Storage Layer* offers a safety net, storing the latest ever assigned highest Document ID into a file called `DA_HID.DAT`. +This file normally resides next to the Document Administration. However, in a production environment, you want to place this file on a separate disk to build a safety net +for the case that you restore the DA to a former version so the counter starts assigning a document ID twice. So in *nappl*, you end up having documents with the same storage layer doc id. + +This must not happen, so a good practise is to store the `DA_HID.DAT` on a second disk and have the nstl check it during startup. +This is not the default, as it would not make a lot of sense until you really have a second disk. + +To switch this on, you can place the hid file on the secondary disk (like in the example below). The path is mounted by default. Just set it and turn it on like this: + +```yaml +# -- enables checking the highest DocID when starting the server. +# this only makes sense, if you also set a separate volume for the highest ID +# This is a backup / restore feature to avoid data mangling +checkHighestDocId: "1" +# -- sets the path of the highest ID file. +dvCheckPath: "/opt/ceyoniq/nscale-server/storage-layer/hid" +``` + +## Updating from Releases < 9.3 to 9.3 + +With version 9.3, nplus introduces a new *disk* volume, to separate the *arc Buffer* and the *retrieval Buffer* from the *data* volume that holds the *DA*. This is necessary, as under heavy load it may result in performance loss because some cloud providers have iop limitations on volumes. 
+ +To make sure we stay compatible though, there is a new init container that copies the buffers from the old location on *data* over to the new location on *disk*. + +Please make sure, you set the size, class and optionally the volumeName (in case of static volumes) according to your requirements. + +## nplus-component-nstl Chart Configuration + +You can customize / configure nplus-component-nstl by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. 
+ +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +accounting | sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths` | | +checkHighestDocId | enables checking the highest DocID when starting the server. this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling | | +dvCheckPath | sets the path of the highest ID file. | | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"storage-layer"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +logForwarder | | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"cpp"` | +**meta**​.ports​.tcp | A potential tcp port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`3005` | +**meta**​.ports​.tcps | A potential tls / tcps port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`3006` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"storage-layer"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"nstl"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.paths | Sets the path to the certs folder.
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/storage-layer/etc/CA.CER"]` | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/storage-layer/etc"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.paths | Sets a list of paths to the data files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/storage-layer/da", "/opt/ceyoniq/nscale-server/storage-layer/hd", "/opt/ceyoniq/nscale-server/storage-layer/logsdb"]` | +**mounts**​.data​.size | Sets the size of the data disk | `"50Gi"` | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.paths | Sets a list of paths to the data files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/storage-layer/arc", "/opt/ceyoniq/nscale-server/storage-layer/ret", "/opt/ceyoniq/nscale-server/storage-layer/hid"]` | +**mounts**​.disk​.size | Sets the size of the disk | `"50Gi"` | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.license​.path | Sets the path to the license files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml"` | +**mounts**​.logs​.medium | the medium for the emptyDisk volume if you unset it, it drops it from the manifest | | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"5Gi"` | +**mounts**​.ptemp​.paths | Sets a list of paths for temporary files that are persisted
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/storage-layer/accounting", "/opt/ceyoniq/nscale-server/storage-layer/log", "/var/crash"]` | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/storage-layer/tmp"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"500Mi"` | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.cni​.nstlIpRange | You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy. | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | + diff --git a/charts/nstl/templates/NOTES.txt b/charts/nstl/templates/NOTES.txt new file mode 100644 index 0000000..69429f5 --- /dev/null +++ b/charts/nstl/templates/NOTES.txt @@ -0,0 +1,8 @@ +{{ .component.chartName }} {{ .Chart.Version }} {{- if .Chart.AppVersion }} / {{ .Chart.AppVersion }}{{- end }} + +{{ .Chart.Description }} + +This chart uses {{ .Values.image }} + +To uninstall, use + helm uninstall {{ include "nplus.cli" . }} diff --git a/charts/nstl/templates/clusterservice.tpl b/charts/nstl/templates/clusterservice.tpl new file mode 100644 index 0000000..fe87850 --- /dev/null +++ b/charts/nstl/templates/clusterservice.tpl 
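Review bot: In charts/nstl/templates/NOTES.txt, `This chart uses {{ .Values.image }}` prints the whole image map (name, pullSecrets, repo, tag) in Go's map notation rather than an image reference. Render it with the helper that statefulset.tpl in this commit already uses, `include "nplus.image" (dict "global" .Values.global "image" .Values.image)`, so the install notes state the exact repository and tag that was deployed. That also makes it obvious when the tag is the `"latest"` default from the README table rather than a pinned one.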
@@ -0,0 +1,32 @@ +{{- include "nplus.init" $ -}} +{{- $name := (print .component.prefix "nstl-cluster") -}} +{{- if (.Values.clusterService).enabled }} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ $name }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + type: ClusterIP + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + sessionAffinity: ClientIP + sessionAffinityConfig: + clientIP: + timeoutSeconds: 1800 +{{- else }} +# kind: Service +# Not Generating any Service for {{ $name }} as the Cluster Service is not enabled on component {{ .component.fullName }} +# clusterService: {{ .Values.clusterService }} +{{- end }} \ No newline at end of file diff --git a/charts/nstl/templates/component.tpl b/charts/nstl/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/nstl/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/nstl/templates/networkpolicy.tpl b/charts/nstl/templates/networkpolicy.tpl new file mode 100644 index 0000000..91b25c3 --- /dev/null +++ b/charts/nstl/templates/networkpolicy.tpl 
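Review bot: In charts/nstl/templates/clusterservice.tpl the guard `{{- if (.Values.clusterService).enabled }}` depends on a `clusterService` key that the README Keys table added in this commit does not list. The visible part of values.schema.json sets top-level `"additionalProperties": false` and lists its properties alphabetically, with no `clusterService` entry between `checkHighestDocId` and `dvCheckPath`. If the key is indeed absent from the schema, helm will reject any values file that sets it and this Service can never be rendered. Add it to the schema and the table, and consider reading it through `.this`, like `.this.utils.includeNamespace` a few lines below, so instance and global settings apply.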
@@ -0,0 +1,58 @@ +{{- include "nplus.init" $ -}} + +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: core + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + + # + # access to other storage-layer in the same instance + # + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: nstl + + {{- if ((.this.security).cni).nstlIpRange }} + # + # Allow access to out-of-cluster Storage Layer + # + - to: + - ipBlock: + cidr: {{ .this.security.cni.nstlIpRange | quote }} + {{- end }} + +{{- end }} \ No newline at end of file diff --git a/charts/nstl/templates/pdb.tpl b/charts/nstl/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/nstl/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/nstl/templates/pvc.tpl b/charts/nstl/templates/pvc.tpl new file mode 100644 index 0000000..b7ac9a2 --- /dev/null +++ b/charts/nstl/templates/pvc.tpl @@ -0,0 +1 @@ +{{- include "nplus.pvc" . }} 
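Review bot: In charts/nstl/templates/networkpolicy.tpl the optional egress rule for `nstlIpRange` is an `ipBlock` without a `ports:` list, so once the range is set the pod may connect to any port on any address in that CIDR. The README gives 3005 and 3006 as the ports this component uses; if the out-of-cluster storage layer listens on the same ports, limit the rule to them, the way the ingress rule uses `nplus.defaultPolicyPorts` when `excludeUnusedPorts` is set. The egress rule towards `nplus/type: nstl` pods is likewise open on all ports. Since the policy declares `policyTypes: Egress` and has no rule for DNS, please confirm that name resolution is allowed by another policy.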
diff --git a/charts/nstl/templates/sanity.tpl b/charts/nstl/templates/sanity.tpl new file mode 100644 index 0000000..f1c544e --- /dev/null +++ b/charts/nstl/templates/sanity.tpl @@ -0,0 +1,3 @@ +{{- if ne (.Values.replicaCount | int) 1 -}} +{{- fail "nstl replicaCount must be 1. If you want HA, go for nstlHA instead" -}} +{{- end -}} diff --git a/charts/nstl/templates/service.tpl b/charts/nstl/templates/service.tpl new file mode 100644 index 0000000..f89ad2a --- /dev/null +++ b/charts/nstl/templates/service.tpl @@ -0,0 +1,29 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + + type: ClusterIP + + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/nstl/templates/statefulset.tpl b/charts/nstl/templates/statefulset.tpl new file mode 100644 index 0000000..78ee775 --- /dev/null +++ b/charts/nstl/templates/statefulset.tpl 
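Review bot: charts/nstl/templates/service.tpl renders the Service unconditionally and its `annotations:` block includes only `nplus.annotations` and `nplus.securityAnnotations`, although the README documents `service.enabled` (default `true`) and `service.annotations` ("adds extra Annotations to the service"). Unless the library handles these elsewhere, neither key has any effect on this manifest. Wrap it in `{{- if .this.service.enabled }}` and add `{{- include "nplus.serviceAnnotations" . | nindent 4 }}` as clusterservice.tpl does. clusterservice.tpl also includes `nplus.argoWave`, which is missing here.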
@@ -0,0 +1,202 @@ +{{- include "nplus.init" $ -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + podManagementPolicy: OrderedReady + updateStrategy: + type: {{ .Values.updateStrategy | default "OnDelete" }} + minReadySeconds: 5 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + kubectl.kubernetes.io/default-container: storage-layer + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + {{- if and ((.Values.mounts).disk).enabled ((.Values.mounts).disk).migration }} + {{- if or ((.Values.mounts).disk).path ((.Values.mounts).disk).paths }} + #TODO: Das könnte man auch noch dynamischer machen. + - name: migration + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.initResources" . 
| nindent 8 }} + + command: [ "/bin/sh", "-c" ] + args: + - | + set -e + if [ -z "$( ls -A '/mnt/arc_old' )" ]; then + echo "No arc migration necessary" + else + if [ -f "/mnt/arc_old/.migrated" ]; then + echo "Content of arc already migrated to new location on disk. .migrated file found on old location." + else + echo "Copying content of arc on data to new location on disk (without overwriting files)" + cp -rnxv /mnt/arc_old/* /mnt/arc_new/ + echo "Writing .migrated file to prevent re-migration" + echo "migrated" > /mnt/arc_old/.migrated + fi + fi + if [ -z "$( ls -A '/mnt/ret_old' )" ]; then + echo "No ret migration necessary" + else + if [ -f "/mnt/ret_old/.migrated" ]; then + echo "Content of ret already migrated to new location on disk. .migrated file found on old location." + else + echo "Copying content of ret on data to new location on disk (without overwriting files)" + cp -rnxv /mnt/ret_old/* /mnt/ret_new/ + echo "Writing .migrated file to prevent re-migration" + echo "migrated" > /mnt/ret_old/.migrated + fi + fi + echo "done." + volumeMounts: + - name: data + subPath: arc + mountPath: /mnt/arc_old + - name: disk + subPath: arc + mountPath: /mnt/arc_new + - name: data + subPath: ret + mountPath: /mnt/ret_old + - name: disk + subPath: ret + mountPath: /mnt/ret_new + {{- end }}{{/* disk mount definition */}} + {{- end }}{{/* Migration and Disk enabled */}} + + {{- if .this.dvCheckPath }} + - name: copy-hid + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.initResources" . 
| nindent 8 }} + + command: [ "/bin/sh", "-c" ] + args: + - | + set -e + echo "Checking for DA_HID.DAT in {{ .this.dvCheckPath }}" + if [ -f "{{ .this.dvCheckPath }}/DA_HID.DAT" ]; then + echo "{{ .this.dvCheckPath }}/DA_HID.DAT found" + else + echo "{{ .this.dvCheckPath }}/DA_HID.DAT not found, trying to copy from etc" + if [ -f "/opt/ceyoniq/nscale-server/storage-layer/etc/DA_HID.DAT" ]; then + echo "/opt/ceyoniq/nscale-server/storage-layer/etc/DA_HID.DAT found" + echo "copying it" + cp -n /opt/ceyoniq/nscale-server/storage-layer/etc/DA_HID.DAT {{ .this.dvCheckPath }}/DA_HID.DAT + else + echo "/opt/ceyoniq/nscale-server/storage-layer/etc/DA_HID.DAT not found" + fi + fi + echo "done." + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + {{- end }} + + containers: + {{- include "nplus.logForwarder" . | nindent 6 }} + - name: storage-layer + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + env: + # - name: NSTL_INTERFACE_SSLINTERFACE + # value: "1" + - name: LOG_APPENDER + value: "Console" + - name: NSTL_STORAGE-LAYER_LOGLEVEL + value: "4" + {{- if .this.dvCheckPath }} + - name: NSTL_STORAGE-LAYER_DVCHECKPATH + value: "{{ .this.dvCheckPath }}" + {{- end }} + {{- if .this.checkHighestDocId }} + - name: NSTL_STORAGE-LAYER_CHECKHIGHESTDOCID + value: "{{ .this.checkHighestDocId }}" + {{- end }} + {{- if .Values.serverID }} + - name: NSTL_STORAGE-LAYER_SERVERID + value: "{{ .Values.serverID }}" + {{- end }} + {{- if .this.accounting }} + - name: NSTL_ACCOUNTING_ACTIVE + value: "1" + # This is the base path. In this directory, accounting will create a folder + # accounting if not present and publish the csv files there. + - name: NSTL_ACCOUNTING_BASEPATH + value: "/opt/ceyoniq/nscale-server/storage-layer" + {{- end }} + + {{- include "nplus.environment" . 
| nindent 8 }} + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + tcpSocket: + port: tcp + initialDelaySeconds: 5 + failureThreshold: 30 + periodSeconds: 10 + timeoutSeconds: 5 + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: tcp + # initialDelaySeconds: 10 + periodSeconds: 10 + readinessProbe: + exec: + command: + - /opt/ceyoniq/nscale-server/storage-layer/bin/cstool + - srv + - -m1 + - -c + - sock + # initialDelaySeconds: 1 + failureThreshold: 1 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} diff --git a/charts/nstl/values.schema.json b/charts/nstl/values.schema.json new file mode 100644 index 0000000..9ae8064 --- /dev/null +++ b/charts/nstl/values.schema.json 
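Review bot: In the copy-hid init container of charts/nstl/templates/statefulset.tpl, the destination in `cp -n /opt/ceyoniq/nscale-server/storage-layer/etc/DA_HID.DAT {{ .this.dvCheckPath }}/DA_HID.DAT` is interpolated into the `sh -c` script unquoted, unlike the `[ -f "..." ]` tests above it, so a path with spaces or shell metacharacters coming from a values file changes the command that runs. Quote it, or pass the path through `env:` and reference a quoted shell variable in the script. In the same hunk `NSTL_STORAGE-LAYER_CHECKHIGHESTDOCID` is set whenever `checkHighestDocId` is set, even when `dvCheckPath` is empty. The README says the check only makes sense with a separate volume for the highest ID file, so sanity.tpl could `fail` on that combination instead of deploying a check without its safety net.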
@@ -0,0 +1,775 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! 
@ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + 
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + 
"title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. 
@ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/nstl/values.yaml b/charts/nstl/values.yaml new file mode 100644 index 0000000..a829ac7 --- /dev/null +++ b/charts/nstl/values.yaml 
@@ -0,0 +1,421 @@ +# yaml-language-server: $schema=values.schema.json +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: true + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + cni: + # -- You might want to access storage layer outside the cluster (proxy concept) + # To do so, you can add a specific IP Range here, which is set within the + # network policy. + nstlIpRange: + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-server/storage-layer/tmp" + # -- Sets the size of the temporary disk (all paths) + size: "500Mi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-server/storage-layer/etc" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. + # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "5Gi" + # -- the medium for the emptyDisk volume + # if you unset it, it drops it from the manifest + medium: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml" + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. 
If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-server/storage-layer/etc/CA.CER" + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + data: + # -- Sets the size of the data disk + size: "50Gi" + # -- Sets the class of the data disk + class: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-server/storage-layer/da" + - "/opt/ceyoniq/nscale-server/storage-layer/hd" + - "/opt/ceyoniq/nscale-server/storage-layer/logsdb" + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + disk: + # -- Sets the size of the disk + size: "50Gi" + # -- Sets the class of the disk + class: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-server/storage-layer/arc" + - "/opt/ceyoniq/nscale-server/storage-layer/ret" + - 
"/opt/ceyoniq/nscale-server/storage-layer/hid" + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-server/storage-layer/accounting" + - "/opt/ceyoniq/nscale-server/storage-layer/log" + - "/var/crash" + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. + generic: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: storage-layer + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: nstl + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. 
+ http: + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: 3005 + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: 3006 + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: cpp + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: storage-layer + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. 
(see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- the replicaCount for the Storage Layer. This does not make sense, so +# leave this at 1 at any time, unless you know exactly what you are doing. +# @ignore +replicaCount: 1 +# -- ingress settings. +# however, the nstl does not use http, so a layer 7 LB +# does not make any sense. +# @ignore +ingress: + # -- enables ingress on this component + # do not change this! + # @ignore + enabled: false +# -- enables checking the highest DocID when starting the server. +# this only makes sense, if you also set a separate volume for the highest ID +# This is a backup / restore feature to avoid data mangling +checkHighestDocId: +# -- sets the path of the highest ID file. +dvCheckPath: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- sets and enables / disables the accounting function. 
+# If enabled, it writes the csv files to *ptemp* (`//accounting`) +# The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths` +accounting: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +logForwarder: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: + +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. 
This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/pam/Chart.yaml b/charts/pam/Chart.yaml new file mode 100644 index 0000000..770db0d --- /dev/null +++ b/charts/pam/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-pam +description: nscale Process Automation Modeler, providing Web UI Modeler for PAP +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/pam/README.md b/charts/pam/README.md new file mode 100644 index 0000000..3a98b0d --- /dev/null +++ b/charts/pam/README.md 
@@ -0,0 +1,175 @@ + + +# nplus-component-pam + +nscale Process Automation Modeler, providing Web UI Modeler for PAP + +## nplus-component-pam Chart Configuration + +You can customize / configure nplus-component-pam by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. 
You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"process-automation-modeler"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/modeler"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8092` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"pam"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"pam"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/process-automation-modeler/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/process-automation-modeler/apache/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/process-automation-modeler/apache/webapps", "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/temp", "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/work/Catalina/localhost"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/pam/templates/component.tpl b/charts/pam/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/pam/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/pam/templates/ingress.tpl b/charts/pam/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/pam/templates/ingress.tpl 
@@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/pam/templates/networkpolicy.tpl b/charts/pam/templates/networkpolicy.tpl new file mode 100644 index 0000000..1c5c861 --- /dev/null +++ b/charts/pam/templates/networkpolicy.tpl @@ -0,0 +1,41 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + - to: + # Allow Access to nappl and nappljobs + - podSelector: + matchLabels: + nplus/type: core + nplus/group: {{ .instance.group }} +{{- end }} diff --git a/charts/pam/templates/pdb.tpl b/charts/pam/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null 
+++ b/charts/pam/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/pam/templates/pvc.tpl b/charts/pam/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/pam/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/pam/templates/service.tpl b/charts/pam/templates/service.tpl new file mode 100644 index 0000000..624ee1a --- /dev/null +++ b/charts/pam/templates/service.tpl @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/pam/templates/statefulset.tpl b/charts/pam/templates/statefulset.tpl new file mode 100644 index 0000000..e5c3102 --- /dev/null +++ b/charts/pam/templates/statefulset.tpl 
@@ -0,0 +1,119 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + +spec: + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + {{- if not .Values.autoScale }} + replicas: {{ .Values.replicaCount }} + {{- end }} + podManagementPolicy: OrderedReady + updateStrategy: + type: {{ .Values.updateStrategy | default "OnDelete" }} + minReadySeconds: 5 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . 
| nindent 6 }} + + containers: + - name: pam + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + env: + + {{- if ($.this.nappl).host }} + - name: NSCALE_HOST + value: {{ ($.this.nappl).host | quote }} + {{- end }} + {{- if ($.this.nappl).port }} + - name: NSCALE_PORT + value: {{ ($.this.nappl).port | quote }} + {{- end }} + {{- if ($.this.nappl).ssl }} + - name: NSCALE_SSL + value: {{ ($.this.nappl).ssl | quote }} + {{- end }} + {{- if ($.this.nappl).instance }} + - name: NSCALE_INSTANCE + value: {{ ($.this.nappl).instance | quote }} + {{- end }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + httpGet: + path: /modeler + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + initialDelaySeconds: 30 + failureThreshold: 12 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /modeler + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + periodSeconds: 10 + timeoutSeconds: 1 + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 20 + periodSeconds: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/pam/values.schema.json b/charts/pam/values.schema.json new file mode 100644 index 0000000..cce2e21 --- /dev/null 
+++ b/charts/pam/values.schema.json 
@@ -0,0 +1,846 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "process-automation-modeler", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": 
"ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1200.63696", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/modeler", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8092", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "pam", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "pam", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/process-automation-modeler/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change 
this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + 
"description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "As this is a Admin component, there is no HA or anything so we stick to exactly 1 replica. @ignore -- Fix Value", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/pam/values.yaml b/charts/pam/values.yaml new file mode 100644 index 0000000..41c4399 --- /dev/null +++ b/charts/pam/values.yaml @@ -0,0 +1,419 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/modeler" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/webapps" + - "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/temp" + - "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/work/Catalina/localhost" + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-server/process-automation-modeler/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. + # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/logs" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. 
+ # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: process-automation-modeler + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale + pullPolicy: IfNotPresent +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: pam + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8092 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: pam + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- As this is a Admin component, there is no HA or anything so we stick to exactly 1 replica. +# @ignore -- Fix Value +replicaCount: 1 +# # : +# # path: +# # volumeName: +# # subPath: + +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. 
+env: +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. 
+waitFor: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/pipeliner/Chart.yaml b/charts/pipeliner/Chart.yaml new file mode 100644 index 0000000..8a999cc --- /dev/null +++ b/charts/pipeliner/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-pipeliner +description: nscale Pipeliner, the mass import / export tool of nscale +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/pipeliner/README.md b/charts/pipeliner/README.md new file mode 100644 index 0000000..a8bdd2e --- /dev/null +++ b/charts/pipeliner/README.md 
@@ -0,0 +1,171 @@ + + +# nplus-component-pipeliner + +nscale Pipeliner, the mass import / export tool of nscale + +## nplus-component-pipeliner Chart Configuration + +You can customize / configure nplus-component-pipeliner by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. 
You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**dav**​.account | the dav user | `"pipeliner"` | +**dav**​.image​.pullPolicy | the DAV server image pull policy | `"IfNotPresent"` | +**dav**​.password | password of the dav user | `"pipeliner"` | +**dav**​.secret | Alternatively, define a secret | | +env | Sets additional environment variables for the configuration. 
| | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"pipeliner"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/{{ .component.name }}"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. 
These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"cpp"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8080` | +**meta**​.ports​.tcp | A potential tcp port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`4173` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"pipeliner"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"pipeliner"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-pipeliner/workdir"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.paths | Sets a list of paths to the data files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-pipeliner/workdir/data"]` | +**mounts**​.data​.size | Sets the size of the data disk | `"10Gi"` | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.defaultConfig | Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. Existing files are not overwritten. | `"{{ .component.fullName }}-defaultconfig"` | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.license​.path | Sets the path to the license files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-pipeliner/workdir/license.xml"` | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-pipeliner/workdir/log"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +replicaCount | Default ReplicaCount is 0 as the pipeliner requires a working cold.xml | `0` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/pipeliner/templates/component.tpl b/charts/pipeliner/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/pipeliner/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/pipeliner/templates/defaultconfig.tpl b/charts/pipeliner/templates/defaultconfig.tpl new file mode 100644 index 0000000..24601f9 --- /dev/null +++ b/charts/pipeliner/templates/defaultconfig.tpl 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .component.fullName }}-defaultconfig + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +data: +{{- range $path, $bytes := .Files.Glob "defaultconfig/*" }} +{{- base $path | nindent 2 }}: | +{{- tpl ($.Files.Get $path) $ | nindent 4 }} +{{- end }} diff --git a/charts/pipeliner/templates/ingress.tpl b/charts/pipeliner/templates/ingress.tpl new file mode 100644 index 0000000..566199e --- /dev/null +++ b/charts/pipeliner/templates/ingress.tpl @@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ .Values.ingress.backendProtocol | default "http" }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/pipeliner/templates/networkpolicy.tpl b/charts/pipeliner/templates/networkpolicy.tpl new file mode 100644 index 0000000..4fa4d96 --- /dev/null +++ b/charts/pipeliner/templates/networkpolicy.tpl 
@@ -0,0 +1,69 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + + # This is for the WebDAV Service + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + - from: + # access from nappl core in the same instance to setup a cluster + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: core + ports: + {{- include "nplus.napplClusterPolicyPorts" . | nindent 4 }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + + egress: + - to: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: database + - to: + # access to application-layer in the same instance to setup a cluster + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: core + - to: + # access to storage-layer in the same instance + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: nstl + - to: + # access to rendition-server in the same namespace + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: rs +{{- end }} \ No newline at end of file diff --git a/charts/pipeliner/templates/pdb.tpl b/charts/pipeliner/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null 
+++ b/charts/pipeliner/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/pipeliner/templates/pvc.tpl b/charts/pipeliner/templates/pvc.tpl new file mode 100644 index 0000000..b7ac9a2 --- /dev/null +++ b/charts/pipeliner/templates/pvc.tpl @@ -0,0 +1 @@ +{{- include "nplus.pvc" . }} diff --git a/charts/pipeliner/templates/service.tpl b/charts/pipeliner/templates/service.tpl new file mode 100644 index 0000000..f05a9a0 --- /dev/null +++ b/charts/pipeliner/templates/service.tpl @@ -0,0 +1,32 @@ +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service. + # It is purely used to collect the EndPointSlices + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/pipeliner/templates/statefulset.tpl b/charts/pipeliner/templates/statefulset.tpl new file mode 100644 index 0000000..7129329 --- /dev/null +++ b/charts/pipeliner/templates/statefulset.tpl 
@@ -0,0 +1,134 @@ +{{- include "nplus.init" $ -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + podManagementPolicy: OrderedReady + updateStrategy: + type: {{ .Values.updateStrategy | default "OnDelete" }} + minReadySeconds: 5 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: pipeliner + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + env: + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . 
| nindent 8 }} + {{- else }} + startupProbe: + exec: + command: + - "java" + - "-jar" + - "/opt/ceyoniq/nscale-pipeliner/javalibs/PipelinerCheck.jar" + - "localhost" + - "4173" + initialDelaySeconds: 10 + failureThreshold: 12 + periodSeconds: 10 + readinessProbe: + exec: + command: + - "java" + - "-jar" + - "/opt/ceyoniq/nscale-pipeliner/javalibs/PipelinerCheck.jar" + - "localhost" + - "4173" + periodSeconds: 30 + timeoutSeconds: 3 + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: tcp + # initialDelaySeconds: 20 + periodSeconds: 10 + {{- end }} + + ports: + - containerPort: {{ required "Pipeliner tcp port must be set" ((.this.meta).ports).tcp }} + name: tcp + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + {{- if .Values.dav }} + - name: {{ .Release.Namespace }}-nplus-webdav-container + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.dav.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.dav.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.sidecarResources" . | nindent 8 }} + + command: [ "/nplus/davserver" ] + + volumeMounts: + - name: data + mountPath: "/webdav" + subPath: {{ .component.storagePath | quote }} + + env: + # -- DAV Connection Credentials + {{- include "nplus.envCredentials" (list + "DAV_USER" ($.this.dav).account + "DAV_PASSWORD" ($.this.dav).password + ($.this.dav).secret + ) | nindent 10 }} + + - name: DAV_ROOT + value: "/{{ .component.name }}" + + ports: + {{- if not (.this.security).zeroTrust }} + - containerPort: 8080 + name: http + {{- end }} + + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 15 + periodSeconds: 10 + + {{- end }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + 
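Review bot: in charts/pipeliner/templates/ingress.tpl the backend port name falls back to a fixed `default "http"`, with no zero trust branch visible in the template. The `backendProtocol` description in values.schema.json says the default switches to https in zero trust mode, and statefulset.tpl drops the `http` containerPort on the WebDAV sidecar when `(.this.security).zeroTrust` is set. With zeroTrust on and `backendProtocol` unset, this rule would still name a port called `http`. Derive the default from `.this.security.zeroTrust` here, or fail rendering when ingress is enabled in zero trust mode and no TLS backend port exists (`meta.ports.https` defaults to empty in this chart).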
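Review bot: in charts/pipeliner/templates/networkpolicy.tpl none of the four `egress` rules (database, core, nstl, rs) carries a `ports` list, so each one permits every port and protocol on the selected pods, whereas the ingress rule from core is limited through `nplus.napplClusterPolicyPorts`. Add the specific ports the pipeliner needs per target. Since `policyTypes` includes `Egress` and no rule here covers DNS, please also confirm that another policy allows name resolution for these pods, otherwise lookups of the database and core services will be blocked. Minor: the comment on the rs rule says "same namespace" but the selector matches on `nplus/group`, like the others.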
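Review bot: in charts/pipeliner/templates/statefulset.tpl the WebDAV sidecar's `env` block takes `DAV_USER` and `DAV_PASSWORD` from `($.this.dav).account` and `($.this.dav).password`, and the values.schema.json added in this same patch defaults both to `pipeliner`. Because the ingress and the network policy in this patch open that sidecar to the ingress controller whenever ingress is enabled (default `true`), a deployment that sets `dav` without overriding the password ships a known credential on an externally reachable endpoint. Drop the password default and require either `dav.secret` or an explicit password, for example with `required`. Two smaller points in the same hunk: the sidecar `readinessProbe` checks `port: 8080` unconditionally while the `ports` entry for 8080 is skipped under `(.this.security).zeroTrust`, so please state what the probe should hit in zero trust mode; and the startup and readiness probes hard-code `"4173"` while the containerPort comes from `((.this.meta).ports).tcp`, so the probes should use the same value.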
diff --git a/charts/pipeliner/values.schema.json b/charts/pipeliner/values.schema.json new file mode 100644 index 0000000..5b7b5ca --- /dev/null +++ b/charts/pipeliner/values.schema.json 
@@ -0,0 +1,815 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "dav": { + "additionalProperties": false, + "properties": { + "account": { + "default": "pipeliner", + "description": "the dav user", + "title": "account" + }, + "image": { + "additionalProperties": false, + "description": "the Image to use for the DAV server", + "properties": { + "name": { + "default": "toolbox2", + "title": "name", + "type": "string" + }, + "pullPolicy": { + "default": "IfNotPresent", + "description": "the DAV server image pull policy", + "title": "pullPolicy" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "title": "repo", + "type": "string" + }, + "tag": { + "default": "1.2.1300", + "title": "tag", + "type": "string" + } + }, + "title": "image" + }, + "password": { + "default": "pipeliner", + "description": "password of the dav user", + "title": "password" + }, + "secret": { + "default": "", + "description": "Alternatively, define a secret", + "title": "secret" + } + }, + "title": "dav", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "pipeliner", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121815", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/{{ .component.name }}", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "4173", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "pipeliner", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "pipeliner", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "defaultConfig": { + "default": "{{ .component.fullName }}-defaultconfig", + "description": "Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. 
Existing files are not overwritten.", + "title": "defaultConfig" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the 
size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "0", + "description": "Default ReplicaCount is 0 as the pipeliner requires a working cold.xml", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/pipeliner/values.yaml b/charts/pipeliner/values.yaml new file mode 100644 index 0000000..97c1f9d --- /dev/null +++ b/charts/pipeliner/values.yaml @@ -0,0 +1,401 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/{{ .component.name }}" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-pipeliner/workdir" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. + # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-pipeliner/workdir/log" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-pipeliner/workdir/license.xml" + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. 
+ # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- Sets a configMap with default configuration files that get copied + # to a new and empty container just before the template folder gets copied. + # Existing files are not overwritten. 
+ defaultConfig: "{{ .component.fullName }}-defaultconfig" + data: + # -- Sets the size of the data disk + size: "10Gi" + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-pipeliner/workdir/data" + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: pipeliner + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: pipeliner + # -- lists the ports this component exposes. 
This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8080 # webdav + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: 4173 # for admin and mon + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: cpp + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: pipeliner + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. 
This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +dav: + # -- the Image to use for the DAV server + image: + repo: cr.nplus.cloud/subscription + name: toolbox2 + tag: "latest" + # -- the DAV server image pull policy + pullPolicy: IfNotPresent + # -- the dav user + account: pipeliner + # -- password of the dav user + password: pipeliner + # -- Alternatively, define a secret + secret: +# -- Default ReplicaCount is 0 as the pipeliner requires a working cold.xml +replicaCount: 0 +# # : +# # path: +# # volumeName: +# # subPath: + +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. 
+ # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. 
+ # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. +waitFor: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/prepper/Chart.yaml b/charts/prepper/Chart.yaml new file mode 100644 index 0000000..e9a61a4 --- /dev/null +++ b/charts/prepper/Chart.yaml 
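Review bot: The `dav:` block in `charts/pipeliner/values.yaml` ships a usable default login, `account: pipeliner` with `password: pipeliner`, while `secret:` is left empty, so any install that does not override these runs the DAV server (the file marks `http: 8080 # webdav`) with a credential that is published in the chart. Leave `password:` empty, make `dav.secret` the documented way to supply it, and have the templates fail rendering when neither is set. Because `ingress.enabled: true` is the default and `whitelist:` is empty in the same file, please also state in the comments whether the DAV endpoint is reachable through the ingress. A smaller point in the same file: the images use `tag: latest` (for `dav.image` together with `pullPolicy: IfNotPresent`), so different nodes can end up running different builds; pin a version or digest.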
@@ -0,0 +1,15 @@ +apiVersion: v2 +name: nplus-prepper +description: nplus Prepper, used to deploy assets prior to component deployment +icon:  +type: application +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/prepper/README.md b/charts/prepper/README.md new file mode 100644 index 0000000..3eea3d1 --- /dev/null +++ b/charts/prepper/README.md 
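Review bot: In `charts/prepper/Chart.yaml` the comment block that starts "This is the version number of the application being deployed" sits directly above `dependencies:`, and no `appVersion` key follows it, so the comment documents nothing and the chart carries no application version. Either add a quoted `appVersion` under the comment, as the comment itself recommends, or drop the comment. The dependency constraint `version: "*-0"` on `nplus-globals` also accepts any version including pre-releases; even with the local `file://../globals` repository, a range matching the globals release this chart was tested against makes an incompatible library chart fail at dependency resolution instead of at render time.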
@@ -0,0 +1,179 @@ + + +# nplus-prepper + +nplus Prepper, used to deploy assets prior to component deployment + +The *Prepper* prepares everything required for the Instance to work as intended. It is very much like the *Application*, except that it does not connect to any nscale component (as they do not yet run by the time the prepper executes). But just like the Application, the Prepper is able to download assets and run scripts. + +You can add this to your (instance-) deployment: + +```yaml +components: + prepper: true +prepper: + download: + - "https://git.nplus.cloud/public/nplus/raw/branch/master/assets/sample.tar.gz" + run: + - "/pool/downloads/sample.sh" +``` + +This will +1. download the *sample.tar.gz* file from the git server, +2. Extract the tar.gz into the downloads folder +3. Run the contained sample.sh script + +If you need to deploy Snippets prior to your *nscale Web* deployment, simply download them from your git, extract and then copy or move them over to your web config folder, that gets mounted by the web client upon pod creation. + +## nplus-prepper Chart Configuration + +You can customize / configure nplus-prepper by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. 
+In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. 
This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +download | A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads | | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"toolbox2"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. 
| `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"cr.nplus.cloud/subscription"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"application"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/application"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | | +**mounts**​.pool​.path | Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution
do not change this value | **info only**, do not change
`"/pool"` | +**mounts**​.temp​.path | Sets the path to the temporary files
do not change this value | **info only**, do not change
`"/tmp"` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +**nstl**​.host | The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration | | +prerun | A list of scripts to run before the deployment of Apps | | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**rs**​.host | The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration | | +run | A list of scripts to run after the deployment of Apps | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/prepper/templates/application.tpl b/charts/prepper/templates/application.tpl new file mode 100644 index 0000000..9ce1b1d --- /dev/null +++ b/charts/prepper/templates/application.tpl @@ -0,0 +1,19 @@ +apiVersion: nplus.cloud/v1beta1 +kind: Application +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.annotations" . | nindent 4 }} + argocd.argoproj.io/sync-wave: "1" +spec: + download: + {{- toYaml .Values.download | nindent 4 }} + run: + {{- toYaml .Values.run | nindent 4 }} + selector: + {{- include "nplus.selectorLabels" . | nindent 4 }} diff --git a/charts/prepper/templates/config.tpl b/charts/prepper/templates/config.tpl new file mode 100644 index 0000000..18869ce --- /dev/null +++ b/charts/prepper/templates/config.tpl 
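Review bot: in charts/prepper/templates/application.tpl the annotation `argocd.argoproj.io/sync-wave: "1"` is hardcoded after the `nplus.annotations` include, while config.tpl, job.tpl and networkpolicy.tpl take their wave from `nplus.argoWave`. With a literal here, neither `meta.wave` nor `utils.disableWave` appears to affect the Application resource. If the fixed wave is intentional, add a template comment saying why; otherwise use the same include as the other templates. `spec.download` and `spec.run` are also rendered with `toYaml` unconditionally, so an unset value ends up as an empty entry in the manifest; wrapping each in a `with` block would leave the key out instead.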
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .component.fullName }}-config + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +data: +{{- range $path, $bytes := .Files.Glob "config/*" }} +{{- base $path | nindent 2 }}: | +{{- tpl ($.Files.Get $path) $ | nindent 4 }} +{{- end }} diff --git a/charts/prepper/templates/job.tpl b/charts/prepper/templates/job.tpl new file mode 100644 index 0000000..ca70604 --- /dev/null +++ b/charts/prepper/templates/job.tpl 
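Review bot: in charts/prepper/templates/config.tpl, `tpl ($.Files.Get $path) $` renders every file under `config/*` with the full root context into a ConfigMap, so any file that interpolates `nappl.password` or another credential value would publish it in clear text to everyone who can read ConfigMaps in the namespace. Please confirm that no file under `config/` references credentials, or move such files to a Secret and pass credentials only through `nappl.secret`. The template also uses `.this` and `.component` without the `include "nplus.init" $` line that job.tpl and networkpolicy.tpl start with; if that call is what populates those keys, it should be added here as well.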
@@ -0,0 +1,65 @@ +{{- include "nplus.init" $ -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + # Deletion ist done by Operator when successful, so no ttl necessary. + # ttlSecondsAfterFinished: 60 + template: + metadata: + labels: + app.kubernetes.io/version: {{ .Chart.AppVersion }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .instance.group | default .instance.name | default .Release.Name }} + app.kubernetes.io/component: {{ .component.chartName }} + {{- include "nplus.templateLabels" . | nindent 8 }} + spec: + # hostname: {{ .component.fullName }} + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: run + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + env: + {{- include "nplus.environment" . | nindent 8 }} + + command: ["/bin/bash", "-c", "/config/run"] + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + - name: config + mountPath: /config + - name: conf + subPath: {{ .this.instance.name }} + mountPath: /instance + + volumes: + {{- include "nplus.defaultVolumes" . 
| nindent 6 }} + - name: config + configMap: + name: {{ .component.fullName }}-config + defaultMode: 0777 + + restartPolicy: Never + backoffLimit: 0 + diff --git a/charts/prepper/templates/networkpolicy.tpl b/charts/prepper/templates/networkpolicy.tpl new file mode 100644 index 0000000..f6d9110 --- /dev/null +++ b/charts/prepper/templates/networkpolicy.tpl @@ -0,0 +1,38 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Egress + + egress: + - ports: + # -- Allow https access for downloading + - protocol: TCP + port: 443 + # -- Allow http access for downloading + - protocol: TCP + port: 80 + # -- Allow access to DNS + - protocol: TCP + port: 53 + # -- Allow access to DNS + - protocol: UDP + port: 53 +{{- end }} \ No newline at end of file diff --git a/charts/prepper/values.schema.json b/charts/prepper/values.schema.json new file mode 100644 index 0000000..58f914f --- /dev/null +++ b/charts/prepper/values.schema.json 
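Review bot: in charts/prepper/templates/job.tpl the `config` volume sets `defaultMode: 0777`, which is broader than the job needs. The only consumer visible in this hunk is `command: ["/bin/bash", "-c", "/config/run"]`, so read and execute (`0555`) is sufficient and matches the non-root, read-only defaults documented under `security.*`. The line `# hostname: {{ .component.fullName }}` is a YAML comment but is still evaluated by the template engine; remove it or turn it into a template comment. It would also help to document next to `backoffLimit: 0` and `restartPolicy: Never` that a failed run is never retried and has to be cleaned up by hand, since the comment above says the operator only deletes the job on success.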
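Review bot: in charts/prepper/templates/networkpolicy.tpl the single `egress` rule lists ports only and has no `to` selector, so the job may reach any destination, inside or outside the cluster, on TCP 80 and 443 and on DNS. Port 80 is allowed unconditionally although `security.zeroTrust` is documented as disabling all http communication; gate that entry on the zeroTrust value. Consider limiting port 53 to the cluster DNS pods, and check how the job reaches nappl on the documented ports 8080 or 8443, which this policy does not allow if it is the only egress policy selecting the pod.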
@@ -0,0 +1,720 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "download": { + "default": "", + "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", + "title": "download" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + 
{ + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "application", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/application", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { 
+ "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/pool", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + 
"description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "nstl", + "type": "object" + }, + "prerun": { + "default": "", + "description": "A list of scripts to run before the deployment of Apps", + "title": "prerun" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "rs": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "rs", + "type": "object" + }, + "run": { + "default": "", + "description": "A list of scripts to run after the deployment of Apps", + "title": "run" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/prepper/values.yaml b/charts/prepper/values.yaml new file mode 100644 index 0000000..1022b4d --- /dev/null +++ b/charts/prepper/values.yaml 
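Review bot: in charts/prepper/values.schema.json almost no leaf property declares a `type`, so the schema rejects unknown keys but not wrong values: `security.zeroTrust`, `allowPrivilegeEscalation`, `readOnlyRootFilesystem` and `runAsUser` accept any JSON value, including a misspelled string. Add `"type": "boolean"` or `"type": "integer"` for the security settings at least. Several defaults are documentation strings rather than values (the zeroTrust, timezone and utils defaults carry literal backticks, and "false", "true" and "1001" are given as strings), and `image.pullSecrets.items.anyOf` lists `{"type": "string"}` twice. Finally, `security` has `additionalProperties: false` and no `cni` property, while networkpolicy.tpl reads `security.cni.createNetworkPolicy`; if that switch is meant to be set on this chart, it needs a schema entry.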
@@ -0,0 +1,397 @@ +# yaml-language-server: $schema=values.schema.json +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: application + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. 
+ language: + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +mounts: + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/application" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: "/pool" + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: "/tmp" + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + # -- Sets the size of the temporary disk (all paths) + size: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting + configMap: + data: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + file: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +nstl: + # -- The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration + host: +rs: + # -- The dns of the *nscale rendition Server*. This is used to add it to the nappl configuration + host: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: toolbox2 + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: cr.nplus.cloud/subscription +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. 
+ cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +# -- A list of URLs (Links) to Assets to download before anything else +# if the download is a .tar.gz, it is automatically untared to /pool/downloads +download: +# -- A list of scripts to run after the deployment of Apps +run: +# -- A list of scripts to run before the deployment of Apps +prerun: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. 
+ # @default -- `false` + disableWait: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: + +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. +waitFor: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/rms/Chart.yaml b/charts/rms/Chart.yaml new file mode 100644 index 0000000..ad0dad7 --- /dev/null +++ b/charts/rms/Chart.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-rms +description: nplus Remote Management Server incl. RMS and Access Proxy +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/rms/README.md b/charts/rms/README.md new file mode 100644 index 0000000..209609a --- /dev/null +++ b/charts/rms/README.md 
@@ -0,0 +1,228 @@ + + +# nplus-component-rms + +nplus Remote Management Server incl. RMS and Access Proxy + +## Generelle Informationen + +Das RMS Chart simuliert einen Server, auf dem alle nscale Komponenten installiert sind. Dieser kann dann per +nscale Administrator zugegriffen werden. Der Ingress dafür ist admin.. + +Das funktioniert nur mit RMS 2 und einem neuen Admin ab Version 9.2 + +## Bash into + +```sh +kubectl exec --stdin --tty rms-rms-0 -- bash +``` + +## Logs + +```sh +kubectl logs rms-rms-0 -c proxy +kubectl logs rms-rms-0 -c rms +``` + +## nplus-component-rms Chart Configuration + +You can customize / configure nplus-component-rms by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. 
You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**comps**​.cmis​.displayName | The displayName name of the component as it appears in the RMS Server Properties
do not change | **info only**, do not change
`"CMIS Connector"` | +**comps**​.cmis​.enabled | Toggles if this component should be available through RMS | `false` | +**comps**​.cmis​.host | The host, where this component runs | `"{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local"` | +**comps**​.cmis​.name | The internal name of the component
do not change | **info only**, do not change
`"cmis"` | +**comps**​.cmis​.ports​.http | proxied port
do not change | **info only**, do not change
`8096` | +**comps**​.cmis​.ports​.https | proxied port
do not change | **info only**, do not change
`8196` | +**comps**​.cmis​.replicaSetType | The type of the replicaSet - important for the kubectl command
do not change | **info only**, do not change
`"Deployment"` | +**comps**​.cmis​.restartReplicas | The amount of replicas to set when starting through the *nscale Administrator* client | `1` | +**comps**​.ilm​.displayName | The displayName name of the component as it appears in the RMS Server Properties
do not change | **info only**, do not change
`"SAP ILM Connector"` | +**comps**​.ilm​.enabled | Toggles if this component should be available through RMS | `false` | +**comps**​.ilm​.host | The host, where this component runs | `"{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local"` | +**comps**​.ilm​.name | The internal name of the component
do not change | **info only**, do not change
`"ilm"` | +**comps**​.ilm​.ports​.http | proxied port
do not change | **info only**, do not change
`8297` | +**comps**​.ilm​.ports​.https | proxied port
do not change | **info only**, do not change
`8397` | +**comps**​.ilm​.replicaSetType | The type of the replicaSet - important for the kubectl command
do not change | **info only**, do not change
`"Deployment"` | +**comps**​.ilm​.restartReplicas | The amount of replicas to set when starting through the *nscale Administrator* client | `1` | +**comps**​.mon​.displayName | The displayName name of the component as it appears in the RMS Server Properties
do not change | **info only**, do not change
`"Monitoring Console"` | +**comps**​.mon​.enabled | Toggles if this component should be available through RMS | `false` | +**comps**​.mon​.host | The host, where this component runs | `"{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local"` | +**comps**​.mon​.name | The internal name of the component
do not change | **info only**, do not change
`"mon"` | +**comps**​.mon​.ports​.http | proxied port
do not change | **info only**, do not change
`8387` | +**comps**​.mon​.ports​.https | proxied port
do not change | **info only**, do not change
`8388` | +**comps**​.mon​.ports​.tcp | proxied port
do not change | **info only**, do not change
`8389` | +**comps**​.mon​.replicaSetType | The type of the replicaSet - important for the kubectl command
do not change | **info only**, do not change
`"StatefulSet"` | +**comps**​.mon​.restartReplicas | The amount of replicas to set when starting through the *nscale Administrator* client | `1` | +**comps**​.nappl​.displayName | The displayName name of the component as it appears in the RMS Server Properties
do not change | **info only**, do not change
`"Application Layer"` | +**comps**​.nappl​.enabled | Toggles if this component should be available through RMS | `false` | +**comps**​.nappl​.host | The host, where this component runs | `"{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local"` | +**comps**​.nappl​.name | The internal name of the component
do not change | **info only**, do not change
`"nappl"` | +**comps**​.nappl​.ports​.http | proxied port
do not change | **info only**, do not change
`8080` | +**comps**​.nappl​.ports​.https | proxied port
do not change | **info only**, do not change
`8443` | +**comps**​.nappl​.replicaSetType | The type of the replicaSet - important for the kubectl command
do not change | **info only**, do not change
`"StatefulSet"` | +**comps**​.nappl​.restartReplicas | The amount of replicas to set when starting through the *nscale Administrator* client | `1` | +**comps**​.nstl​.displayName | The displayName name of the component as it appears in the RMS Server Properties
do not change | **info only**, do not change
`"Storage Layer"` | +**comps**​.nstl​.enabled | Toggles if this component should be available through RMS | `false` | +**comps**​.nstl​.host | The host, where this component runs | `"{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local"` | +**comps**​.nstl​.name | The internal name of the component
do not change | **info only**, do not change
`"nstl"` | +**comps**​.nstl​.ports​.tcp | proxied port
do not change | **info only**, do not change
`3005` | +**comps**​.nstl​.ports​.tcps | proxied port
do not change | **info only**, do not change
`3006` | +**comps**​.nstl​.replicaSetType | The type of the replicaSet - important for the kubectl command
do not change | **info only**, do not change
`"StatefulSet"` | +**comps**​.nstl​.restartReplicas | The amount of replicas to set when starting through the *nscale Administrator* client | `1` | +**comps**​.pipeliner​.displayName | The displayName name of the component as it appears in the RMS Server Properties
do not change | **info only**, do not change
`"Pipeliner"` | +**comps**​.pipeliner​.enabled | Toggles if this component should be available through RMS | `false` | +**comps**​.pipeliner​.host | The host, where this component runs | `"{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local"` | +**comps**​.pipeliner​.name | The internal name of the component
do not change | **info only**, do not change
`"pipeliner"` | +**comps**​.pipeliner​.ports​.tcp | proxied port
do not change | **info only**, do not change
`4173` | +**comps**​.pipeliner​.replicaSetType | The type of the replicaSet - important for the kubectl command
do not change | **info only**, do not change
`"StatefulSet"` | +**comps**​.pipeliner​.restartReplicas | The amount of replicas to set when starting through the *nscale Administrator* client | `1` | +**comps**​.rs​.displayName | The displayName name of the component as it appears in the RMS Server Properties
do not change | **info only**, do not change
`"Rendition Server"` | +**comps**​.rs​.enabled | Toggles if this component should be available through RMS | `false` | +**comps**​.rs​.host | The host, where this component runs | `"{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local"` | +**comps**​.rs​.name | The internal name of the component
do not change | **info only**, do not change
`"rs"` | +**comps**​.rs​.ports​.http | proxied port
do not change | **info only**, do not change
`8192` | +**comps**​.rs​.ports​.https | proxied port
do not change | **info only**, do not change
`8193` | +**comps**​.rs​.replicaSetType | The type of the replicaSet - important for the kubectl command
do not change | **info only**, do not change
`"Deployment"` | +**comps**​.rs​.restartReplicas | The amount of replicas to set when starting through the *nscale Administrator* client | `1` | +**comps**​.web​.displayName | The displayName name of the component as it appears in the RMS Server Properties
do not change | **info only**, do not change
`"Application Layer Web"` | +**comps**​.web​.enabled | Toggles if this component should be available through RMS | `false` | +**comps**​.web​.host | The host, where this component runs | `"{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local"` | +**comps**​.web​.name | The internal name of the component
do not change | **info only**, do not change
`"web"` | +**comps**​.web​.ports​.http | proxied port
do not change | **info only**, do not change
`8090` | +**comps**​.web​.ports​.https | proxied port
do not change | **info only**, do not change
`8453` | +**comps**​.web​.replicaSetType | The type of the replicaSet - important for the kubectl command
do not change | **info only**, do not change
`"Deployment"` | +**comps**​.web​.restartReplicas | The amount of replicas to set when starting through the *nscale Administrator* client | `1` | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"admin-server"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"git.nplus.cloud/subscription"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. 
In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"rms"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. 
This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.medium | the medium for the emptyDisk volume if you unset it, it drops it from the manifest | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-rms/log"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-rms/tmp"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"100Mi"` | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +**security**​.cni​.adminIpRange | defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server. | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. 
| `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | + diff --git a/charts/rms/templates/component.tpl b/charts/rms/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/rms/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/rms/templates/configmap-haproxy.tpl b/charts/rms/templates/configmap-haproxy.tpl new file mode 100644 index 0000000..830a15a --- /dev/null +++ b/charts/rms/templates/configmap-haproxy.tpl @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .component.fullName }}-haproxy + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +data: +{{- range $path, $bytes := .Files.Glob "haproxy/*" }} +{{- base $path | nindent 2 }}: | +{{- tpl ($.Files.Get $path) $ | nindent 4 }} +{{- end }} 
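Review bot: configmap-haproxy.tpl reads `.component.fullName` and `.this.utils.includeNamespace` but, unlike component.tpl, does not start with `{{- include "nplus.init" $ -}}`. If that include is what populates `.component` and `.this`, this file only renders correctly when another template has already run it. Add the include at the top so the template does not depend on render order; configmap-repository.tpl, rms-rbac.tpl and service.tpl have the same gap.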
diff --git a/charts/rms/templates/configmap-repository.tpl b/charts/rms/templates/configmap-repository.tpl new file mode 100644 index 0000000..f4e64ce --- /dev/null +++ b/charts/rms/templates/configmap-repository.tpl @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .component.fullName }}-repository + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +data: +{{- range $path, $bytes := .Files.Glob "repository/*" }} +{{- base $path | nindent 2 }}: | +{{- tpl ($.Files.Get $path) $ | nindent 4 }} +{{- end }} diff --git a/charts/rms/templates/networkpolicy.tpl b/charts/rms/templates/networkpolicy.tpl new file mode 100644 index 0000000..56be557 --- /dev/null +++ b/charts/rms/templates/networkpolicy.tpl 
@@ -0,0 +1,42 @@ +{{- include "nplus.init" $ -}} + +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + - Egress + ingress: + - from: + # Access from out of Cluster (Admin Desktop) + - ipBlock: + cidr: {{ ((.this.security).cni).adminIpRange | quote }} + egress: + - to: + # All Pods in Instance + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + + # Allow API Access + - ports: + - protocol: TCP + port: 16443 + - protocol: TCP + port: 443 +{{- end }} \ No newline at end of file diff --git a/charts/rms/templates/pdb.tpl b/charts/rms/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/rms/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/rms/templates/rms-rbac.tpl b/charts/rms/templates/rms-rbac.tpl new file mode 100755 index 0000000..d520592 --- /dev/null +++ b/charts/rms/templates/rms-rbac.tpl 
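Review bot: in networkpolicy.tpl the ingress `ipBlock` takes `cidr` straight from `((.this.security).cni).adminIpRange` with no check that it is set, so turning on `createNetworkPolicy` without an `adminIpRange` renders an empty `cidr` and the policy is rejected only at apply time. Wrap the value in `required`, or `fail` with a clear message as service.tpl does for the selector. The ingress rule also carries no `ports`, so the admin range reaches every container port of the pod rather than 3120 and the proxied ports, and the "Allow API Access" egress rule lists ports 16443 and 443 without a `to`, which allows those ports toward any destination. If only the Kubernetes API server is meant, add an `ipBlock` for it. `createNetworkPolicy` is also missing from the README values table next to `security.cni.adminIpRange`.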
@@ -0,0 +1,53 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .component.fullName }}-svc-account + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .component.fullName }}-role + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +rules: + - apiGroups: ["apps"] + resources: ["deployments","deployments/scale", "statefulsets","statefulsets/scale", "replicasets"] + verbs: ["get", "patch", "list"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .component.fullName }}-role-binding + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoSharedResource" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .component.fullName }}-role +subjects: +- kind: ServiceAccount + name: {{ .component.fullName }}-svc-account diff --git a/charts/rms/templates/service.tpl b/charts/rms/templates/service.tpl new file mode 100644 index 0000000..321e0c6 --- /dev/null +++ b/charts/rms/templates/service.tpl 
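Review bot: in rms-rbac.tpl the Role grants `patch` on `deployments` and `statefulsets` themselves, not only on their `/scale` subresources, so the RMS service account can rewrite the pod template (image, command, service account) of every workload in the namespace. If the purpose is the start/stop scaling that `restartReplicas` describes, limit `patch` to `deployments/scale` and `statefulsets/scale`, keep `get` and `list` on the parent resources, and consider `resourceNames` on the patch rule for the components listed under `comps`. The RoleBinding's `ServiceAccount` subject also has no `namespace`, which the RBAC API requires for that subject kind.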
@@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }}-admin + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + type: LoadBalancer + {{- if .Values.externalIp }} + loadBalancerIP: {{ .Values.externalIp }} + {{- end }} + ports: + - protocol: TCP + port: 3120 + targetPort: 3120 + name: rms + + {{- range $ckey, $component := .Values.comps }} + {{- if $component.enabled }} + {{- range $pkey, $port := .ports }} + - protocol: TCP + port: {{ $port }} + targetPort: {{ $port }} + name: {{ $ckey }}-{{ $pkey }} + {{- end }} + {{- end }} + {{- end }} diff --git a/charts/rms/templates/statefulset.tpl b/charts/rms/templates/statefulset.tpl new file mode 100644 index 0000000..f2888a3 --- /dev/null +++ b/charts/rms/templates/statefulset.tpl 
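Review bot: in service.tpl `type: LoadBalancer` is hard-coded with no `loadBalancerSourceRanges`, so port 3120 and every enabled component's proxied port, including the plain `http` and `tcp` ones, are published on the load balancer address to any client unless the optional NetworkPolicy is switched on. Derive `loadBalancerSourceRanges` from `security.cni.adminIpRange`, and leave out the non-TLS ports when `security.zeroTrust` is set. The template also never tests `.this.service.enabled`, which the README says disables the service, and it reads `.Values.externalIp`, which appears neither in the README table nor among the top-level properties of values.schema.json, where `additionalProperties` is `false`.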
@@ -0,0 +1,128 @@ +{{- include "nplus.init" $ -}} + +{{- range $key, $component := .Values.components }} + {{- range $port := .ports }} +# {{ $key }}/{{ $port }} + {{- end }} +{{- end }} + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + + serviceName: {{ .component.fullName }} + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + podManagementPolicy: OrderedReady + updateStrategy: + type: {{ .Values.updateStrategy | default "OnDelete" }} + minReadySeconds: 5 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + serviceAccountName: {{ .component.fullName }}-svc-account + + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + + containers: + - name: rms + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + + command: ["/opt/ceyoniq/nscale-rms/bin/rms.bin"] + + ports: + - containerPort: 3120 + name: rms + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . 
| nindent 8 }} + - name: conf + subPath: {{ .this.instance.name | quote }} + mountPath: /conf + + {{- if ($.this.ingress).domain }} + - name: cert + subPath: tls.crt + mountPath: "/opt/ceyoniq/nscale-rms/bin/tls.cer" + readOnly: true + - name: cert + subPath: tls.key + mountPath: "/opt/ceyoniq/nscale-rms/bin/tls.key" + readOnly: true + {{- end }} + - name: repository + mountPath: /etc/ceyoniq/nscale-rms/repository + + - name: proxy + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + + command: ["haproxy", "-f", "/etc/haproxy/haproxy.cfg", "-d"] + + ports: + {{- range $ckey, $component := .Values.comps }} + {{- if $component.enabled }} + {{- range $pkey, $port := .ports }} + - containerPort: {{ $port }} + name: {{ $ckey }}-{{ $pkey }} + protocol: TCP + {{- end }} + {{- end }} + {{- end }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + - name: haproxy + subPath: haproxy.cfg + mountPath: /etc/haproxy/haproxy.cfg + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + - name: conf + persistentVolumeClaim: + claimName: conf + {{- if ($.this.ingress).domain }} + - name: cert + secret: + secretName: {{ ($.this.ingress).secret }} + {{- end }} + - name: repository + configMap: + name: {{ .component.fullName }}-repository + defaultMode: 0777 + - name: haproxy + configMap: + name: {{ .component.fullName }}-haproxy + defaultMode: 0777 diff --git a/charts/rms/values.schema.json b/charts/rms/values.schema.json new file mode 100644 index 0000000..06a3ae4 --- /dev/null +++ b/charts/rms/values.schema.json 
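Review bot: in statefulset.tpl both configMap volumes (`repository` and `haproxy`) set `defaultMode: 0777`, which grants write and execute bits to every user on files that are only read. `0444` is enough for `haproxy.cfg`, and `0555` covers the repository if its files have to be executable. Two smaller points in the same hunk: the `range` over `.Values.components` at the top only emits comments and uses a different key from the `.Values.comps` used for the ports further down, so drop it or rename it; and the proxy container always starts `haproxy` with `-d` (debug mode), which would be better gated on `utils.debug`.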
@@ -0,0 +1,1082 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "comps": { + "additionalProperties": false, + "properties": { + "cmis": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "CMIS Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "cmis", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8096", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8196", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "cmis", + "type": "object" + }, + "ilm": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "SAP ILM Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- 
do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "ilm", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8297", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8397", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "ilm", + "type": "object" + }, + "mon": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Monitoring Console", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "mon", + "description": "The 
internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8387", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8388", + "description": "proxied port @internal -- do not change", + "title": "https" + }, + "tcp": { + "default": "8389", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "mon", + "type": "object" + }, + "nappl": { + "additionalProperties": false, + "description": "Values for the nappl component", + "properties": { + "displayName": { + "default": "Application Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nappl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": 
{ + "http": { + "default": "8080", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8443", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nappl" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Storage Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nstl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "3005", + "description": "proxied port @internal -- do not change", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "proxied port @internal -- do not change", + "title": "tcps" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": 
"replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nstl", + "type": "object" + }, + "pipeliner": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Pipeliner", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "pipeliner", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "4173", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "pipeliner", + "type": "object" + }, + "rs": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Rendition Server", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + 
"enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "rs", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8192", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8193", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "rs", + "type": "object" + }, + "web": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Application Layer Web", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "web", + "description": "The internal name of the component @internal -- do not 
change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8090", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8453", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "web", + "type": "object" + } + }, + "title": "comps", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "admin-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "git.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rms", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-rms/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "100Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "adminIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server.", + "title": "adminIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "type": "object" +} diff --git a/charts/rms/values.yaml b/charts/rms/values.yaml new file mode 100644 index 0000000..eceeede --- /dev/null +++ b/charts/rms/values.yaml 
@@ -0,0 +1,516 @@ +# yaml-language-server: $schema=values.schema.json +comps: + # -- Values for the nappl component + nappl: + # -- The internal name of the component + # @internal -- do not change + name: nappl + # -- The displayName name of the component as it appears in the RMS Server Properties + # @internal -- do not change + displayName: "Application Layer" + # -- The amount of replicas to set when starting through the *nscale Administrator* client + restartReplicas: 1 + # -- The type of the replicaSet - important for the kubectl command + # @internal -- do not change + replicaSetType: StatefulSet + # -- Toggles if this component should be available through RMS + enabled: false + # -- The ports exposed by the L4 Load Balancer / Reverse Proxy + # @internal -- do not change + ports: + # -- proxied port + # @internal -- do not change + http: 8080 + # -- proxied port + # @internal -- do not change + https: 8443 + # -- The host, where this component runs + host: "{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local" + nstl: + # -- The internal name of the component + # @internal -- do not change + name: nstl + # -- The displayName name of the component as it appears in the RMS Server Properties + # @internal -- do not change + displayName: "Storage Layer" + # -- The amount of replicas to set when starting through the *nscale Administrator* client + restartReplicas: 1 + # -- The type of the replicaSet - important for the kubectl command + # @internal -- do not change + replicaSetType: StatefulSet + # -- Toggles if this component should be available through RMS + enabled: false + # -- The ports exposed by the L4 Load Balancer / Reverse Proxy + # @internal -- do not change + ports: + # -- proxied port + # @internal -- do not change + tcp: 3005 + # -- proxied port + # @internal -- do not change + tcps: 3006 + # -- The host, where this component runs + host: "{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local" + rs: + # -- The 
internal name of the component + # @internal -- do not change + name: rs + # -- The displayName name of the component as it appears in the RMS Server Properties + # @internal -- do not change + displayName: "Rendition Server" + # -- The amount of replicas to set when starting through the *nscale Administrator* client + restartReplicas: 1 + # -- The type of the replicaSet - important for the kubectl command + # @internal -- do not change + replicaSetType: Deployment + # -- Toggles if this component should be available through RMS + enabled: false + # -- The ports exposed by the L4 Load Balancer / Reverse Proxy + # @internal -- do not change + ports: + # -- proxied port + # @internal -- do not change + http: 8192 + # -- proxied port + # @internal -- do not change + https: 8193 + # -- The host, where this component runs + host: "{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local" + mon: + # -- The internal name of the component + # @internal -- do not change + name: mon + # -- The displayName name of the component as it appears in the RMS Server Properties + # @internal -- do not change + displayName: "Monitoring Console" + # -- The amount of replicas to set when starting through the *nscale Administrator* client + restartReplicas: 1 + # -- The type of the replicaSet - important for the kubectl command + # @internal -- do not change + replicaSetType: StatefulSet + # -- Toggles if this component should be available through RMS + enabled: false + # -- The ports exposed by the L4 Load Balancer / Reverse Proxy + # @internal -- do not change + ports: + # -- proxied port + # @internal -- do not change + http: 8387 + # -- proxied port + # @internal -- do not change + https: 8388 + # -- proxied port + # @internal -- do not change + tcp: 8389 # rmi + # -- The host, where this component runs + host: "{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local" + ilm: + # -- The internal name of the component + # @internal -- do not change + name: ilm 
+ # -- The displayName name of the component as it appears in the RMS Server Properties + # @internal -- do not change + displayName: "SAP ILM Connector" + # -- The amount of replicas to set when starting through the *nscale Administrator* client + restartReplicas: 1 + # -- The type of the replicaSet - important for the kubectl command + # @internal -- do not change + replicaSetType: Deployment + # -- Toggles if this component should be available through RMS + enabled: false + # -- The ports exposed by the L4 Load Balancer / Reverse Proxy + # @internal -- do not change + ports: + # -- proxied port + # @internal -- do not change + http: 8297 + # -- proxied port + # @internal -- do not change + https: 8397 + # -- The host, where this component runs + host: "{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local" + cmis: + # -- The internal name of the component + # @internal -- do not change + name: cmis + # -- The displayName name of the component as it appears in the RMS Server Properties + # @internal -- do not change + displayName: "CMIS Connector" + # -- The amount of replicas to set when starting through the *nscale Administrator* client + restartReplicas: 1 + # -- The type of the replicaSet - important for the kubectl command + # @internal -- do not change + replicaSetType: Deployment + # -- Toggles if this component should be available through RMS + enabled: false + # -- The ports exposed by the L4 Load Balancer / Reverse Proxy + # @internal -- do not change + ports: + # -- proxied port + # @internal -- do not change + http: 8096 + # -- proxied port + # @internal -- do not change + https: 8196 + # -- The host, where this component runs + host: "{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local" + web: + # -- The internal name of the component + # @internal -- do not change + name: web + # -- The displayName name of the component as it appears in the RMS Server Properties + # @internal -- do not change + displayName: 
"Application Layer Web" + # -- The amount of replicas to set when starting through the *nscale Administrator* client + restartReplicas: 1 + # -- The type of the replicaSet - important for the kubectl command + # @internal -- do not change + replicaSetType: Deployment + # -- Toggles if this component should be available through RMS + enabled: false + # -- The ports exposed by the L4 Load Balancer / Reverse Proxy + # @internal -- do not change + ports: + # -- proxied port + # @internal -- do not change + http: 8090 + # -- proxied port + # @internal -- do not change + https: 8453 + # -- The host, where this component runs + host: "{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local" + pipeliner: + # -- The internal name of the component + # @internal -- do not change + name: pipeliner + # -- The displayName name of the component as it appears in the RMS Server Properties + # @internal -- do not change + displayName: "Pipeliner" + # -- The amount of replicas to set when starting through the *nscale Administrator* client + restartReplicas: 1 + # -- The type of the replicaSet - important for the kubectl command + # @internal -- do not change + replicaSetType: StatefulSet + # -- Toggles if this component should be available through RMS + enabled: false + # -- The ports exposed by the L4 Load Balancer / Reverse Proxy + # @internal -- do not change + ports: + # -- proxied port + # @internal -- do not change + tcp: 4173 # for admin and mon + # -- The host, where this component runs + host: "{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local" +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: rms + # -- lists the ports this component exposes. 
This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. 
(see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- the replicaCount for the Storage Layer. This does not make sense, so +# leave this at 1 at any time, unless you know exactly what you are doing. +# @ignore +replicaCount: 1 +mounts: + # -- The log volume is used to take any left-over logging in the container. + # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- the medium for the emptyDisk volume + # if you unset it, it drops it from the manifest + medium: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-rms/log" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-rms/tmp" + # -- Sets the size of the temporary disk (all paths) + size: "100Mi" + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. 
+ # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + data: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + file: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. + generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: admin-server + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: git.nplus.cloud/subscription + pullPolicy: IfNotPresent +# -- Security Section defining default runtime environment for your container +security: + cni: + # -- defines the IP Range of out-of-cluster Administrator Workplaces that are + # allowed to access the RMS Server. + adminIpRange: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# # : +# # path: +# # volumeName: +# # subPath: + +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. 
+# @default -- `Europe/Berlin` +timezone: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. 
However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/rs/Chart.yaml b/charts/rs/Chart.yaml new file mode 100644 index 0000000..305797c --- /dev/null +++ b/charts/rs/Chart.yaml 
@@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-rs +description: nscale Rendition Server, providing means to format-convert common file types +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/rs/README.md b/charts/rs/README.md new file mode 100644 index 0000000..a068d03 --- /dev/null +++ b/charts/rs/README.md 
@@ -0,0 +1,174 @@ + + +# nplus-component-rs + +nscale Rendition Server, providing means to format-convert common file types + +## nplus-component-rs Chart Configuration + +You can customize / configure nplus-component-rs by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. 
You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"rendition-server"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `false` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8192` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8193` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"rendition-server"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"rs"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-rendition-server/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.paths | Sets a list of paths to the shared files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-rendition-server/work"]` | +**mounts**​.file​.size | Sets the size of the shared disk | `"10Gi"` | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.fonts​.path | Sets the path to the fonts folder.
do not change this value | **info only**, do not change
`"/usr/share/fonts/truetype/nplus"` | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.license​.path | Sets the path to the license files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-rendition-server/conf/license.xml"` | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-rendition-server/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"5Gi"` | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/tmp"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"10Gi"` | +nameOverride | This overrides the output of the internal name function | | +nodeSelector | select specific nodes for this component | | +replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. 
| `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/rs/templates/component.tpl b/charts/rs/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/rs/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/rs/templates/deployment.tpl b/charts/rs/templates/deployment.tpl new file mode 100644 index 0000000..9017d3f --- /dev/null +++ b/charts/rs/templates/deployment.tpl 
@@ -0,0 +1,93 @@ +{{- include "nplus.init" $ -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: + type: RollingUpdate + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: rendition-server + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + env: + + - name: RSX_APPENDER + value: Console + - name: RSX_PASSWORD + value: "admin" + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + httpGet: + path: /rs + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . 
| upper }} + initialDelaySeconds: 20 + failureThreshold: 30 + periodSeconds: 10 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: /rs + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 30 + periodSeconds: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + + diff --git a/charts/rs/templates/networkpolicy.tpl b/charts/rs/templates/networkpolicy.tpl new file mode 100644 index 0000000..a0b3c02 --- /dev/null +++ b/charts/rs/templates/networkpolicy.tpl 
@@ -0,0 +1,53 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + + ingress: + + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + - from: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/type: core + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + - from: + - podSelector: + matchLabels: + nplus/group: {{ .instance.group }} + nplus/component: pipeliner + {{- if ((.this.security).cni).excludeUnusedPorts }} + ports: + {{- include "nplus.defaultPolicyPorts" . | nindent 4 }} + {{- end }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + +{{- end }} \ No newline at end of file diff --git a/charts/rs/templates/pdb.tpl b/charts/rs/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/rs/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/rs/templates/pvc.tpl b/charts/rs/templates/pvc.tpl new file mode 100644 index 0000000..b7ac9a2 --- /dev/null +++ b/charts/rs/templates/pvc.tpl @@ -0,0 +1 @@ +{{- include "nplus.pvc" . }} 
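Review bot: In the values hunk that ends just before charts/rs/Chart.yaml, `tag: latest` under `image:` is combined with `pullPolicy: IfNotPresent`, so a node that already has a cached `latest` image never pulls again, replicas on different nodes can run different builds, and a rollout cannot be reproduced. Suggest defaulting the tag to the released version (or a digest) and leaving `latest` as an explicit opt-in. The keys table added in charts/rs/README.md documents the same `"latest"` default for `image.tag`, so the same change applies there.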
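Review bot: In charts/rs/templates/deployment.tpl the container `env:` hard-codes `- name: RSX_PASSWORD` with `value: "admin"`, so every rendered Deployment carries the same known password in clear text in the manifest. Suggest reading it from a Secret with `valueFrom.secretKeyRef`, or requiring it through the documented `envSecret` key, and failing the render when none is supplied. Two smaller points in the same hunk: `strategy.type: RollingUpdate` is fixed although the README keys table lists `updateStrategy`, and `replicas` reads `.Values.replicaCount` rather than `.this`, which skips the component / instance / environment defaulting the README describes.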
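Review bot: In charts/rs/templates/networkpolicy.tpl the whole policy is gated on `.this.security.cni.createNetworkPolicy` and each `ports:` restriction on `.this.security.cni.excludeUnusedPorts`, but neither key appears in the keys table that charts/rs/README.md adds in this commit. As written, no policy is rendered unless the first key is set, and the rules for `nplus/type: core` and `nplus/component: pipeliner` allow all ports unless the second is set. Suggest documenting both keys with their defaults, and noting that `policyTypes` lists only `Ingress`, so egress from the rendition server pods stays unrestricted. The file also ends without a trailing newline.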
diff --git a/charts/rs/templates/service.tpl b/charts/rs/templates/service.tpl new file mode 100644 index 0000000..86382ee --- /dev/null +++ b/charts/rs/templates/service.tpl @@ -0,0 +1,28 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + type: ClusterIP + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/rs/values.schema.json b/charts/rs/values.schema.json new file mode 100644 index 0000000..806ed79 --- /dev/null +++ b/charts/rs/values.schema.json 
@@ -0,0 +1,804 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "rendition-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" 
+ }, + "tag": { + "default": "ubi.9.3.1301.2024121910", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "false", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8192", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8193", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "rendition-server", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rs", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + 
"additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "/usr/share/fonts/truetype/nplus", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/conf/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/rs/values.yaml b/charts/rs/values.yaml new file mode 100644 index 0000000..20fee87 --- /dev/null +++ b/charts/rs/values.yaml @@ -0,0 +1,406 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: false + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Sets the number of replicas in this replicaSet. +# Some Components (like nstl or sharepoint) only allow a count of 1. +replicaCount: 1 +# -- the update Strategy for this component. Normally, you can update all components +# rolling, except for nappl, where you need to follow the documented update procedures. +updateStrategy: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. 
Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# # : +# # path: +# # volumeName: +# # subPath: + +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - /tmp + # -- Sets the size of the temporary disk (all paths) + size: "10Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: /opt/ceyoniq/nscale-rendition-server/conf + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: /opt/ceyoniq/nscale-rendition-server/logs + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "5Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: /opt/ceyoniq/nscale-rendition-server/conf/license.xml + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: /usr/share/fonts/truetype/nplus + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + file: + # -- Sets the size of the shared disk + size: "10Gi" + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + - /opt/ceyoniq/nscale-rendition-server/work + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. 
to mount migration nfs, cifs / samba shares into a pipeliner container. + generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: rendition-server + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: rs + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8192 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8193 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: rendition-server + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. 
This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. 
+ # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. +waitFor: +# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as +# minAvailable, using the full component as selector. This is useful for components, that are +# using multiple replicas. +minReplicaCount: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. 
This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/sharepoint/Chart.yaml b/charts/sharepoint/Chart.yaml new file mode 100644 index 0000000..a1260a1 --- /dev/null +++ b/charts/sharepoint/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-sharepoint +description: nscale SharePoint Connector, providing SP archiving to the Instance +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/sharepoint/README.md b/charts/sharepoint/README.md new file mode 100644 index 0000000..75640fa --- /dev/null +++ b/charts/sharepoint/README.md 
@@ -0,0 +1,293 @@ + + +# nplus-component-sharepoint + +nscale SharePoint Connector, providing SP archiving to the Instance + +# Single Server with multiple Replicas (and same Config) + +In the instance, configure + +``` +components: + sharepoint: true +sharepoint: + replicas: 2 +``` + +# Multiple Servers with different Configs + +``` +components: + sharepointa: true + sharepointb: true +sharepointa: + replicas: 1 +sharepointb: + replicas: 1 +``` + +this way, you will have two sharepoint instances with different config. + +# Cluster Service + +in multi server mode, the Instance Chart deploys a sharepoint cluster service that balances across sharepoint A and B. + +You **can** use it if you want, or you use the services for sharepointa and sharepointb and load balance manually. + +# Working with multiple SharePoint Connectors and Ingresses + +If you are working with multiple Sharepoint Connectors (a,b,c,d), you do not want them all to define the same ingress path, as it would block the ingress from being created. + +There are two solutions to this: + +1. Disable the ingress on the sharepoint connectors you do not want an ingress to be created. You can still create an ingress manually, either routing traffic via the sharepoint component service, or alternatively routing the traffic via the global cluster service (see above) that is coming with the instance chart. + +2. Instead of disabling the ingress, you can also change the path for each sharepoint instance. Then you could still connect to an individual SP service via the path given, or alternatively route the traffic via the global cluster service that is coming with the instance chart. (same as above) + +**When would you consider this?** + +You would want this, if you have multiple instances, each with a completely different archiving configuration, **but** a common retrieval schedule. 
You would gain a high availability retrieval scenario, even if you only have a single service for archiving, as archiving does not necessarily needs to be HA. + +## nplus-component-sharepoint Chart Configuration + +You can customize / configure nplus-component-sharepoint by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**clusterService**​.contextPath | set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances) | | +**clusterService**​.enabled | | `false` | +**connector**​.cTagPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"cTag"` | +**connector**​.eTagPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"eTag"` | +**connector**​.idPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"sharePointId"` | +**connector**​.listItemIdPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"SharePointListItemId"` | +**connector**​.nscaleExpirationPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**connector**​.nscaleGdprRelevantPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**connector**​.nscaleLegalHidePropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**connector**​.nscaleLegalHoldPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**connector**​.nscaleRetentionPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**connector**​.parentIdPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"sharePointParentId"` | +**connector**​.sharePointChangeTokenPropertyName | Documentation pending until official release 
of *nscale SharePoint Connector* by *Ceyoniq* | | +**connector**​.sharePointCreatedPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"SharePointCreated"` | +**connector**​.sharePointCreatorPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"SharePointCreator"` | +**connector**​.sharePointEditedPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"SharePointLastModified"` | +**connector**​.sharePointEditorPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"SharePointEditor"` | +**connector**​.stubIdPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"SharePointStubId"` | +**connector**​.stubListItemIdPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"SharePointStubListItemId"` | +**connector**​.webUrlPropertyName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"sharePointWebUrl"` | +doInitialCrawl | toggle initial crawling. This value is mandatory. | `"false"` | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"sharepoint-connector"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. 
| `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/nscale_spc"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**management**​.port | see mail from Manuel, 30.7.2024 | `"18098"` | +**management**​.security | see mail from Manuel, 30.7.2024 | `"false"` | +**management**​.ssl | see mail from Manuel, 30.7.2024 | `"false"` | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8098` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8498` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"sharepoint-connector"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"sharepoint"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.paths | Sets the path to the component certs.
do not change this value | **info only**, do not change
`["/opt/ceyoniq/sharepoint-connector/conf/apicert.pfx", "/opt/ceyoniq/sharepoint-connector/conf/apicert.pem", "/opt/ceyoniq/sharepoint-connector/conf/keystore.ks"]` | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/sharepoint-connector/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/sharepoint-connector/bin/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/sharepoint-connector/temp", "/tmp"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.baseFolder | The base folder, this component should write to | | +**nappl**​.docArea | The document area, this component should write to | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +parallelRequests | amount of parallel requests | `5` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**sharepoint**​.clientCertPw | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.clientId | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.doCheckOut | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `false` | +**sharepoint**​.secret | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.serviceBusConnectionString | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.serviceBusQueueName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.serviceBusRetentionConnectionString | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.serviceBusRetentionQueueName | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.serviceBusTopicNameConfigUpdate | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.spHost | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"https://example.com"` | +**sharepoint**​.tenantId | Documentation pending until official 
release of *nscale SharePoint Connector* by *Ceyoniq* | | +**sharepoint**​.triggerProperty | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"toBeArchived"` | +**sharepoint**​.webUserPw | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**ssl**​.keyAlias | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"https"` | +**ssl**​.keyPassword | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"secret"` | +**ssl**​.keystore | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**ssl**​.keystorePassword | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | `"secret"` | +**ssl**​.keystoreSecret | Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* | | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. 
| | + +## Secrets in this components + +If you use secrets to store credentials, please make sure that you create the secrets in the same namespace as the deployment. + +In this component, the nappl secret also nneeds to contain the domain of the acessing user: + +- account +- password +- domain + +Also, there is a second secret that can be used to store credentials for the sharepoint system. If used, it needs to comtain: + +- clientId +- tenantId +- clientCertPw +- webUserPw + +The https / tls certificates are stored in a keystore to which we might need a password. You can set it by value, by env variable, by envSecret, by envconfigMap or by secret (`.Values.ssl.keystoreSecret`). + +If you set it by secret, please have + +- keyPassword (`SERVER_SSL_KEYPASSWORD`) +- keystorePassword (`SERVER_SSL_KEYSTOREPASSWORD`) + +as keys in the secret. + diff --git a/charts/sharepoint/templates/clusteringress.tpl b/charts/sharepoint/templates/clusteringress.tpl new file mode 100644 index 0000000..074aee9 --- /dev/null +++ b/charts/sharepoint/templates/clusteringress.tpl @@ -0,0 +1,22 @@ +{{- include "nplus.init" $ -}} +{{- $name := (print .component.prefix "sharepoint-cluster") -}} +{{- if (.Values.clusterService).enabled }} +{{- if (.Values.clusterService).contextPath }} +{{- include "nplus.ingress" (list . $name) | nindent 0 }} + - path: {{ .Values.clusterService.contextPath }} + pathType: Prefix + backend: + service: + name: {{ $name }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: Ingress +# Not Generating any Ingress for {{ $name }} as the context Path is unset on component {{ .component.fullName }} +# clusterService: {{ .Values.clusterService }} +{{- end }} +{{- else }} +# kind: Ingress +# Not Generating any Ingress for {{ $name }} as the Cluster Service is not enabled on component {{ .component.fullName }} +# clusterService: {{ .Values.clusterService }} +{{- end }} \ No newline at end of file 
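Review bot: the nested guard at the top of clusteringress.tpl (`(.Values.clusterService).enabled`, then `(.Values.clusterService).contextPath`) is not the condition that networkpolicy.tpl, further down in this patch, uses to admit ingress-controller traffic. There the test is `or ( include "nplus.ingressEnabled" . ) ( (.Values.clusterService).contextPath )`, with no check of `enabled`. With `clusterService.enabled: false` and a `contextPath` still set, no cluster Ingress or Service is rendered, yet the NetworkPolicy includes `nplus.networkpolicy.allowFromIngress`. Suggest using the same pair of conditions in both templates so the allow rule only exists when the Ingress does. Smaller point in the same hunk: `path: {{ .Values.clusterService.contextPath }}` is rendered unquoted, while statefulset.tpl pipes the ingress context path through `quote`; quoting it here as well would be consistent.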
diff --git a/charts/sharepoint/templates/clusterservice.tpl b/charts/sharepoint/templates/clusterservice.tpl new file mode 100644 index 0000000..5415e89 --- /dev/null +++ b/charts/sharepoint/templates/clusterservice.tpl @@ -0,0 +1,33 @@ +{{- include "nplus.init" $ -}} +{{- $name := (print .component.prefix "sharepoint-cluster") -}} +{{- if (.Values.clusterService).enabled }} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ $name }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} +{{- else }} +# kind: Service +# Not Generating any Service for {{ $name }} as the Cluster Service is not enabled on component {{ .component.fullName }} +# clusterService: {{ .Values.clusterService }} +{{- end }} \ No newline at end of file diff --git a/charts/sharepoint/templates/component.tpl b/charts/sharepoint/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/sharepoint/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/sharepoint/templates/ingress.tpl b/charts/sharepoint/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/sharepoint/templates/ingress.tpl 
@@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/sharepoint/templates/networkpolicy.tpl b/charts/sharepoint/templates/networkpolicy.tpl new file mode 100644 index 0000000..35b47b3 --- /dev/null +++ b/charts/sharepoint/templates/networkpolicy.tpl @@ -0,0 +1,36 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + + {{- if or ( include "nplus.ingressEnabled" . ) ( (.Values.clusterService).contextPath ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + {{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/sharepoint/templates/pdb.tpl b/charts/sharepoint/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 
--- /dev/null +++ b/charts/sharepoint/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/sharepoint/templates/pvc.tpl b/charts/sharepoint/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/sharepoint/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/sharepoint/templates/service.tpl b/charts/sharepoint/templates/service.tpl new file mode 100644 index 0000000..e6b19bc --- /dev/null +++ b/charts/sharepoint/templates/service.tpl @@ -0,0 +1,32 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} \ No newline at end of file diff --git a/charts/sharepoint/templates/statefulset.tpl b/charts/sharepoint/templates/statefulset.tpl new file mode 100644 index 0000000..fa444f2 --- /dev/null 
+++ b/charts/sharepoint/templates/statefulset.tpl 
@@ -0,0 +1,422 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + +spec: + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + podManagementPolicy: OrderedReady + updateStrategy: + type: {{ .Values.updateStrategy | default "OnDelete" }} + minReadySeconds: 5 + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: sharepoint-connector + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + # -- Ceyoniq does currently not define an *official* startupProbe, so we use + # one that quickly checks the main socket on Layer 4. + startupProbe: + initialDelaySeconds: 10 + failureThreshold: 30 + periodSeconds: 10 + timeoutSeconds: 5 + httpGet: + path: '/actuator/health/liveness' + port: {{ ($.this.management).port }} + livenessProbe: + httpGet: + path: '/actuator/health/liveness' + port: {{ ($.this.management).port }} + # initialDelaySeconds: 10 + readinessProbe: + httpGet: + path: '/actuator/health/readiness' + port: {{ ($.this.management).port }} + # initialDelaySeconds: 10 + {{- end }} + + env: + + # -- Management Port Settings, for Probes + {{- include "nplus.env" (dict + "MANAGEMENT_SERVER_PORT" ($.this.management).port + "MANAGEMENT_SERVER_SSL_ENABLED" ($.this.management).ssl + "MANAGEMENT_SECURITY_ENABLED" ($.this.management).security + ) | nindent 10 }} + + # + # Service Settings + # + + - name: SERVER_SERVLET_CONTEXT_PATH + value: {{ .Values.ingress.contextPath | quote }} + + - name: LOGGING_CONFIG + value: "/opt/ceyoniq/sharepoint-connector/conf/log4j2.xml" + + {{- if ((.Values.ingress).ssl).keystore }} + - name: SERVER_SSL_KEYSTORE + value: {{ .Values.ingress.ssl.keystore | quote }} + {{- end }} + + {{- if or (($.this.security).zeroTrust) (eq .Values.ingress.backendProtocol "https") }} + - name: SERVER_SSL_ENABLED + value: "true" + - name: SERVER_PORT + value: {{ (.this.meta).ports.https | quote }} + - name: SERVER_SSL_KEYALIAS + value: "https" + + {{- if ((.Values.ingress).ssl).keystoreSecret }} + + - name: SERVER_SSL_KEYSTOREPASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.ingress.ssl.keystoreSecret }} + key: keystorePassword + + - name: SERVER_SSL_KEYPASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.ingress.ssl.keystoreSecret }} + key: keyPassword + + {{- else }} + + {{- if ((.Values.ingress).ssl).keystorePassword }} + - 
name: SERVER_SSL_KEYSTOREPASSWORD + value: {{ .Values.ingress.ssl.keystorePassword | quote }} + {{- end }} + {{- if ((.Values.ingress).ssl).keyPassword }} + - name: SERVER_SSL_KEYPASSWORD + value: {{ .Values.ingress.ssl.keyPassword | quote }} + {{- end }} + + {{- end }} + + {{- if ((.Values.ingress).ssl).keyAlias }} + - name: SERVER_SSL_KEYALIAS + value: {{ .Values.ingress.ssl.keyAlias | quote }} + {{- end }} + + {{- else }} + - name: SERVER_SSL_ENABLED + value: "false" + - name: SERVER_PORT + value: {{ (.this.meta).ports.http | quote }} + {{- end }} + + # + # NAPPL Settings + # + + {{- if ($.this.nappl).host }} + - name: HOST + value: {{ ($.this.nappl).host | quote }} + {{- end }} + {{- if ($.this.nappl).port }} + - name: PORT + value: {{ ($.this.nappl).port | quote }} + - name: USESSL + value: "{{ if ($.this.nappl).ssl }}true{{- else -}}false{{- end -}}" + {{- end }} + {{- if ($.this.nappl).instance }} + - name: INSTANCE + value: {{ ($.this.nappl).instance | quote }} + {{- end }} + + # -- setting the credentials for the technical user to access the application layer + {{- if ($.this.nappl).secret }} + # using a secret to get the functional nappl user for ILM + - name: NSCALEUSER + valueFrom: + secretKeyRef: + name: {{ ($.this.nappl).secret }} + key: account + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ ($.this.nappl).secret }} + key: password + - name: DOMAIN + valueFrom: + secretKeyRef: + name: {{ ($.this.nappl).secret }} + key: domain + + {{- else }} + + {{- if ($.this.nappl).account }} + # Account is defined in manifest. That is ok for dev environments, but you should + # switch to secrets for productive environments. + - name: NSCALEUSER + value: {{ ($.this.nappl).account }} + {{- else }} + # nappl user is not defined in manifest (and also no secret). Using the config file settings. + {{- end }} + + {{- if ($.this.nappl).password }} + # The password is defined in manifest. 
That is ok for dev environments, but you should + # switch to secrets for productive environments. + - name: PASSWORD + value: {{ ($.this.nappl).password }} + {{- else }} + # nappl password is not defined in manifest (and also no secret). Using the config file settings. + {{- end }} + + {{- if ($.this.nappl).domain }} + - name: DOMAIN + value: {{ ($.this.nappl).domain }} + {{- else }} + # nappl password is not defined in manifest (and also no secret). Using the config file settings. + {{- end }} + + {{- end }} + + {{- if (.Values.nappl).baseFolder }} + - name: BASEFOLDER + value: {{ .Values.nappl.baseFolder | quote }} + {{- end }} + + {{- if (.Values.nappl).docArea }} + - name: DOCAREA + value: {{ .Values.nappl.docArea | quote }} + {{- end }} + + # + # Service Settings + # + - name: DOINITIALCRAWL + value: {{ .Values.doInitialCrawl | quote }} + + {{- if .Values.parallelRequests }} + - name: PARALLELREQUESTS + value: {{ .Values.parallelRequests | quote }} + {{- end }} + + + # + # O365 AZURE SharePoint Settings + # + {{- if (.Values.sharepoint).doCheckOut }} + - name: DOCHECKOUT + value: {{ .Values.sharepoint.doCheckOut | quote }} + {{- end }} + {{- if (.Values.sharepoint).spHost }} + - name: SPHOST + value: {{ .Values.sharepoint.spHost | quote }} + {{- end }} + {{- if (.Values.sharepoint).triggerProperty }} + - name: TRIGGERPROPERTY + value: {{ .Values.sharepoint.triggerProperty | quote }} + {{- end }} + {{- if (.Values.sharepoint).serviceBusQueueName }} + - name: SERVICEBUSQUEUENAME + value: {{ .Values.sharepoint.serviceBusQueueName | quote }} + {{- end }} + {{- if (.Values.sharepoint).serviceBusConnectionString }} + - name: SERVICEBUSCONNECTIONSTRING + value: {{ .Values.sharepoint.serviceBusConnectionString | quote }} + {{- end }} + {{- if (.Values.sharepoint).serviceBusRetentionConnectionString }} + - name: SERVICEBUSRETENTIONCONNECTIONSTRING + value: {{ .Values.sharepoint.serviceBusRetentionConnectionString | quote }} + {{- end }} + {{- if 
(.Values.sharepoint).serviceBusRetentionQueueName }} + - name: SERVICEBUSRETENTIONQUEUENAME + value: {{ .Values.sharepoint.serviceBusRetentionQueueName | quote }} + {{- end }} + {{- if (.Values.sharepoint).serviceBusTopicNameConfigUpdate }} + - name: SERVICEBUSTOPICNAMECONFIGUPDATE + value: {{ .Values.sharepoint.serviceBusTopicNameConfigUpdate | quote }} + {{- end }} + + # + # O365 SharePoint Credentials + # + {{- if (.Values.sharepoint).secret }} + # using a secret to get the functional access to SharePoint + - name: TENANTID + valueFrom: + secretKeyRef: + name: {{ .Values.sharepoint.secret }} + key: tenantId + - name: CLIENTID + valueFrom: + secretKeyRef: + name: {{ .Values.sharepoint.secret }} + key: clientId + - name: WEBUSERPW + valueFrom: + secretKeyRef: + name: {{ .Values.sharepoint.secret }} + key: webUserPw + - name: CLIENTCERTPW + valueFrom: + secretKeyRef: + name: {{ .Values.sharepoint.secret }} + key: clientCertPw + + {{- else }} + + {{- if (.Values.sharepoint).tenantId }} + - name: TENANTID + value: {{ .Values.sharepoint.tenantId | quote }} + {{- end }} + {{- if (.Values.sharepoint).clientId }} + - name: CLIENTID + value: {{ .Values.sharepoint.clientId | quote }} + {{- end }} + {{- if (.Values.sharepoint).clientCertPw }} + - name: CLIENTCERTPW + value: {{ .Values.sharepoint.clientCertPw | quote }} + {{- end }} + {{- if (.Values.sharepoint).webUserPw }} + - name: WEBUSERPW + value: {{ .Values.sharepoint.webUserPw | quote }} + {{- end }} + + {{- end }} + + # + # nscale Connector Settings + # + {{- if (.Values.connector).sharePointCreatorPropertyName }} + - name: SHAREPOINTCREATORPROPERTYNAME + value: {{ .Values.connector.sharePointCreatorPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).sharePointCreatedPropertyName }} + - name: SHAREPOINTCREATEDPROPERTYNAME + value: {{ .Values.connector.sharePointCreatedPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).sharePointEditorPropertyName }} + - name: SHAREPOINTEDITORPROPERTYNAME 
+ value: {{ .Values.connector.sharePointEditorPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).sharePointEditedPropertyName }} + - name: SHAREPOINTEDITEDPROPERTYNAME + value: {{ .Values.connector.sharePointEditedPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).sharePointChangeTokenPropertyName }} + - name: SHAREPOINTCHANGETOKENPROPERTYNAME + value: {{ .Values.connector.sharePointChangeTokenPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).idPropertyName }} + - name: IDPROPERTYNAME + value: {{ .Values.connector.idPropertyName | quote }} + {{- end }} + + {{- if (.Values.connector).stubIdPropertyName }} + - name: STUBIDPROPERTYNAME + value: {{ .Values.connector.stubIdPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).stubListItemIdPropertyName }} + - name: STUBLISTITEMIDPROPERTYNAME + value: {{ .Values.connector.stubListItemIdPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).parentIdPropertyName }} + - name: PARENTIDPROPERTYNAME + value: {{ .Values.connector.parentIdPropertyName | quote }} + {{- end }} + + {{- if (.Values.connector).cTagPropertyName }} + - name: CTAGPROPERTYNAME + value: {{ .Values.connector.cTagPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).eTagPropertyName }} + - name: ETAGPROPERTYNAME + value: {{ .Values.connector.eTagPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).webUrlPropertyName }} + - name: WEBURLPROPERTYNAME + value: {{ .Values.connector.webUrlPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).listItemIdPropertyName }} + - name: LISTITEMIDPROPERTYNAME + value: {{ .Values.connector.listItemIdPropertyName | quote }} + {{- end }} + + {{- if (.Values.connector).nscaleRetentionPropertyName }} + - name: NSCALERETENTIONPROPERTYNAME + value: {{ .Values.connector.nscaleRetentionPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).nscaleExpirationPropertyName }} + - name: NSCALEEXPIRATIONPROPERTYNAME + 
value: {{ .Values.connector.nscaleExpirationPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).nscaleLegalHoldPropertyName }} + - name: NSCALELEGALHOLDPROPERTYNAME + value: {{ .Values.connector.nscaleLegalHoldPropertyName | quote }} + {{- end }} + {{- if (.Values.connector).nscaleLegalHidePropertyName }} + - name: NSCALELEGALHIDEPROPERTYNAME + value: {{ .Values.connector.nscaleLegalHidePropertyName | quote }} + {{- end }} + {{- if (.Values.connector).nscaleGdprRelevantPropertyName }} + - name: NSCALEGDPRRELEVANTPROPERTYNAME + value: {{ .Values.connector.nscaleGdprRelevantPropertyName | quote }} + {{- end }} + + {{- include "nplus.environment" . | nindent 8 }} + + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + # -- Setting the management port for the probes to use + - name: management + containerPort: {{ required "setting the management port is required for the probes" ($.this.management).port }} + protocol: TCP + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/sharepoint/values.schema.json b/charts/sharepoint/values.schema.json new file mode 100644 index 0000000..7c2c33f --- /dev/null +++ b/charts/sharepoint/values.schema.json 
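Review bot: in statefulset.tpl, the non-secret branch of the NAPPL credentials renders `value: {{ ($.this.nappl).account }}`, `value: {{ ($.this.nappl).password }}` and `value: {{ ($.this.nappl).domain }}` without `| quote`, unlike the other env values in this template. A password that is purely numeric, or that contains `#` or `: `, will render as a non-string scalar or as broken YAML, so all three should be piped through `quote`. Three further points on the same hunk. The `else` comment under the `domain` block still reads "nappl password is not defined", copied from the block above it. The README added in this patch tells users to set the keystore secret at `.Values.ssl.keystoreSecret`, but this template reads `.Values.ingress.ssl.keystoreSecret` (and likewise `keystorePassword`, `keyPassword`, `keyAlias` under `ingress.ssl`); one of the two needs to change, otherwise a secret configured as documented is never referenced. The startupProbe comment says it checks the main socket on Layer 4, while the probe defined below it is an `httpGet` on `/actuator/health/liveness`; either the comment or the probe type should be corrected.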
@@ -0,0 +1,1115 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + 
"title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/sharepoint/values.yaml b/charts/sharepoint/values.yaml new file mode 100644 index 0000000..8015b94 --- /dev/null +++ b/charts/sharepoint/values.yaml @@ -0,0 +1,517 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/nscale_spc" + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. 
This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +ssl: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + keyAlias: https + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + keyPassword: secret + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + keystorePassword: secret + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + keystoreSecret: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + keystore: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. 
This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/sharepoint-connector/temp" + - "/tmp" + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- Sets the path to the conf files + + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/sharepoint-connector/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/sharepoint-connector/bin/logs" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/sharepoint-connector/conf/apicert.pfx" + - "/opt/ceyoniq/sharepoint-connector/conf/apicert.pem" + - "/opt/ceyoniq/sharepoint-connector/conf/keystore.ks" + # -- Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: sharepoint-connector + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale + pullPolicy: IfNotPresent +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: sharepoint + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8098 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8498 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: sharepoint-connector + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. 
(see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- this is fix to 1 +# @ignore +replicaCount: 1 +sharepoint: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + spHost: https://example.com + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + serviceBusConnectionString: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + serviceBusQueueName: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + serviceBusRetentionConnectionString: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + serviceBusRetentionQueueName: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + serviceBusTopicNameConfigUpdate: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + triggerProperty: toBeArchived + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + doCheckOut: false + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + tenantId: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + clientId: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + clientCertPw: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + webUserPw: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + secret: +# -- The nscale Application Layer, this component should talk to 
+nappl: + # -- The base folder, this component should write to + baseFolder: + # -- The document area, this component should write to + docArea: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- toggle initial crawling. This value is mandatory. +doInitialCrawl: "false" +# -- amount of parallel requests +parallelRequests: 5 +connector: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + sharePointCreatorPropertyName: "SharePointCreator" + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + sharePointCreatedPropertyName: SharePointCreated + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + sharePointEditorPropertyName: SharePointEditor + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + sharePointEditedPropertyName: SharePointLastModified + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + sharePointChangeTokenPropertyName: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + idPropertyName: sharePointId + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + stubIdPropertyName: SharePointStubId + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + stubListItemIdPropertyName: SharePointStubListItemId + # -- Documentation pending until official release of 
*nscale SharePoint Connector* by *Ceyoniq* + parentIdPropertyName: sharePointParentId + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + cTagPropertyName: cTag + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + eTagPropertyName: eTag + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + webUrlPropertyName: sharePointWebUrl + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + listItemIdPropertyName: SharePointListItemId + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + nscaleRetentionPropertyName: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + nscaleExpirationPropertyName: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + nscaleLegalHoldPropertyName: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + nscaleLegalHidePropertyName: + # -- Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq* + nscaleGdprRelevantPropertyName: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. +env: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. 
+ cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: component + # -- adds extra Annotations to the service + annotations: +clusterService: + enabled: false + # -- set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances) + contextPath: +# # : +# # path: +# # volumeName: +# # subPath: + +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. +waitFor: +management: + # -- see mail from Manuel, 30.7.2024 + port: "18098" + # -- see mail from Manuel, 30.7.2024 + ssl: "false" + # -- see mail from Manuel, 30.7.2024 + security: "false" +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. 
This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/web/Chart.yaml b/charts/web/Chart.yaml new file mode 100644 index 0000000..75c776f --- /dev/null +++ b/charts/web/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-web +description: nscale Web, providing a modern Web UI to nscale users +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/web/README.md b/charts/web/README.md new file mode 100644 index 0000000..bdb69e0 --- /dev/null +++ b/charts/web/README.md 
@@ -0,0 +1,198 @@ + + +# nplus-component-web + +nscale Web, providing a modern Web UI to nscale users + +## tls / https + +nscale Web is **not** automatically enabling tls / https and also does currently **not** automatically generate a certificate for tls. + +However, the nplus Web Chart does, and stores it in `conf/keystore.jks`. Additionally, if there is no `server.xml` in the conf directory, nplus copies a custom `server.xml` to conf, that has tls enabled and references `conf/keystore.jks`. + +If you already have a running web componenent, and want to use tls with web, you will need to edit this file manually. See ITSMSD-8772. + +## nplus-component-web Chart Configuration + +You can customize / configure nplus-component-web by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. 
+In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. 
This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +authType | Set the authentication type login, basic, negotiate, implicit ntlmv2, kerberos | | +customizingMode | If this setting is enabled, layouts will update immediately when changes are made. It is no longer necessary to re-register or restart the service. If this setting is not activated, the automatic update of the metamodel is turned off. We recommend not using this setting in productive systems because it reduces system performance. | | +disableUsernamePassword | surpresses the login dialog | | +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"application-layer-web"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +immediateFederatedLogin | directly log in via identity providers | | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/nscale_web"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | `"XtConLoadBalancerSession"` | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. 
These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8090` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8453` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"web-client"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"web"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +metamodelMode | Refreshes the metamodel mode | | +minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/application-layer-web/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.defaultConfig | Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. Existing files are not overwritten. | `"{{ .component.fullName }}-defaultconfig"` | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
| | +**mounts**​.logs​.medium | the medium for the emptyDisk volume if you unset it, it drops it from the manifest | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-server/application-layer-web/apache/logs/"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"5Gi"` | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-server/application-layer-web/apache/work/Catalina/localhost", "/opt/ceyoniq/nscale-server/application-layer-web/apache/conf/Catalina/localhost", "/opt/ceyoniq/nscale-server/application-layer-web/apache/webapps", "/opt/ceyoniq/nscale-server/application-layer-web/apache/temp"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +oauthDomains | OAuth nscale domains | | +replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +sameSite | nscale SameSite Cookie Header | | +samlDomains | SAML nscale domains | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +smartCrossgrade | Enable Crossgrade for Smart Layouts | | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. | `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/web/templates/component.tpl b/charts/web/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/web/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} 
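Review bot: In the values table for the web chart, `image.tag` is documented with the default `"latest"`, while values.schema.json in this same commit gives the default `ubi.9.3.1300.2024121620`. Make the two agree and document the pinned tag, since a mutable `latest` default makes a deployment non-reproducible and hides which image actually ran. The `utils.includeNamespace` row shows `kubectl apply -n -f template.yaml` with the namespace argument missing, and the `nappl.password` row would be better worded to point at `nappl.secret` as the preferred way to pass the credentials. Typos to fix while here: `podDesruptionBudget`, `starndard`, `depricated`, `primaty`, `accunt`.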
diff --git a/charts/web/templates/defaultconfig.tpl b/charts/web/templates/defaultconfig.tpl new file mode 100644 index 0000000..24601f9 --- /dev/null +++ b/charts/web/templates/defaultconfig.tpl @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .component.fullName }}-defaultconfig + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +data: +{{- range $path, $bytes := .Files.Glob "defaultconfig/*" }} +{{- base $path | nindent 2 }}: | +{{- tpl ($.Files.Get $path) $ | nindent 4 }} +{{- end }} diff --git a/charts/web/templates/deployment.tpl b/charts/web/templates/deployment.tpl new file mode 100644 index 0000000..0b59c44 --- /dev/null +++ b/charts/web/templates/deployment.tpl 
@@ -0,0 +1,199 @@ +{{- include "nplus.init" $ -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + {{- if not .Values.autoScale }} + replicas: {{ .Values.replicaCount }} + {{- end }} + strategy: + type: {{ .Values.updateStrategy | default "RollingUpdate" }} + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + # nscale Web does not enable tls / https by default. + # TODO: observe ITSMSD-8772 + # So we need to perform the steps described in the manual to enable it. + # We will do this, if this is a new installation (and the keystore does not exist yet) + - name: enable-https + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + {{- include "nplus.initResources" . 
| nindent 8 }} + command: [ "/bin/sh", "-c" ] + args: + - | + set -e + KEYSTORE="/mnt/conf/keystore.jks" + KEYPASS="changeit" + + if [ ! -f "$KEYSTORE" ]; then + echo "Creating input for keytool" + cat << EOM > /tmp/keyinput + $KEYPASS + $KEYPASS + {{ .this.ingress.domain }} + Development Department + 42i GmbH + Bad Lippspringe + NRW + DE + yes + EOM + echo "Creating Keystore at $KEYSTORE using $KEYTOOL" + keytool -genkeypair -alias tomcat -keyalg RSA -keystore $KEYSTORE < /tmp/keyinput + else + echo "Keystore at $KEYSTORE already exists. Leaving as is." + fi + echo "Done." + volumeMounts: + - name: conf + subPath: {{ .component.storagePath | quote }} + mountPath: /mnt/conf + - name: temp + mountPath: /tmp + + containers: + - name: web-client + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . | nindent 8 }} + env: + {{- if ($.this.nappl).host }} + - name: NSCALE_HOST + value: {{ ($.this.nappl).host | quote }} + {{- end }} + {{- if ($.this.nappl).port }} + - name: NSCALE_PORT + value: {{ ($.this.nappl).port | quote }} + {{- end }} + {{- if ($.this.nappl).ssl }} + - name: NSCALE_SSL + value: {{ ($.this.nappl).ssl | quote }} + {{- end }} + {{- if ($.this.nappl).instance }} + - name: NSCALE_INSTANCE + value: {{ ($.this.nappl).instance | quote }} + {{- end }} + + - name: LOG4JCONFIGLOCATION + value: "../conf/log4j/nscale_stdout_log_conf.xml" + + {{- if .Values.metamodelMode }} + - name: REFRESH_METAMODEL_MODE + value: {{ .Values.metamodelMode | quote }} + {{- end }} + {{- if .Values.sameSite }} + - name: NSACLE_SAMESITE + value: {{ .Values.sameSite | quote }} + {{- end }} + {{- if .Values.disableUsernamePassword }} + - name: NSCALE_DISABLEUSERNAMEPASSWORD + value: {{ .Values.disableUsernamePassword | quote }} + {{- end }} + {{- if .Values.oauthDomains }} + - name: NSCALE_OAUTH_DOMAINS + value: {{ 
.Values.oauthDomains | quote }} + {{- end }} + {{- if .Values.samlDomains }} + - name: NSCALE_SAML_DOMAINS + value: {{ .Values.samlDomains | quote }} + {{- end }} + {{- if .Values.immediateFederatedLogin }} + - name: NSCALE_IMMEDIATE_FEDERATED_LOGIN + value: {{ .Values.immediateFederatedLogin | quote }} + {{- end }} + {{- if .Values.samlDomains }} + - name: NSCALE_ENABLE_SAML + value: {{ if .Values.samlDomains }}"true"{{ else }}"false"{{ end }} + {{- end }} + {{- if .Values.oauthDomains }} + - name: NSCALE_ENABLE_OAUTH + value: {{ if .Values.oauthDomains }}"true"{{ else }}"false"{{ end }} + {{- end }} + {{- if .Values.authType }} + - name: NSCALE_AUTHTYPE + value: {{ .Values.authType | quote }} + {{- end }} + {{- if .Values.authType }} + - name: NSCALE_SMART_CROSSGRADE + value: {{ .Values.smartCrossgrade | quote }} + {{- end }} + {{- if .Values.customizingMode }} + - name: NSCALE_CUSTOMIZINGMODE + value: {{ if .Values.customizingMode }}"true"{{ else }}"false"{{ end }} + {{- end }} + + {{ include "nplus.appDynamicsEnv" . | nindent 10 }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} + startupProbe: + httpGet: + path: /nscale_web/systemConfiguration.xml + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + initialDelaySeconds: 10 + failureThreshold: 30 + periodSeconds: 10 + timeoutSeconds: 5 + livenessProbe: + httpGet: + path: /nscale_web/systemConfiguration.xml + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + periodSeconds: 10 + timeoutSeconds: 2 + readinessProbe: + httpGet: + path: /nscale_web/systemConfiguration.xml + port: {{ include "nplus.backendPort" . }} + scheme: {{ include "nplus.backendProtocol" . | upper }} + periodSeconds: 10 + timeoutSeconds: 2 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . 
| nindent 8 }} + + {{- include "nplus.resources" . | nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + + diff --git a/charts/web/templates/ingress.tpl b/charts/web/templates/ingress.tpl new file mode 100644 index 0000000..32f7ef3 --- /dev/null +++ b/charts/web/templates/ingress.tpl @@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} diff --git a/charts/web/templates/networkpolicy.tpl b/charts/web/templates/networkpolicy.tpl new file mode 100644 index 0000000..a9f00aa --- /dev/null +++ b/charts/web/templates/networkpolicy.tpl 
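Review bot: In charts/web/templates/deployment.tpl, the `enable-https` init container hard-codes `KEYPASS="changeit"` and a fixed certificate subject, so every new installation gets a self-signed key in `/mnt/conf/keystore.jks` protected by the same well-known password. Read the password from a secret instead of the template, and let operators supply their own keystore or certificate rather than generating one on first start. The echo line in the same script prints `$KEYTOOL`, which is never set. In the `env` list, `NSCALE_SMART_CROSSGRADE` is guarded by `if .Values.authType` rather than `if .Values.smartCrossgrade`, so it is emitted with an empty value when only `authType` is set and skipped when only `smartCrossgrade` is set. `NSACLE_SAMESITE` looks like a misspelling of the `NSCALE_` prefix used by every other variable, so please check it against the name the image reads. The inner `if`/`else` in `NSCALE_ENABLE_SAML`, `NSCALE_ENABLE_OAUTH` and `NSCALE_CUSTOMIZINGMODE` repeats the outer condition, so the `"false"` branch can never render.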
@@ -0,0 +1,35 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + {{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }} +{{- end }} diff --git a/charts/web/templates/pdb.tpl b/charts/web/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/web/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/web/templates/pvc.tpl b/charts/web/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/web/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/web/templates/service.tpl b/charts/web/templates/service.tpl new file mode 100644 index 0000000..6bff67f --- /dev/null +++ b/charts/web/templates/service.tpl 
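Review bot: In charts/web/templates/networkpolicy.tpl, the whole policy is gated on `((.this.security).cni).createNetworkPolicy`, but the values table added in this commit documents only `security.containerSecurityContext`, `security.podSecurityContext` and `security.zeroTrust`, so nothing tells an operator that network isolation is opt-in or where to switch it on. Document the key and its default next to `security.zeroTrust`. Since `policyTypes` includes `Egress` and the only egress rule is `nplus.networkpolicy.allowToNappl`, also state in a template comment whether that helper covers DNS, because the pod is configured with a nappl host name.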
@@ -0,0 +1,34 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/web/values.schema.json b/charts/web/values.schema.json new file mode 100644 index 0000000..6a1a180 --- /dev/null +++ b/charts/web/values.schema.json 
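Review bot: In charts/web/templates/service.tpl, the Service is rendered unconditionally, although the values table documents `service.enabled` as the switch that turns the service (and with it the ingress) off. ingress.tpl wraps its output in `nplus.ingressEnabled`, but there is no matching guard here, so `service.enabled: false` would still leave the pods selectable through this Service unless `nplus.init` handles it. Wrap the manifest in a check on `.this.service.enabled`, or say in a comment where that is enforced. The comment above `clusterIP: None` would also read more clearly if it said that the headless setup is intentional and that the ingress reaches the pod endpoints directly.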
@@ -0,0 +1,909 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "authType": { + "default": "", + "description": "Set the authentication type login, basic, negotiate, implicit ntlmv2, kerberos", + "title": "authType" + }, + "customizingMode": { + "default": "", + "description": "If this setting is enabled, layouts will update immediately when changes are made. It is no longer necessary to re-register or restart the service. If this setting is not activated, the automatic update of the metamodel is turned off. We recommend not using this setting in productive systems because it reduces system performance.", + "title": "customizingMode" + }, + "disableUsernamePassword": { + "default": "", + "description": "surpresses the login dialog", + "title": "disableUsernamePassword" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer-web", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121620", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "immediateFederatedLogin": { + "default": "", + "description": "directly log in via identity providers", + "title": "immediateFederatedLogin" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + 
"backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_web", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "XtConLoadBalancerSession", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8090", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8453", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "web-client", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "web", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "metamodelMode": { + "default": "", + "description": "Refreshes the metamodel mode", + "title": "metamodelMode" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer-web/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "defaultConfig": { + "default": "{{ .component.fullName }}-defaultconfig", + "description": "Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. 
Existing files are not overwritten.", + "title": "defaultConfig" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the 
size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer-web/apache/logs/", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + 
"title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "oauthDomains": { + "default": "", + "description": "OAuth nscale domains", + "title": "oauthDomains" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "sameSite": { + "default": "", + "description": "nscale SameSite Cookie Header", + "title": "sameSite" + }, + "samlDomains": { + "default": "", + "description": "SAML nscale domains", + "title": "samlDomains" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "smartCrossgrade": { + "default": "", + "description": "Enable Crossgrade for Smart Layouts", + "title": "smartCrossgrade" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/web/values.yaml b/charts/web/values.yaml new file mode 100644 index 0000000..fcc4f21 --- /dev/null +++ b/charts/web/values.yaml @@ -0,0 +1,510 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: XtConLoadBalancerSession + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/nscale_web" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Sets the number of replicas in this replicaSet. +# Some Components (like nstl or sharepoint) only allow a count of 1. +replicaCount: 1 +# -- the update Strategy for this component. Normally, you can update all components +# rolling, except for nappl, where you need to follow the documented update procedures. +updateStrategy: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. 
Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - /opt/ceyoniq/nscale-server/application-layer-web/apache/work/Catalina/localhost + - /opt/ceyoniq/nscale-server/application-layer-web/apache/conf/Catalina/localhost + - /opt/ceyoniq/nscale-server/application-layer-web/apache/webapps + - /opt/ceyoniq/nscale-server/application-layer-web/apache/temp + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-server/application-layer-web/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-server/application-layer-web/apache/logs/" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "5Gi" + # -- the medium for the emptyDisk volume + # if you unset it, it drops it from the manifest + medium: + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- Sets a configMap with default configuration files that get copied + # to a new and empty container just before the template folder gets copied. + # Existing files are not overwritten. + defaultConfig: "{{ .component.fullName }}-defaultconfig" + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. 
However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. + generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. 
+ # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. + pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: application-layer-web + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: web + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8090 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8453 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: web-client + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. 
(see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Enable Crossgrade for Smart Layouts +smartCrossgrade: +# -- Refreshes the metamodel mode +metamodelMode: +# -- nscale SameSite Cookie Header +sameSite: +# -- surpresses the login dialog +disableUsernamePassword: +# -- OAuth nscale domains +oauthDomains: +# -- SAML nscale domains +samlDomains: +# -- directly log in via identity providers +immediateFederatedLogin: +# -- Set the authentication type +# login, basic, negotiate, implicit +# ntlmv2, kerberos +authType: +# -- If this setting is enabled, layouts will update immediately when changes are made. It is no longer necessary to re-register or restart the service. If this setting is not activated, the automatic update of the metamodel is turned off. +# We recommend not using this setting in productive systems because it reduces system performance. +customizingMode: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. 
+env: +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. 
+ # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: +# # : +# # path: +# # volumeName: +# # subPath: + +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. +waitFor: +# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as +# minAvailable, using the full component as selector. This is useful for components, that are +# using multiple replicas. +minReplicaCount: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. 
This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/charts/webdav/Chart.yaml b/charts/webdav/Chart.yaml new file mode 100644 index 0000000..abf0c37 --- /dev/null +++ b/charts/webdav/Chart.yaml @@ -0,0 +1,11 @@ +apiVersion: v2 +name: nplus-component-webdav +description: nscale WebDAV Connector, providing a standard WebDAV interface to the Instance +icon:  +type: application +dependencies: + - name: nplus-globals + alias: globals + version: "*-0" + repository: "file://../globals" +version: 1.0.0 diff --git a/charts/webdav/README.md b/charts/webdav/README.md new file mode 100644 index 0000000..c169a17 --- /dev/null +++ b/charts/webdav/README.md 
@@ -0,0 +1,183 @@ + + +# nplus-component-webdav + +nscale WebDAV Connector, providing a standard WebDAV interface to the Instance + +## Usage + +`https://empty.lab.nplus.cloud/dav/nscalealinst1/Sample` + +## nplus-component-webdav Chart Configuration + +You can customize / configure nplus-component-webdav by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. 
+ +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +env | Sets additional environment variables for the configuration. | | +envMap | Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container. | | +envSecret | Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container. | | +fullnameOverride | This overrides the output of the internal fullname function | | +**image**​.name | the name of the image to use | `"webdav-connector"` | +**image**​.pullSecrets | you can provide your own pullSecrets, in case you use a private repo. | `["nscale-cr", "nplus-cr"]` | +**image**​.repo | if you use a private repo, feel free to set it here | `"ceyoniq.azurecr.io/release/nscale"` | +**image**​.tag | the tag of the image to use | `"latest"` | +**ingress**​.annotations | Adds extra Annotations to the ingress | | +**ingress**​.backendProtocol | Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically. | `http`
`https` in zero trust mode | +**ingress**​.class | The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one | `public` | +**ingress**​.contextPath | The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts. | `"/dav"` | +**ingress**​.cookie | on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web | | +**ingress**​.deny | deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client. | | +**ingress**​.domain | Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here | | +**ingress**​.enabled | You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not. | `true` | +**ingress**​.namespace | Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list | "ingress, kube-system, ingress-nginx" | +**ingress**​.proxyReadTimeout | Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. | | +**ingress**​.secret | Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance | `{{ .this.ingress.domain }}-tls` | +**ingress**​.whitelist | optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers | | +**javaOpts**​.javaMaxMem | set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed | | +**javaOpts**​.javaMaxRamPercentage | set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any. | | +**javaOpts**​.javaMinMem | set the minimum memory, java will consume | | +**javaOpts**​.javaMisc | Any misc Java Options that need to be passed to the container | | +**meta**​.language | Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container. | `"java"` | +**meta**​.ports​.http | The http port this component uses (if any). In zero trust mode, this will be disabled.
this is a constant value of the component and should not be changed. | **info only**, do not change
`8088` | +**meta**​.ports​.https | The tls / https port, this component uses (if any)
this is a constant value of the component and should not be changed. | **info only**, do not change
`8488` | +**meta**​.provider | sets provider (partner, reseller) information to be able to invoice per use in a cloud environment | | +**meta**​.serviceContainer | The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any | `"webdav-connector"` | +**meta**​.stage | A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example) | | +**meta**​.tenant | sets tenant information to be able to invoice per use in a cloud environment | | +**meta**​.type | the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service. | `"webdav"` | +**meta**​.wave | Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation | | +minReplicaCount | if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas. | | +minReplicaCountType | if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer | | +**mounts**​.caCerts​.configMap | Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting | | +**mounts**​.caCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.configMap | Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting | | +**mounts**​.componentCerts​.secret | Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting | | +**mounts**​.conf​.path | Sets the path to the conf files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-webdav/conf"` | +**mounts**​.data​.class | Sets the class of the data disk | | +**mounts**​.data​.size | Sets the size of the data disk | | +**mounts**​.data​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.disk​.class | Sets the class of the disk | | +**mounts**​.disk​.enabled | enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk. | `false` | +**mounts**​.disk​.migration | Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten! | `false` | +**mounts**​.disk​.size | Sets the size of the disk | | +**mounts**​.disk​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.file​.class | Sets the class of the shared disk | | +**mounts**​.file​.size | Sets the size of the shared disk | | +**mounts**​.file​.volumeName | If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one | | +**mounts**​.generic | Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. | | +**mounts**​.logs​.path | Sets the path to the log files
do not change this value | **info only**, do not change
`"/opt/ceyoniq/nscale-webdav/logs"` | +**mounts**​.logs​.size | Sets the size of the log disk (all paths) | `"1Gi"` | +**mounts**​.temp​.paths | Sets a list of paths to the temporary files
do not change this value | **info only**, do not change
`["/opt/ceyoniq/nscale-webdav/temp", "/opt/ceyoniq/nscale-webdav/apache/temp", "/tmp"]` | +**mounts**​.temp​.size | Sets the size of the temporary disk (all paths) | `"1Gi"` | +nameOverride | This overrides the output of the internal name function | | +**nappl**​.account | The technical account to login with | | +**nappl**​.domain | The domain of the technical account | | +**nappl**​.host | nappl host name | | +**nappl**​.instance | instance of the Application Layer, likely `instance1` | | +**nappl**​.password | The password of the technical accunt (if not set by secret) | | +**nappl**​.port | nappl port (http 8080 or https 8443) | | +**nappl**​.secret | An optional secret that holds the credentials (the keys must be `account` and `password`) | | +**nappl**​.ssl | sets the Advanced Connect to tls | | +nodeSelector | select specific nodes for this component | | +replicaCount | Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1. | `1` | +**resources**​.limits​.cpu | The maximum allowed CPU for the container | | +**resources**​.limits​.memory | The maximum allowed RAM for the container | | +**resources**​.requests​.cpu | Set the share of guaranteed CPU to the container. | | +**resources**​.requests​.memory | Set the share of guaranteed RAM to the container | | +**security**​.containerSecurityContext​.allowPrivilegeEscalation | Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
you should not change this | **info only**, do not change
`false` | +**security**​.containerSecurityContext​.readOnlyRootFilesystem | sets the container root file system to read only. This should be the case in production environment
you should not change this | **info only**, do not change
`true` | +**security**​.podSecurityContext​.fsGroup | The file system group as which new files are created
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.podSecurityContext​.fsGroupChangePolicy | Under which condition should the fsGroup be changed
there is normally no need to change this | **info only**, do not change
`"OnRootMismatch"` | +**security**​.podSecurityContext​.runAsUser | The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security
there is normally no need to change this | **info only**, do not change
`1001` | +**security**​.zeroTrust | turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes | `false` | +**service**​.annotations | adds extra Annotations to the service | | +**service**​.enabled | enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress. | `true` | +**service**​.selector | The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type | `"component"` | +**telemetry**​.openTelemetry | turns Open Telemetry on | | +**telemetry**​.serviceName | Sets the service name for the telemetry service to more convenient identify the displayed component Example: "{{ .this.meta.type }}-{{ .instance.name }}" | | +**template**​.annotations | set additional annotations for pods | | +**template**​.labels | set additional labels for pods | | +terminationGracePeriodSeconds | Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults | | +timezone | set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc. | `Europe/Berlin` | +tolerations | Set tolerations for this component | | +updateStrategy | the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures. | | +**utils**​.debug | Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide | `false` | +**utils**​.disableWait | in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet. 
| `false` | +**utils**​.disableWave | If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet. | `false` | +**utils**​.includeNamespace | By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later | `true` | +**utils**​.maintenance | in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up. | `false` | +**utils**​.renderComments | You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD | `true` | +waitFor | Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed. | | + diff --git a/charts/webdav/templates/component.tpl b/charts/webdav/templates/component.tpl new file mode 100644 index 0000000..54ff97e --- /dev/null +++ b/charts/webdav/templates/component.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.component" . -}} diff --git a/charts/webdav/templates/deployment.tpl b/charts/webdav/templates/deployment.tpl new file mode 100644 index 0000000..79f8573 --- /dev/null +++ b/charts/webdav/templates/deployment.tpl 
@@ -0,0 +1,123 @@ +{{- include "nplus.init" $ -}} +# Component: {{ .component.chartName }} +# will connect to: +{{- if (.this.nappl).host }} +# nappl: {{ if ($.this.nappl).ssl -}}https{{- else -}}http{{- end -}}://{{ ($.this.nappl).host }}:{{ (.this.nappl).port }}/{{ (.this.nappl).instance }} +{{- else }} +# defined by config file in conf PV. +{{- end }} +# +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + +spec: + selector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + replicas: {{ .Values.replicaCount }} + strategy: + type: RollingUpdate + + template: + metadata: + labels: + {{- include "nplus.templateLabels" . | nindent 8 }} + annotations: + {{- include "nplus.templateAnnotations" . | nindent 8 }} + {{- include "nplus.securityAnnotations" . | nindent 8 }} + spec: + {{- include "nplus.imagePullSecrets" . | nindent 6 }} + {{- include "nplus.securityIllumioReadinessGates" . | nindent 6 }} + {{- include "nplus.podSecurityContext" . | nindent 6 }} + {{- include "nplus.templateAffinity" . | nindent 6 }} + {{- include "nplus.terminationGracePeriodSeconds" . | nindent 6 }} + + initContainers: + {{- include "nplus.waitFor" . | nindent 6 }} + {{- include "nplus.copyConfig" . | nindent 6 }} + + containers: + - name: webdav-connector + image: {{ include "nplus.image" (dict "global" .Values.global "image" .Values.image) }} + imagePullPolicy: {{ include "nplus.imagePullPolicy" .Values.image }} + {{- include "nplus.containerSecurityContext" . 
| nindent 8 }} + env: + + {{- if ($.this.nappl).host }} + - name: WEBDAV_AL_HOST + value: {{ ($.this.nappl).host | quote }} + {{- end }} + {{- if ($.this.nappl).port }} + - name: WEBDAV_AL_PORT + value: {{ ($.this.nappl).port | quote }} + {{- end }} + {{- if ($.this.nappl).ssl }} + - name: WEBDAV_AL_SSL + value: {{ ($.this.nappl).ssl | quote }} + {{- end }} + {{- if ($.this.nappl).instance }} + - name: WEBDAV_AL_INSTANCE + value: {{ ($.this.nappl).instance | quote }} + {{- end }} + + {{- include "nplus.environment" . | nindent 8 }} + + {{- if .this.utils.maintenance }} + {{- include "nplus.idle" . | nindent 8 }} + {{- else }} +# TODO Das hier funktioniert nicht. Es kommt eine 401 zurück. Das ist gut, wird aber als Fehler gesehen. +# Die Ceyoniq hat hier auch noch die Probe auskommentiert: +# https://github.com/ceyoniq/container/blob/main/kubernetes/kustomize/nscale/base/webdav-connector.yaml +# readinessProbe: +# httpGet: +# path: /dav +# port: 8088 +# initialDelaySeconds: 20 +# periodSeconds: 10 + # -- Ceyoniq does currently not define an *official* startupProbe, so we use + # one that quickly checks the main socket on Layer 4. + startupProbe: + initialDelaySeconds: 10 + failureThreshold: 30 + periodSeconds: 10 + timeoutSeconds: 5 + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # -- Ceyoniq does currently not define an *official* readynessProbe, so we use + # one that quickly checks the main socket on Layer 4. + readinessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 10 + periodSeconds: 10 + # -- Ceyoniq does currently not define an *official* livenessProbe, so we use + # one that quickly checks the main socket on Layer 4. + livenessProbe: + tcpSocket: + port: {{ include "nplus.backendPort" . }} + # initialDelaySeconds: 10 + periodSeconds: 10 + {{- end }} + + ports: + {{- include "nplus.defaultContainerPorts" . | nindent 8 }} + + {{- include "nplus.resources" . 
| nindent 8 }} + + volumeMounts: + {{- include "nplus.defaultMounts" . | nindent 8 }} + + volumes: + {{- include "nplus.defaultVolumes" . | nindent 6 }} + diff --git a/charts/webdav/templates/ingress.tpl b/charts/webdav/templates/ingress.tpl new file mode 100644 index 0000000..293d27f --- /dev/null +++ b/charts/webdav/templates/ingress.tpl @@ -0,0 +1,16 @@ +{{- include "nplus.init" $ -}} +{{- if ( include "nplus.ingressEnabled" . ) }} +{{- include "nplus.ingress" (list . .component.fullName) | nindent 0 }} + - path: {{ .Values.ingress.contextPath }} + pathType: Prefix + backend: + service: + name: {{ .component.fullName }} + port: + name: {{ include "nplus.backendProtocol" . }} +{{- else }} +# kind: ingress +# Not Generating any Ingress for {{ .component.fullName }} as +# Ingress = {{ .this.ingress }} +# Service = {{ .this.service }} +{{- end }} \ No newline at end of file diff --git a/charts/webdav/templates/networkpolicy.tpl b/charts/webdav/templates/networkpolicy.tpl new file mode 100644 index 0000000..149ce45 --- /dev/null +++ b/charts/webdav/templates/networkpolicy.tpl 
@@ -0,0 +1,35 @@ +{{- include "nplus.init" $ -}} +{{- if ((.this.security).cni).createNetworkPolicy }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ .component.fullName }} + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "nplus.selectorLabels" . | nindent 6 }} + + policyTypes: + - Ingress + - Egress + + ingress: + + {{- if ( include "nplus.ingressEnabled" . ) }} + {{- include "nplus.networkpolicy.allowFromIngress" . | nindent 2 }} + {{- end }} + {{- include "nplus.networkpolicy.allowFromAdmin" . | nindent 2 }} + {{- include "nplus.networkpolicy.allowFromMon" . | nindent 2 }} + + egress: + {{- include "nplus.networkpolicy.allowToNappl" . | nindent 2 }} +{{- end }} \ No newline at end of file diff --git a/charts/webdav/templates/pdb.tpl b/charts/webdav/templates/pdb.tpl new file mode 100644 index 0000000..ce31727 --- /dev/null +++ b/charts/webdav/templates/pdb.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.podDisruptionBudget" . -}} diff --git a/charts/webdav/templates/pvc.tpl b/charts/webdav/templates/pvc.tpl new file mode 100644 index 0000000..b79132a --- /dev/null +++ b/charts/webdav/templates/pvc.tpl @@ -0,0 +1,2 @@ +{{- include "nplus.init" $ -}} +{{- include "nplus.pvc" . }} diff --git a/charts/webdav/templates/service.tpl b/charts/webdav/templates/service.tpl new file mode 100644 index 0000000..babecac --- /dev/null +++ b/charts/webdav/templates/service.tpl 
@@ -0,0 +1,32 @@ +{{- include "nplus.init" $ -}} +apiVersion: v1 +kind: Service +metadata: + {{- if .this.utils.includeNamespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + name: {{ .component.fullName }} + labels: + {{- include "nplus.instanceLabels" . | nindent 4 }} + annotations: + {{- include "nplus.argoWave" . | nindent 4 }} + {{- include "nplus.annotations" . | nindent 4 }} + {{- include "nplus.securityAnnotations" . | nindent 4 }} + {{- include "nplus.serviceAnnotations" . | nindent 4 }} +spec: + # this is a "headless service", no cluster IP is defined + # as none of the internal components need to access this service, + # access is purely through an ingress if desired. + type: ClusterIP + clusterIP: None + ports: + {{- include "nplus.defaultServicePorts" . | nindent 4 }} + selector: + {{- if eq .this.service.selector "component" }} + {{- include "nplus.selectorLabels" . | nindent 4 }} + {{- else if eq .this.service.selector "type" }} + {{- include "nplus.selectorLabelsNc" . | nindent 4 }} + {{- else }} + {{- fail (printf "Unknown Service Selector Type: %s - must be component or type" .this.service.selector) }} + {{- end }} + diff --git a/charts/webdav/values.schema.json b/charts/webdav/values.schema.json new file mode 100644 index 0000000..06f0041 --- /dev/null +++ b/charts/webdav/values.schema.json 
@@ -0,0 +1,856 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "webdav-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": 
"ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024091609", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dav", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8088", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8488", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "webdav-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "webdav", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-webdav/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-webdav/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + 
"default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "type": "object" +} diff --git a/charts/webdav/values.yaml b/charts/webdav/values.yaml new file mode 100644 index 0000000..52c2f36 --- /dev/null +++ b/charts/webdav/values.yaml @@ -0,0 +1,428 @@ +# yaml-language-server: $schema=values.schema.json +# -- Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s) +ingress: + # -- You can toggle the ingress on wether you'd like this component + # to be reachable through an ingress or not. + enabled: true + # -- Overrides the default backend protocol. The default is http, + # unless in zeroTrust Mode, then it is switched to https automatically. + # @default -- `http`
`https` in zero trust mode + backendProtocol: + # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason + # Example: `/nscalealinst1(/\|$)(.*)` + # @internal -- This is an alpha feature - do not use it. + inputPath: + # -- defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason + # Example: `/nscalealinst1/$2` + # @internal -- This is an alpha feature - do not use it. + rewriteTarget: + # -- deny is used to exclude specific paths from public access, such as + # administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is + # the burlap protocol. The configuration service is the endpoint used by + # the Admin client. + deny: + # -- on component level, set cookie affinity for the ingress + # example: `XtConLoadBalancerSession` for nscale Web + cookie: + # -- Sets the name of the tls secret to be used for this ingress, that contains + # the private and public key. These secrets can optionally be provided by the instance + # @default -- `{{ .this.ingress.domain }}-tls` + secret: + # -- Sets the domain to be used. This domain should be provided by the instance globally + # for all components, but you are free to override it here + domain: + # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the + # instance, but you are free to override it here if this component should use a different class + # e.g. if you have separated ingress controllers, like a public and an internal one + # @default -- `public` + class: + # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated) + # from which ingress is allowed. This is an annotation for nginx, so won't work with other + # ingress controllers + whitelist: + # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy + # to allow traffic from this namespace to our pods. 
This may be a comma separated list + # @default -- "ingress, kube-system, ingress-nginx" + namespace: + # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the + # most though this is only a constant used in the scripts. + contextPath: "/dav" + # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set. + proxyReadTimeout: + # -- Adds extra Annotations to the ingress + annotations: +# -- Sets the number of replicas in this replicaSet. +# Some Components (like nstl or sharepoint) only allow a count of 1. +replicaCount: 1 +# -- the update Strategy for this component. Normally, you can update all components +# rolling, except for nappl, where you need to follow the documented update procedures. +updateStrategy: +# -- Security Section defining default runtime environment for your container +security: + podSecurityContext: + # -- The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context + # for security + # @internal -- there is normally no need to change this + runAsUser: 1001 + # -- The file system group as which new files are created + # @internal -- there is normally no need to change this + fsGroup: 1001 + # -- Under which condition should the fsGroup be changed + # @internal -- there is normally no need to change this + fsGroupChangePolicy: OnRootMismatch + containerSecurityContext: + # -- sets the container root file system to read only. This should be the case in production environment + # @internal -- you should not change this + readOnlyRootFilesystem: true + # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive + # @internal -- you should not change this + allowPrivilegeEscalation: false + # -- Capabilities this container should have. 
Only allow the necessity, and drop as many as possible + # @internal -- you should not change this + capabilities: + drop: + - ALL + # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes + # @default -- `false` + zeroTrust: +# # : +# # path: +# # volumeName: +# # subPath: + +mounts: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + temp: + # -- Sets the path to the temporary files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the temporary files + # @internal -- do not change this value + paths: + - "/opt/ceyoniq/nscale-webdav/temp" + - "/opt/ceyoniq/nscale-webdav/apache/temp" + - "/tmp" + # -- Sets the size of the temporary disk (all paths) + size: "1Gi" + # -- Sets the path to the conf files + + # -- The conf volume is a RWX volume mounted by the environment, that holds + # all configurations of all instances and components in this environment + conf: + # -- Sets the path to the conf files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-webdav/conf" + # -- Sets a list of paths to the conf files + # @internal -- do not change this value + paths: + # -- The log volume is used to take any left-over logging in the container. 
+ # The container should log to stdout, but if any component still tries to log to disk + # this disk needs to be writeable + logs: + # -- Sets the path to the log files + # @internal -- do not change this value + path: "/opt/ceyoniq/nscale-webdav/logs" + # -- Sets a list of paths to the log files + # @internal -- do not change this value + paths: + # -- Sets the size of the log disk (all paths) + size: "1Gi" + # -- some nscale Components require a license file and this + # defines it's location + license: + # -- Sets the path to the license files + # @internal -- do not change this value + path: + # -- If you want to use additional + # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the + # fonts directory from the environment pool + fonts: + # -- Sets the path to the fonts folder. + # @internal -- do not change this value + path: + # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to + # connect to alien services via https. If you have a self-signed root certificate, + # you can also add it here. + caCerts: + # -- Sets the path to the certs folder. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting + configMap: + # -- the java based nscale components have their own certificates, that you might want to upload. + # You can normally do so via the environment configuration, but should you want to use a secret, + # you can set it here + componentCerts: + # -- Sets the path to the component certs. + # @internal -- do not change this value + paths: + # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting + secret: + # -- Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting + configMap: + data: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the data disk + size: + # -- Sets the class of the data disk + class: + # -- Sets the path to the data files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + file: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- Sets the size of the shared disk + size: + # -- Sets the class of the shared disk + class: + # -- Sets the path to the shared files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the shared files + # @internal -- do not change this value + paths: + pool: + # -- Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. + # this is used to store scripts, apps and assets that are required to deploy an application / solution + # @internal -- do not change this value + path: + # -- The temp volume is used to hold any superflues and temporary data. + # it is deleted when the pod terminates. However, it is extremely important + # as all pods filesystems are read only + ptemp: + # -- Sets the path for temporary files that are persisted + # @internal -- do not change this value + path: + # -- Sets a list of paths for temporary files that are persisted + # @internal -- do not change this value + paths: + # -- Allows to define generic mounts of pre-provisioned PVs into any container. + # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. 
+ generic: + disk: + # -- Sets the size of the disk + size: + # -- Sets the class of the disk + class: + # -- Sets the path to the disk files + # @internal -- do not change this value + path: + # -- Sets a list of paths to the data files + # @internal -- do not change this value + paths: + # -- If you do not want to have a Volume created by the provisioner, + # you can set the name of your volume here to attach to this pre-existing one + volumeName: + # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk. + # In case of the (default) disabled, the paths will be added to the primaty data disk. + enabled: false + # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. + # This is done only once and only if there is legacy data at all. No files are overwritten! + migration: false +# -- Options for the Java VM +javaOpts: + # -- set the percentage of RAM, Java will use of the total. + # The total amount is the amount installed in the K8s Cluster Node, + # OR the Memory Limit set (see resources), if any. + javaMaxRamPercentage: + # -- set the minimum memory, java will consume + javaMinMem: + # -- set the maximum memory, java will consume. + # Attention: This is NOT the real maximum and it does not include any non Java memory. + # Please read google, as this is highly discussed + javaMaxMem: + # -- Any misc Java Options that need to be passed to the container + javaMisc: +# -- provide the image to be used for this component +image: + # -- you can provide your own pullSecrets, in case you use + # a private repo. 
+ pullSecrets: + - nscale-cr + - nplus-cr + # -- the name of the image to use + name: webdav-connector + # -- the tag of the image to use + tag: latest + # -- if you use a private repo, feel free to set it here + repo: ceyoniq.azurecr.io/release/nscale + pullPolicy: IfNotPresent +# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) +# etc. +# @default -- `Europe/Berlin` +timezone: +# -- defines internal constants for nplus. +# do not change these values +meta: + # -- the type of the component. You should not change this value, except if + # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* + # This type is used to create cluster communication for nappl and nstl and potentially + # group multiple replicaSets into one service. + type: webdav + # -- lists the ports this component exposes. This is important for zero trust mode and others. + ports: + # -- The http port this component uses (if any). In zero trust mode, this will be disabled. + # @internal -- this is a constant value of the component and should not be changed. + http: 8088 + # -- The tls / https port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + https: 8488 + # -- A potential tcp port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + tcp: + # -- A potential rmi port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. + rmi: + # -- A potential tls / tcps port, this component uses (if any) + # @internal -- this is a constant value of the component and should not be changed. 
+ tcps: + # -- sets tenant information to be able to invoice per use in a cloud environment + tenant: + # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment + provider: + # -- Sets the wave in which this component should be deployed within an ArgoCD deployment + # if unset, it uses the default wave thus all components are installed in one wave, then relying + # on correct wait settings just like in a helm installation + wave: + # -- Sets the language of the main service (in the *service* container). This is used for instance + # if you turn OpenTelemetry on, to know which Agent to inject into the container. + language: java + # -- The container name of the main service for this component. This is used to define where to + # inject the telemetry agents, if any + serviceContainer: webdav-connector + # -- A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment + # runs in. This can be used in template functions to add the stage to for instance the service name of + # telemetry services like open telemetry. (see telemetry example) + stage: + # -- This is the version of the component, used for display + # @internal -- set by devOps pipeline, so do not modify + componentVersion: +# -- Set tolerations for this component +tolerations: +# -- select specific nodes for this component +nodeSelector: +# -- Sets the name of a secret, which holds additional environment variables for +# the configuration. It is added as envFrom secretRef to the container. +envSecret: +# -- Sets the name of a configMap, which holds additional environment variables for +# the configuration. It is added as envFrom configMap to the container. +envMap: +# -- Sets additional environment variables for +# the configuration. 
+env: +# -- The nscale Application Layer, this component should talk to +nappl: + # -- nappl host name + host: + # -- nappl port (http 8080 or https 8443) + port: + # -- sets the Advanced Connect to tls + ssl: + # -- instance of the Application Layer, likely `instance1` + instance: + # -- The technical account to login with + account: + # -- The domain of the technical account + domain: + # -- The password of the technical accunt (if not set by secret) + password: + # -- An optional secret that holds the credentials (the keys must be `account` and `password`) + secret: +# -- Assigns hardware resources to container +resources: + # -- Requests are used to assign a minimum to a container. This is the guaranteed amount + requests: + # -- Set the share of guaranteed CPU to the container. + cpu: + # -- Set the share of guaranteed RAM to the container + memory: + # -- Limits the maximum resources + limits: + # -- The maximum allowed CPU for the container + cpu: + # -- The maximum allowed RAM for the container + memory: +# -- This overrides the output of the internal name function +nameOverride: +# -- This overrides the output of the internal fullname function +fullnameOverride: +utils: + # -- Turn debugging *on* will give you stack trace etc. + # Please check out the Chart Developer Guide + # @default -- `false` + debug: + # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It + # will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD + # @default -- `true` + renderComments: + # -- By default, the namespace is rendered into the manifest. 
However, if you want to use + # `helm template` and store manifests for later applying them to multiple namespaces, you might + # want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later + # @default -- `true` + includeNamespace: + # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the + # pods will start in idle, not starting the service at all. This will allow you to gain access to the container + # to perform recovery and maintenance tasks while having the real container up. + # @default -- `false` + maintenance: + # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components + # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components + # while previous waves are not finished yet. + # @default -- `false` + disableWave: + # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are + # only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might + # start components even if they are not intended to run yet. + # @default -- `false` + disableWait: +service: + # -- enables the service to be consumed by group components and a potential ingress + # Disabling the service also disables the ingress. + enabled: true + # -- The selector can be `component` or `type` + # *component* selects only pods that are in the replicaset. + # *type* selects any pod that has the given type + selector: "component" + # -- adds extra Annotations to the service + annotations: +# -- Defines a list of conditions that need to be met before this components starts. +# The condition must be a network port that opens, when the master component is ready. +# Mostly, this will be a service, since a component is only added to a service if the +# probes succeed. 
+waitFor: +# -- if you set minReplicaCount, a podDesruptionBudget will be created with this value as +# minAvailable, using the full component as selector. This is useful for components, that are +# using multiple replicas. +minReplicaCount: +# -- if you set minReplicaCountType, a podDesruptionBudget will be created with this value as +# minAvailable, using the component type as selector. This is useful for components, that are spread +# across multiple replicaSets, like sharepoint or storage layer +minReplicaCountType: +# -- provide extra settings for pod templates +template: + # -- set additional annotations for pods + annotations: + # -- set additional labels for pods + labels: +# -- Settings for telemetry tools +telemetry: + # -- turns Open Telemetry on + openTelemetry: + # -- Sets the service name for the telemetry service to more convenient + # identify the displayed component + # Example: "{{ .this.meta.type }}-{{ .instance.name }}" + serviceName: +# -- Sets the terminationGracePeriodSeconds for the component +# If not set, it uses the Kubernetes defaults +terminationGracePeriodSeconds: diff --git a/dsl/README.md b/dsl/README.md new file mode 100644 index 0000000..7eedafc --- /dev/null +++ b/dsl/README.md @@ -0,0 +1,38 @@ +# DSL + +https://structurizr.com/dsl + +# Strukturizr Lite + +``` +docker run -it --rm -p 8080:8080 -v $(pwd):/usr/local/structurizr structurizr/lite +``` + +# Export + +``` +https://github.com/structurizr/puppeteer +``` + +Install + +``` +brew install node +npm i puppeteer +``` + +Export + +``` +node export-diagrams.js http://localhost:8080/workspace/diagrams svg +``` + +## K8s Theme: + +https://structurizr.com/help/theme?url=https://static.structurizr.com/themes/kubernetes-v0.3/theme.json + + +## Shapes + +https://docs.structurizr.com/ui/diagrams/notation + diff --git a/dsl/adminserver.dsl b/dsl/adminserver.dsl new file mode 100644 index 0000000..5837ccf --- /dev/null +++ b/dsl/adminserver.dsl 
@@ -0,0 +1,32 @@ +adminserver = softwareSystem "nplus Remote Management Server" { + tags "nplus" + description "Layer 4 Proxy with RMS to simulate a classic environment to allow offline configuration" + + replicaset = Container "ReplicaSet" "StatefulSet Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "RMS Container" "Container Template with official Image" { + technology "Java" + tags "nplus" + -> nplus.confpvc "mount global Instance conf" + -> nstlA.svc "remote Administration" + -> nstlB.svc "remote Administration" + -> rs.svc "remote Administration" + -> nappl.svc "remote Administration" + -> nappljobs.svc "remote Administration" + -> pipelinercm.svc "remote Administration" + -> pipelinerac.svc "remote Administration" + -> ilm.svc "remote Administration" + -> cmis.svc "remote Administration" + -> mon.svc "remote Administration" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + l3lb = Container "LoadBalancer Service" "Kubernetes Service with Layer 3 Load Balancer" { + technology "Kubernetes" + this -> replicaset.main "balance Layer 3 traffic" +} +} \ No newline at end of file diff --git a/dsl/application.dsl b/dsl/application.dsl new file mode 100644 index 0000000..bcb4bd9 --- /dev/null +++ b/dsl/application.dsl @@ -0,0 +1,16 @@ +application = softwareSystem "Application" { + description "Initialize Document Areas and (Re-) Import Generic Base Apps when updates occur" + tags "nplus" + job = Container "Job" "PostSync Job" { + technology "Kubernetes" + tags "Kubernetes - job" + + main = component "NAPPL Container" "Container Template with official Image Running AppInstaller" { + technology "Java" + tags "nscale" + -> nappljobs.svc "consume" "Advanced Connect Protocol Adapter" + -> nplus.confpvc "mount pool" + } + !include "waitFor.dsl" + } +} \ No newline at end of file diff --git a/dsl/clusterService.dsl b/dsl/clusterService.dsl new file mode 100644 index 0000000..48fb732 --- /dev/null 
+++ b/dsl/clusterService.dsl @@ -0,0 +1,13 @@ +clusterService = element "nscale Cluster Service" { + tags "Kubernetes - svc" + description "selects all cluster members, nappl and pipeliner" + -> nappl "discover" + -> nappljobs "discover" + -> pipelinercm "discover" +} +nappl.replicaset.main -> nappljobs.replicaset.main "cluster communication" +nappl.replicaset.main -> pipelinercm.replicaset.pl "cluster communication" +nappljobs.replicaset.main -> nappl.replicaset.main "cluster communication" +nappljobs.replicaset.main -> pipelinercm.replicaset.pl "cluster communication" +pipelinercm.replicaset.pl -> nappl.replicaset.main "cluster communication" +pipelinercm.replicaset.pl -> nappljobs.replicaset.main "cluster communication" diff --git a/dsl/cmis.dsl b/dsl/cmis.dsl new file mode 100644 index 0000000..cad9b00 --- /dev/null +++ b/dsl/cmis.dsl @@ -0,0 +1,18 @@ +cmis = softwareSystem "nscale CMIS Connector" { + tags "nscale" + replicaset = Container "ReplicaSet" "StatefulSet with default Replica 2" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "CMIS Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nappl.svc "consume" "Advanced Connect Protocol Adapter" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + !include "ingress.dsl" +} \ No newline at end of file diff --git a/dsl/copyConf.dsl b/dsl/copyConf.dsl new file mode 100644 index 0000000..82c16ec --- /dev/null +++ b/dsl/copyConf.dsl @@ -0,0 +1,6 @@ +copyConf = component "init:copyConfig" "Init-Container that extracts the initial configuration from the main component and copies it to the central config git share" { + technology "bash" + tags "nplus" + -> nplus.confpvc "mount etc" + main -> this "copy initial config" +} diff --git a/dsl/dataPvc.dsl b/dsl/dataPvc.dsl new file mode 100644 index 0000000..66b2d75 --- /dev/null +++ b/dsl/dataPvc.dsl 
@@ -0,0 +1,4 @@ +datapvc = Container "Data Volume" "Persistent Volume Claim for a fast RWO Data Volume" { + technology "PVC" + tags "Kubernetes - pvc" +} diff --git a/dsl/database.dsl b/dsl/database.dsl new file mode 100644 index 0000000..a9210cd --- /dev/null +++ b/dsl/database.dsl @@ -0,0 +1,11 @@ +database = softwareSystem "Database" { + tags "Database" + replicaset = Container "ReplicaSet" "StatefulSet with Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "Postgres Container" "Container Template with official Image" { + } + } + !include "service.dsl" +} \ No newline at end of file diff --git a/dsl/environment.dsl b/dsl/environment.dsl new file mode 100644 index 0000000..9594ff8 --- /dev/null +++ b/dsl/environment.dsl @@ -0,0 +1,27 @@ +nplus = softwareSystem "nplus Environment" { + tags "nplus" + description "provides global configuration git and web ui" + toolbox = Container "nplus Toolbox"{ + tags "Kubernetes - sts, nplus" + description "provides Tools for Admin Tasks" + } + davserver = Container "nplus DAV Server"{ + tags "Kubernetes - sts, nplus" + description "provides Config DAV Access for Admins to upload snippets etc." + } + operator = Container "nplus Operator"{ + tags "Kubernetes - sts, nplus" + description "controlls the nplus Custom Resources and provides status information for instances and components" + } + confpvc = Container "conf" { + tags "Kubernetes - pvc" + description "common store for file based configuration data, versioned in git" + toolbox -> this "attach" + davserver -> this "attach" + } + Container "nstore Downloader" { + description "cron Job downloading Apps from nstore" + tags "Kubernetes - cronjob, nplus" + -> confpvc "pool" + } +} diff --git a/dsl/export/c_nplus-key.svg b/dsl/export/c_nplus-key.svg new file mode 100644 index 0000000..a76e3ff --- /dev/null +++ b/dsl/export/c_nplus-key.svg 
@@ -0,0 +1 @@ +Kubernetes - cronjob,nplusKubernetes - pvcKubernetes - sts, nplusnplusPersonrichclient, nscaleRelationship \ No newline at end of file diff --git a/dsl/export/c_nplus.svg b/dsl/export/c_nplus.svg new file mode 100644 index 0000000..96b92b5 --- /dev/null +++ b/dsl/export/c_nplus.svg @@ -0,0 +1 @@ +Tuesday, December 19, 2023 at 8:42 AM Central European Standard Timethe Environment handles multiple Inances running in a Kubernetes Namespacenplus EnvironmentApplication[Software System]Initialize Document Areas and (Re-)Import Generic Base Apps whenupdates occurnplus AdministratorServer[Software System]Layer 4 Proxy with RMS to simulatea classic environment to allowoffline configurationnscale Administrator[Software System]Eclipse RCP Administrator Clientnplus Environment[Software System]nplus Toolbox[Container]provides Tools for Admin Tasksnplus DAV Server[Container]provides Config DAV Access forAdmins to upload snippets etc.conf[Container]common store for file basedconfiguration data, versioned in gitnstore Downloader[Container]cron Job downloading Apps fromnstoreAdmin[Person]Maintains and Operates theEnvironmentuseRemove link.Link options.mount poolRemove vertex.Remove link.Link options.attachRemove link.Link options.attachRemove link.Link options.mount globalInstance confRemove vertex.Remove link.Link options.poolRemove link.Link options.mountRemove link.Link options.useRemove link.Link options.RemoteManagement[RMS and https Protocols]Remove link.Link options. \ No newline at end of file diff --git a/dsl/export/export-diagrams.js b/dsl/export/export-diagrams.js new file mode 100644 index 0000000..3c2849d --- /dev/null +++ b/dsl/export/export-diagrams.js 
@@ -0,0 +1,152 @@ +const puppeteer = require('puppeteer'); +const fs = require('fs'); + +const FILENAME_SUFFIX = ''; + +const PNG_FORMAT = 'png'; +const SVG_FORMAT = 'svg'; + +const IGNORE_HTTPS_ERRORS = true; +const HEADLESS = true; + +const IMAGE_VIEW_TYPE = 'Image'; + +if (process.argv.length < 4) { + console.log("Usage: [username] [password]") + process.exit(1); +} + +const url = process.argv[2]; +const format = process.argv[3]; + +if (format !== PNG_FORMAT && format !== SVG_FORMAT) { + console.log("The output format must be ' + PNG_FORMAT + ' or ' + SVG_FORMAT + '."); + process.exit(1); +} + +var username; +var password; + +if (process.argv.length > 3) { + username = process.argv[4]; + password = process.argv[5]; +} + +var expectedNumberOfExports = 0; +var actualNumberOfExports = 0; + +(async () => { + const browser = await puppeteer.launch({ignoreHTTPSErrors: IGNORE_HTTPS_ERRORS, headless: HEADLESS}); + const page = await browser.newPage(); + + if (username !== undefined && password !== undefined) { + // sign in + const parts = url.split('://'); + const signinUrl = parts[0] + '://' + parts[1].substring(0, parts[1].indexOf('/')) + '/dashboard'; + console.log(' - Signing in via ' + signinUrl); + + await page.goto(signinUrl, { waitUntil: 'networkidle2' }); + await page.type('#username', username); + await page.type('#password', password); + await page.keyboard.press('Enter'); + await page.waitForSelector('div#dashboard'); + } + + // visit the diagrams page + console.log(" - Opening " + url); + await page.goto(url, { waitUntil: 'domcontentloaded' }); + await page.waitForFunction('structurizr.scripting && structurizr.scripting.isDiagramRendered() === true'); + + if (format === PNG_FORMAT) { + // add a function to the page to save the generated PNG images + await page.exposeFunction('savePNG', (content, filename) => { + console.log(" - " + filename); + content = content.replace(/^data:image\/png;base64,/, ""); + fs.writeFile(filename, content, 'base64', function 
(err) { + if (err) throw err; + }); + + actualNumberOfExports++; + + if (actualNumberOfExports === expectedNumberOfExports) { + console.log(" - Finished"); + browser.close(); + } + }); + } + + // get the array of views + const views = await page.evaluate(() => { + return structurizr.scripting.getViews(); + }); + + views.forEach(function(view) { + if (view.type === IMAGE_VIEW_TYPE) { + expectedNumberOfExports++; // diagram only + } else { + expectedNumberOfExports++; // diagram + expectedNumberOfExports++; // key + } + }); + + console.log(" - Starting export"); + for (var i = 0; i < views.length; i++) { + const view = views[i]; + + await page.evaluate((view) => { + structurizr.scripting.changeView(view.key); + }, view); + + await page.waitForFunction('structurizr.scripting.isDiagramRendered() === true'); + + if (format === SVG_FORMAT) { + const diagramFilename = FILENAME_SUFFIX + view.key + '.svg'; + const diagramKeyFilename = FILENAME_SUFFIX + view.key + '-key.svg' + + var svgForDiagram = await page.evaluate(() => { + return structurizr.scripting.exportCurrentDiagramToSVG({ includeMetadata: true }); + }); + + console.log(" - " + diagramFilename); + fs.writeFile(diagramFilename, svgForDiagram, function (err) { + if (err) throw err; + }); + actualNumberOfExports++; + + if (view.type !== IMAGE_VIEW_TYPE) { + var svgForKey = await page.evaluate(() => { + return structurizr.scripting.exportCurrentDiagramKeyToSVG(); + }); + + console.log(" - " + diagramKeyFilename); + fs.writeFile(diagramKeyFilename, svgForKey, function (err) { + if (err) throw err; + }); + actualNumberOfExports++; + } + + if (actualNumberOfExports === expectedNumberOfExports) { + console.log(" - Finished"); + browser.close(); + } + } else { + const diagramFilename = FILENAME_SUFFIX + view.key + '.png'; + const diagramKeyFilename = FILENAME_SUFFIX + view.key + '-key.png' + + page.evaluate((diagramFilename) => { + structurizr.scripting.exportCurrentDiagramToPNG({ includeMetadata: true, crop: false }, 
function(png) { + window.savePNG(png, diagramFilename); + }) + }, diagramFilename); + + if (view.type !== IMAGE_VIEW_TYPE) { + page.evaluate((diagramKeyFilename) => { + structurizr.scripting.exportCurrentDiagramKeyToPNG(function(png) { + window.savePNG(png, diagramKeyFilename); + }) + }, diagramKeyFilename); + } + } + } + +})(); \ No newline at end of file diff --git a/dsl/export/export-documentation.js b/dsl/export/export-documentation.js new file mode 100644 index 0000000..b06db44 --- /dev/null +++ b/dsl/export/export-documentation.js 
@@ -0,0 +1,63 @@ +const puppeteer = require('puppeteer'); +const fs = require('fs'); + +const FILENAME_SUFFIX = ''; + +const IGNORE_HTTPS_ERRORS = true; +const HEADLESS = true; + +if (process.argv.length < 3) { + console.log("Usage: [username] [password]") + process.exit(1); +} + +const url = process.argv[2]; + +var username; +var password; + +if (process.argv.length > 2) { + username = process.argv[3]; + password = process.argv[4]; +} + +(async () => { + const browser = await puppeteer.launch({ignoreHTTPSErrors: IGNORE_HTTPS_ERRORS, headless: HEADLESS}); + const page = await browser.newPage(); + + if (username !== undefined && password !== undefined) { + // sign in + const parts = url.split('://'); + const signinUrl = parts[0] + '://' + parts[1].substring(0, parts[1].indexOf('/')) + '/dashboard'; + console.log(' - Signing in via ' + signinUrl); + + await page.goto(signinUrl, { waitUntil: 'networkidle2' }); + await page.type('#username', username); + await page.type('#password', password); + await page.keyboard.press('Enter'); + await page.waitForSelector('div#dashboard'); + } + + // visit the documentation page + console.log(" - Opening " + url); + await page.goto(url, { waitUntil: 'domcontentloaded' }); + await page.waitForFunction('structurizr.scripting && structurizr.scripting.isDocumentationRendered() === true'); + + await page.exposeFunction('saveHtml', (content) => { + const filename = FILENAME_SUFFIX + 'documentation.html'; + console.log(" - Writing " + filename); + fs.writeFile(filename, content, 'utf8', function (err) { + if (err) throw err; + }); + + console.log(" - Finished"); + browser.close(); + }); + + await page.evaluate(() => { + return structurizr.scripting.exportDocumentationToOfflineHtmlPage(function(html) { + saveHtml(html); + }); + }); + +})(); \ No newline at end of file diff --git a/dsl/export/sc_nappl-key.svg b/dsl/export/sc_nappl-key.svg new file mode 100644 index 0000000..e20aafe --- /dev/null +++ b/dsl/export/sc_nappl-key.svg 
@@ -0,0 +1 @@ +DatabaseElementKubernetes - crdKubernetes - dsKubernetes - svcnplusnscaleRelationship \ No newline at end of file diff --git a/dsl/export/sc_nappl.svg b/dsl/export/sc_nappl.svg new file mode 100644 index 0000000..66d9fb5 --- /dev/null +++ b/dsl/export/sc_nappl.svg 
@@ -0,0 +1 @@ +Tuesday, December 19, 2023 at 8:42 AM Central European Standard Timefocus on nscale Application Layer[System Context] nscale Application LayerKubernetes Cluster-Namespace-Kubernetes IngressController[Software System]Layer 7 Load BalancerCert Manager ClusterIssuer[Software System]provides certificatesInstance-nplus Environment[Software System]provides global configuration gitand web uiDatabase[Software System]-nscale Application Layer Cluster-nscale Rendition Server[Software System]-nscale ILM Connector[Software System]-nscale Application LayerWeb[Software System]provides html web ui for nscalenplus AdministratorServer[Software System]Layer 4 Proxy with RMS to simulatea classic environment to allowoffline configurationnscale Pipeliner AC[Software System]Pipeliner im AC Modusnscale CMIS Connector[Software System]-nscale MonitoringConsole[Software System]provides monitoring for all nscalecomponentsnscale Storage Layer[Software System]-nscale Application Layer[Software System]Provides DMS and BPMFunctionalitynscale Pipeliner CM[Software System]Pipeliner im Core Modusnscale Application Layer(Jobs)[Software System]-nscale Cluster Service-selects all cluster members,nappl and pipelinerSAP[Software System]SAP ServerIdentity Provider[Software System]Provider or Broker for IdentityInformation and SSO Servicescreate renditionsRemove vertex.Remove vertex.Remove link.Link options.monitorRemove vertex.Remove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove link.Link options.remoteAdministrationRemove vertex.Remove vertex.Remove vertex.Remove vertex.Remove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove link.Link options.consume SNC[SAP SNC Access]Remove vertex.Remove vertex.Remove link.Link options.discoverRemove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove link.Link 
options.remoteAdministrationRemove link.Link options.ProvideCertificateRemove link.Link options.Authorize[Single Sign On with optional Multi Factor]Remove vertex.Remove link.Link options.mount confRemove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.monitorRemove link.Link options.mount globalInstance confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.create renditionsRemove vertex.Remove vertex.Remove vertex.Remove vertex.Remove link.Link options.remoteAdministrationRemove link.Link options.ProvideConfigurationRemove vertex.Remove vertex.Remove link.Link options.store documentsRemove vertex.Remove link.Link options.mount etcRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.monitorRemove link.Link options.monitorRemove link.Link options.remoteAdministrationRemove vertex.Remove vertex.Remove vertex.Remove vertex.Remove link.Link options.discoverRemove link.Link options.consume[Advanced Connector Protocol Adapter]Remove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove vertex.Remove link.Link options.ProvideConfigurationRemove link.Link options.consume AL[SAP Archive Link Protocol]Remove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove vertex.Remove link.Link options.store documentsRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.remoteAdministrationRemove link.Link options.store metadataRemove vertex.Remove vertex.Remove link.Link options.store metadataRemove vertex.Remove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options.store documentsRemove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove link.Link 
options.ProvideConfigurationRemove link.Link options.monitorRemove vertex.Remove vertex.Remove link.Link options.monitorRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.consume[Advanced Connect Protocol Adapter]Remove vertex.Remove link.Link options.monitorRemove link.Link options.discoverRemove link.Link options.Import[Periodic Import of Account / Group Information via LDAP]Remove link.Link options.ProvideConfigurationRemove vertex.Remove link.Link options.ProvideCertificateRemove link.Link options.mount confRemove vertex.Remove vertex.Remove link.Link options.remoteAdministrationRemove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.mount etcRemove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove link.Link options.remoteAdministrationRemove link.Link options.mount confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options.consume[Advanced Connect Protocol Adapter]Remove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options.consume[Advaced Connect Protocol Adapter]Remove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove link.Link options.monitorRemove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove link.Link options.monitorRemove vertex.Remove vertex.Remove link.Link options.consume ILM[SAP Information Lifecycle Management Protocol]Remove vertex.Remove link.Link options.create 
renditionsRemove vertex.Remove link.Link options.remoteAdministrationRemove vertex.Remove vertex.Remove link.Link options.store metadataRemove link.Link options.mount confRemove vertex.Remove vertex.Remove link.Link options.remoteAdministrationRemove link.Link options.create renditionsRemove vertex.Remove vertex.Remove link.Link options. \ No newline at end of file diff --git a/dsl/export/sc_sap-key.svg b/dsl/export/sc_sap-key.svg new file mode 100644 index 0000000..2fbdb08 --- /dev/null +++ b/dsl/export/sc_sap-key.svg @@ -0,0 +1 @@ +ElementKubernetes - dsnscaleRelationship \ No newline at end of file diff --git a/dsl/export/sc_sap.svg b/dsl/export/sc_sap.svg new file mode 100644 index 0000000..f884c6a --- /dev/null +++ b/dsl/export/sc_sap.svg @@ -0,0 +1 @@ +Tuesday, December 19, 2023 at 8:42 AM Central European Standard Timefocus on SAP[System Context] SAPKubernetes Cluster-Kubernetes IngressController[Software System]Layer 7 Load BalancerNamespace-Instance-nscale Application Layer Cluster-nscale Application Layer[Software System]Provides DMS and BPMFunctionalitySAP[Software System]SAP Serverconsume ILM[SAP Information Lifecycle Management Protocol]Remove vertex.Remove link.Link options.consume AL[SAP Archive Link Protocol]Remove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove link.Link options.consume SNC[SAP SNC Access]Remove vertex.Remove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove link.Link options. \ No newline at end of file diff --git a/dsl/export/sc_web-key.svg b/dsl/export/sc_web-key.svg new file mode 100644 index 0000000..7806e81 --- /dev/null +++ b/dsl/export/sc_web-key.svg @@ -0,0 +1 @@ +Kubernetes - crdKubernetes - dsnplusnscaleRelationship \ No newline at end of file diff --git a/dsl/export/sc_web.svg b/dsl/export/sc_web.svg new file mode 100644 index 0000000..3c09893 --- /dev/null +++ b/dsl/export/sc_web.svg 
@@ -0,0 +1 @@ +Tuesday, December 19, 2023 at 8:42 AM Central European Standard Timefocus on nscale Web[System Context] nscale Application Layer WebKubernetes Cluster-Namespace-Kubernetes IngressController[Software System]Layer 7 Load BalancerCert Manager ClusterIssuer[Software System]provides certificatesInstance-nplus Environment[Software System]provides global configuration gitand web uinscale Application LayerWeb[Software System]provides html web ui for nscalenscale Application Layer Cluster-nscale MonitoringConsole[Software System]provides monitoring for all nscalecomponentsnscale Application Layer[Software System]Provides DMS and BPMFunctionalitymount etcRemove vertex.Remove vertex.Remove link.Link options.consume[Advanced Connector Protocol Adapter]Remove link.Link options.monitorRemove vertex.Remove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove link.Link options.ProvideCertificateRemove link.Link options.ProvideConfigurationRemove vertex.Remove link.Link options.mount confRemove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove vertex.Remove link.Link options.monitorRemove link.Link options.mount confRemove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options. \ No newline at end of file diff --git a/dsl/export/sl_all-key.svg b/dsl/export/sl_all-key.svg new file mode 100644 index 0000000..edd2ed6 --- /dev/null +++ b/dsl/export/sl_all-key.svg @@ -0,0 +1 @@ +DatabaseElementKubernetes - crdKubernetes - dsKubernetes - svcmobileclient, nscalenplusnscalePersonrichclient, nscalewebclient, nscaleRelationship \ No newline at end of file diff --git a/dsl/export/sl_all.svg b/dsl/export/sl_all.svg new file mode 100644 index 0000000..b7426a2 --- /dev/null +++ b/dsl/export/sl_all.svg 
@@ -0,0 +1 @@ +Tuesday, December 19, 2023 at 8:42 AM Central European Standard Timeshows all LandscapeOverviewKubernetes Cluster-Namespace-Kubernetes IngressController[Software System]Layer 7 Load BalancerCert Manager ClusterIssuer[Software System]provides certificatesInstance-nplus Environment[Software System]provides global configuration gitand web uinscale ILM Connector[Software System]-nscale Application LayerWeb[Software System]provides html web ui for nscaleApplication[Software System]Initialize Document Areas and (Re-)Import Generic Base Apps whenupdates occurnscale Pipeliner AC[Software System]Pipeliner im AC Modusnplus AdministratorServer[Software System]Layer 4 Proxy with RMS to simulatea classic environment to allowoffline configurationnscale CMIS Connector[Software System]-nscale Application Layer Cluster-nscale Storage Layer[Software System]-Database[Software System]-nscale Rendition Server[Software System]-nscale MonitoringConsole[Software System]provides monitoring for all nscalecomponentsnscale Cluster Service-selects all cluster members,nappl and pipelinernscale Application Layer[Software System]Provides DMS and BPMFunctionalitynscale Pipeliner CM[Software System]Pipeliner im Core Modusnscale Application Layer(Jobs)[Software System]-3rd Party Software[Software System]Any Application with Access Rightsnscale Mobile[Software System]Rich Mobile Clientnscale Cockpit[Software System]Rich Windows Clientnscale Web[Software System]Thin Web ClientIdentity Provider[Software System]Provider or Broker for IdentityInformation and SSO ServicesUser[Person]uses the Business Applicationsrunning in the EnvironmentAdmin[Person]Maintains and Operates theEnvironmentSAP[Software System]SAP Servernscale Administrator[Software System]Eclipse RCP Administrator Clientcreate renditionsRemove vertex.Remove vertex.Remove link.Link options.monitorRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove link.Link 
options.remoteAdministrationRemove vertex.Remove vertex.Remove vertex.Remove vertex.Remove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove link.Link options.consume SNC[SAP SNC Access]Remove vertex.Remove vertex.Remove link.Link options.https/nscalealinst1Remove vertex.Remove link.Link options.AC[nscale Advanced Connect API]Remove vertex.Remove link.Link options.discoverRemove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove link.Link options.ProvideCertificateRemove link.Link options.remoteAdministrationRemove link.Link options.Authorize[Single Sign On with optional Multi Factor]Remove vertex.Remove link.Link options.useRemove link.Link options.mount confRemove vertex.Remove link.Link options.useRemove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.https/nscalealinst1Remove link.Link options.CMIS REST[cmis REST API]Remove vertex.Remove link.Link options.https/nscale_webRemove vertex.Remove link.Link options.Pipeliner DAV[DAV Payload Dropoff Service]Remove vertex.Remove link.Link options.monitorRemove link.Link options.mount globalInstance confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.create renditionsRemove vertex.Remove vertex.Remove vertex.Remove vertex.Remove link.Link options.remoteAdministrationRemove link.Link options.consume[Advanced Connect Protocol Adapter]Remove link.Link options.ProvideConfigurationRemove vertex.Remove vertex.Remove link.Link options.store documentsRemove vertex.Remove link.Link options.mount etcRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.monitorRemove vertex.Remove link.Link options.monitorRemove link.Link options.remoteAdministrationRemove vertex.Remove vertex.Remove vertex.Remove vertex.Remove vertex.Remove link.Link 
options.discoverRemove vertex.Remove vertex.Remove link.Link options.consume[Advanced Connector Protocol Adapter]Remove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options.consume AL[SAP Archive Link Protocol]Remove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove vertex.Remove link.Link options.authenticateRemove vertex.Remove link.Link options.store documentsRemove vertex.Remove vertex.Remove link.Link options.remoteAdministrationRemove link.Link options.store metadataRemove vertex.Remove vertex.Remove link.Link options.RemoteManagement[RMS and https Protocols]Remove vertex.Remove link.Link options.store metadataRemove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options.store documentsRemove vertex.Remove link.Link options.balance Layer 7trafficRemove link.Link options.ProvideConfigurationRemove vertex.Remove link.Link options.monitorRemove vertex.Remove vertex.Remove link.Link options.monitorRemove vertex.Remove vertex.Remove vertex.Remove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.REST[nscale REST API]Remove vertex.Remove link.Link options.consume[Advanced Connect Protocol Adapter]Remove link.Link options.monitorRemove link.Link options.discoverRemove vertex.Remove link.Link options.Import[Periodic Import of Account / Group Information via LDAP]Remove link.Link options.ProvideConfigurationRemove vertex.Remove vertex.Remove link.Link options.ProvideCertificateRemove link.Link options.useRemove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove link.Link options.CMIS SOAP[cmis SOAP API]Remove vertex.Remove link.Link options.remoteAdministrationRemove vertex.Remove link.Link options.mount 
confRemove vertex.Remove vertex.Remove link.Link options.ProvideConfigurationRemove vertex.Remove vertex.Remove link.Link options.mount etcRemove vertex.Remove link.Link options.balance Layer 7trafficRemove link.Link options.remoteAdministrationRemove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.balance Layer 7trafficRemove vertex.Remove vertex.Remove link.Link options.consume[Advaced Connect Protocol Adapter]Remove vertex.Remove link.Link options.consume[Advanced Connect Protocol Adapter]Remove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove link.Link options.monitorRemove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.ProvideCertificateRemove vertex.Remove vertex.Remove link.Link options.useRemove link.Link options.ProvideCertificateRemove vertex.Remove link.Link options.monitorRemove vertex.Remove link.Link options.consume ILM[SAP Information Lifecycle Management Protocol]Remove vertex.Remove link.Link options.create renditionsRemove vertex.Remove link.Link options.mountRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.remoteAdministrationRemove vertex.Remove vertex.Remove link.Link options.mount poolRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.store metadataRemove vertex.Remove link.Link options.mount confRemove vertex.Remove vertex.Remove vertex.Remove link.Link options.remoteAdministrationRemove link.Link options.create renditionsRemove vertex.Remove link.Link options. \ No newline at end of file diff --git a/dsl/export/sl_nappl-key.svg b/dsl/export/sl_nappl-key.svg new file mode 100644 index 0000000..525c370 --- /dev/null +++ b/dsl/export/sl_nappl-key.svg 
@@ -0,0 +1 @@ +ElementnscaleRelationship \ No newline at end of file diff --git a/dsl/export/sl_nappl.svg b/dsl/export/sl_nappl.svg new file mode 100644 index 0000000..e3a5eb6 --- /dev/null +++ b/dsl/export/sl_nappl.svg @@ -0,0 +1 @@ +Tuesday, December 19, 2023 at 8:42 AM Central European Standard Timethe Application Layer Cluster and peripheral servicesnscale Application LayerKubernetes Cluster-Namespace-Instance-nscale Application Layer Cluster-nscale Pipeliner AC[Software System]Pipeliner im AC Modusnscale Pipeliner CM[Software System]Pipeliner im Core Modusnscale Application Layer[Software System]Provides DMS and BPMFunctionalitynscale Application Layer(Jobs)[Software System]-Identity Provider[Software System]Provider or Broker for IdentityInformation and SSO ServicesImport[Periodic Import of Account / Group Information via LDAP]Remove link.Link options.clustercommunicationRemove vertex.Remove vertex.Remove link.Link options.Authorize[Single Sign On with optional Multi Factor]Remove vertex.Remove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options.clustercommunicationRemove vertex.Remove vertex.Remove link.Link options.consume[Advaced Connect Protocol Adapter]Remove link.Link options.clustercommunicationRemove vertex.Remove link.Link options. \ No newline at end of file diff --git a/dsl/export/sl_user-key.svg b/dsl/export/sl_user-key.svg new file mode 100644 index 0000000..6944f71 --- /dev/null +++ b/dsl/export/sl_user-key.svg @@ -0,0 +1 @@ +Elementmobileclient, nscalenscalePersonwebclient, nscaleRelationship \ No newline at end of file diff --git a/dsl/export/sl_user.svg b/dsl/export/sl_user.svg new file mode 100644 index 0000000..6ee651f --- /dev/null +++ b/dsl/export/sl_user.svg 
@@ -0,0 +1 @@ +Tuesday, December 19, 2023 at 8:42 AM Central European Standard Timeshows how endusers are working with the systemUser Accessnscale Cockpit[Software System]Rich Windows Clientnscale Web[Software System]Thin Web ClientIdentity Provider[Software System]Provider or Broker for IdentityInformation and SSO ServicesUser[Person]uses the Business Applicationsrunning in the Environmentnscale Mobile[Software System]Rich Mobile ClientuseRemove link.Link options.useRemove link.Link options.useRemove link.Link options.authenticateRemove link.Link options. \ No newline at end of file diff --git a/dsl/filePvc.dsl b/dsl/filePvc.dsl new file mode 100644 index 0000000..0f6df34 --- /dev/null +++ b/dsl/filePvc.dsl @@ -0,0 +1,4 @@ +filepvc = Container "File Volume" "Persistent Volume Claim for a shared RWX File Volume" { + technology "PVC" + tags "Kubernetes - pvc" +} diff --git a/dsl/ilm.dsl b/dsl/ilm.dsl new file mode 100644 index 0000000..9d092c6 --- /dev/null +++ b/dsl/ilm.dsl @@ -0,0 +1,19 @@ +ilm = softwareSystem "nscale ILM Connector" { + tags "nscale" + + replicaset = Container "ReplicaSet" "StatefulSet with default Replica 2" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "ILM Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nappl.svc "consume" "Advanced Connect Protocol Adapter" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + !include "ingress.dsl" +} \ No newline at end of file diff --git a/dsl/ingress.dsl b/dsl/ingress.dsl new file mode 100644 index 0000000..d11b45c --- /dev/null +++ b/dsl/ingress.dsl 
@@ -0,0 +1,13 @@ +certificate = Container "Certificate" "https Certificate" { + tags "Kubernetes - crd" + technology "Kubernetes" + clusterIssuer -> this "Provide Certificate" +} +ingress = Container "Ingress" "Layer 7 Ingress Configuration" { + tags "Kubernetes - ing" + technology "Kubernetes" + this -> ingressController "Provide Configuration" + certificate -> this "use" +} +ingressController -> replicaset.main "balance Layer 7 traffic" +svc -> ingressController "provide Pod IPs" \ No newline at end of file diff --git a/dsl/license.dsl b/dsl/license.dsl new file mode 100644 index 0000000..b7e6733 --- /dev/null +++ b/dsl/license.dsl @@ -0,0 +1,3 @@ +license = component "license" "nscale License Secret" { + tags "Kubernetes - secret" +} \ No newline at end of file diff --git a/dsl/mon.dsl b/dsl/mon.dsl new file mode 100644 index 0000000..4cb650c --- /dev/null +++ b/dsl/mon.dsl @@ -0,0 +1,30 @@ +mon = softwareSystem "nscale Monitoring Console" { + tags "nscale" + description "provides monitoring for all nscale components" + !include "dataPvc.dsl" + replicaset = Container "ReplicaSet" "StatefulSet with Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "MON Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> datapvc "mount data" + -> nplus.confpvc "mount etc" + + -> nappl "monitor" + -> nappljobs "monitor" + -> nstlA "monitor" + -> nstlB "monitor" + -> cmis "monitor" + -> ilm "monitor" + -> pipelinercm "monitor" + -> pipelinerac "monitor" + -> web "monitor" + -> rs "monitor" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" +} \ No newline at end of file diff --git a/dsl/nappl.dsl b/dsl/nappl.dsl new file mode 100644 index 0000000..bd76eae --- /dev/null +++ b/dsl/nappl.dsl 
@@ -0,0 +1,25 @@ +nappl = softwareSystem "nscale Application Layer" { + tags "nscale" + description "Provides DMS and BPM Functionality" + replicaset = Container "ReplicaSet" "StatefulSet with default Replica 2" { + technology "Kubernetes" + tags "Kubernetes - sts" + + !include "license.dsl" + main = component "NAPPL Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nstlA.svc "store documents" + -> nstlB.svc "store documents" + -> database.svc "store metadata" + -> rs.svc "create renditions" + -> license "read" + -> sap "replicate" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + !include "ingress.dsl" +} \ No newline at end of file diff --git a/dsl/nappljobs.dsl b/dsl/nappljobs.dsl new file mode 100644 index 0000000..3895012 --- /dev/null +++ b/dsl/nappljobs.dsl @@ -0,0 +1,22 @@ +nappljobs = softwareSystem "nscale Application Layer (Jobs)" { + tags "nscale" + replicaset = Container "ReplicaSet" "StatefulSet Replica 1 dedicated to Jobs" { + technology "Kubernetes" + tags "Kubernetes - sts" + + !include "license.dsl" + main = component "NAPPL Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nstlA.svc "store documents" + -> nstlB.svc "store documents" + -> database.svc "store metadata" + -> rs.svc "create renditions" + -> license "read" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" +} \ No newline at end of file diff --git a/dsl/nstl.dsl b/dsl/nstl.dsl new file mode 100644 index 0000000..b85a04a --- /dev/null +++ b/dsl/nstl.dsl 
@@ -0,0 +1,53 @@ +nstl = group "nstl" { +nstlA = softwareSystem "nscale Storage Layer A" { + tags "nscale" + !include "dataPvc.dsl" + replicaset = Container "ReplicaSet" "StatefulSet with fix Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + !include "license.dsl" + main = component "NSTL Container" "Container Template with official Image" { + technology "C++" + tags "nscale" + -> datapvc "mount arc" + -> datapvc "mount ret" + -> datapvc "mount HD" + -> datapvc "mount da" + -> nplus.confpvc "mount etc" + -> license "read" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" +} + +nstlB = softwareSystem "nscale Storage Layer B" { + tags "nscale" + !include "dataPvc.dsl" + replicaset = Container "ReplicaSet" "StatefulSet with fix Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + !include "license.dsl" + main = component "NSTL Container" "Container Template with official Image" { + technology "C++" + tags "nscale" + -> datapvc "mount arc" + -> datapvc "mount ret" + -> datapvc "mount HD" + -> datapvc "mount da" + -> nplus.confpvc "mount etc" + -> license "read" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" +} + +nstlA -> nstlB "forward DA and Document" +nstlB -> nstlA "forward DA and Document" + +} \ No newline at end of file diff --git a/dsl/pam.dsl b/dsl/pam.dsl new file mode 100644 index 0000000..1d08f7e --- /dev/null +++ b/dsl/pam.dsl 
@@ -0,0 +1,18 @@ +pam = softwareSystem "nscale Process Automation Modeler" { + tags "nscale" + description "provides modeling for workflows" + replicaset = Container "ReplicaSet" "StatefulSet with Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "PAM Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nappl.svc "consume" "Advanced Connector Protocol Adapter" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" +} \ No newline at end of file diff --git a/dsl/pipelinerac.dsl b/dsl/pipelinerac.dsl new file mode 100644 index 0000000..7815ea4 --- /dev/null +++ b/dsl/pipelinerac.dsl @@ -0,0 +1,24 @@ +pipelinerac = softwareSystem "nscale Pipeliner AC" "Pipeliner im AC Modus" { + tags "nscale" + !include "dataPvc.dsl" + replicaset = Container "ReplicaSet" "StatefulSet with Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + !include "license.dsl" + main = component "WebDAV Container" "Sidecar Container Template with WebDAV Image" { + tags "nplus" + } + pl = component "Pipeliner Container" "Container Template with official Image" { + tags "nscale" + -> nplus.confpvc "mount conf" + -> nappl.svc "consume" "Advaced Connect Protocol Adapter" + -> rs.svc "create renditions" + -> license "read" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + !include "ingress.dsl" +} diff --git a/dsl/pipelinercm.dsl b/dsl/pipelinercm.dsl new file mode 100644 index 0000000..745f470 --- /dev/null +++ b/dsl/pipelinercm.dsl 
@@ -0,0 +1,26 @@ +pipelinercm = softwareSystem "nscale Pipeliner CM" "Pipeliner im Core Modus" { + tags "nscale" + !include "dataPvc.dsl" + replicaset = Container "ReplicaSet" "StatefulSet with Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + !include "license.dsl" + main = component "WebDAV Container" "Sidecar Container Template with WebDAV Image" { + tags "nplus" + } + pl = component "Pipeliner Container" "Container Template with official Image" { + tags "nscale" + -> nplus.confpvc "mount conf" + -> nstlA.svc "store documents" + -> nstlB.svc "store documents" + -> database.svc "store metadata" + -> rs.svc "create renditions" + -> license "read" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + !include "ingress.dsl" +} diff --git a/dsl/rs.dsl b/dsl/rs.dsl new file mode 100644 index 0000000..9f280d7 --- /dev/null +++ b/dsl/rs.dsl @@ -0,0 +1,21 @@ +rs = softwareSystem "nscale Rendition Server" { + tags "nscale" + !include "filePvc.dsl" + replicaset = Container "ReplicaSet" "StatefulSet with default Replica 2" { + technology "Kubernetes" + tags "Kubernetes - sts" + + !include "license.dsl" + main = component "RS Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> filepvc "mount workspace" + -> license "read" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + !include "ingress.dsl" +} \ No newline at end of file diff --git a/dsl/service.dsl b/dsl/service.dsl new file mode 100644 index 0000000..e612ab4 --- /dev/null +++ b/dsl/service.dsl @@ -0,0 +1,5 @@ +svc = Container "Service" "Kubernetes Service with Layer 4 Load Balancer" { + technology "Kubernetes" + tags "Kubernetes - svc" + this -> replicaset.main "balance Layer 4 traffic" +} \ No newline at end of file diff --git a/dsl/sharepoint.dsl b/dsl/sharepoint.dsl new file mode 100644 index 0000000..b48f3e7 --- /dev/null +++ b/dsl/sharepoint.dsl 
@@ -0,0 +1,40 @@ +sharepoint = group "sharepoint" { +sharepointA = softwareSystem "nscale SharePoint Connector A" { + tags "nscale" + replicaset = Container "ReplicaSet" "StatefulSet with fix Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "SharePoint Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nappl.svc "consume" "Advanced Connector Protocol Adapter" + -> sharepoint "consume" "SharePoint API" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" +} + +sharepointB = softwareSystem "nscale SharePoint Connector B" { + tags "nscale" + replicaset = Container "ReplicaSet" "StatefulSet with fix Replica 1" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "SharePoint Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nappl.svc "consume" "Advanced Connector Protocol Adapter" + -> sharepoint "consume" "SharePoint API" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" +} + +} \ No newline at end of file diff --git a/dsl/views.dsl b/dsl/views.dsl new file mode 100644 index 0000000..911fdb8 --- /dev/null +++ b/dsl/views.dsl 
@@ -0,0 +1,49 @@ +SystemLandscape "sl_all" "Overview" { + title "Overview" + description "shows all Landscape" + include * + autoLayout +} + +systemContext web "sc_web" "focus on nscale Web" { + include * + autoLayout +} + +systemLandscape "sc_nstl" "focus on nscale Server Storage Layer" { + include nstl + autoLayout +} + +systemContext nappl "sc_nappl" "focus on nscale Application Layer" { + include * + autoLayout +} + +systemContext sap "sc_sap" "focus on SAP" { + include * + autoLayout +} + +SystemLandscape "sl_user" "focus on the end user" { + title "User Access" + description "shows how endusers are working with the system" + include user webclient cockpitclient mobileclient idp + autoLayout +} + +SystemLandscape "sl_nappl" "focus on nappl" { + title "nscale Application Layer" + description "the Application Layer Cluster and peripheral services" + include nappl nappljobs pipelinercm pipelinerac idp + autoLayout lr +} + +container nplus "c_nplus" "nplus Environment" { + title "nplus Environment" + description "the Environment handles multiple Inances running in a Kubernetes Namespace" + include * adminclient + exclude rs nappl nappljobs pipelinercm pipelinerac mon nstl web cmis ilm + autolayout +} + diff --git a/dsl/waitFor.dsl b/dsl/waitFor.dsl new file mode 100644 index 0000000..f3ca392 --- /dev/null +++ b/dsl/waitFor.dsl @@ -0,0 +1,5 @@ +waitFor = component "init:waitFor" "Init-Container that waits for any given preqequisite" { + technology "bash" + tags "nplus" + main -> this "waitFor" +} diff --git a/dsl/web.dsl b/dsl/web.dsl new file mode 100644 index 0000000..1b2894f --- /dev/null +++ b/dsl/web.dsl 
@@ -0,0 +1,19 @@ +web = softwareSystem "nscale Application Layer Web" { + tags "nscale" + description "provides html web ui for nscale" + replicaset = Container "ReplicaSet" "StatefulSet with default Replica 2" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "WEB Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nappl.svc "consume" "Advanced Connector Protocol Adapter" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + !include "ingress.dsl" +} \ No newline at end of file diff --git a/dsl/webdav.dsl b/dsl/webdav.dsl new file mode 100644 index 0000000..f654e6e --- /dev/null +++ b/dsl/webdav.dsl @@ -0,0 +1,18 @@ +webdav = softwareSystem "nscale WEBDAV Connector" { + tags "nscale" + replicaset = Container "ReplicaSet" "StatefulSet with default Replica 2" { + technology "Kubernetes" + tags "Kubernetes - sts" + + main = component "WEBDAV Container" "Container Template with official Image" { + technology "Java" + tags "nscale" + -> nplus.confpvc "mount conf" + -> nappl.svc "consume" "Advanced Connect Protocol Adapter" + } + !include "copyConf.dsl" + !include "waitFor.dsl" + } + !include "service.dsl" + !include "ingress.dsl" +} \ No newline at end of file diff --git a/dsl/workspace.dsl b/dsl/workspace.dsl new file mode 100644 index 0000000..1395404 --- /dev/null +++ b/dsl/workspace.dsl 
@@ -0,0 +1,170 @@ +workspace { + !identifiers hierarchical + + model { + properties { + "structurizr.groupSeparator" "/" + } + + /* ************************************************************** + * Services and Components running in the K8s cluster * + ************************************************************** */ + + group "Kubernetes Cluster" { + ingressController = softwareSystem "Kubernetes Ingress Controller" "Layer 7 Load Balancer" "Kubernetes - ds" + clusterIssuer = softwareSystem "Cert Manager Cluster Issuer" "provides certificates" "Kubernetes - crd" + group "Namespace" { + !include "environment.dsl" + group "Instance" { + !include "database.dsl" + !include "rs.dsl" + !include "nstl.dsl" + group "nscale Application Layer Cluster" { + !include "nappl.dsl" + !include "nappljobs.dsl" + !include "pipelinercm.dsl" + !include "clusterService.dsl" + } + !include "web.dsl" + !include "pipelinerac.dsl" + !include "cmis.dsl" + !include "webdav.dsl" + !include "ilm.dsl" + !include "mon.dsl" + !include "pam.dsl" + !include "sharepoint.dsl" + + !include "adminserver.dsl" + !include "application.dsl" + } + } + } + + /* ************************************************************** + * Client Applications, accessing the Services and Components * + ************************************************************** */ + + adminclient = softwareSystem "nscale Administrator" "Eclipse RCP Administrator Client" { + tags "richclient, nscale" + -> adminserver.l3lb "Remote Management" "RMS and https Protocols" + } + mobileclient = softwareSystem "nscale Mobile" "Rich Mobile Client" { + tags "mobileclient, nscale" + -> ingressController "https /nscalealinst1" + } + cockpitclient = softwareSystem "nscale Cockpit" "Rich Windows Client" { + tags "richtclient, nscale" + -> ingressController "https /nscalealinst1" + } + webclient = softwareSystem "nscale Web" "Thin Web Client" { + tags "webclient, nscale" + -> ingressController "https /nscale_web" + } + + + + /* 
************************************************************** + * Users running the clients above * + ************************************************************** */ + + user = person "User" { + description "uses the Business Applications running in the Environment" + -> mobileclient "use" + -> cockpitclient "use" + -> webclient "use" + } + admin = person "Admin" { + description "Maintains and Operates the Environment" + -> adminclient "use" + -> nplus.davserver "mount" + -> nplus.toolbox "use" + } + + + /* ************************************************************** + * 3rd Party Applications accessing the Services and Components * + ************************************************************** */ + + sap = softwareSystem "SAP" "SAP Server" { + -> ingressController "consume AL" "SAP Archive Link Protocol" + -> ingressController "consume ILM" "SAP Information Lifecycle Management Protocol" + } + + o365sp = softwareSystem "SharePoint" "SharePoint Server" { + } + + /* when you run a SAP System, you most likely also want to access it for replication */ + nappl.replicaset.main -> sap "consume SNC" "SAP SNC Access" + + + app = softwareSystem "3rd Party Software" "Any Application with Access Rights" { + -> ingressController "AC" "nscale Advanced Connect API + -> ingressController "REST" "nscale REST API" + -> ingressController "CMIS REST" "cmis REST API" + -> ingressController "CMIS SOAP" "cmis SOAP API" + -> ingressController "Pipeliner DAV" "DAV Payload Dropoff Service" + } + + /* ************************************************************** + * 3rd Party Identity and Authentication Services * + ************************************************************** */ + + idp = softwareSystem "Identity Provider" { + description "Provider or Broker for Identity Information and SSO Services" + -> nappl "Authorize" "Single Sign On with optional Multi Factor" "saml, openid" + -> nappljobs "Import" "Periodic Import of Account / Group Information via LDAP" + user -> this 
"authenticate" + } + + } + + views { + + theme https://static.structurizr.com/themes/kubernetes-v0.3/theme.json + + # As soon as we use our own views, all default views are gone... + !include "views.dsl" + + styles { + element "Person" { + shape Person + } + element "Kubernetes - svc" { + shape hexagon + } + element "Database" { + background #707070 + color #ffffff + shape cylinder + } + element "Kubernetes - pvc" { + shape cylinder + } + element "nscale" { + color #FFFFFF + background #11a63c + } + element "nplus" { + color #FFFFFF + background #424c63 + } + element "planned" { + opacity 30 + } + element "mobileclient" { + shape "MobileDeviceLandscape" + } + element "richclient" { + shape "Window" + } + element "webclient" { + shape "WebBrowser" + } + element "Group" { + color #ff00ff + } + } + + } + +} \ No newline at end of file diff --git a/samples/README.md b/samples/README.md new file mode 100644 index 0000000..2d82ddc --- /dev/null +++ b/samples/README.md 
@@ -0,0 +1,152 @@ +# The Samples + +- [Remote Management Server](administrator) + Shows how you can setup an ***nplus Remote Management Server*** and expose a complete Instance on a single **virtual IP Adress** to be able to connect with the *nscale Administrator* from your desktop and even + perform any **offline configuration** tasks, such as **configuring the *nscale Pipeliner*** with its cold.xml. + +- [Applications](application) + - shows how to deploy an ***nplus Application***, inlcuding **creating a Document area** in the *nscale Application Layer* and + **installing *nscale Business Apps*** or **custom *Generic Base Apps*** into multiple Document Areas. + - It also demonstrates how to use the *prepper* component to **download assets from git** or any other artifacs site. + +- [Blobstores](blobstore) + - shows how to connect the *nscale Storage Layer* to an **Amazon S3** Object Store, an **Azure Blobstore** or any other compatiple Object Store, like **CephGW** or **min.io** + - it also demonstrates the use of **envMaps** and **envSecrets** to set environment variables outside the values.yaml file + +- [Certificates](certificates) + - shows how to **disable certificate generation** and use a **prepared static certificate** for the ingress + - it also talks about the pitfalls of `.this` + +- [Cluster](cluster) + shows how to render a cluster chart and prepare the cluster for *nplus* + +- [Defaults](default) + Renders a **minimalistic** Instance manifest without any customization + +- [Detached Applications](detached) + Shows how to separate the application from the instance but still use them in tandem. This technique is used to be able to separately update instance and application. 
+ +- [Environments](environment) + holds values for **different environments**, such as a lab environment (which is used for our internal test cases) or a production environment + +- [Instance Groups](group) + - Large Instances can be split easily and re-grouped again with the `.instance.group` tag. This example shows how. + - It also shows how to switch off any certificate or networkPolicy creation at Instance Level + +- [High Avalability](ha) + - showcases a full **High Availability** szenario, including a dedicated **nappljobs** and redundant components to reduce the risk of outages + +- [Highest Doc ID / HID](hid) + - shows how to enable highest ID checking in *nstl*. + +- [No Waves](nowaves) + Shows how to set up a simple argoCD Application without using any *waves* but just relying on *waitFor* + +- [Version Pinning](pinning) + There are several ways how to pin the **version of *nscale* components**. This example shows how to stay flexible in terms of **nplus versions** and still pin *nscale* to a + specific version. + +- [Resources](resources) + - demonstrates how for different environments, for different tenants depending on the usage (like amount of concurrent users) or scenarios alike, + you might want to use different sets of **resouce definitions for RAM, CPU** or HD Space. + +- [Security](security) + IT Security is an important aspect when running an nplus Environment. This example shows + - how to configure **https for all inter-Pod communications**, and + - how to force **all connections** to be **encrypted**. (**Zero Trust Mode**) + +- [Shared Services](shared) + You might want to have a central **nplus** Instance that can be used by multiple tenants. This example shows how to do that. + +- [SharePoint Retrieval HA](sharepoint) + Normally, you either have HA with multiple replicas *or* you use multiple instances if you want different configurations per instance. 
This example shows how you can combine both approaches: Having mutliple instances with different configuration (for archiving) and a global ingress to all instances (for HA retrieval) + +- [Single Instance Mode](sim) + Some *nplus* subscribers use **maximum tenant separation**, so not only **firewalling each component**, but also running each **Instance in a dedicated Namespace**. + This shows how to enable ***Single Instance Mode***, that melts the environment and instance together in a **single deployment**. + +- [Static Volumes](static) + Shows how to disable dynamic volume provisioning (depending on the storage class) and use **pre-created static volumes** instead. + +- [Chart](chart) + This is an example for a **custom Umbrella Chart**, to create a custom base chart with your **own environment defaults** to build your deployments upon. This is the next step after applying value files. + + + +# Configuration Options + +There are several possible ways to configure and customize the *nplus* helm charts: + +1. By using `--set` parameter at the command line: + + ``` + helm install \ + --set components.rs=false \ + --set components.mon=false \ + --set components.nstl=false \ + --set global.ingress.domain="demo.nplus.cloud" \ + --set global.ingress.issuer="nplus-issuer" \ + demo1 nplus/nplus-instance + ``` + + `kubectl get instances` will show this Instance being handled by `helm`. + +2. By adding one or more values files: + + ``` + helm install \ + --values empty.yaml \ + --values s3-env.yaml \ + --values lab.yaml \ + demo2 nplus/nplus-instance + ``` + +3. By using `helm template` and piping the output to `kubectl` + + ``` + helm template \ + --values empty.yaml \ + --values s3-env.yaml \ + --values lab.yaml \ + demo2 nplus/nplus-instance | kubectl apply -f - + ``` + + `kubectl get instances` will show this Instance being handled manually (`manual`). + +4. 
By building *Umbrella Charts* that contain default values for your environment + + + +# Using ArgoCD + +Deploying trough ArgoCD is identical to deploying trough Helm. Just use the `instance-argo` chart instead of `instance`. +But you can use the same value files for all deployment methods. The `instance-argo` chart will render all values into the *argoCD Application*, taking them fully into account. + +If you deploy Instances by ArgoCD, `kubectl get instances` will show these Instance being handled by `argoCD`. + + + +# Stacking Values + +The sample value files provided here work for standard Instances as well as for argoCD Versions. + +The values Files are stacked: + +- `environment/demo.yaml` contains the default values for the environment +- `empty/values.yaml` creates a sample document area in the *nscale Application Layer* +- `s3/env.yaml` adds a S3 storage to the *nscale Storage Layer*, in form of simple environment variables + +This stack can be installed by using the `helm install` command: + +``` +helm install \ + --values environment/demo.yaml \ + --values empty/values.yaml \ + --values s3/env.yaml \ + empty-sample-s3 nplus/nplus-instance +``` + +The advantage of stacking is to separate and reuse parts of your configuration for different purposes. +- Reuse values for different environments like stages or labs, where only the environment is different but the components and applications are (and have to be) the same +- Use the same Storage Configuration for multiple Instances +- Have one configuration for your Application / Solution and use that on many tenants to keep them all in sync diff --git a/samples/application/README.md b/samples/application/README.md new file mode 100644 index 0000000..9c3b030 --- /dev/null +++ b/samples/application/README.md 
@@ -0,0 +1,93 @@ +# Installing Document Areas + +## Creating an empty document area while deploying an Instance + +This is the simplest sample, just the core services with an empty document area: + +``` +helm install \ + --values samples/application/empty.yaml \ + --values samples/environment/demo.yaml \ + empty nplus/nplus-instance +``` + +The empty Document Area is created with + +```yaml +components: + application: true + prepper: true + +application: + docAreas: + - id: "Sample" + run: + - "/pool/downloads/sample.sh" + +prepper: + download: + - "https://git.nplus.cloud/public/nplus/raw/branch/master/assets/sample.tar.gz" +``` + +This turns on the *prepper* component, used to download a sample tarball from git. It will also extract the tarball into the `downloads` folder that is created on the *pool* automatically. + +Then, after the Application Layer is running, a document area `Sample` is created. The content of the sample script will be executed. + +If you use **argoCD** as deployment tool, you would go with + +``` +helm install \ + --values samples/application/empty.yaml \ + --values samples/environment/demo.yaml \ + empty-argo nplus/nplus-instance-argo +``` + + + +## Deploying the *SBS* Apps to a new document area + +In the SBS scenario, some Apps are installed into the document area: + +```bash +helm install \ + --values samples/applications/sbs.yaml \ + --values samples/environment/demo.yaml \ + sbs nplus/nplus-instance +``` + +The values look like this: + +```yaml +components: + application: true +application: + nameOverride: SBS + docAreas: + - id: "SBS" + name: "DocArea with SBS" + description: "This is a sample DocArea with the SBS Apps installed" + apps: + - "/pool/nstore/bl-app-9.0.1202.zip" + - "/pool/nstore/gdpr-app-9.0.1302.zip" + ... + - "/pool/nstore/ts-app-9.0.1302.zip" + - "/pool/nstore/ocr-base-9.0.1302.zip" + +``` + +This will create a document area `SBS` and install the SBS Apps into it. 
+ + +# Accounting in nstl + +To collect Accounting Data in *nscale Server Storage Layer*, you can enable the nstl accouting feature by setting `accounting: true`. +This will create the accounting csv files in *ptemp* under `//accounting`. +Additionally, you can enable a log forwarder printing it to stdout. + +``` +nstl: + accounting: true + logForwarder: + - name: Accounting + path: "/opt/ceyoniq/nscale-server/storage-layer/accounting/*.csv" +``` diff --git a/samples/application/build.sh b/samples/application/build.sh new file mode 100755 index 0000000..b151efc --- /dev/null +++ b/samples/application/build.sh 
@@ -0,0 +1,80 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" 
+ exit 1 +fi + +# Set the Variables +SAMPLE="empty" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/hid/values.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# creating the Argo manifest +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/hid/values.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml + + + +# Set the Variables +SAMPLE="sbs" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/application/sbs.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# creating the Argo manifest +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/application/sbs.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml + diff --git a/samples/application/empty.yaml b/samples/application/empty.yaml new file mode 100644 index 0000000..85e284e --- /dev/null +++ b/samples/application/empty.yaml 
@@ -0,0 +1,20 @@ +components: + application: true + prepper: true + +application: + docAreas: + - id: "Sample" + run: + - "/pool/downloads/sample.sh" + +prepper: + download: + - "https://git.nplus.cloud/public/nplus/raw/branch/master/assets/sample.tar.gz" + +nstl: + accounting: true + logForwarder: + - name: Accounting + path: "/opt/ceyoniq/nscale-server/storage-layer/accounting/*.csv" + db: "/opt/ceyoniq/nscale-server/storage-layer/logsdb/logs.db" diff --git a/samples/application/sbs.yaml b/samples/application/sbs.yaml new file mode 100644 index 0000000..94c6047 --- /dev/null +++ b/samples/application/sbs.yaml @@ -0,0 +1,28 @@ +components: + application: true +application: + nameOverride: SBS + docAreas: + - id: "SBS" + name: "DocArea with SBS" + description: "This is a sample DocArea with the SBS Apps installed" + apps: + - "/pool/nstore/bl-app-9.0.1202.zip" + - "/pool/nstore/gdpr-app-9.0.1302.zip" + - "/pool/nstore/sbs-base-9.0.1302.zip" + - "/pool/nstore/sbs-app-9.0.1302.zip" + - "/pool/nstore/tmpl-app-9.0.1302.zip" + - "/pool/nstore/cm-base-9.0.1302.zip" + - "/pool/nstore/cm-app-9.0.1302.zip" + - "/pool/nstore/hr-base-9.0.1302.zip" + - "/pool/nstore/hr-app-9.0.1302.zip" + - "/pool/nstore/pm-base-9.0.1302.zip" + - "/pool/nstore/pm-app-9.0.1302.zip" + - "/pool/nstore/sd-base-9.0.1302.zip" + - "/pool/nstore/sd-app-9.0.1302.zip" + - "/pool/nstore/kon-app-9.0.1302.zip" + - "/pool/nstore/kal-app-9.0.1302.zip" + - "/pool/nstore/dok-app-9.0.1302.zip" + - "/pool/nstore/ts-base-9.0.1302.zip" + - "/pool/nstore/ts-app-9.0.1302.zip" + - "/pool/nstore/ocr-base-9.0.1302.zip" diff --git a/samples/blobstore/README.md b/samples/blobstore/README.md new file mode 100644 index 0000000..538dd54 --- /dev/null +++ b/samples/blobstore/README.md 
@@ -0,0 +1,74 @@ +# Using Object Stores + +Blobstores aka Objectstores have a REST Interface that you can upload your Payload to and receive an ID for it. They are normally structured into *Buckets* or *Containers* to privide +some sort of pooling payload within the store. + +The *nscale Server Storage Layer* supports multiple brands of objectstores, the most popular being Amazon S3 and Microsoft Azure Blobstore. + +In order to use them, you need to +- get an account for the store +- configure the *nstl* with the url, credentials etc. +- Add firewall rules to access to store + +Have a look at the sample files + +- s3-env.yaml + for Amazon S3 compatible storage, and +- azureblob.yaml + for Azure Blobstore + +For S3 compatible storage, there are multiple S3 flavours available. + + + +# Custom Environment Variables + +There are multiple ways of how to set custom environment variables in addition to the named values, you set in helm: + +## Using `env` + +Please have a look at `s3-env.yaml` to see how custom environment variables can be injected into a component: + +``` +nstl: + env: + # Archivtyp + NSTL_ARCHIVETYPE_900_NAME: "S3" + NSTL_ARCHIVETYPE_900_ID: "900" + NSTL_ARCHIVETYPE_900_LOCALMIGRATION: "0" + NSTL_ARCHIVETYPE_900_LOCALMIGRATIONTYPE: "NONE" + NSTL_ARCHIVETYPE_900_S3MIGRATION: "1" +``` + +This will set the environment variables in the storage layer to add an archive type with id 900. + + +## Using `envMap` and `envSecret` + +Alternatively to the standard `env`setting, you can also use configmaps and secrets for additional environment variables. + +The file `s3-envres.yaml` creates a configmap and a secret with the same variables as used in the `s3-env.yaml` sample. `s3-envfrom.yaml` shows how to import them. 
+ +Please be aware, that data in secrets need to be base64 encoded: + +``` +echo "xxx" | base64 +``` + +So in order to use the envFrom mechanism, + +- prepare the resources (as in `s3-envres.yaml`) +- upload the resources to your cluster + ``` + kubectl apply -f s3-envres.yaml + ``` +- add it to your configuration + ``` + nstl: + # These resources are set in the s3-envres.yaml sample file + # you can set single values (envMap or envSecret) or lists (envMaps or envSecrets) + envMaps: + - env-sample-archivetype + - env-sample-device + envSecret: env-sample-device-secret + ``` diff --git a/samples/blobstore/azureblob.yaml b/samples/blobstore/azureblob.yaml new file mode 100644 index 0000000..7996862 --- /dev/null +++ b/samples/blobstore/azureblob.yaml @@ -0,0 +1,20 @@ +nstl: + env: + # global + NSTL_RETRIEVALORDER: "AZURE, HARDDISK_ADAPTER, REMOTE_EXPLICIT, REMOTE_DA" + # Archive Type + NSTL_ARCHIVETYPE_901_NAME: "AZUREBLOB" + NSTL_ARCHIVETYPE_901_ID: "901" + NSTL_ARCHIVETYPE_901_LOCALMIGRATION: "0" + NSTL_ARCHIVETYPE_901_LOCALMIGRATIONTYPE: "NONE" + NSTL_ARCHIVETYPE_901_AZUREMIGRATION: "1" + # Device + NSTL_AZURE_0_CONFIGURED: "1" + NSTL_AZURE_0_ARCHIVETYPES: "AZUREBLOB" + NSTL_AZURE_0_INDEX: "0" + NSTL_AZURE_0_NAME: "AZUREBLOB" + NSTL_AZURE_0_INITIALLYACTIVE: "1" + NSTL_AZURE_0_PERMANENTMIGRATION: "1" + NSTL_AZURE_0_CONTAINERNAME: "demostore" + NSTL_AZURE_0_ACCOUNTNAME: "xxx" + NSTL_AZURE_0_ACCOUNTKEY: "xxx" diff --git a/samples/blobstore/s3-env.yaml b/samples/blobstore/s3-env.yaml new file mode 100644 index 0000000..e578148 --- /dev/null +++ b/samples/blobstore/s3-env.yaml 
@@ -0,0 +1,23 @@ +nstl: + env: + # Archivtyp + NSTL_ARCHIVETYPE_900_NAME: "S3" + NSTL_ARCHIVETYPE_900_ID: "900" + NSTL_ARCHIVETYPE_900_LOCALMIGRATION: "0" + NSTL_ARCHIVETYPE_900_LOCALMIGRATIONTYPE: "NONE" + NSTL_ARCHIVETYPE_900_S3MIGRATION: "1" + # Device + NSTL_S3_0_CONFIGURED: "1" + NSTL_S3_0_ARCHIVETYPES: "S3" + NSTL_S3_0_INDEX: "0" + NSTL_S3_0_TYPE: "S3_COMPATIBLE" + NSTL_S3_0_NAME: "S3" + NSTL_S3_0_INITIALLYACTIVE: "1" + NSTL_S3_0_USESSL: "1" + NSTL_S3_0_VERIFYSSL: "0" + NSTL_S3_0_ACCESSID: "xxx" + NSTL_S3_0_SECRETKEY: "xxx" + NSTL_S3_0_ENDPOINT: "s3.nplus.cloud" + NSTL_S3_0_BUCKETNAME: "nstl" + NSTL_S3_0_USEVIRTUALADDRESSING: "0" + NSTL_S3_0_PERMANENTMIGRATION: "1" \ No newline at end of file diff --git a/samples/blobstore/s3-envfrom.yaml b/samples/blobstore/s3-envfrom.yaml new file mode 100644 index 0000000..e7b09cc --- /dev/null +++ b/samples/blobstore/s3-envfrom.yaml @@ -0,0 +1,7 @@ +nstl: + # These resources are set in the s3-envres.yaml sample file + # you can set single values (envMap or envSecret) or lists (envMaps or envSecrets) + envMaps: + - env-sample-archivetype + - env-sample-device + envSecret: env-sample-device-secret diff --git a/samples/blobstore/s3-envres.yaml b/samples/blobstore/s3-envres.yaml new file mode 100644 index 0000000..ba23953 --- /dev/null +++ b/samples/blobstore/s3-envres.yaml 
@@ -0,0 +1,40 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: env-sample-archivetype + namespace: lab +data: + NSTL_ARCHIVETYPE_900_NAME: "S3" + NSTL_ARCHIVETYPE_900_ID: "900" + NSTL_ARCHIVETYPE_900_LOCALMIGRATION: "0" + NSTL_ARCHIVETYPE_900_LOCALMIGRATIONTYPE: "NONE" + NSTL_ARCHIVETYPE_900_S3MIGRATION: "1" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: env-sample-device + namespace: lab +data: + NSTL_S3_0_CONFIGURED: "1" + NSTL_S3_0_ARCHIVETYPES: "S3" + NSTL_S3_0_INDEX: "0" + NSTL_S3_0_TYPE: "S3_COMPATIBLE" + NSTL_S3_0_NAME: "S3" + NSTL_S3_0_INITIALLYACTIVE: "1" + NSTL_S3_0_USESSL: "1" + NSTL_S3_0_VERIFYSSL: "0" + NSTL_S3_0_ENDPOINT: "s3.nplus.cloud" + NSTL_S3_0_BUCKETNAME: "nstl" + NSTL_S3_0_USEVIRTUALADDRESSING: "0" + NSTL_S3_0_PERMANENTMIGRATION: "1" +--- +apiVersion: v1 +kind: Secret +metadata: + name: env-sample-device-secret + namespace: lab +type: Opaque +data: + NSTL_S3_0_ACCESSID: eHh4Cg== + NSTL_S3_0_SECRETKEY: eHh4Cg== diff --git a/samples/certificates/README.md b/samples/certificates/README.md new file mode 100644 index 0000000..89b6975 --- /dev/null +++ b/samples/certificates/README.md 
@@ -0,0 +1,35 @@ +# (auto-) certificates and the pitfalls of *.this* + +*nplus* will automatically generate certificates for your ingress. It either uses an issuer like *cert-manager* or generates a *self-signed-certificate*. + +In your production environment though, you might want to take more control over the certificate generation process and don't leave it to *nplus* to automatically take care of it. +In that case, you want to switch the automation *off*. + +To do so, you need to understand what is happening internally: + +- if `.this.ingress.issuer` is set, the chart requests this issuer to generate a tls secret with the name `.this.ingress.secret` + by creating a certificate resource with the name of the domain `.this.ingress.domain` +- else, so no issuer is set, the chart checks wether the flag `.this.ingress.createSelfSignedCertificate` is set to `true` and + generates a tls secret with the name `.this.ingress.secret` +- else, so neither issuer nor createSelfSignedCertificate are set, the charts will not generate anything + +The way how `.this` works is, that it gathers the key from `.Values.global.environment`, `.Values.global` and then `.Values` and flattens them merged into `.this`so that you can set your values +on different levels. + +However, the *merge* function overwrites non exising values and also boolean `true` overwrites a boolean `false`, not just the nil values. So to make sure we still can cancel functionality +by setting `null`or `false`, there is a forth merge which is set to forcefully overwrite existing keys: `override`, which can also be set on *environment*, *global* or on the *component* level. 
+ +So the correct way to cancel the generation process is to force the issuer to null (which will cancel the *cert-manager* generation) and also force `createSelfSignedCertificate` to false (to cancel the *self-signed-certificate* generation): + +```yaml +global: + override: + ingress: + enabled: true + secret: myCertificate + issuer: null + createSelfSignedCertificate: false +``` + +This makes sure, you will get an ingress, that uses the tls certificate in the secret `myCertificate` for encryption and does not generate anything. + diff --git a/samples/certificates/values.yaml b/samples/certificates/values.yaml new file mode 100644 index 0000000..53e3733 --- /dev/null +++ b/samples/certificates/values.yaml @@ -0,0 +1,6 @@ +global: + ingress: + enabled: true + secret: mySecret + issuer: null + createSelfSignedCertificate: false \ No newline at end of file diff --git a/samples/chart/build.sh b/samples/chart/build.sh new file mode 100755 index 0000000..212233e --- /dev/null +++ b/samples/chart/build.sh 
@@ -0,0 +1,51 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Set the Variables +SAMPLE="chart" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/chart/resources.yaml \ + $NAME $SAMPLES/chart/tenant > $DEST/instance/$SAMPLE.yaml + +# Create the manifest - argo version +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/chart/resources.yaml \ + $NAME-argo $SAMPLES/chart/tenant-argo > $DEST/instance-argo/$SAMPLE-argo.yaml + diff --git a/samples/chart/resources.yaml b/samples/chart/resources.yaml new file mode 100644 index 0000000..5fd16a5 --- /dev/null +++ b/samples/chart/resources.yaml 
@@ -0,0 +1,170 @@ +instance: + web: + resources: + requests: + cpu: "10m" + memory: "1.5Gi" + limits: + cpu: "4000m" + memory: "4Gi" + prepper: + resources: + requests: + cpu: "10m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "128Mi" + application: + resources: + requests: + cpu: "10m" + memory: "1.5Gi" + limits: + cpu: "4000m" + memory: "4Gi" + nappl: + resources: + requests: + cpu: "10m" + memory: "1.5Gi" + limits: + cpu: "4000m" + memory: "4Gi" + nappljobs: + resources: + requests: + cpu: "10m" + memory: "2Gi" + limits: + cpu: "4000m" + memory: "4Gi" + administrator: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" + cmis: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" + database: + resources: + requests: + cpu: "2m" + memory: "256Mi" + limits: + cpu: "4000m" + memory: "8Gi" + ilm: + resources: + requests: + cpu: "2m" + memory: "256Mi" + limits: + cpu: "2000m" + memory: "2Gi" + mon: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" + nstl: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" + nstla: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" + nstlb: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" + nstlc: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" + nstld: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" + pam: + resources: + requests: + cpu: "5m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "1Gi" + rs: + resources: + requests: + cpu: "2m" + memory: "1Gi" + limits: + cpu: "4000m" + memory: "8Gi" + webdav: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" + + rms: + resources: + requests: + cpu: "2m" + memory: "128Mi" + 
limits: + cpu: "1000m" + memory: "512Mi" + rmsa: + resources: + requests: + cpu: "2m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "512Mi" + rmsb: + resources: + requests: + cpu: "2m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "512Mi" diff --git a/samples/chart/tenant-argo/Chart.yaml b/samples/chart/tenant-argo/Chart.yaml new file mode 100644 index 0000000..972865c --- /dev/null +++ b/samples/chart/tenant-argo/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: sample-tenant-argo +description: | + ArgoCD Version of the sample tenant chart. It demonstrates the use of umbrella + charts to customize default values for your environment or tenant templates. +type: application +dependencies: + - name: nplus-instance-argo + alias: instance-argo + version: "*-0" + repository: "file://../../../charts/instance-argo" +version: 1.0.0 diff --git a/samples/chart/tenant-argo/README.md b/samples/chart/tenant-argo/README.md new file mode 100644 index 0000000..32640aa --- /dev/null +++ b/samples/chart/tenant-argo/README.md 
@@ -0,0 +1,93 @@ + + +# sample-tenant-argo + +ArgoCD Version of the sample tenant chart. It demonstrates the use of umbrella +charts to customize default values for your environment or tenant templates. + +## sample-tenant-argo Chart Configuration + +You can customize / configure sample-tenant-argo by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. 
+ +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. +The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. 
+ +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**global**​.meta​.isArgo | | `true` | +**instance-argo**​.argocd​.chart | | `"sample-tenant"` | +**instance-argo**​.argocd​.destinationServer | | `"https://kubernetes.default.svc"` | +**instance-argo**​.argocd​.namespace | | `"argocd"` | +**instance-argo**​.argocd​.project | | `"default"` | +**instance-argo**​.argocd​.prune | | `true` | +**instance-argo**​.argocd​.repo | | `"https://git.nplus.cloud"` | +**instance-argo**​.argocd​.selfHeal | | `true` | + diff --git a/samples/chart/tenant-argo/values.schema.json b/samples/chart/tenant-argo/values.schema.json new file mode 100644 index 0000000..475183e --- /dev/null +++ b/samples/chart/tenant-argo/values.schema.json 
@@ -0,0 +1,112 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "global": { + "additionalProperties": false, + "properties": { + "meta": { + "additionalProperties": false, + "properties": { + "isArgo": { + "default": true, + "title": "isArgo", + "type": "boolean" + } + }, + "title": "meta", + "type": "object" + } + }, + "title": "global", + "type": "object" + }, + "instance-argo": { + "description": "nplus Instance ArgoCD Edition, supporting the deployment of npus Instances through ArgoCD", + "properties": { + "argocd": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "chart": { + "default": "nplus-instance", + "description": "The name of the chart to use for the instance", + "title": "chart" + }, + "destinationNamespace": { + "default": "{{ .Release.Namespace }}", + "description": "ArgoCD can deploy to any Namespace on the destination Server. You have to specify it. Default is the release namespace", + "title": "destinationNamespace" + }, + "destinationServer": { + "default": "https://kubernetes.default.svc", + "description": "ArgoCD can also remote deploy Applications to alien clusters. The server specifies the API Endpoint of the Cluster, where the Application should be deployed", + "title": "destinationServer" + }, + "namespace": { + "default": "argocd", + "description": "The ArgoCD Namespace within the cluster. The ArgoCD Application will be deployed to this namespace You will need write privileges for this namespace", + "title": "namespace" + }, + "project": { + "default": "default", + "description": "ArgoCD organizes Applications in Projects. 
This is the name of the project, the application should be deployed to", + "title": "project" + }, + "prune": { + "default": "true", + "description": "Toggle pruning for this Application", + "title": "prune" + }, + "repo": { + "default": "https://git.nplus.cloud", + "description": "Specifiy the helm repo, from which ArgoCD should load the chart. Please make sure ArgoCD gets access rights to this repo", + "title": "repo" + }, + "selfHeal": { + "default": "true", + "description": "Toggle self healing feature for this Application", + "title": "selfHeal" + } + }, + "title": "argocd", + "type": "object" + }, + "global": { + "additionalProperties": false, + "properties": { + "meta": { + "additionalProperties": false, + "properties": { + "isArgo": { + "default": "true", + "description": "specifies that this is an Argo Installation. Used to determine the correct handler in the chart @internal -- Do not change", + "title": "isArgo" + } + }, + "title": "meta", + "type": "object" + } + }, + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + } + }, + "title": "nplus-instance-argo", + "type": "object" + } + }, + "type": "object" +} diff --git a/samples/chart/tenant-argo/values.yaml b/samples/chart/tenant-argo/values.yaml new file mode 100644 index 0000000..aac8144 --- /dev/null +++ b/samples/chart/tenant-argo/values.yaml @@ -0,0 +1,13 @@ +# yaml-language-server: $schema=values.schema.json +instance-argo: + argocd: + chart: sample-tenant + namespace: argocd + project: default + destinationServer: "https://kubernetes.default.svc" + selfHeal: true + prune: true + repo: "https://git.nplus.cloud" +global: + meta: + isArgo: true 
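Review bot: in the `env-sample-device` ConfigMap of the S3 sample, `NSTL_S3_0_VERIFYSSL: "0"` sits next to `NSTL_S3_0_USESSL: "1"`. Going by the key names, the sample encrypts the connection to `s3.nplus.cloud` but skips verification of the server certificate, and anyone who copies the sample inherits that. Suggest shipping it with `"1"`, or adding a comment that `"0"` is only meant for a lab endpoint with an untrusted certificate. Separately, both values in `env-sample-device-secret` are `eHh4Cg==`, which decodes to `xxx` followed by a newline. A reader who produces real values the same way stores a trailing newline as part of the access id and the secret key. `stringData` with plain placeholders, or encoding without the newline, avoids that.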
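Review bot: `samples/certificates/values.yaml` sets `issuer: null` and `createSelfSignedCertificate: false` under `global.ingress`, but the README added in the same commit says that cancelling the generation needs the forced merge under `global.override.ingress`, because the normal merge does not let `null` or `false` win. As written, the sample can still end up with an issuer-requested or self-signed certificate instead of the one in the named secret. Suggest moving the block under `global.override` to match the README, using one secret name in both files (`mySecret` here, `myCertificate` in the README), and adding the missing newline at end of file.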
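Review bot: in `samples/chart/build.sh`, the three directory checks print `$SAMPLE` in their error messages before `SAMPLE="chart"` is assigned, and both `helm template` calls read `$SAMPLES` and `$KUBE_CONTEXT`, which are never checked (the header documents `SAMPLE`, not `SAMPLES`). With `set -e` but no `set -u`, an unset `$SAMPLES` expands to nothing and helm is pointed at `/environment/.yaml` and `/chart/tenant`. Suggest moving the `SAMPLE` and `NAME` assignments above the checks, adding checks for `$SAMPLES` and `$KUBE_CONTEXT` (or using `set -euo pipefail`), and quoting the expansions in `mkdir -p $DEST/instance` and the helm arguments so paths with spaces do not split.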
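Review bot: in `samples/chart/tenant-argo/values.schema.json`, `prune` and `selfHeal` under `instance-argo.argocd`, and the nested `global.meta.isArgo`, declare `"default": "true"` as a string and carry no `type`, while the top-level `global.meta.isArgo` is `"type": "boolean"` with `"default": true`. Without a type the schema accepts any value for the two switches that control ArgoCD pruning and self-healing, so a typo in a values file passes validation. Suggest `"type": "boolean"` with boolean defaults for all three. The `argocd` object's description, `yaml-language-server: $schema=values.schema.json`, also looks like an editor directive that leaked into the schema and should be replaced with a real description.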
diff --git a/samples/chart/tenant/Chart.yaml b/samples/chart/tenant/Chart.yaml new file mode 100644 index 0000000..c78e0fd --- /dev/null +++ b/samples/chart/tenant/Chart.yaml @@ -0,0 +1,12 @@ +apiVersion: v2 +name: sample-tenant +description: | + The sample tenant chart demonstrates how to use umbrella charts with default values, + e.g. to define tenant templates +type: application +dependencies: + - name: nplus-instance + alias: instance + version: "*-0" + repository: "file://../../../charts/instance" +version: 1.0.0 diff --git a/samples/chart/tenant/README.md b/samples/chart/tenant/README.md new file mode 100644 index 0000000..a9a2073 --- /dev/null +++ b/samples/chart/tenant/README.md 
@@ -0,0 +1,88 @@ + + +# sample-tenant + +The sample tenant chart demonstrates how to use umbrella charts with default values, +e.g. to define tenant templates + +## sample-tenant Chart Configuration + +You can customize / configure sample-tenant by setting configuration values on the command line or in values files, +that you can pass to helm. Please see the samples directory for details. + +In case there is no value set, the key will not be used in the manifest, resulting in values taken from the config files of the component. + +### Template Functions + +You can use template functions in the values files. If you do so, make sure you quote correctly (single quotes, if you have double quotes in the template, +or escaped quotes). + +### Global Values + +All values can be set per component, per instance or globally per environment. + +Example: `global.ingress.domain` sets the domain on instance level. You can still set a different domain on a component, such as administrator. +In that case, simply set `ingress.domain` for the administrator chart and that setting will have priority: + +- Prio 1 - Component Level: `ingress.domain` +- Prio 2 - Instance Level: `global.ingress.domain` +- Prio 3 - Environment Level: `global.environment.ingress.domain` + +### Using Values in Templates + +As it would be a lot of typing to write `.Values.ingress.domain | default .Values.global.ingress.domain | default .Values.global.environment.ingress.domain`in your +template code, this is automatically done by nplus. You can simply type `.this.ingress.domain` and you will get a condensed and defaulted version +of your Values. + +So an example in your `values.yaml` would be: + +``` +administrator: + waitFor: + - '-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:\{{ .this.nappl.port }} -timeout 600' +``` + +This example shows `.this.nappl.port` which might come from a component, instance or global setting. You do not need to care. 
+The `.Release.Namespace` is set by helm. You have access to all Release and Chart Metadata, just like in your chart code. + +The `.component.prefix` is calculated by nplus and gives you some handy shortcuts to internal variables: + +- `.component.chartName` + The name of the chart as in `.Chart.Name`, but with override by `.Values.nameOverride` +- `.component.shortChartName` + A shorter Version of the name - `nappl` instead of `nplus-component-nappl` +- `.component.prefix` + The instance Prefix used to name the resources including `-`. This prefix is dropped, if the + `.Release.Name` equals `.Release.Namespace` for those of you that only + run one nplus Instance per namespace +- `.component.name` + The name of the component, including `.Values.nameOverride` and some logic +- `.component.fullName` + The fullName inlcuding `.Values.fullnameOverride` and some logic +- `.component.chart` + Mainly the `Chart.Name` and `Chart.Version` +- `.component.storagePath` + The path where the component config is stored in the conf PVC +- `.component.handler` + The handler (either helm, argoCD or manual) + +- `.instance.name` + The name of the instance, but with override by `.Values.instanceOverride` +- `.instance.group` + The group, this instance belongs to. Override by `.Values.groupOverride` +- `.instance.version` + The *nscale* version (mostly taken from Application Layer), this instance is deploying. + +- `.environment.name` + The name of the environment, but with override by `.Values.environmentNameOverride` + +### Keys + +You can set any of the following values for this component: + +| Key | Description | Default | +|-----|-------------|---------| +**global**​.ingress​.domain | | `"{{ .instance.group | default .Release.Name }}.sample.nplus.cloud"` | +**instance**​.application​.docAreas[0]​.id | | `"Sample"` | +**instance**​.components​.application | | `true` | + 
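Review bot: in the Keys table of `samples/chart/tenant/README.md`, the default for `global.ingress.domain` contains an unescaped `|` inside `{{ .instance.group | default .Release.Name }}`, which a Markdown table parser can treat as a cell separator, splitting the default value across columns. Suggest escaping it as `\|` (or fixing this in the generator if the README is generated). Two smaller documentation points in the same hunk: `inlcuding` in the `.component.fullName` entry is a typo, and the `waitFor` example has a backslash in `:\{{ .this.nappl.port }}` that is not explained; if it is an intentional escape, a short sentence saying so would help.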
diff --git a/samples/chart/tenant/values.schema.json b/samples/chart/tenant/values.schema.json new file mode 100644 index 0000000..71483bb --- /dev/null +++ b/samples/chart/tenant/values.schema.json 
@@ -0,0 +1,29293 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema#", + "additionalProperties": false, + "properties": { + "global": { + "additionalProperties": false, + "properties": { + "ingress": { + "additionalProperties": false, + "properties": { + "domain": { + "default": "{{ .instance.group | default .Release.Name }}.sample.nplus.cloud", + "title": "domain", + "type": "string" + } + }, + "title": "ingress", + "type": "object" + } + }, + "title": "global", + "type": "object" + }, + "instance": { + "description": "nplus Instance, an umbrella chart for orchestrating the components in a nplus Instance", + "properties": { + "administrator": { + "description": "nscale Administrator, providing the Web Version of the Administrator to be used in the Instance", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "administrator", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/rapadm", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "administrator", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "administrator", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + 
"default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + 
"description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "There should only be a single Administrator instance, so the replicaCount is fixed to 1 @ignore -- Do not change this.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-administrator", + "type": "object" + }, + "application": { + "description": "nplus Application, used to install Apps and Customizations into the nscale Application Layer.", + "properties": { + "docAreas": { + "default": "", + "description": "Provide a list of docareas to create. Please also see the example files", + "title": "docAreas" + }, + "download": { + "default": "", + "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", + "title": "download" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121814", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "application", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/application", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/pool", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": 
"nodeSelector" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "nstl", + "type": "object" + }, + "prerun": { + "default": "", + "description": "A list of scripts to run before the deployment of Apps", + "title": "prerun" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "rs": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale rendition Server*. 
This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "rs", + "type": "object" + }, + "run": { + "default": "", + "description": "A list of scripts to run after the deployment of Apps", + "title": "run" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-application", + "type": "object" + }, + "backend": { + "description": "Installs Namespace-Wide Resources such as the conf PVC and the ptemp PVC", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "storage": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "conf": { + "additionalProperties": false, + "properties": { + "name": { + "default": "", + "description": "this is the name of the common config storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "", + "description": "this is the size of the common config storage. 
please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "conf", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "properties": { + "name": { + "default": "", + "description": "this is the name of the common persistant temp storage. please see section \"Storage\" for more information", + "title": "name" + }, + "size": { + "default": "", + "description": "this is the size of the common ptemp storage. please see section \"Storage\" for more information", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "you can set the volumeName to the value of a pre-existing volume to avoid having the PV created for you by the csi driver provisioner", + "title": "volumeName" + } + }, + "title": "ptemp", + "type": "object" + } + }, + "title": "storage", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the 
creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-backend", + "type": "object" + }, + "cmis": { + "description": "nscale CMIS Connector, provides a CMIS Interface to the Instance", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "cmis-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1200.2024112508", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/cmis", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8096", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8196", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "cmis-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "cmis", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-cmis-connector/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-cmis", + "type": "object" + }, + "components": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "administrator": { + "default": "false", + "description": "enable a *nscale Administrator Web* component in this instance", + "title": "administrator" + }, + "application": { + "default": "false", + "description": "deploy any solution using GBA, Standard Apps or shell copy with this generic deployment chart", + "title": "application" + }, + "cmis": { + "default": "false", + "description": "enable a *nscale CMIS Connector* component in this instance", + "title": "cmis" + }, + "database": { + "default": "true", + "description": "enable an internal *Postgres Database* in this instance", + "title": "database" + }, + "dmsapi": { + "default": false, + "description": "TODO: remove", + "title": "dmsapi", + "type": "boolean" + }, + "erpcmis": { + "default": "false", + "description": "enable a *nscale ERP CMIS Connector* component in this instance", + "title": "erpcmis" + }, + "erpproxy": { + "default": "false", + "description": "enable a *nscale ERP Proxy Connector* component in this instance", + "title": "erpproxy" + }, + "ilm": { + "default": "false", + "description": "enable a *nscale ILM Connector* component in this instance", + "title": "ilm" + }, + "mon": { + "default": "false", + "description": "enable a *nscale Monitoring Console* component in this instance", + "title": "mon" + }, + "nappl": { + "default": "true", + "description": "enable a consumer *nscale Application Layer* component in this instance", + "title": "nappl" + }, + "nappljobs": { + "default": "false", + "description": "enable a dedicated jobs *nscale Application Layer* component in this instance please also make sure to set the *jobs* setting", + "title": "nappljobs" + }, + 
"nstl": { + "default": "true", + "description": "enable a *nscale Server Storage Layer* component in this instance If you are in a **High Availability** scenario, disable this", + "title": "nstl" + }, + "nstla": { + "default": "false", + "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", + "title": "nstla" + }, + "nstlb": { + "default": "false", + "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", + "title": "nstlb" + }, + "nstlc": { + "default": "false", + "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", + "title": "nstlc" + }, + "nstld": { + "default": "false", + "description": "enable an additional *nscale Server Storage Layer* node in this instance within a **High Availability** scenario.", + "title": "nstld" + }, + "pam": { + "default": "false", + "description": "enable a *nscale Process Automation Modeler* component in this instance", + "title": "pam" + }, + "pipeliner": { + "default": "false", + "description": "enable *nscale Pipeliner* component in this instance", + "title": "pipeliner" + }, + "prepper": { + "default": "false", + "description": "download, deploy and run any git asset or script prior to installation of the components", + "title": "prepper" + }, + "rms": { + "default": "false", + "description": "enable a *nplus Remote Management Server* component in this instance If you are in a **High Availability** scenario, disable this", + "title": "rms" + }, + "rmsa": { + "default": "false", + "description": "enable an additional *nplus Remote Management Server* in this instance within a **High Availability** scenario.", + "title": "rmsa" + }, + "rmsb": { + "default": "false", + "description": "enable an additional *nplus Remote Management Server* in this instance within a **High Availability** scenario.", + 
"title": "rmsb" + }, + "rs": { + "default": "true", + "description": "enable a *nscale Rendition Server* component in this instance", + "title": "rs" + }, + "sharepoint": { + "default": "false", + "description": "enable a *nscale Sharepoint Connector* component in this instance", + "title": "sharepoint" + }, + "sharepointa": { + "default": "false", + "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", + "title": "sharepointa" + }, + "sharepointb": { + "default": "false", + "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", + "title": "sharepointb" + }, + "sharepointc": { + "default": "false", + "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", + "title": "sharepointc" + }, + "sharepointd": { + "default": "false", + "description": "enable an additional *nscale Sharepoint Connector* component in this instance for another set of configuration parameters", + "title": "sharepointd" + }, + "sim": { + "additionalProperties": false, + "description": "This section is for the single-instance-mode in which all environement components are integrated into the instance", + "properties": { + "backend": { + "default": "false", + "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. the backend components holds the common storages / PVCs for conf and ptemp umong other common environmental resources", + "title": "backend" + }, + "dav": { + "default": "false", + "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. DAV gives you WebDAV access to your conf and ptemp volumes", + "title": "dav" + }, + "operator": { + "default": "false", + "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. 
The Operator will let you query the Custom Resources for nscale, e.g. `kubectl get nscale`", + "title": "operator" + }, + "toolbox": { + "default": "false", + "description": "This is for *Single-Instance-Mode* **only**. Read the docu before enabling this. the toolbox has a git client installed and is suitable for pulling, pushing, copying stuff into the pool, fonts, certificates, snippets and configuration files", + "title": "toolbox" + } + }, + "title": "sim" + }, + "web": { + "default": "true", + "description": "enable a *nscale Web* component in this instance", + "title": "web" + }, + "webdav": { + "default": "false", + "description": "enable a *nscale WebDAV Connector* component in this instance", + "title": "webdav" + } + }, + "title": "components", + "type": "object" + }, + "database": { + "description": "Postgres Database, deploys a DEV or TESTING environment DB", + "properties": { + "database": { + "additionalProperties": false, + "properties": { + "account": { + "default": "nscale", + "description": "the technical account to own the nscale database, if not set by secret", + "title": "account" + }, + "name": { + "default": "nscale", + "description": "name of the nscale database", + "title": "name" + }, + "password": { + "default": "nscale", + "description": "password of the technical account, if not set by secret", + "title": "password" + }, + "secret": { + "default": "", + "description": "the secret with credentials (account, password) for the nscale technical account. 
This setting has priority over account and password", + "title": "secret" + } + }, + "title": "database", + "type": "object" + }, + "dbAdmin": { + "additionalProperties": false, + "properties": { + "account": { + "default": "postgres", + "description": "the database admin account, if not set by secret", + "title": "account" + }, + "password": { + "default": "postgres", + "description": "the database admin password, if not set by secret", + "title": "password" + }, + "secret": { + "default": "", + "description": "the secret with credentials (account, password) for the database admin account. This setting has priority over adminAccount and adminPassword", + "title": "secret" + } + }, + "title": "dbAdmin", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "bitnami/postgresql", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "default": "", + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "title": "pullSecrets" + }, + "repo": { + "default": "", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "15", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "5432", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "database", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/bitnami/postgresql/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "30Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "priority": { + "additionalProperties": false, + "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. 
If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", + "properties": { + "className": { + "default": "", + "description": "Set the priority class for the Application Layer deployment if desired", + "title": "className" + }, + "createClass": { + "default": "", + "description": "Creates an individual PriorityClass for this instance", + "title": "createClass" + }, + "value": { + "default": "1000000", + "description": "Sets the priorityValue", + "title": "value" + } + }, + "title": "priority" + }, + "replicaCount": { + "default": "1", + "description": "The replicaCount for the Database should never be changed @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-database", + "type": "object" + }, + "dav": { + "description": "Provides WebDAV access to environment resources such as the conf PVC and the ptemp PVC", + "properties": { + "account": { + "default": "admin", + "description": "the dav user", + "title": "account" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": 
"IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dav", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envdav", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "password": { + "default": "admin", + "description": "password of the dav user", + "title": "password" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "secret": { + "default": "", + "description": "Alternatively, define a secret", + "title": "secret" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-dav", + "type": "object" + }, + "dmsapi": { + "description": "eon DMS-API provides a eon Standard Interface to the Instance", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "dms-api", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your 
own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "9.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dms_api", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "9443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "dms-api", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "dmsapi", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/tomcat/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/tomcat/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + 
"default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "eon-dms-api", + "type": "object" + }, + "erpcmis": { + "description": "nscale ERP CMIS, providing SAP S/4 HANA Public Cloud Archive Access", + "properties": { + "alien": { + "additionalProperties": false, + "properties": { + "doAppend": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "doAppend" + }, + "port": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "port" + }, + "server": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "server" + }, + "ssl": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "ssl" + }, + "url": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "alien", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "erp-cmis-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1000.2024032720", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/cmis/browser", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8096", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8196", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "erpcmis-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "erpcmis", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "migration": { + "additionalProperties": false, + "properties": { + "checkDocuments": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "checkDocuments" + }, + "checkIgnoreTime": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "checkIgnoreTime" + }, + "delay": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "delay" + }, + "doListMigration": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "doListMigration" + }, + "enabled": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "enabled" + }, + "fileDelimiter": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "fileDelimiter" + }, + "viaFileSystem": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "viaFileSystem" + } + }, + "title": "migration", + "type": "object" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, 
a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the 
class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of 
your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-cmis/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sign": { + "additionalProperties": false, + "properties": { + "authID": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "authID" + }, + "keyAlias": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "keyPassword" + } + }, + "title": "sign", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service 
name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + }, + "xsap": { + "additionalProperties": false, + "properties": { + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp cmis image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "xsap", + "type": "object" + } + }, + "title": "nplus-component-erpcmis", + "type": "object" + }, + "erpproxy": { + "description": "nscale ERP Proxy, providing SAP Archive Link access to alien Archive Components", + "properties": { + "alien": { + "additionalProperties": false, + "properties": { + "doAppend": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "doAppend" + }, + "port": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "port" + }, + "server": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "server" + }, + "ssl": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "ssl" + }, + "url": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "alien", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sap-proxy-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/pre-release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024092409", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": 
"Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/sap_proxy", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8097", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8197", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "erpproxy-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "erpproxy", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "migration": { + "additionalProperties": false, + "properties": { + "checkDocuments": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "checkDocuments" + }, + "checkIgnoreTime": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "checkIgnoreTime" + }, + "delay": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "delay" + }, + "doListMigration": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "doListMigration" + }, + "enabled": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "enabled" + }, + "fileDelimiter": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "fileDelimiter" + }, + "viaFileSystem": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "viaFileSystem" + } + }, + "title": "migration", + "type": "object" + }, + "minReplicaCount": { + "default": "", + "description": "if you set 
minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the 
class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of 
your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/sap-proxy/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for 
this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sign": { + "additionalProperties": false, + "properties": { + "authID": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "authID" + }, + "keyAlias": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "keyPassword" + } + }, + "title": "sign", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the 
service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. 
You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + }, + "xsap": { + "additionalProperties": false, + "properties": { + "url": { + "default": "{{ printf \"%s/%s\" ($.this.nappl).instance \"xsap/cs/xsap\"}}", + "description": "xsap url to use.", + "title": "url" + }, + "useSign": { + "default": "", + "description": "Documentation pending until official release of the erp proxy image by *Ceyoniq*", + "title": "useSign" + } + }, + "title": "xsap", + "type": "object" + } + }, + "title": "nplus-component-erpproxy", + "type": "object" + }, + "global": { + "additionalProperties": false, + "properties": { + "database": { + "additionalProperties": false, + "properties": { + "account": { + "default": "nscale", + "description": "DB account (if not using a secret)", + "title": "account" + }, + "dialect": { + "default": "PostgreSQL", + "description": "nscale DB server dialect", + "title": "dialect" + }, + "driverclass": { + "default": "org.postgresql.Driver", + "description": "nscale DB server driverclass", + "title": "driverclass" + }, + "name": { + "default": "nscale", + "description": "name of the nscale DB", + "title": "name" + }, + "password": { + "default": "nscale", + "description": "DB password (if not using a secret)", + "title": "password" + }, + "passwordEncoded": { + "default": "false", + "description": "weather the password is stored encrypted", + "title": "passwordEncoded" + }, + "schema": { + "default": "public", + "description": "DB schema name", + "title": "schema" + }, + "secret": { + "default": "", + "description": "DB credential secret (account, password)", + "title": "secret" + }, + "url": { + "default": "jdbc:postgresql://{{ .component.prefix }}database:5432/{{ .this.database.name }}", + "description": "The URL to the database", + "title": "url" + } + }, + "title": "database", + "type": "object" + }, + "ingress": { + "additionalProperties": false, + "properties": { + "appRoot": { + 
"default": "/nscale_web", + "description": "Sets the root for this instance, where incoming root traffic should be redirected to", + "title": "appRoot" + }, + "class": { + "default": "`public``", + "description": "sets the global ingressclass for all components to use - if they do not define a specific one, for example if there are separate controllers for internal and external traffic", + "title": "class" + }, + "createSelfSignedCertificate": { + "default": "true", + "description": "if you do not define an issuer to generate the tls secret for you, you still can have a self signed certificate generated for you, if you set this to true. The default is true, so either you have an issuer or not, you will always end up with a certificate. Set an empty issuer and createSelfSignedCertificate to false to have no certificate generated and use an external or existing secret. Then make sure the secret matches.", + "title": "createSelfSignedCertificate" + }, + "domain": { + "default": "", + "description": "Sets the global domain within the instance to be used, if the component does not define any domain. If this remains empty, no ingress is generated Example: `{{ .instance.group }}.lab.nplus.cloud`", + "title": "domain" + }, + "issuer": { + "default": "", + "description": "Sets the name of the issuer to create the tls secret. Very common is to have it created by cert-manager. Please see the documentation how to create a cert-manager cluster issuer for example. If no issuer is set, no certificate request will be generated", + "title": "issuer" + }, + "namespace": { + "default": "`ingress, kube-system, ingress-nginx`", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. 
This may be a comma separated list", + "title": "namespace" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. This secret is then either generated by cert-manager or self signed by helm - or not created", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress", + "type": "object" + }, + "instance": { + "additionalProperties": false, + "properties": { + "group": { + "default": "", + "description": "The group of the instance. This is used for the networkPolicies. Only Pods within one group are allowed to communicate if you enable the nplus Network Policies. By default, this is set the same as the instance name", + "title": "group" + }, + "name": { + "default": "{{ .Release.Name }}", + "description": "The name of the instance. Should this name be identical to the namespace name, then the prefix will be dropped. 
By default, this is the .Release.Name", + "title": "name" + } + }, + "title": "instance", + "type": "object" + }, + "license": { + "default": "nscale-license", + "description": "Globally set the license secret name", + "title": "license" + }, + "logForwarderImage": { + "additionalProperties": false, + "properties": { + "name": { + "default": "fluent-bit", + "description": "defines the nplus toolbox name to be used for the *wait* feature", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "description": "defines the nplus toolbox pull policy to be used for the *wait* feature", + "title": "pullPolicy" + }, + "repo": { + "default": "cr.fluentbit.io/fluent", + "description": "defines the nplus toolbox image to be used for the *wait* feature", + "title": "repo" + }, + "tag": { + "default": "2.0", + "description": "defines the tag for the logforwarder (FluentBit) @internal -- set by devOps pipeline, so do not modify", + "title": "tag" + } + }, + "title": "logForwarderImage", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "nscaleVersion": { + "default": "9.3.1300", + "description": "Sets the nscale version of this deployment / instance. This is used by the operator to display the correct version e.g. in the Web UI. @internal -- this is set by the devOps pipeline, so do not modify", + "title": "nscaleVersion" + } + }, + "title": "meta", + "type": "object" + }, + "nappl": { + "additionalProperties": false, + "properties": { + "account": { + "default": "admin", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "nscale", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}", + "description": "sets the *nscale Server Application Layer* host to be used. 
As this is a global option, it can be overridden at component level.", + "title": "host" + }, + "instance": { + "default": "nscalealinst1", + "description": "the instance of *nscale Server Application Layer* to be used @internal -- As this is depricated for nscale 10, you should never modify this.", + "title": "instance" + }, + "password": { + "default": "admin", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "8080", + "description": "sets the *nscale Server Application Layer* port to be used. As this is a global option, it can be overridden at component level. if you switch to zero trus mode or change the nappl backend to https, you want to modify this port to 8443", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "false", + "description": "wether to use ssl or not for the advanced connector", + "title": "ssl" + } + }, + "title": "nappl", + "type": "object" + }, + "security": { + "additionalProperties": false, + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "administratorInstance": { + "default": "{{ .this.instance.name }}", + "description": "sets the instance, from which Administration is allowed", + "title": "administratorInstance" + }, + "administratorNamespace": { + "default": "{{ .Release.Namespace }}", + "description": "sets the namespace, from which Administration is allowed", + "title": "administratorNamespace" + }, + "createNetworkPolicy": { + "default": "", + "description": "creates NetworkPolicies for each component.", + "title": "createNetworkPolicy" + }, + "defaultEgressPolicy": { + "default": "", + "description": "if defined, creates a default NetworkPolicy to handle egress Traffic from the instance. 
Possible Values: deny, allow, none", + "title": "defaultEgressPolicy" + }, + "defaultIngressPolicy": { + "default": "", + "description": "if defined, creates a default NetworkPolicy to handle ingress Traffic to the instance. Possible Values: deny, allow, none", + "title": "defaultIngressPolicy" + }, + "monitoringInstance": { + "default": "{{ .this.instance.name }}", + "description": "sets the instance, from which Monitoring is allowed", + "title": "monitoringInstance" + }, + "monitoringNamespace": { + "default": "{{ .Release.Namespace }}", + "description": "sets the namespace, from which Monitoring is allowed", + "title": "monitoringNamespace" + }, + "pamInstance": { + "default": "{{ .this.instance.name }}", + "description": "sets the instance, from which Process Automation Modeling is allowed", + "title": "pamInstance" + }, + "pamNamespace": { + "default": "{{ .Release.Namespace }}", + "description": "sets the namespace, from which Process Automation Modeling is allowed", + "title": "pamNamespace" + } + }, + "title": "cni", + "type": "object" + }, + "zeroTrust": { + "default": "", + "description": "enables zero trust on the instance. When enabled, no unencrypted http connection is allowed. This will remove all http ports from pods, services, network policies and ingress rules", + "title": "zeroTrust" + } + }, + "title": "security", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "properties": { + "openTelemetry": { + "default": "", + "description": "if you use a OpenTelemetry as a telemetry collector, you can enable it here. This will add the annotations to some known pods for the injector to use agents inside the pods for telemetry collection. 
This often goes along with the `language` setting in the meta section to tell the telemetry collector which agent to inject.", + "title": "openTelemetry" + } + }, + "title": "telemetry", + "type": "object" + }, + "waitImage": { + "additionalProperties": false, + "properties": { + "name": { + "default": "toolbox2", + "description": "defines the nplus toolbox name to be used for the *wait* feature", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "description": "defines the nplus toolbox pull policy to be used for the *wait* feature", + "title": "pullPolicy" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "defines the nplus toolbox image to be used for the *wait* feature", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "defines the nplus toolbox tag to be used for the *wait* feature @internal -- set by devOps pipeline, so do not modify", + "title": "tag" + } + }, + "title": "waitImage", + "type": "object" + } + }, + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "ilm": { + "description": "nscale ILM Connector, providing a certified SAP ILM interface", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "ilm-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024091702", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/sap_ilm", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8297", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8397", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "ilm-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "ilm", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-for-sap/erp-connector-ilm/temp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific 
nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. 
Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-ilm", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "properties": { + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + } + }, + "title": "meta", + "type": "object" + }, + "mon": { + "description": "nscale Monitoring Console, used to provide sensor information from all components to dashboards", + "properties": { + "activateRmi": { + "default": "false", + "description": "Activates the RMI Interface. Due to security concern, this defaults to `false`", + "title": "activateRmi" + }, + "activateSsl": { + "default": "true", + "description": "Activates SSL / TLS communication", + "title": "activateSsl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "monitoring-console", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024092618", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscalemc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8387", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8388", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "8389", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "monitoring-console", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "mon", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-monitoring/workspace", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": 
[ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-monitoring/workspace/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "There should only be a single Monitoring instance, so the replicaCount is fixed to 1 @ignore -- Do not change this.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": 
"", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-mon", + "type": "object" + }, + "nappl": { + "description": "nscale Server Application Layer, the central component in the nscale ecosystem", + "properties": { + "database": { + "additionalProperties": false, + "description": "If you define the database in your values, this DB settings are taken. If you leave this empty, the settings from the config file are used.", + "properties": { + "account": { + "default": "", + "description": "alternative 1: the account name of the technical DB user for nscale", + "title": "account" + }, + "dialect": { + "default": "", + "description": "the database dialect to use", + "title": "dialect" + }, + "driverclass": { + "default": "", + "description": "the driver class to use", + "title": "driverclass" + }, + "name": { + "default": "", + "description": "the name of the database to use", + "title": "name" + }, + "password": { + "default": "", + "description": "alternative 1: the password of the technical DB user for nscale", + "title": "password" + }, + "passwordEncoded": { + "default": "", + "description": "weather the DB password is stored encrypted", + "title": "passwordEncoded" + }, + "schema": { + "default": "", + "description": "the database schema to use", + "title": "schema" + }, + "secret": { + "default": "", + "description": "alternative 2: use a secret for the account and password", + "title": "secret" + }, + "url": { + "default": "", + "description": "the DB URL", + 
"title": "url" + } + }, + "title": "database" + }, + "disableSessionReplication": { + "default": "", + "description": "enables/disables the session replication for these cluster members.", + "title": "disableSessionReplication" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": 
"ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121814", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscalealinst1", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. 
This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "false", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "includeDefaultPaths": { + "default": "true", + "description": "toggles default paths like index.html, res and engine.properties", + "title": "includeDefaultPaths" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "jobs": { + "default": "true", + "description": "enables/disables the job affinity / priority for these cluster members", + "title": "jobs" + }, + "kubePing": { + "additionalProperties": false, + "description": "sets the serviceAccount for NAPPL. Up to 9.1.1100, this was needed for the cluster communication (kubePing). Starting 9.1.1201, this is not the case any more If it is left empty, also the automountServiceAccountToken is disabled. 
If you set Values, they are ignored in Versions > 9.1.1200", + "properties": { + "create": { + "default": "true", + "description": "Creates the ServiceAccount (only if Version < 9.1.1200) Later Versions use a Cluster Service and resolve the IP Adresses from the EndpointSlices", + "title": "create" + }, + "name": { + "default": "{{ .component.fullName }}-kubeping", + "description": "Set the ServiceAccount Name for the kubePing Protocol", + "title": "name" + } + }, + "title": "kubePing" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "application-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "core", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "/usr/share/fonts/truetype/nplus", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "additionalProperties": false, + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "priority": { + "additionalProperties": false, + "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", + "properties": { + "className": { + "default": "", + "description": "Set the priority class for the Application Layer deployment if desired", + "title": "className" + }, + "createClass": { + "default": "true", + "description": "Creates an individual PriorityClass for this instance", + "title": "createClass" + }, + "value": { + "default": "1000000", + "description": "Sets the priorityValue", + "title": "value" + } + }, + "title": "priority" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "dbIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster DB Servers, that the nappl is allowed to communicate with.", + "title": "dbIpRange" + }, + "sapIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster SAP Servers, that the nappl is allowed to communicate with.", + "title": "sapIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sessionCacheStorageType": { + "default": "", + "description": "Sets the Session Cache Storage Type to HEAP or OFF_HEAP", + "title": "sessionCacheStorageType" + }, + "snc": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": "false", + "description": "Enables the NAPPL SNC to access SAP Systems. 
Since nscale 8, the configuration is done in the Administration Client.", + "title": "enabled" + } + }, + "title": "snc", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "description": "Set tolerations for this component", + "items": {}, + "title": "tolerations" + }, + "updateStrategy": { + "default": "RollingUpdate", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-nappl", + "type": "object" + }, + "nappljobs": { + "description": "nscale Server Application Layer, the central component in the nscale ecosystem", + "properties": { + "database": { + "additionalProperties": false, + "description": "If you define the database in your values, this DB settings are taken. 
If you leave this empty, the settings from the config file are used.", + "properties": { + "account": { + "default": "", + "description": "alternative 1: the account name of the technical DB user for nscale", + "title": "account" + }, + "dialect": { + "default": "", + "description": "the database dialect to use", + "title": "dialect" + }, + "driverclass": { + "default": "", + "description": "the driver class to use", + "title": "driverclass" + }, + "name": { + "default": "", + "description": "the name of the database to use", + "title": "name" + }, + "password": { + "default": "", + "description": "alternative 1: the password of the technical DB user for nscale", + "title": "password" + }, + "passwordEncoded": { + "default": "", + "description": "weather the DB password is stored encrypted", + "title": "passwordEncoded" + }, + "schema": { + "default": "", + "description": "the database schema to use", + "title": "schema" + }, + "secret": { + "default": "", + "description": "alternative 2: use a secret for the account and password", + "title": "secret" + }, + "url": { + "default": "", + "description": "the DB URL", + "title": "url" + } + }, + "title": "database" + }, + "disableSessionReplication": { + "default": "", + "description": "enables/disables the session replication for these cluster members.", + "title": "disableSessionReplication" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121814", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscalealinst1", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. 
This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "false", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "includeDefaultPaths": { + "default": "true", + "description": "toggles default paths like index.html, res and engine.properties", + "title": "includeDefaultPaths" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. 
This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "jobs": { + "default": "true", + "description": "enables/disables the job affinity / priority for these cluster members", + "title": "jobs" + }, + "kubePing": { + "additionalProperties": false, + "description": "sets the serviceAccount for NAPPL. Up to 9.1.1100, this was needed for the cluster communication (kubePing). Starting 9.1.1201, this is not the case any more If it is left empty, also the automountServiceAccountToken is disabled. 
If you set Values, they are ignored in Versions > 9.1.1200", + "properties": { + "create": { + "default": "true", + "description": "Creates the ServiceAccount (only if Version < 9.1.1200) Later Versions use a Cluster Service and resolve the IP Adresses from the EndpointSlices", + "title": "create" + }, + "name": { + "default": "{{ .component.fullName }}-kubeping", + "description": "Set the ServiceAccount Name for the kubePing Protocol", + "title": "name" + } + }, + "title": "kubePing" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "application-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "core", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "/usr/share/fonts/truetype/nplus", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/conf/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "additionalProperties": false, + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "priority": { + "additionalProperties": false, + "description": "You can give a component a specific priorityClass to implement a quality of service. You can leave this empty, then no priority is set. If you set a class, this class is taken If you additionally enable create, the class is created for you with the value defined.", + "properties": { + "className": { + "default": "", + "description": "Set the priority class for the Application Layer deployment if desired", + "title": "className" + }, + "createClass": { + "default": "true", + "description": "Creates an individual PriorityClass for this instance", + "title": "createClass" + }, + "value": { + "default": "1000000", + "description": "Sets the priorityValue", + "title": "value" + } + }, + "title": "priority" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. 
Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "dbIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster DB Servers, that the nappl is allowed to communicate with.", + "title": "dbIpRange" + }, + "sapIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster SAP Servers, that the nappl is allowed to communicate with.", + "title": "sapIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sessionCacheStorageType": { + "default": "", + "description": "Sets the Session Cache Storage Type to HEAP or OFF_HEAP", + "title": "sessionCacheStorageType" + }, + "snc": { + "additionalProperties": false, + "properties": { + "enabled": { + "default": "false", + "description": "Enables the NAPPL SNC to access SAP Systems. 
Since nscale 8, the configuration is done in the Administration Client.", + "title": "enabled" + } + }, + "title": "snc", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "description": "Set tolerations for this component", + "items": {}, + "title": "tolerations" + }, + "updateStrategy": { + "default": "RollingUpdate", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-nappl", + "type": "object" + }, + "nstl": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. 
this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": 
"pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! @ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + 
"anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "nstla": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! 
@ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + 
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + 
"title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. 
@ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "nstlb": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. 
this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": 
"pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! @ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + 
"anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "nstlc": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! 
@ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + 
"description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + 
"title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. 
@ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "nstld": { + "description": "nscale Server Storage Layer, virtualizing the storage to be used by the nscale Server", + "properties": { + "accounting": { + "default": "", + "description": "sets and enables / disables the accounting function. If enabled, it writes the csv files to *ptemp* (`//accounting`) The internal path is set to `/opt/ceyoniq/nscale-server/storage-layer/accounting` by `mounts.ptemp.paths`", + "title": "accounting" + }, + "checkHighestDocId": { + "default": "", + "description": "enables checking the highest DocID when starting the server. 
this only makes sense, if you also set a separate volume for the highest ID This is a backup / restore feature to avoid data mangling", + "title": "checkHighestDocId" + }, + "dvCheckPath": { + "default": "", + "description": "sets the path of the highest ID file.", + "title": "dvCheckPath" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "storage-layer", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": 
"pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1201.2024112518", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "ingress settings. however, the nstl does not use http, so a layer 7 LB does not make any sense. @ignore", + "properties": { + "enabled": { + "default": "false", + "description": "enables ingress on this component do not change this! @ignore", + "title": "enabled" + } + }, + "title": "ingress" + }, + "logForwarder": { + "default": "", + "title": "logForwarder", + "type": "null" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "3005", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "storage-layer", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "nstl", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + 
"anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "50Gi", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/storage-layer/etc/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "500Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "nstlIpRange": { + "default": "", + "description": "You might want to access storage layer outside the cluster (proxy concept) To do so, you can add a specific IP Range here, which is set within the network policy.", + "title": "nstlIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsNonRoot": { + "default": true, + "title": "runAsNonRoot", + "type": "boolean" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-nstl", + "type": "object" + }, + "operator": { + "description": "Installs the nplus operator managin the custom resource definitions for nplus and nscale", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "operator", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + 
"description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/monitoring", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8443", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envoperator", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "ui": { + "default": "true", + "description": "Enables the web ui, default under /monitoring", + "title": "ui" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-operator", + "type": "object" + }, + "pam": { + "description": "nscale Process Automation Modeler, providing Web UI Modeler for PAP", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "process-automation-modeler", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1200.63696", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/modeler", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8092", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "pam", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "pam", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/process-automation-modeler/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change 
this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. 
No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. 
@internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/process-automation-modeler/apache/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + 
"description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "As this is a Admin component, there is no HA or anything so we stick to exactly 1 replica. @ignore -- Fix Value", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-pam", + "type": "object" + }, + "pipeliner": { + "description": "nscale Pipeliner, the mass import / export tool of nscale", + "properties": { + "dav": { + "additionalProperties": false, + "properties": { + "account": { + "default": "pipeliner", + "description": "the dav user", + "title": "account" + }, + "image": { + "additionalProperties": false, + "description": "the Image to use for the DAV server", + "properties": { + "name": { + "default": "toolbox2", + "title": "name", + "type": "string" + }, + "pullPolicy": { + "default": "IfNotPresent", + "description": "the DAV server image pull policy", + "title": "pullPolicy" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "title": "repo", + "type": "string" + }, + "tag": { + "default": "1.2.1300", + "title": "tag", + "type": "string" + } + }, + "title": "image" + }, + "password": { + "default": "pipeliner", + "description": "password of the dav user", + "title": "password" + }, + "secret": { + "default": "", + "description": "Alternatively, define a secret", + "title": "secret" + } + }, + "title": "dav", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "pipeliner", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121815", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra 
Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/{{ .component.name }}", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "cpp", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8080", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "4173", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "pipeliner", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "pipeliner", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "defaultConfig": { + "default": "{{ .component.fullName }}-defaultconfig", + "description": "Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. 
Existing files are not overwritten.", + "title": "defaultConfig" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the 
size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-pipeliner/workdir/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "0", + "description": "Default ReplicaCount is 0 as the pipeliner requires a working cold.xml", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. 
Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. 
It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-pipeliner", + "type": "object" + }, + "prepper": { + "description": "nplus Prepper, used to deploy assets prior to component deployment", + "properties": { + "download": { + "default": "", + "description": "A list of URLs (Links) to Assets to download before anything else if the download is a .tar.gz, it is automatically untared to /pool/downloads", + "title": "download" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "application", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. 
The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/application", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "/pool", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "/tmp", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": 
"nodeSelector" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale Server Storage Layer*. This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "nstl", + "type": "object" + }, + "prerun": { + "default": "", + "description": "A list of scripts to run before the deployment of Apps", + "title": "prerun" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "rs": { + "additionalProperties": false, + "properties": { + "host": { + "default": "", + "description": "The dns of the *nscale rendition Server*. 
This is used to add it to the nappl configuration", + "title": "host" + } + }, + "title": "rs", + "type": "object" + }, + "run": { + "default": "", + "description": "A list of scripts to run after the deployment of Apps", + "title": "run" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-prepper", + "type": "object" + }, + "rms": { + "description": "nplus Remote Management Server incl. RMS and Access Proxy", + "properties": { + "comps": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "cmis": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "CMIS Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "cmis", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal 
-- do not change", + "properties": { + "http": { + "default": "8096", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8196", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "cmis", + "type": "object" + }, + "ilm": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "SAP ILM Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "ilm", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8297", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8397", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl 
command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "ilm", + "type": "object" + }, + "mon": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Monitoring Console", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "mon", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8387", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8388", + "description": "proxied port @internal -- do not change", + "title": "https" + }, + "tcp": { + "default": "8389", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "mon", + "type": "object" + }, + 
"nappl": { + "additionalProperties": false, + "description": "Values for the nappl component", + "properties": { + "displayName": { + "default": "Application Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nappl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8080", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8443", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nappl" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Storage Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through 
RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nstl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "3005", + "description": "proxied port @internal -- do not change", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "proxied port @internal -- do not change", + "title": "tcps" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nstl", + "type": "object" + }, + "pipeliner": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Pipeliner", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "pipeliner", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": 
"The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "4173", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "pipeliner", + "type": "object" + }, + "rs": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Rendition Server", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "rs", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8192", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8193", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": 
"replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "rs", + "type": "object" + }, + "web": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Application Layer Web", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "web", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8090", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8453", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "web", + "type": "object" + } + }, + "title": "comps", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": 
"env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "admin-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "git.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + 
"additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + 
"description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rms", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-rms/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "100Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "adminIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server.", + "title": "adminIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-rms", + "type": "object" + }, + "rmsa": { + "description": "nplus Remote Management Server incl. RMS and Access Proxy", + "properties": { + "comps": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "cmis": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "CMIS Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "cmis", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8096", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8196", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": 
"Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "cmis", + "type": "object" + }, + "ilm": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "SAP ILM Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "ilm", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8297", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8397", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "ilm", + "type": "object" + }, + "mon": { + "additionalProperties": 
false, + "properties": { + "displayName": { + "default": "Monitoring Console", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "mon", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8387", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8388", + "description": "proxied port @internal -- do not change", + "title": "https" + }, + "tcp": { + "default": "8389", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "mon", + "type": "object" + }, + "nappl": { + "additionalProperties": false, + "description": "Values for the nappl component", + "properties": { + "displayName": { + "default": "Application Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + 
"default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nappl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8080", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8443", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nappl" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Storage Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nstl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + 
}, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "3005", + "description": "proxied port @internal -- do not change", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "proxied port @internal -- do not change", + "title": "tcps" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nstl", + "type": "object" + }, + "pipeliner": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Pipeliner", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "pipeliner", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "4173", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - 
important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "pipeliner", + "type": "object" + }, + "rs": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Rendition Server", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "rs", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8192", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8193", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "rs", + "type": "object" + }, + "web": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": 
"Application Layer Web", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "web", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8090", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8453", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "web", + "type": "object" + } + }, + "title": "comps", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "admin-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "git.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display 
@internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rms", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-rms/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "100Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "adminIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server.", + "title": "adminIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-rms", + "type": "object" + }, + "rmsb": { + "description": "nplus Remote Management Server incl. RMS and Access Proxy", + "properties": { + "comps": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "cmis": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "CMIS Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}cmis.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "cmis", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8096", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8196", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": 
"Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "cmis", + "type": "object" + }, + "ilm": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "SAP ILM Connector", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}ilm.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "ilm", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8297", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8397", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "ilm", + "type": "object" + }, + "mon": { + "additionalProperties": 
false, + "properties": { + "displayName": { + "default": "Monitoring Console", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}mon.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "mon", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8387", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8388", + "description": "proxied port @internal -- do not change", + "title": "https" + }, + "tcp": { + "default": "8389", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "mon", + "type": "object" + }, + "nappl": { + "additionalProperties": false, + "description": "Values for the nappl component", + "properties": { + "displayName": { + "default": "Application Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + 
"default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nappl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8080", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8443", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nappl" + }, + "nstl": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Storage Layer", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}nstl.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "nstl", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + 
}, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "3005", + "description": "proxied port @internal -- do not change", + "title": "tcp" + }, + "tcps": { + "default": "3006", + "description": "proxied port @internal -- do not change", + "title": "tcps" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "nstl", + "type": "object" + }, + "pipeliner": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Pipeliner", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}pipeliner.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "pipeliner", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "tcp": { + "default": "4173", + "description": "proxied port @internal -- do not change", + "title": "tcp" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "StatefulSet", + "description": "The type of the replicaSet - 
important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "pipeliner", + "type": "object" + }, + "rs": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": "Rendition Server", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}rs.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "rs", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8192", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8193", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "rs", + "type": "object" + }, + "web": { + "additionalProperties": false, + "properties": { + "displayName": { + "default": 
"Application Layer Web", + "description": "The displayName name of the component as it appears in the RMS Server Properties @internal -- do not change", + "title": "displayName" + }, + "enabled": { + "default": "false", + "description": "Toggles if this component should be available through RMS", + "title": "enabled" + }, + "host": { + "default": "{{ .component.prefix }}web.{{ .Release.Namespace }}.svc.cluster.local", + "description": "The host, where this component runs", + "title": "host" + }, + "name": { + "default": "web", + "description": "The internal name of the component @internal -- do not change", + "title": "name" + }, + "ports": { + "additionalProperties": false, + "description": "The ports exposed by the L4 Load Balancer / Reverse Proxy @internal -- do not change", + "properties": { + "http": { + "default": "8090", + "description": "proxied port @internal -- do not change", + "title": "http" + }, + "https": { + "default": "8453", + "description": "proxied port @internal -- do not change", + "title": "https" + } + }, + "title": "ports" + }, + "replicaSetType": { + "default": "Deployment", + "description": "The type of the replicaSet - important for the kubectl command @internal -- do not change", + "title": "replicaSetType" + }, + "restartReplicas": { + "default": "1", + "description": "The amount of replicas to set when starting through the *nscale Administrator* client", + "title": "restartReplicas" + } + }, + "title": "web", + "type": "object" + } + }, + "title": "comps", + "type": "object" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "admin-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "git.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1200", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display 
@internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. 
This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rms", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. 
If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-rms/log", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "100Mi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "the replicaCount for the Storage Layer. This does not make sense, so leave this at 1 at any time, unless you know exactly what you are doing. @ignore", + "title": "replicaCount" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "cni": { + "additionalProperties": false, + "properties": { + "adminIpRange": { + "default": "", + "description": "defines the IP Range of out-of-cluster Administrator Workplaces that are allowed to access the RMS Server.", + "title": "adminIpRange" + } + }, + "title": "cni", + "type": "object" + }, + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal 
dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-component-rms", + "type": "object" + }, + "rs": { + "description": "nscale Rendition Server, providing means to format-convert common file types", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "rendition-server", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1301.2024121910", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "false", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8192", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8193", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "rendition-server", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "rs", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + 
"additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "/usr/share/fonts/truetype/nplus", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/conf/license.xml", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-rendition-server/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "10Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-rs", + "type": "object" + }, + "sharepoint": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until official 
release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "sharepointa": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until 
official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "sharepointb": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until 
official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "sharepointc": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until 
official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "sharepointd": { + "description": "nscale SharePoint Connector, providing SP archiving to the Instance", + "properties": { + "clusterService": { + "additionalProperties": false, + "properties": { + "contextPath": { + "default": "", + "description": "set the contextPath (url) for the SharePoint Cluster Service (for GET requests to a group of sharepoint instances)", + "title": "contextPath" + }, + "enabled": { + "default": false, + "title": "enabled", + "type": "boolean" + } + }, + "title": "clusterService", + "type": "object" + }, + "connector": { + "additionalProperties": false, + "properties": { + "cTagPropertyName": { + "default": "cTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "cTagPropertyName" + }, + "eTagPropertyName": { + "default": "eTag", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "eTagPropertyName" + }, + "idPropertyName": { + "default": "sharePointId", + "description": "Documentation pending until 
official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "idPropertyName" + }, + "listItemIdPropertyName": { + "default": "SharePointListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "listItemIdPropertyName" + }, + "nscaleExpirationPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleExpirationPropertyName" + }, + "nscaleGdprRelevantPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleGdprRelevantPropertyName" + }, + "nscaleLegalHidePropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHidePropertyName" + }, + "nscaleLegalHoldPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleLegalHoldPropertyName" + }, + "nscaleRetentionPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "nscaleRetentionPropertyName" + }, + "parentIdPropertyName": { + "default": "sharePointParentId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "parentIdPropertyName" + }, + "sharePointChangeTokenPropertyName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointChangeTokenPropertyName" + }, + "sharePointCreatedPropertyName": { + "default": "SharePointCreated", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": 
"sharePointCreatedPropertyName" + }, + "sharePointCreatorPropertyName": { + "default": "SharePointCreator", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointCreatorPropertyName" + }, + "sharePointEditedPropertyName": { + "default": "SharePointLastModified", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditedPropertyName" + }, + "sharePointEditorPropertyName": { + "default": "SharePointEditor", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "sharePointEditorPropertyName" + }, + "stubIdPropertyName": { + "default": "SharePointStubId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubIdPropertyName" + }, + "stubListItemIdPropertyName": { + "default": "SharePointStubListItemId", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "stubListItemIdPropertyName" + }, + "webUrlPropertyName": { + "default": "sharePointWebUrl", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUrlPropertyName" + } + }, + "title": "connector", + "type": "object" + }, + "doInitialCrawl": { + "default": "false", + "description": "toggle initial crawling. This value is mandatory.", + "title": "doInitialCrawl" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. 
It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "sharepoint-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.2.1400.2024073012", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 
7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_spc", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "management": { + "additionalProperties": false, + "properties": { + "port": { + "default": "18098", + "description": "see mail from Manuel, 30.7.2024", + "title": "port" + }, + "security": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "security" + }, + "ssl": { + "default": "false", + "description": "see mail from Manuel, 30.7.2024", + "title": "ssl" + } + }, + "title": "management", + "type": "object" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8098", + "description": "The http port this component uses (if any). 
In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8498", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "sharepoint-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. 
(see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "sharepoint", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "description": "Sets the path to the component certs. @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/sharepoint-connector/bin/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "baseFolder": { + "default": "", + "description": "The base folder, this component should write to", + "title": "baseFolder" + }, + "docArea": { + "default": "", + "description": "The document area, this component should write to", + "title": "docArea" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the 
credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "parallelRequests": { + "default": "5", + "description": "amount of parallel requests", + "title": "parallelRequests" + }, + "replicaCount": { + "default": "1", + "description": "this is fix to 1 @ignore", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. 
This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "sharepoint": { + "additionalProperties": false, + "properties": { + "clientCertPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientCertPw" + }, + "clientId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "clientId" + }, + "doCheckOut": { + "default": "false", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "doCheckOut" + }, + "secret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "secret" + }, + "serviceBusConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale 
SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusConnectionString" + }, + "serviceBusQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusQueueName" + }, + "serviceBusRetentionConnectionString": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionConnectionString" + }, + "serviceBusRetentionQueueName": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusRetentionQueueName" + }, + "serviceBusTopicNameConfigUpdate": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "serviceBusTopicNameConfigUpdate" + }, + "spHost": { + "default": "https://example.com", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "spHost" + }, + "tenantId": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "tenantId" + }, + "triggerProperty": { + "default": "toBeArchived", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "triggerProperty" + }, + "webUserPw": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "webUserPw" + } + }, + "title": "sharepoint", + "type": "object" + }, + "ssl": { + "additionalProperties": false, + "properties": { + "keyAlias": { + "default": "https", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyAlias" + }, + "keyPassword": { + "default": "secret", + 
"description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keyPassword" + }, + "keystore": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystore" + }, + "keystorePassword": { + "default": "secret", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystorePassword" + }, + "keystoreSecret": { + "default": "", + "description": "Documentation pending until official release of *nscale SharePoint Connector* by *Ceyoniq*", + "title": "keystoreSecret" + } + }, + "title": "ssl", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific 
timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-sharepoint", + "type": "object" + }, + "toolbox": { + "description": "Installs the environment toolbox with git and nstore downloader installed, also serving as target for pool copy actions in the pipeline", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "toolbox2", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "cr.nplus.cloud/subscription", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "1.2.1300", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "meta": { + "additionalProperties": false, + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "", + "description": "Sets the language of the main service (in the *service* container). 
This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. @internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. 
This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "envtoolbox", + "description": "the type of the component. You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta", + "type": "object" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. 
This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "nstoreDownloader": { + "additionalProperties": false, + "description": "yaml-language-server: $schema=values.schema.json", + "properties": { + "enabled": { + "default": "false", + "description": "enables the nstore downloader", + "title": "enabled" + }, + "nstore": { + "default": "`https://nstore.ceyoniq.com...`", + "description": "set the nstore URL", + "title": "nstore" + }, + "target": { + "default": "pool/nstore", + "description": "target directory in the conf pv", + "title": "target" + } + }, + "title": "nstoreDownloader", + "type": "object" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "1", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "512Mi", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "1m", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "64Mi", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", 
+ "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + } + }, + "title": "nplus-environment-toolbox", + "type": "object" + }, + "web": { + "description": "nscale Web, providing a modern Web UI to nscale users", + "properties": { + "authType": { + "default": "", + "description": "Set the authentication type login, basic, negotiate, implicit ntlmv2, kerberos", + "title": "authType" + }, + "customizingMode": { + "default": "", + "description": "If this setting is enabled, layouts will update immediately when changes are made. It is no longer necessary to re-register or restart the service. If this setting is not activated, the automatic update of the metamodel is turned off. We recommend not using this setting in productive systems because it reduces system performance.", + "title": "customizingMode" + }, + "disableUsernamePassword": { + "default": "", + "description": "surpresses the login dialog", + "title": "disableUsernamePassword" + }, + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "application-layer-web", + "description": "the name of the image to use", + "title": "name" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1300.2024121620", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "immediateFederatedLogin": { + "default": "", + "description": "directly log in via identity providers", + "title": "immediateFederatedLogin" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + 
"backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/nscale_web", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "XtConLoadBalancerSession", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8090", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8453", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "web-client", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "web", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "metamodelMode": { + "default": "", + "description": "Refreshes the metamodel mode", + "title": "metamodelMode" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer-web/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "defaultConfig": { + "default": "{{ .component.fullName }}-defaultconfig", + "description": "Sets a configMap with default configuration files that get copied to a new and empty container just before the template folder gets copied. 
Existing files are not overwritten.", + "title": "defaultConfig" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the 
size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. 
The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "medium": { + "default": "", + "description": "the medium for the emptyDisk volume if you unset it, it drops it from the manifest", + "title": "medium" + }, + "path": { + "default": "/opt/ceyoniq/nscale-server/application-layer-web/apache/logs/", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "5Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. 
it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + 
"title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + "default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "oauthDomains": { + "default": "", + "description": "OAuth nscale domains", + "title": "oauthDomains" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. 
This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "sameSite": { + "default": "", + "description": "nscale SameSite Cookie Header", + "title": "sameSite" + }, + "samlDomains": { + "default": "", + "description": "SAML nscale domains", + "title": "samlDomains" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. 
This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. 
*type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "smartCrossgrade": { + "default": "", + "description": "Enable Crossgrade for Smart Layouts", + "title": "smartCrossgrade" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + "terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. 
Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. 
This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-web", + "type": "object" + }, + "webdav": { + "description": "nscale WebDAV Connector, providing a standard WebDAV interface to the Instance", + "properties": { + "env": { + "default": "", + "description": "Sets additional environment variables for the configuration.", + "title": "env" + }, + "envMap": { + "default": "", + "description": "Sets the name of a configMap, which holds additional environment variables for the configuration. It is added as envFrom configMap to the container.", + "title": "envMap" + }, + "envSecret": { + "default": "", + "description": "Sets the name of a secret, which holds additional environment variables for the configuration. 
It is added as envFrom secretRef to the container.", + "title": "envSecret" + }, + "fullnameOverride": { + "default": "", + "description": "This overrides the output of the internal fullname function", + "title": "fullnameOverride" + }, + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + }, + "globals": { + "description": "nplus Global Functions Library Chart", + "properties": { + "global": { + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "title": "global", + "type": "object" + } + }, + "title": "nplus-globals", + "type": "object" + }, + "image": { + "additionalProperties": false, + "description": "provide the image to be used for this component", + "properties": { + "name": { + "default": "webdav-connector", + "description": "the name of the image to use", + "title": "name" + }, + "pullPolicy": { + "default": "IfNotPresent", + "title": "pullPolicy", + "type": "string" + }, + "pullSecrets": { + "description": "you can provide your own pullSecrets, in case you use a private repo.", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "pullSecrets" + }, + "repo": { + "default": "ceyoniq.azurecr.io/release/nscale", + "description": "if you use a private repo, feel free to set it here", + "title": "repo" + }, + "tag": { + "default": "ubi.9.3.1000.2024091609", + "description": "the tag of the image to use", + "title": "tag" + } + }, + "title": "image" + }, + "ingress": { + "additionalProperties": false, + "description": "Ingress defines wether this component is reachable via an ingress controller, Layer 7, through http(s)", + "properties": { + "annotations": { + "default": "", + "description": "Adds extra Annotations to the ingress", + "title": "annotations" + }, + "backendProtocol": { + "default": "`http`
`https` in zero trust mode", + "description": "Overrides the default backend protocol. The default is http, unless in zeroTrust Mode, then it is switched to https automatically.", + "title": "backendProtocol" + }, + "class": { + "default": "`public`", + "description": "The ingressclass to use for this ingress. Most likely, this is provided globally by the instance, but you are free to override it here if this component should use a different class e.g. if you have separated ingress controllers, like a public and an internal one", + "title": "class" + }, + "contextPath": { + "default": "/dav", + "description": "The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for the most though this is only a constant used in the scripts.", + "title": "contextPath" + }, + "cookie": { + "default": "", + "description": "on component level, set cookie affinity for the ingress example: `XtConLoadBalancerSession` for nscale Web", + "title": "cookie" + }, + "deny": { + "default": "", + "description": "deny is used to exclude specific paths from public access, such as administrative paths. For Example, in nappl, webc ist the hessian protocol, webb is the burlap protocol. The configuration service is the endpoint used by the Admin client.", + "title": "deny" + }, + "domain": { + "default": "", + "description": "Sets the domain to be used. This domain should be provided by the instance globally for all components, but you are free to override it here", + "title": "domain" + }, + "enabled": { + "default": "true", + "description": "You can toggle the ingress on wether you'd like this component to be reachable through an ingress or not.", + "title": "enabled" + }, + "inputPath": { + "default": "", + "description": "defines the path for a potential rewriting to `rewriteTarget`. 
Do not change unless you have a good reason Example: `/nscalealinst1(/\\|$)(.*)` @internal -- This is an alpha feature - do not use it.", + "title": "inputPath" + }, + "namespace": { + "default": "\"ingress, kube-system, ingress-nginx\"", + "description": "Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy to allow traffic from this namespace to our pods. This may be a comma separated list", + "title": "namespace" + }, + "proxyReadTimeout": { + "default": "", + "description": "Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.", + "title": "proxyReadTimeout" + }, + "rewriteTarget": { + "default": "", + "description": "defines a rewriteTarget for a potential retriting of `inputPath`. Do not change unless you have a good reason Example: `/nscalealinst1/$2` @internal -- This is an alpha feature - do not use it.", + "title": "rewriteTarget" + }, + "secret": { + "default": "`{{ .this.ingress.domain }}-tls`", + "description": "Sets the name of the tls secret to be used for this ingress, that contains the private and public key. These secrets can optionally be provided by the instance", + "title": "secret" + }, + "whitelist": { + "default": "", + "description": "optionally sets a whitelist of ip ranges (CIDR format, comma separated) from which ingress is allowed. This is an annotation for nginx, so won't work with other ingress controllers", + "title": "whitelist" + } + }, + "title": "ingress" + }, + "javaOpts": { + "additionalProperties": false, + "description": "Options for the Java VM", + "properties": { + "javaMaxMem": { + "default": "", + "description": "set the maximum memory, java will consume. Attention: This is NOT the real maximum and it does not include any non Java memory. 
Please read google, as this is highly discussed", + "title": "javaMaxMem" + }, + "javaMaxRamPercentage": { + "default": "", + "description": "set the percentage of RAM, Java will use of the total. The total amount is the amount installed in the K8s Cluster Node, OR the Memory Limit set (see resources), if any.", + "title": "javaMaxRamPercentage" + }, + "javaMinMem": { + "default": "", + "description": "set the minimum memory, java will consume", + "title": "javaMinMem" + }, + "javaMisc": { + "default": "", + "description": "Any misc Java Options that need to be passed to the container", + "title": "javaMisc" + } + }, + "title": "javaOpts" + }, + "meta": { + "additionalProperties": false, + "description": "defines internal constants for nplus. do not change these values", + "properties": { + "componentVersion": { + "default": "", + "description": "This is the version of the component, used for display @internal -- set by devOps pipeline, so do not modify", + "title": "componentVersion" + }, + "language": { + "default": "java", + "description": "Sets the language of the main service (in the *service* container). This is used for instance if you turn OpenTelemetry on, to know which Agent to inject into the container.", + "title": "language" + }, + "ports": { + "additionalProperties": false, + "description": "lists the ports this component exposes. This is important for zero trust mode and others.", + "properties": { + "http": { + "default": "8088", + "description": "The http port this component uses (if any). In zero trust mode, this will be disabled. 
@internal -- this is a constant value of the component and should not be changed.", + "title": "http" + }, + "https": { + "default": "8488", + "description": "The tls / https port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "https" + }, + "rmi": { + "default": "", + "description": "A potential rmi port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "rmi" + }, + "tcp": { + "default": "", + "description": "A potential tcp port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcp" + }, + "tcps": { + "default": "", + "description": "A potential tls / tcps port, this component uses (if any) @internal -- this is a constant value of the component and should not be changed.", + "title": "tcps" + } + }, + "title": "ports" + }, + "provider": { + "default": "", + "description": "sets provider (partner, reseller) information to be able to invoice per use in a cloud environment", + "title": "provider" + }, + "serviceContainer": { + "default": "webdav-connector", + "description": "The container name of the main service for this component. This is used to define where to inject the telemetry agents, if any", + "title": "serviceContainer" + }, + "stage": { + "default": "", + "description": "A optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment runs in. This can be used in template functions to add the stage to for instance the service name of telemetry services like open telemetry. (see telemetry example)", + "title": "stage" + }, + "tenant": { + "default": "", + "description": "sets tenant information to be able to invoice per use in a cloud environment", + "title": "tenant" + }, + "type": { + "default": "webdav", + "description": "the type of the component. 
You should not change this value, except if you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner* This type is used to create cluster communication for nappl and nstl and potentially group multiple replicaSets into one service.", + "title": "type" + }, + "wave": { + "default": "", + "description": "Sets the wave in which this component should be deployed within an ArgoCD deployment if unset, it uses the default wave thus all components are installed in one wave, then relying on correct wait settings just like in a helm installation", + "title": "wave" + } + }, + "title": "meta" + }, + "minReplicaCount": { + "default": "", + "description": "if you set minReplicaCount, a podDesruptionBudget will be created with this value as minAvailable, using the full component as selector. This is useful for components, that are using multiple replicas.", + "title": "minReplicaCount" + }, + "minReplicaCountType": { + "default": "", + "description": "if you set minReplicaCountType, a podDesruptionBudget will be created with this value as minAvailable, using the component type as selector. This is useful for components, that are spread across multiple replicaSets, like sharepoint or storage layer", + "title": "minReplicaCountType" + }, + "mounts": { + "additionalProperties": false, + "properties": { + "caCerts": { + "additionalProperties": false, + "description": "You can add a file with trusted Root Certificates (e.g. Azure), to be able to connect to alien services via https. If you have a self-signed root certificate, you can also add it here.", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the certs folder. 
@internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "caCerts" + }, + "componentCerts": { + "additionalProperties": false, + "description": "the java based nscale components have their own certificates, that you might want to upload. You can normally do so via the environment configuration, but should you want to use a secret, you can set it here", + "properties": { + "configMap": { + "default": "", + "description": "Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting", + "title": "configMap" + }, + "paths": { + "default": "", + "description": "Sets the path to the component certs. @internal -- do not change this value", + "title": "paths" + }, + "secret": { + "default": "", + "description": "Alternative 1: the name of the secret to use. 
The Key has to be the File Name used in the path setting", + "title": "secret" + } + }, + "title": "componentCerts" + }, + "conf": { + "additionalProperties": false, + "description": "The conf volume is a RWX volume mounted by the environment, that holds all configurations of all instances and components in this environment", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-webdav/conf", + "description": "Sets the path to the conf files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the conf files @internal -- do not change this value", + "title": "paths" + } + }, + "title": "conf" + }, + "data": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the data disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the data files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the data disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "data", + "type": "object" + }, + "disk": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the disk", + "title": "class" + }, + "enabled": { + "default": "false", + "description": "enables the use of the second data disk. If enabled, all paths defined will end up on this disk. 
In case of the (default) disabled, the paths will be added to the primaty data disk.", + "title": "enabled" + }, + "migration": { + "default": "false", + "description": "Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk. This is done only once and only if there is legacy data at all. No files are overwritten!", + "title": "migration" + }, + "path": { + "default": "", + "description": "Sets the path to the disk files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the data files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "disk", + "type": "object" + }, + "file": { + "additionalProperties": false, + "properties": { + "class": { + "default": "", + "description": "Sets the class of the shared disk", + "title": "class" + }, + "path": { + "default": "", + "description": "Sets the path to the shared files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the shared files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "", + "description": "Sets the size of the shared disk", + "title": "size" + }, + "volumeName": { + "default": "", + "description": "If you do not want to have a Volume created by the provisioner, you can set the name of your volume here to attach to this pre-existing one", + "title": "volumeName" + } + }, + "title": "file", + "type": "object" + }, + "fonts": { + "additionalProperties": false, + "description": "If 
you want to use additional fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the fonts directory from the environment pool", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the fonts folder. @internal -- do not change this value", + "title": "path" + } + }, + "title": "fonts" + }, + "generic": { + "default": "", + "description": "Allows to define generic mounts of pre-provisioned PVs into any container. This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.", + "title": "generic" + }, + "license": { + "additionalProperties": false, + "description": "some nscale Components require a license file and this defines it's location", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the license files @internal -- do not change this value", + "title": "path" + } + }, + "title": "license" + }, + "logs": { + "additionalProperties": false, + "description": "The log volume is used to take any left-over logging in the container. The container should log to stdout, but if any component still tries to log to disk this disk needs to be writeable", + "properties": { + "path": { + "default": "/opt/ceyoniq/nscale-webdav/logs", + "description": "Sets the path to the log files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths to the log files @internal -- do not change this value", + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the log disk (all paths)", + "title": "size" + } + }, + "title": "logs" + }, + "pool": { + "additionalProperties": false, + "properties": { + "path": { + "default": "", + "description": "Sets the path to a directory, there the `pool` folder from the `conf` volume should be mounted. 
this is used to store scripts, apps and assets that are required to deploy an application / solution @internal -- do not change this value", + "title": "path" + } + }, + "title": "pool", + "type": "object" + }, + "ptemp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path for temporary files that are persisted @internal -- do not change this value", + "title": "path" + }, + "paths": { + "default": "", + "description": "Sets a list of paths for temporary files that are persisted @internal -- do not change this value", + "title": "paths" + } + }, + "title": "ptemp" + }, + "temp": { + "additionalProperties": false, + "description": "The temp volume is used to hold any superflues and temporary data. it is deleted when the pod terminates. 
However, it is extremely important as all pods filesystems are read only", + "properties": { + "path": { + "default": "", + "description": "Sets the path to the temporary files @internal -- do not change this value", + "title": "path" + }, + "paths": { + "description": "Sets a list of paths to the temporary files @internal -- do not change this value", + "items": { + "anyOf": [ + { + "type": "string" + }, + { + "type": "string" + }, + { + "type": "string" + } + ] + }, + "title": "paths" + }, + "size": { + "default": "1Gi", + "description": "Sets the size of the temporary disk (all paths)", + "title": "size" + } + }, + "title": "temp" + } + }, + "title": "mounts", + "type": "object" + }, + "nameOverride": { + "default": "", + "description": "This overrides the output of the internal name function", + "title": "nameOverride" + }, + "nappl": { + "additionalProperties": false, + "description": "The nscale Application Layer, this component should talk to", + "properties": { + "account": { + "default": "", + "description": "The technical account to login with", + "title": "account" + }, + "domain": { + "default": "", + "description": "The domain of the technical account", + "title": "domain" + }, + "host": { + "default": "", + "description": "nappl host name", + "title": "host" + }, + "instance": { + "default": "", + "description": "instance of the Application Layer, likely `instance1`", + "title": "instance" + }, + "password": { + "default": "", + "description": "The password of the technical accunt (if not set by secret)", + "title": "password" + }, + "port": { + "default": "", + "description": "nappl port (http 8080 or https 8443)", + "title": "port" + }, + "secret": { + "default": "", + "description": "An optional secret that holds the credentials (the keys must be `account` and `password`)", + "title": "secret" + }, + "ssl": { + "default": "", + "description": "sets the Advanced Connect to tls", + "title": "ssl" + } + }, + "title": "nappl" + }, + "nodeSelector": { + 
"default": "", + "description": "select specific nodes for this component", + "title": "nodeSelector" + }, + "replicaCount": { + "default": "1", + "description": "Sets the number of replicas in this replicaSet. Some Components (like nstl or sharepoint) only allow a count of 1.", + "title": "replicaCount" + }, + "resources": { + "additionalProperties": false, + "description": "Assigns hardware resources to container", + "properties": { + "limits": { + "additionalProperties": false, + "description": "Limits the maximum resources", + "properties": { + "cpu": { + "default": "", + "description": "The maximum allowed CPU for the container", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "The maximum allowed RAM for the container", + "title": "memory" + } + }, + "title": "limits" + }, + "requests": { + "additionalProperties": false, + "description": "Requests are used to assign a minimum to a container. This is the guaranteed amount", + "properties": { + "cpu": { + "default": "", + "description": "Set the share of guaranteed CPU to the container.", + "title": "cpu" + }, + "memory": { + "default": "", + "description": "Set the share of guaranteed RAM to the container", + "title": "memory" + } + }, + "title": "requests" + } + }, + "title": "resources" + }, + "security": { + "additionalProperties": false, + "description": "Security Section defining default runtime environment for your container", + "properties": { + "containerSecurityContext": { + "additionalProperties": false, + "properties": { + "allowPrivilegeEscalation": { + "default": "false", + "description": "Some functionality may need the possibility to allow privilege escalation. This should be very restrictive @internal -- you should not change this", + "title": "allowPrivilegeEscalation" + }, + "capabilities": { + "additionalProperties": false, + "description": "Capabilities this container should have. 
Only allow the necessity, and drop as many as possible @internal -- you should not change this", + "properties": { + "drop": { + "items": { + "anyOf": [ + { + "type": "string" + } + ] + }, + "title": "drop", + "type": "array" + } + }, + "title": "capabilities" + }, + "readOnlyRootFilesystem": { + "default": "true", + "description": "sets the container root file system to read only. This should be the case in production environment @internal -- you should not change this", + "title": "readOnlyRootFilesystem" + } + }, + "title": "containerSecurityContext", + "type": "object" + }, + "podSecurityContext": { + "additionalProperties": false, + "properties": { + "fsGroup": { + "default": "1001", + "description": "The file system group as which new files are created @internal -- there is normally no need to change this", + "title": "fsGroup" + }, + "fsGroupChangePolicy": { + "default": "OnRootMismatch", + "description": "Under which condition should the fsGroup be changed @internal -- there is normally no need to change this", + "title": "fsGroupChangePolicy" + }, + "runAsUser": { + "default": "1001", + "description": "The user under which the container ist run. Avoid 0 / root. 
The container should run in a non-root context for security @internal -- there is normally no need to change this", + "title": "runAsUser" + } + }, + "title": "podSecurityContext", + "type": "object" + }, + "zeroTrust": { + "default": "`false`", + "description": "turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes", + "title": "zeroTrust" + } + }, + "title": "security" + }, + "service": { + "additionalProperties": false, + "properties": { + "annotations": { + "default": "", + "description": "adds extra Annotations to the service", + "title": "annotations" + }, + "enabled": { + "default": "true", + "description": "enables the service to be consumed by group components and a potential ingress Disabling the service also disables the ingress.", + "title": "enabled" + }, + "selector": { + "default": "component", + "description": "The selector can be `component` or `type` *component* selects only pods that are in the replicaset. *type* selects any pod that has the given type", + "title": "selector" + } + }, + "title": "service", + "type": "object" + }, + "telemetry": { + "additionalProperties": false, + "description": "Settings for telemetry tools", + "properties": { + "openTelemetry": { + "default": "", + "description": "turns Open Telemetry on", + "title": "openTelemetry" + }, + "serviceName": { + "default": "", + "description": "Sets the service name for the telemetry service to more convenient identify the displayed component Example: \"{{ .this.meta.type }}-{{ .instance.name }}\"", + "title": "serviceName" + } + }, + "title": "telemetry" + }, + "template": { + "additionalProperties": false, + "description": "provide extra settings for pod templates", + "properties": { + "annotations": { + "default": "", + "description": "set additional annotations for pods", + "title": "annotations" + }, + "labels": { + "default": "", + "description": "set additional labels for pods", + "title": "labels" + } + }, + "title": "template" + }, + 
"terminationGracePeriodSeconds": { + "default": "", + "description": "Sets the terminationGracePeriodSeconds for the component If not set, it uses the Kubernetes defaults", + "title": "terminationGracePeriodSeconds" + }, + "timezone": { + "default": "`Europe/Berlin`", + "description": "set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl) etc.", + "title": "timezone" + }, + "tolerations": { + "default": "", + "description": "Set tolerations for this component", + "title": "tolerations" + }, + "updateStrategy": { + "default": "", + "description": "the update Strategy for this component. Normally, you can update all components rolling, except for nappl, where you need to follow the documented update procedures.", + "title": "updateStrategy" + }, + "utils": { + "additionalProperties": false, + "properties": { + "debug": { + "default": "`false`", + "description": "Turn debugging *on* will give you stack trace etc. Please check out the Chart Developer Guide", + "title": "debug" + }, + "disableWait": { + "default": "`false`", + "description": "in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are only started after pre-requisites are fulfilled. You can disable the starndard wait mechanism, but at your own risk, as this might start components even if they are not intended to run yet.", + "title": "disableWait" + }, + "disableWave": { + "default": "`false`", + "description": "If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components while previous waves are not finished yet.", + "title": "disableWave" + }, + "includeNamespace": { + "default": "`true`", + "description": "By default, the namespace is rendered into the manifest. 
However, if you want to use `helm template` and store manifests for later applying them to multiple namespaces, you might want to turn this `false` to be able to use `kubectl apply -n -f template.yaml` later", + "title": "includeNamespace" + }, + "maintenance": { + "default": "`false`", + "description": "in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the pods will start in idle, not starting the service at all. This will allow you to gain access to the container to perform recovery and maintenance tasks while having the real container up.", + "title": "maintenance" + }, + "renderComments": { + "default": "`true`", + "description": "You can turn Comment rendering *on* to get descriptive information inside the manifests. It will also fail on depricated functions and keys, so it is recommended to only switch it off in PROD", + "title": "renderComments" + } + }, + "title": "utils", + "type": "object" + }, + "waitFor": { + "default": "", + "description": "Defines a list of conditions that need to be met before this components starts. The condition must be a network port that opens, when the master component is ready. Mostly, this will be a service, since a component is only added to a service if the probes succeed.", + "title": "waitFor" + } + }, + "title": "nplus-component-webdav", + "type": "object" + } + }, + "title": "nplus-instance", + "type": "object" + } + }, + "type": "object" +} diff --git a/samples/chart/tenant/values.yaml b/samples/chart/tenant/values.yaml new file mode 100644 index 0000000..9e958d7 --- /dev/null +++ b/samples/chart/tenant/values.yaml @@ -0,0 +1,10 @@ +# yaml-language-server: $schema=values.schema.json +instance: + components: + application: true + application: + docAreas: + - id: "Sample" +global: + ingress: + domain: "{{ .instance.group | default .Release.Name }}.sample.nplus.cloud" diff --git a/samples/cluster/README.md b/samples/cluster/README.md new file mode 100644 index 0000000..c82791f 
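Review bot: In samples/chart/tenant/values.schema.json, the hardening keys under `security` (`allowPrivilegeEscalation`, `readOnlyRootFilesystem`, `runAsUser`, `fsGroup`, `zeroTrust`) declare only `default`, `description` and `title`, with no `type`, so the schema accepts any value for them and will not catch a string where a boolean or integer is meant. Add `"type": "boolean"` or `"type": "integer"` to each, and write the defaults as real JSON values instead of the strings `"false"`, `"1001"` and "`false`" (the backtick-quoted form is also inconsistent with the unquoted one used next to it). In the same file, `nappl.password` allows the technical account's password to be given in plain values while `nappl.secret` already exists, so the description should say that the secret is the preferred route. The `anyOf` lists under `pullSecrets` and `temp.paths` repeat `{ "type": "string" }` and can be reduced to a single `"type": "string"` item. The `includeNamespace` description quotes `kubectl apply -n -f template.yaml` without a namespace argument after `-n`. Several descriptions have typos worth fixing before this is published: "accunt", "starndard", "depricated", "podDesruptionBudget", "primaty", "retriting".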
--- /dev/null +++ b/samples/cluster/README.md 
@@ -0,0 +1,57 @@ +# Preparing the K8s Cluster + +*nplus* Charts bring some custom resources, *Application*, *Instance* and *Component*. they are created during deployment of a chart and then updated by the environment operator every time the status changes. + +To make this work, you will need to have the *Custom Resource Definitions* applied to your cluster prior to deploying any environment or component. This deployment is handled by the *Cluster Chart*. + +```bash +helm install nplus/nplus-cluster +``` + +The *CRDs* are grouped into *nscale* and *nplus* (both synonym), so that you can either query for + +```bash +kubectl get instance +kubectl get component +kubectl get application +``` + +or simply all at once with + +```bash +kubectl get nscale -A +``` + +the output looks like this (shortened output, showing the installed samples): + +```bash +$ kubectl get nscale -A +NAMESPACE NAME INSTANCE COMPONENT TYPE VERSION STATUS +empty-sim component.nplus.cloud/database empty-sim database database 16 healthy +empty-sim component.nplus.cloud/nappl empty-sim nappl core 9.2.1302 healthy +lab component.nplus.cloud/demo-centralservices-s3-nstl demo-centralservices-s3 nstl nstl 9.2.1302 healthy +lab component.nplus.cloud/demo-ha-web demo-ha web web 9.2.1300 redundant +lab component.nplus.cloud/demo-ha-webdav demo-ha webdav webdav 9.2.1000 redundant +lab component.nplus.cloud/demo-ha-zerotrust-administrator demo-ha-zerotrust administrator administrator 9.2.1300 healthy +lab component.nplus.cloud/no-provisioner-nstl no-provisioner nstl nstl 9.2.1302 healthy +lab component.nplus.cloud/no-provisioner-rs no-provisioner rs rs 9.2.1201 starting +lab component.nplus.cloud/no-provisioner-web no-provisioner web web 9.2.1300 healthy +lab component.nplus.cloud/sbs-nappl sbs nappl core 9.2.1302 healthy + +NAMESPACE NAME INSTANCE APPLICATION VERSION STATUS +empty-sim application.nplus.cloud/application empty-sim application 9.2.1303-123 healthy +empty-sim application.nplus.cloud/prepper 
empty-sim prepper 1.2.1300 healthy +lab application.nplus.cloud/demo-ha-zerotrust-application demo-ha-zerotrust application 9.2.1303-123 healthy +lab application.nplus.cloud/demo-shared-application demo-shared application 9.2.1303-123 healthy +lab application.nplus.cloud/sbs-sbs sbs SBS 9.2.1303-123 healthy +lab application.nplus.cloud/tenant-application tenant application 9.2.1303-123 healthy + +NAMESPACE NAME HANDLER VERSION TENANT STATUS +empty-sim instance.nplus.cloud/empty-sim manual 9.2.1302 healthy +lab instance.nplus.cloud/default manual 9.2.1302 healthy +lab instance.nplus.cloud/demo-centralservices manual 9.2.1302 healthy +lab instance.nplus.cloud/rms manual 9.2.1302 healthy +lab instance.nplus.cloud/sbs manual 9.2.1302 healthy +lab instance.nplus.cloud/tenant manual 9.2.1302 healthy +``` + diff --git a/samples/cluster/build.sh b/samples/cluster/build.sh new file mode 100755 index 0000000..3e9de0d --- /dev/null +++ b/samples/cluster/build.sh 
@@ -0,0 +1,36 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The name of the sample +SAMPLE=cluster + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/$SAMPLE" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/$SAMPLE not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Output what is happening +echo "Building $SAMPLE" + +# Create the manifest +mkdir -p $DEST/cluster +helm template --debug \ + nplus $CHARTS/cluster > $DEST/cluster/nplus.yaml diff --git a/samples/default/README.md b/samples/default/README.md new file mode 100644 index 0000000..abf42f8 --- /dev/null +++ b/samples/default/README.md @@ -0,0 +1 @@ +This is the most simple example: It renders a default instance wihout any values at all. diff --git a/samples/default/build.sh b/samples/default/build.sh new file mode 100755 index 0000000..4c632f3 --- /dev/null +++ b/samples/default/build.sh 
@@ -0,0 +1,38 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +SAMPLE="default" +NAME="sample-$SAMPLE" + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + $NAME $CHARTS/instance > $DEST/instance/default.yaml diff --git a/samples/detached/README.md b/samples/detached/README.md new file mode 100644 index 0000000..f4b1ae8 --- /dev/null +++ b/samples/detached/README.md 
@@ -0,0 +1,55 @@ +# Using detached applications + +All the other samples use an application that is deployed **inside of an instance**. However, you can also deploy an application **detached** from the instance as a solo chart. + +The reason for this is, that you + +- can update the instance without running the application update +- update the application without touching the instance +- have multiple applications deployed within one instance + +There are two major things you need to do: + +1. make sure the application charts sets the instance name of the instance, it should connect to +2. take the default values of the application match the ones it would get by an instance deployment + +This is a sample: (find the complete one in the [application.yaml](application.yaml)) + +```yaml +nameOverride: SBS +docAreas: + - id: "SBS" + name: "DocArea with SBS" + description: "This is a sample DocArea with the SBS Apps installed" + apps: + ... + +instance: + # this is the name of the instance, it should belong to + name: "sample-detached" + +# make sure it can wait for the nappl of the instance to be ready, before it deploys. +waitImage: + repo: cr.nplus.cloud/subscription + name: toolbox2 + tag: 1.2.1300 + pullPolicy: IfNotPresent +waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + +# Now we define where and what to deploy +nappl: + host: "{{ .component.prefix }}nappl.{{ .Release.Namespace }}" + port: 8080 + ssl: false + instance: "nscalealinst1" + account: admin + domain: nscale + password: admin + secret: +nstl: + host: "{{ .component.prefix }}nstl.{{ .Release.Namespace }}" +rs: + host: "{{ .component.prefix }}rs.{{ .Release.Namespace }}" +``` + diff --git a/samples/detached/application.yaml b/samples/detached/application.yaml new file mode 100644 index 0000000..e06c12f --- /dev/null +++ b/samples/detached/application.yaml 
@@ -0,0 +1,56 @@ +nameOverride: SBS +docAreas: + - id: "SBS" + name: "DocArea with SBS" + description: "This is a sample DocArea with the SBS Apps installed" + apps: + - "/pool/nstore/bl-app-9.0.1202.zip" + - "/pool/nstore/gdpr-app-9.0.1302.zip" + - "/pool/nstore/sbs-base-9.0.1302.zip" + - "/pool/nstore/sbs-app-9.0.1302.zip" + - "/pool/nstore/tmpl-app-9.0.1302.zip" + - "/pool/nstore/cm-base-9.0.1302.zip" + - "/pool/nstore/cm-app-9.0.1302.zip" + - "/pool/nstore/hr-base-9.0.1302.zip" + - "/pool/nstore/hr-app-9.0.1302.zip" + - "/pool/nstore/pm-base-9.0.1302.zip" + - "/pool/nstore/pm-app-9.0.1302.zip" + - "/pool/nstore/sd-base-9.0.1302.zip" + - "/pool/nstore/sd-app-9.0.1302.zip" + - "/pool/nstore/kon-app-9.0.1302.zip" + - "/pool/nstore/kal-app-9.0.1302.zip" + - "/pool/nstore/dok-app-9.0.1302.zip" + - "/pool/nstore/ts-base-9.0.1302.zip" + - "/pool/nstore/ts-app-9.0.1302.zip" + - "/pool/nstore/ocr-base-9.0.1302.zip" + +resources: + requests: + cpu: "10m" + memory: "512Mi" + limits: + cpu: "4000m" + memory: "2Gi" + +instance: + name: "sample-detached" +waitImage: + repo: cr.nplus.cloud/subscription + name: toolbox2 + tag: 1.2.1300 + pullPolicy: IfNotPresent +nappl: + host: "{{ .component.prefix }}nappl.{{ .Release.Namespace }}" + port: 8080 + ssl: false + instance: "nscalealinst1" + account: admin + domain: nscale + password: admin + secret: +waitFor: + - "-service {{ .component.prefix }}nappl.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" +nstl: + host: "{{ .component.prefix }}nstl.{{ .Release.Namespace }}" +rs: + host: "{{ .component.prefix }}rs.{{ .Release.Namespace }}" diff --git a/samples/detached/build.sh b/samples/detached/build.sh new file mode 100755 index 0000000..8a27feb --- /dev/null +++ b/samples/detached/build.sh 
@@ -0,0 +1,49 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Set the Variables +SAMPLE="detached" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +mkdir -p $DEST/application +helm template --debug \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/detached/application.yaml \ + $NAME-app $CHARTS/application > $DEST/application/$SAMPLE.yaml diff --git a/samples/environment/README.md b/samples/environment/README.md new file mode 100644 index 0000000..4121057 --- /dev/null +++ b/samples/environment/README.md 
@@ -0,0 +1,69 @@ +# K8s namespace aka *nplus environment* + +*nplus instances* are deployed into K8s namespaces. Always. even if you do not specify a namespace, it uses a namespace: `default`. + +In order to use this namespace for *nplus instances*, you need to deploy some shared *nplus components* into it, which are used by the instances. This is done by the environment chart: + +``` +helm install \ + --values demo.yaml \ + demo nplus/nplus-environment +``` + +After that, the K8s namespace is a valid *nplus environment* that can house multiple *nplus instances*. + + +## deploying assets into the environment + +Most likely, you will need assets to be used by your instances. Fonts for example: The *nscale Rendition Server* and die *nscale Server Application Layer* both require the Microsoft fonts, that are not allowed to be distributed by neither nscale nor nplus. So this example shows how to upload some missing pieces into the environment: + +``` +kubectl cp ./apps/app-installer-9.0.1202.jar nplus-toolbox-0:/conf/pool +kubectl cp ./fonts nplus-toolbox-0:/conf/pool +kubectl cp ./copy-snippet.sh nplus-toolbox-0:/conf/pool/scripts +kubectl cp ./test.md nplus-toolbox-0:/conf/pool/snippets +kubectl cp ./snc nplus-toolbox-0:/conf/pool +``` + +Alternatively, you can also use a `prepper` component, that you can activate on the environment chart, to download assets from any web site and deploy them into the environment: + +``` +components: + prepper: true +prepper: + download: + - "https://git.nplus.cloud/public/nplus/raw/branch/master/assets/sample.tar.gz" +``` + +Please see the prepper [README.md](../../charts/prepper/README.md) for more information. + + +## Operator Web UI + +The environment comes with the operator, responsible for managing / controlling the [custom resources](../cluster/README.md). It has a Web UI, that can be enabled in the environment chart. 
+ +![screenshot operator](assets/operator.png) + +## *namespace*-less manifests + +Speaking of namespaces: Sometimes you want to drop the namespace from your manifest. This can be done by + +```yaml +utils: + includeNamespace: false +``` + +when you then call + +```bash +helm template myInstance nplus/nplus-instance > myInstance.yaml +``` + +the manifest in `myInstance.yaml` will **not** have a namespace set, so you can apply it to multiple namespaces later: + +```bash +kubectl apply --namespace dev -f myInstance.yaml +kubectl apply --namespace qa -f myInstance.yaml +kubectl apply --namespace prod -f myInstance.yaml +``` + diff --git a/samples/environment/assets/operator.png b/samples/environment/assets/operator.png new file mode 100644 index 0000000..d8bc259 Binary files /dev/null and b/samples/environment/assets/operator.png differ diff --git a/samples/environment/build.sh b/samples/environment/build.sh new file mode 100755 index 0000000..fb51ca7 --- /dev/null +++ b/samples/environment/build.sh 
@@ -0,0 +1,39 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The name of the sample +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... +SAMPLE=environment + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/environment" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/environment not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Output what is happening +echo "Building $SAMPLE for $KUBE_CONTEXT" + +# Create the manifest +mkdir -p $DEST/environment +helm template --debug --render-subchart-notes \ + --values $SAMPLES/$SAMPLE/$KUBE_CONTEXT.yaml \ + $KUBE_CONTEXT $CHARTS/environment > $DEST/environment/$KUBE_CONTEXT.yaml + diff --git a/samples/environment/demo.yaml b/samples/environment/demo.yaml new file mode 100644 index 0000000..cca05d6 --- /dev/null +++ b/samples/environment/demo.yaml 
@@ -0,0 +1,24 @@ +toolbox: + enabled: true +dav: + enabled: true +nstoreDownloader: + enabled: true +global: + environment: + utils: + renderComments: true + ingress: + domain: "{{ .instance.group | default .Release.Name }}.demo.nplus.cloud" + class: "public" + issuer: "nplus-issuer" + storage: + conf: + class: "cephfs" + data: + class: "ceph-rbd" + disk: + class: "ceph-rbd" + file: + class: "cephfs" + appInstaller: "/pool/app-installer-9.0.1202.jar" diff --git a/samples/environment/dev.yaml b/samples/environment/dev.yaml new file mode 100644 index 0000000..6f7353d --- /dev/null +++ b/samples/environment/dev.yaml @@ -0,0 +1,26 @@ +toolbox: + enabled: true +dav: + enabled: true +nstoreDownloader: + enabled: true +global: + environment: + ingress: + class: "ingress-internal" + domain: "{{ .instance.group | default .Release.Name }}.dev.nplus.cloud" + issuer: "nplus-issuer" + storage: + conf: + class: "pv-af-auto" + data: + class: "pv-disk-auto" + file: + class: "pv-af-auto" + appInstaller: "/pool/app-installer-9.0.1202.jar" + security: + illumio: + enabled: true + loc: "samples" + supplier: "42i" + platform: "nplus.cloud" diff --git a/samples/environment/lab.yaml b/samples/environment/lab.yaml new file mode 100644 index 0000000..50ad281 --- /dev/null +++ b/samples/environment/lab.yaml 
@@ -0,0 +1,48 @@ +toolbox: + enabled: true + nstoreDownloader: + enabled: true +dav: + enabled: true +nappl: + ingress: + enabled: true + +# -- In the lab / dev environment, we quite often throw away the data disk while keeping the conf folder +# the default for the DA_HID.DAT is the conf folder, so they do not match any more. +# So we switch the check off here. +nstl: + checkHighestDocId: "0" +nstla: + checkHighestDocId: "0" +nstlb: + checkHighestDocId: "0" + +global: + environment: + ingress: + domain: "{{ .instance.group | default .Release.Name }}.lab.nplus.cloud" + class: "public" + issuer: "nplus-issuer" + whitelist: "192.168.0.0/16,10.0.0.0/8" + namespace: ingress + # proxyReadTimeout: "360s" + storage: + conf: + class: "cephfs" + ptemp: + class: "cephfs" + data: + class: "ceph-rbd" + disk: + class: "ceph-rbd" + file: + class: "cephfs" + appInstaller: "/pool/app-installer-9.0.1202.jar" + # repoOverride: cr.test.lan + security: + cni: + defaultIngressPolicy: deny + defaultEgressPolicy: deny + createNetworkPolicy: true + excludeUnusedPorts: false \ No newline at end of file diff --git a/samples/environment/local.yaml b/samples/environment/local.yaml new file mode 100644 index 0000000..97e3f77 --- /dev/null +++ b/samples/environment/local.yaml @@ -0,0 +1,12 @@ +toolbox: + enabled: true +dav: + enabled: true +nstoreDownloader: + enabled: true +global: + environment: + ingress: + class: "nginx" + domain: "{{ .instance.group | default .Release.Name }}.dev.local" + appInstaller: "/pool/app-installer-9.0.1202.jar" diff --git a/samples/environment/nodeport.yaml b/samples/environment/nodeport.yaml new file mode 100644 index 0000000..6fdc013 --- /dev/null +++ b/samples/environment/nodeport.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: nplus-operator-nodeport-access +spec: + type: NodePort + selector: + nplus/component: operator + ports: + - port: 8080 + targetPort: 8080 + nodePort: 31976 
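Review bot: samples/environment/nodeport.yaml publishes the operator on a fixed `nodePort: 31976` on every cluster node, and nothing in the manifest or in samples/environment/README.md says which environment it is meant for or who is expected to reach it. The README describes the operator as the component that manages the custom resources and has a Web UI, so add a header comment stating the intended scope, reference the file from the "Operator Web UI" section, and say how access is limited, for example by going through the ingress with a `whitelist` as lab.yaml does instead of a NodePort.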
diff --git a/samples/generic/README.md b/samples/generic/README.md new file mode 100644 index 0000000..ea3e909 --- /dev/null +++ b/samples/generic/README.md 
@@ -0,0 +1,98 @@ +# Generic Mount Example + +This allows you to mount any pre-provisioned PVs, secret or configMap into any container. +It can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container. + +Use the following format: + +``` +mounts: + generic: + - name: : + path: + volumeName: + configMap: + secret: + subPath: [a (optional) subpath to be used inside the PV] + accessMode: + size: +``` + +## Mounting generic secrets or configMaps + +In this example, we create a secret with two sample files and a configMap with two sample files: + +``` +apiVersion: v1 +kind: Secret +metadata: + name: sample-generic-secret +type: Opaque +stringData: + test1.txt: | + This is a test file + lets see if this works. + test2.txt: | + This is a second test file + lets see if this works. +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sample-generic-configmap +data: + test1.txt: | + This is a test file + lets see if this works. + test2.txt: | + This is a second test file + lets see if this works. 
+``` + +Then we use these objects to mount them as directory and as files: + +``` +nappl: + mounts: + generic: + # -- This shows how to mount the contents of a secret into + # a directory + - name: "sample-generic-secret" + secret: "sample-generic-secret" + path: "/mnt/secret" + + # -- This shows how to mount the contents of a configMap into + # a directory + - name: "sample-generic-configmap" + configMap: "sample-generic-configmap" + path: "/mnt/configmap" + + # -- This shows how to mount a file from a secret to a secret file + - name: "sample-generic-secret-file" + secret: "sample-generic-secret" + path: "/mnt/secret-file.txt" + subPath: "test1.txt" + + # -- This shows how to mount a file from a configMap to a file + - name: "sample-generic-configmap-file" + configMap: "sample-generic-configmap" + path: "/mnt/configmap-file.txt" + subPath: "test2.txt" +``` + +## Mounting generic PVs + +Here is an example how to mount any pre-created PV: + +``` +mounts: + generic: + # -- This shows how to mount a generic Persistent Volume + - name: "migration" + path: "/mnt/migration" + subPath: "{{ .Release.Name }}-mig" + accessModes: + - ReadWriteMany + volumeName: my-migration-data-volume + size: "512Gi" +``` \ No newline at end of file diff --git a/samples/generic/build.sh b/samples/generic/build.sh new file mode 100755 index 0000000..9b1013c --- /dev/null +++ b/samples/generic/build.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Set the Variables +SAMPLE="generic" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/generic/values.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml diff --git a/samples/generic/content.yaml b/samples/generic/content.yaml new file mode 100644 index 0000000..9d0f3dd --- /dev/null +++ b/samples/generic/content.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Secret +metadata: + name: sample-generic-secret +type: Opaque +stringData: + test1.txt: | + This is a test file + lets see if this works. + test2.txt: | + This is a second test file + lets see if this works. +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: sample-generic-configmap +data: + test1.txt: | + This is a test file + lets see if this works. + test2.txt: | + This is a second test file + lets see if this works. diff --git a/samples/generic/values.yaml b/samples/generic/values.yaml new file mode 100644 index 0000000..40ead4a --- /dev/null +++ b/samples/generic/values.yaml @@ -0,0 +1,26 @@ +nappl: + mounts: + generic: + # -- This shows how to mount the contents of a secret into + # a directory + - name: "sample-generic-secret" + secret: "sample-generic-secret" + path: "/mnt/secret" + + # -- This shows how to mount the contents of a configMap into + # a directory + - name: "sample-generic-configmap" + configMap: "sample-generic-configmap" + path: "/mnt/configmap" + + # -- This shows how to mount a file from a secret to a secret file + - name: "sample-generic-secret-file" + secret: "sample-generic-secret" + path: "/mnt/secret-file.txt" + subPath: "test1.txt" + + # -- This shows how to mount a file from a configMap to a file + - name: "sample-generic-configmap-file" + configMap: "sample-generic-configmap" + path: "/mnt/configmap-file.txt" + subPath: "test2.txt" diff --git a/samples/group/README.md b/samples/group/README.md new file mode 100644 index 0000000..11ab937 --- /dev/null +++ b/samples/group/README.md 
@@ -0,0 +1,56 @@ +# Grouping Instances + +Sometimes Instances become quite large with many components. If you work on them with multiple team members, you end up having to synchronize the deployment of the Instances. + +You can easily rip large Instances apart using the `group` tag, joining multiple Instances into one group and making sure the NetworkPolicies are opened to pods from other Instances within the Instance Group. + +```yaml +global: + instance: + # -- despite the instance name, all components within this group will be prefixed + # with the group (unless the group name and the environment name are not identical) + # Also this makes sure the network policies are acting on the group, not on the instance. + group: "sample-group" +``` + +You can query the instance group in your code with `.instance.group`. + +Example: We build multiple Instances in one group: + +- sample-group-backend + - Database + - nstl + - rs +- sample-group-middleware + - nappl + - application(s) +- sample-group-frontend + - web + - cmis + +Portainer is showing the group as if it were an single instance: + +![Portainer](assets/portainer.png) + + + +The nplus UI is showing the instances of the group: + +![nplus Web Monitoring](assets/monitor.png) + +And the nplus CLI is also showing single instances: + +``` +% kubectl get nscale +NAME INSTANCE COMPONENT TYPE VERSION STATUS +component.nplus.cloud/sample-group-cmis sample-group-frontend cmis cmis 9.2.1200 healthy +component.nplus.cloud/sample-group-database sample-group-backend database database 16 healthy +component.nplus.cloud/sample-group-nappl sample-group-middleware nappl core 9.2.1302 healthy +component.nplus.cloud/sample-group-rs sample-group-backend rs rs 9.2.1201 healthy +component.nplus.cloud/sample-group-web sample-group-frontend web web 9.2.1300 healthy + +NAME HANDLER VERSION TENANT STATUS +instance.nplus.cloud/sample-group-backend manual 9.2.1302 healthy +instance.nplus.cloud/sample-group-frontend manual 9.2.1302 healthy 
+instance.nplus.cloud/sample-group-middleware manual 9.2.1302 healthy +``` diff --git a/samples/group/assets/monitor.png b/samples/group/assets/monitor.png new file mode 100644 index 0000000..5a2a30c Binary files /dev/null and b/samples/group/assets/monitor.png differ diff --git a/samples/group/assets/portainer.png b/samples/group/assets/portainer.png new file mode 100644 index 0000000..5b0a2d9 Binary files /dev/null and b/samples/group/assets/portainer.png differ diff --git a/samples/group/backend.yaml b/samples/group/backend.yaml new file mode 100644 index 0000000..090ef08 --- /dev/null +++ b/samples/group/backend.yaml 
@@ -0,0 +1,42 @@ +components: + nappl: false + nappljobs: false + web: false + mon: false + rs: true + ilm: false + cmis: false + database: true + nstl: true + nstla: false + nstlb: false + pipeliner: false + application: false + administrator: false + webdav: false + rms: false + pam: false +global: + instance: + # -- despite the instance name, all components within this group will be prefixed + # with the group (unless the group name and the environment name are not identical) + # Also this makes sure the network policies are acting on the group, not on the instance. + group: "sample-group" + +# -- We need to make sure, that only ONE instance is creating the default network policies +# and also the certificate for the group. +# All other group members are using the central one +override: + ingress: + # -- this overrides any issuers and makes sure not certificate request is generated for + # cert-manager + issuer: null + # -- since no issuer is set, the default would be to generate a self signed certificate. + # We need to prevent that + createSelfSignedCertificate: false + security: + cni: + # -- Even if we globally switched the creation of network policies on, we do not want that + # for this instance (and the instance chart only: Subcharts might still create the policies. + # If you want to force that off as well, override in global) + createNetworkPolicy: false diff --git a/samples/group/build.sh b/samples/group/build.sh new file mode 100755 index 0000000..62b32fe --- /dev/null +++ b/samples/group/build.sh 
@@ -0,0 +1,56 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" 
+ exit 1 +fi + +# Set the Variables +SAMPLE="group" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance-group +helm template --debug \ + --values $SAMPLES/group/backend.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME-backend $CHARTS/instance > $DEST/instance-group/$SAMPLE-backend.yaml + +helm template --debug \ + --values $SAMPLES/group/middleware.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME-middleware $CHARTS/instance > $DEST/instance-group/$SAMPLE-middleware.yaml + +helm template --debug \ + --values $SAMPLES/group/frontend.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME-frontend $CHARTS/instance > $DEST/instance-group/$SAMPLE-frontend.yaml diff --git a/samples/group/frontend.yaml b/samples/group/frontend.yaml new file mode 100644 index 0000000..d27d51e --- /dev/null +++ b/samples/group/frontend.yaml @@ -0,0 +1,26 @@ +components: + nappl: false + nappljobs: false + web: true + mon: false + rs: false + ilm: false + cmis: true + database: false + nstl: false + nstla: false + nstlb: false + pipeliner: false + application: false + administrator: false + webdav: false + rms: false + pam: false +global: + instance: + # -- despite the instance name, all components within this group will be prefixed + # with the group (unless the group name and the environment name are not identical) + # Also this makes sure the network policies are acting on the group, not on the instance. + group: "sample-group" + +# Notice, that we do NOT override anything here, are we use this instance as the master for the group. \ No newline at end of file diff --git a/samples/group/middleware.yaml b/samples/group/middleware.yaml new file mode 100644 index 0000000..1c18a07 --- /dev/null 
+++ b/samples/group/middleware.yaml @@ -0,0 +1,47 @@ +components: + nappl: true + nappljobs: false + web: false + mon: false + rs: false + ilm: false + cmis: false + database: false + nstl: false + nstla: false + nstlb: false + pipeliner: false + application: true + administrator: false + webdav: false + rms: false + pam: false + +application: + docAreas: + - id: "Sample" + +global: + instance: + # -- despite the instance name, all components within this group will be prefixed + # with the group (unless the group name and the environment name are not identical) + # Also this makes sure the network policies are acting on the group, not on the instance. + group: "sample-group" + +# -- We need to make sure, that only ONE instance is creating the default network policies +# and also the certificate for the group. +# All other group members are using the central one +override: + ingress: + # -- this overrides any issuers and makes sure not certificate request is generated for + # cert-manager + issuer: null + # -- since no issuer is set, the default would be to generate a self signed certificate. + # We need to prevent that + createSelfSignedCertificate: false + security: + cni: + # -- Even if we globally switched the creation of network policies on, we do not want that + # for this instance (and the instance chart only: Subcharts might still create the policies. + # If you want to force that off as well, override in global) + createNetworkPolicy: false diff --git a/samples/ha/README.md b/samples/ha/README.md new file mode 100644 index 0000000..355a872 --- /dev/null +++ b/samples/ha/README.md 
@@ -0,0 +1,78 @@ +# High Availability + +To gain a higher level of availability for your Instance, you can + +- create more Kubernetes Cluster Nodes +- create more replicas of the *nscale* and *nplus* components +- distribute those replicas across multiple nodes using anti-affinities + +This is how: + +``` +helm install \ + --values samples/ha/values.yaml + --values samples/environment/demo.yaml \ + sample-ha nplus/nplus-instance +``` + +The essents of the values file is this: + +- We use three (3) *nscale Server Application Layer*, two dedicated to user access, one dedicated to jobs +- if the jobs node fails, the user nodes take the jobs (handled by priority) +- if one of the user nodes fail, the other one handles the load +- Kubernetes takes care of restarting nodes should that happen +- All components run with two replicas +- Pod anti-affinities handle the distribution +- any administration component only connects to the jobs nappl, leaving the user nodes to the users +- PodDisruptionBudgets are defined for the crutial components. These are set via `minReplicaCount` for the components that can support multiple replicas, and `minReplicaCountType` for the **first** replicaSet of the components that do not support replicas, in this case nstla. 
+ +``` +web: + replicaCount: 2 + minReplicaCount: 1 +rs: + replicaCount: 2 + minReplicaCount: 1 +ilm: + replicaCount: 2 + minReplicaCount: 1 +cmis: + replicaCount: 2 + minReplicaCount: 1 +webdav: + replicaCount: 2 + minReplicaCount: 1 +nstla: + minReplicaCountType: 1 +administrator: + nappl: + host: "{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}" + waitFor: + - "-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600" +pam: + nappl: + host: "{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}" + waitFor: + - "-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600" +nappl: + replicaCount: 2 + minReplicaCount: 1 + jobs: false + waitFor: + - "-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600" +nappljobs: + replicaCount: 1 + jobs: true + disableSessionReplication: true + ingress: + enabled: false + snc: + enabled: true + waitFor: + - "-service {{ .component.prefix }}database.{{ .Release.Namespace }}.svc.cluster.local:5432 -timeout 600" +application: + nstl: + host: "{{ .component.prefix }}nstl-cluster.{{ .Release.Namespace }}" + nappl: + host: "{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}" +``` diff --git a/samples/ha/build.sh b/samples/ha/build.sh new file mode 100755 index 0000000..266ea15 --- /dev/null +++ b/samples/ha/build.sh 
@@ -0,0 +1,58 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" 
+ exit 1 +fi + +# Set the Variables +SAMPLE="ha" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/ha/values.yaml \ + --values $SAMPLES/hid/values.yaml \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# creating the Argo manifest +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/ha/values.yaml \ + --values $SAMPLES/hid/values.yaml \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml + + diff --git a/samples/ha/values.yaml b/samples/ha/values.yaml new file mode 100644 index 0000000..0c20ce5 --- /dev/null +++ b/samples/ha/values.yaml 
@@ -0,0 +1,126 @@ +components: + nappl: true + nappljobs: true + web: true + mon: true + rs: true + ilm: true + erpproxy: true + erpcmis: true + cmis: true + database: true + nstl: false + nstla: true + nstlb: true + pipeliner: false + application: true + administrator: true + webdav: true + rms: false + pam: true +web: + replicaCount: 2 + minReplicaCount: 1 + +rs: + replicaCount: 2 + minReplicaCount: 1 + +ilm: + replicaCount: 2 + minReplicaCount: 1 + +erpproxy: + replicaCount: 2 + minReplicaCount: 1 + +erpcmis: + replicaCount: 2 + minReplicaCount: 1 + +cmis: + replicaCount: 2 + minReplicaCount: 1 + +webdav: + replicaCount: 2 + minReplicaCount: 1 + +administrator: + nappl: + host: "{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}" + waitFor: + - "-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600" + +pam: + nappl: + host: "{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}" + waitFor: + - "-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600" + +nappl: + replicaCount: 2 + minReplicaCount: 1 + jobs: false + waitFor: + - "-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 600" +nappljobs: + replicaCount: 1 + jobs: true + disableSessionReplication: true + ingress: + enabled: false + snc: + enabled: true + waitFor: + - "-service {{ .component.prefix }}database.{{ .Release.Namespace }}.svc.cluster.local:5432 -timeout 600" + +application: + nstl: + host: "{{ .component.prefix }}nstl-cluster.{{ .Release.Namespace }}" + nappl: + host: "{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}" + waitFor: + - "-service {{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local:{{ .this.nappl.port }} -timeout 1800" + +nstla: + minReplicaCountType: 1 + accounting: true + logForwarder: + - name: Accounting + path: 
"/opt/ceyoniq/nscale-server/storage-layer/accounting/*.csv" + serverID: 4711 + env: + NSTL_REMOTESERVER_MAINTAINCONNECTION: 1 + NSTL_REMOTESERVER_SERVERID: 4712 + NSTL_REMOTESERVER_ADDRESS: "nstlb" + NSTL_REMOTESERVER_NAME: "nstla" + NSTL_REMOTESERVER_USERNAME: "admin" + NSTL_REMOTESERVER_PASSWORD: "admin" + NSTL_REMOTESERVER_MAXCONNECTIONS: 10 + NSTL_REMOTESERVER_MAXARCCONNECTIONS: 1 + NSTL_REMOTESERVER_FORWARDDELETEJOBS: 0 + NSTL_REMOTESERVER_ACCEPTRETRIEVAL: 1 + NSTL_REMOTESERVER_ACCEPTDOCS: 1 + NSTL_REMOTESERVER_ACCEPTDOCSWITHTHISSERVERID: 1 + NSTL_REMOTESERVER_PERMANENTMIGRATION: 1 +nstlb: + accounting: true + logForwarder: + - name: Accounting + path: "/opt/ceyoniq/nscale-server/storage-layer/accounting/*.csv" + serverID: 4712 + env: + NSTL_REMOTESERVER_MAINTAINCONNECTION: 1 + NSTL_REMOTESERVER_SERVERID: 4711 + NSTL_REMOTESERVER_ADDRESS: "nstla" + NSTL_REMOTESERVER_NAME: "nstla" + NSTL_REMOTESERVER_USERNAME: "admin" + NSTL_REMOTESERVER_PASSWORD: "admin" + NSTL_REMOTESERVER_MAXCONNECTIONS: 10 + NSTL_REMOTESERVER_MAXARCCONNECTIONS: 1 + NSTL_REMOTESERVER_FORWARDDELETEJOBS: 0 + NSTL_REMOTESERVER_ACCEPTRETRIEVAL: 1 + NSTL_REMOTESERVER_ACCEPTDOCS: 1 + NSTL_REMOTESERVER_ACCEPTDOCSWITHTHISSERVERID: 1 + NSTL_REMOTESERVER_PERMANENTMIGRATION: 1 diff --git a/samples/hid/README.md b/samples/hid/README.md new file mode 100644 index 0000000..5d5aa34 --- /dev/null +++ b/samples/hid/README.md 
@@ -0,0 +1,17 @@ +## Highest ID + +This example shows how to configure storing the HID file in *nscale Server Storage Layer*: + +```yaml +global: + # -- enables checking the highest DocID when starting the server. + # this only makes sense, if you also set a separate volume for the highest ID + # This is a backup / restore feature to avoid data mangling + checkHighestDocId: "1" + # -- sets the path of the highest ID file. + dvCheckPath: "/opt/ceyoniq/nscale-server/storage-layer/hid" +``` + +We use the global section here to have it activated in all nstl instances defined. + +This is used by the empty application sample and the ha sample. diff --git a/samples/hid/values.yaml b/samples/hid/values.yaml new file mode 100644 index 0000000..e0d61c3 --- /dev/null +++ b/samples/hid/values.yaml @@ -0,0 +1,7 @@ +global: + # -- enables checking the highest DocID when starting the server. + # this only makes sense, if you also set a separate volume for the highest ID + # This is a backup / restore feature to avoid data mangling + checkHighestDocId: "1" + # -- sets the path of the highest ID file. + dvCheckPath: "/opt/ceyoniq/nscale-server/storage-layer/hid" diff --git a/samples/nowaves/README.md b/samples/nowaves/README.md new file mode 100644 index 0000000..e2fb6bf --- /dev/null +++ b/samples/nowaves/README.md 
@@ -0,0 +1,36 @@ +# Deploying with Argo + +## the argo version of the instance + +Deployin with argoCD is straight forward, as there is a ready-to-run instance chart version for argo, that takes **exactly** the same values as the *normal* chart: + +```bash +helm install \ + --values samples/application/empty.yaml \ + --values samples/environment/demo.yaml \ + sample-empty-argo nplus/nplus-instance-argo +``` + +## Using Waves + +The instance chart already comes with pre-defined waves. They are good to go with (can be modified though): + +```yaml +nappl: + meta: + wave: 15 +``` + +**But**: You might be annoyed by ArgoCD, when some services do not come up preventing other services to not be started at all since ArgoCD operates in Waves, so later services might not be deployed at all if an early wave services fails. + +Especially in DEV, this can become a testing problem. + +To turn *off* Waves completely for a Stage, Environment or Instance, go + +``` +global: + environment: + utils: + disableWave: true +``` + diff --git a/samples/nowaves/build.sh b/samples/nowaves/build.sh new file mode 100755 index 0000000..5fec2db --- /dev/null +++ b/samples/nowaves/build.sh 
@@ -0,0 +1,45 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Set the Variables +SAMPLE="nowaves" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# creating the Argo manifest +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/nowaves/values.yaml \ + $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml diff --git a/samples/nowaves/values.yaml b/samples/nowaves/values.yaml new file mode 100644 index 0000000..2c6fcd9 --- /dev/null +++ b/samples/nowaves/values.yaml @@ -0,0 +1,4 @@ +global: + environment: + utils: + disableWave: true 
diff --git a/samples/opentelemetry/README.md b/samples/opentelemetry/README.md new file mode 100644 index 0000000..30b0f46 --- /dev/null +++ b/samples/opentelemetry/README.md @@ -0,0 +1,33 @@ +# OpenTelemetry + +You can use Annotations für Telemetry Operators such as Open Telemetry to inject their Agents into the Pods. +To do so, you can either add the annotations manually to the components, like this: + +``` +nappl: + template: + annotations: + instrumentation.opentelemetry.io/inject-java: "true" + instrumentation.opentelemetry.io/java-container-names: "application-layer" +``` + +or alternatively, you can turn on the built in functionality for the supported telemetry services. + +This is an example for OpenTelemetry: + +``` +global: + telemetry: + openTelemetry: true + serviceName: "{{ .this.meta.type }}-{{ .instance.name }}-{{ .instance.stage }}" + meta: + stage: "dev" +``` + +This will automatically set the correct settings as seen above. + + +Please also see here: + +- https://opentelemetry.io/docs/kubernetes/operator/automatic/ +- https://github.com/open-telemetry/opentelemetry-operator#opentelemetry-auto-instrumentation-injection diff --git a/samples/pinning/README.md b/samples/pinning/README.md new file mode 100644 index 0000000..c60a475 --- /dev/null +++ b/samples/pinning/README.md 
@@ -0,0 +1,47 @@ + +# Pinning Versions + +## Old Version + +If you like to test rolling updates and the updates to new minor versions, check out the *e90* sample: + +This sample will install a version 9.0.1400 for you to test. Since the Cluster Node Discovery changed due to a new jGroups version in nscale, the chart will notice the old version and turn on the legacy discovery mechanism to allow the Pod to find its peers in Versions prior to 9.1.1200. + +``` +helm install \ + --values samples/empty.yaml \ + --values samples/demo.yaml \ + --values versions/9.0.1400.yaml \ + sample-e90 nplus/nplus-instance +``` + +## New Version Sample + +Some nscale Versions are License-Compatible, meaning that for example a Version 9.1 License File will also be able to run a nscale Version 9.0 Software. But that is not always the case. + +So you might need to set individual licenses per instance: + +``` +kubectl create secret generic nscale-license-e10 \ + --from-file=license.xml=license10.xml +``` + +Check, if the license has been created: + +``` +# kubectl get secret | grep license +nscale-license Opaque 1 7d22h +nscale-license-e10 Opaque 1 17s +``` + +Now, we install the instance: + +``` +helm upgrade -i \ + --values samples/empty.yaml \ + --values samples/demo.yaml \ + --values versions/10.0.yaml \ + --set global.license=nscale-license-e10 \ + sample-e10 nplus/nplus-instance +``` + diff --git a/samples/pinning/build.sh b/samples/pinning/build.sh new file mode 100755 index 0000000..c6e5ba2 --- /dev/null +++ b/samples/pinning/build.sh 
@@ -0,0 +1,93 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" 
+ exit 1 +fi + +# +# VERSION 9.0 +# + +# Set the Variables +SAMPLE="nscale-90" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $WORKSPACE/versions/9.0.1400.yaml \ + --set global.license=nscale-license-e92 \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# creating the Argo manifest +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $WORKSPACE/versions/9.0.1400.yaml \ + --set global.license=nscale-license-e92 \ + $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml + + +# +# VERSION 9.1 +# + +# Set the Variables +SAMPLE="nscale-91" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $WORKSPACE/versions/9.1.1506.yaml \ + --set global.license=nscale-license-e92 \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# creating the Argo manifest +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $WORKSPACE/versions/9.1.1506.yaml \ + --set global.license=nscale-license-e92 \ + $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml + diff --git a/samples/resources/README.md b/samples/resources/README.md new file mode 100644 index 0000000..dbf4f10 --- /dev/null 
+++ b/samples/resources/README.md 
@@ -0,0 +1,192 @@ +## Assigning CPU and RAM + +You **should** assign resources to your components, depending on the load that you expect. + +In a dev environment, that might be very little and you may be fine with the defaults. + +in a qa or prod environment, this should be wisely controlled, like this: + +```yaml +nappl: + resources: + requests: + cpu: "100m" # Minimum 1/10 CPU + memory: "1024Mi" # Minimum 1 GB + limits: + cpu: "2000m" # Maximum 2 Cores + memory: "4096Mi" # Maximum 4 GB. Java will see this as total. + javaOpts: + javaMinMem: "512m" # tell Java to initialize the heap with 512 MB + javaMaxMem: "2048m" # tell Java to use max 2 GB of heap size +``` + +There are many discussions going on how much memory you should give to Java processes and how they react. Please see the internet for insight. + +#### Our **current** opinion is: + +Do not limit ram. You are not able to foresee how much Java is really consuming as the heap is only part of the RAM requirement. Java also needs *metaspace*, *code cache* and *thread stack*. Also the *GC* needs some memory, as well as the *symbols*. + +Java will crash when out of memory, so even if you set javaMaxMem == 1/2 limits.memory (what many do), that guarantees nothing and might be a lot of waste. + +So what you can consider is: + +```yaml +nappl: + resources: + requests: + cpu: "1000m" # 1 Core guaranteed + memory: "4096Mi" # 4GB guaranteed + limits: + cpu: "4000m" # Maximum 4 Cores +# memory: # No Limit but hardware + javaOpts: + javaMinMem: "1024m" # Start with 1 GB + javaMaxMem: "3072m" # Go up to 3GB (which is only part of it) but be able to take more (up to limit) without crash +``` + +Downside of this approach: If you have a memory leak, it might consume all of your nodes memory without being stopped by a hard limit. + + +#### A possible **Alternative**: + +You can set the RAM limit equal to the RAM request and leave the java Memory settings to *automatic*, which basically simulates a server. 
Java will *see* the limit as being the size of RAM installed in the machine and act accordingly. + +```yaml +nappl: + resources: + requests: + cpu: "1000m" # 1 Core guaranteed + memory: "4096Mi" # 4GB guaranteed + limits: + cpu: "4000m" # Maximum 4 Cores + memory: "4096Mi" # No Limit but hardware +# javaOpts: +# javaMinMem: # unset, leaving it to java +# javaMaxMem: # unset, leaving it to java +``` + + + +#### In a **DEV** environment, + +you might want to do more **overprovisioning**. You could even leave it completely unlimited, as in **DEV** you want to see memory and cpu leaks, so a limit might hide them from your sight. + +So this is a possible allocation for **DEV**, defining only the bare minimum requests: + +```yaml +nappl: + resources: + requests: + cpu: "1m" # 1/1000 Core guaranteed, + # but can consume all cores of the cluster node if required and available + memory: "512Mi" # 512MB guaranteed, + # but can consume all RAM of the cluster node if required and available +``` + +In this case, Java will see all node RAM as the limit and use whatever it needs. But as you are in a **dev** environment, there is no load and no users on the machine, so this will not require much. + + + +## Resources you should calculate + +The default resources assigned by *nplus* are for demo / testing only and you should definitely assign more ressources to your components. 
+Here is a very rough estimate of what you need: + +| Component | Minimum (Demo and Dev) | Small | Medium | Large | XL | Remark | +| --------------- | ---------------------- | ---------------- | ----------------- | ------------------ | ---- | ----------------------------------------------------------- | +| ADMIN | 1 GB RAM, 1 Core | 2 GB RAM, 1 Core | 2 GB RAM, 1 Core | 2 GB RAM, 1 Core | | | +| **Application** | - | - | - | - | | Resources required during deployment only | +| CMIS | 1 GB RAM, 1 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | | +| **Database** | 2 GB RAM, 2 Core | 4 GB RAM, 4 Core | 8 GB RAM, 6 Core | 16 GB RAM, 8 Core | open | | +| ILM | 1 GB RAM, 1 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | | +| MON | 1 GB RAM, 1 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | quite fix | +| **NAPPL** | 2 GB RAM, 2 Core | 4 GB RAM, 4 Core | 8 GB RAM, 6 Core | 16 GB RAM, 8 Core | open | CPU depending on Jobs / Hooks, RAM depending on amount user | +| **NSTL** | 500 MB RAM, 1 Core | 1 GB RAM, 2 Core | 1 GB RAM, 2 Core | 1 GB RAM, 2 Core | | quite fix | +| PAM | | 2 GB RAM, 1 Core | 2 GB RAM, 1 Core | 2 GB RAM, 1 Core | | | +| PIPELINER | 2 GB RAM, 2 Core | 4 GB RAM, 4 Core | 4 GB RAM, 4 Core | 4 GB RAM, 4 Core | open | Depending on Core Mode *or* AC Mode, No Session Replication | +| **RS** | 1 GB RAM, 1 Core | 8 GB RAM, 4 Core | 32 GB RAM, 8 Core | 64 GB RAM, 12 Core | open | CPU depending on format type, RAM depending on file size | +| SHAREPOINT | | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | | +| WEB | 1 GB RAM, 1 Core | 2 GB RAM, 2 Core | 4 GB RAM, 4 Core | 8 GB RAM, 4 Core | open | | +| WEBDAV | | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | 2 GB RAM, 2 Core | | | + + + +**Bold** components are required by a *SBS* setup, so here are some estimates per Application: + +| Component | Minimum (Demo and Dev) | Minimum (PROD) | Recommended (PROD) | Remark | +| --------- | ---------------------- | 
----------------- | ------------------ | ------------------ | +| SBS | 6 GB RAM, 4 Core | 16 GB RAM, 8 Core | 24 GB RAM, 12 Core | Without WEB Client | +| eGOV | TODO | TODO | TODO | eGOV needs much more CPU than a non eGOV system | + +A word on **eGOV**: The eGOV App brings hooks and jobs, that require much more resources than a *normal* nscale system even with other Apps installed. + + +## Real Resources in DEV Idle + +``` +% kubectl top pods +... +sample-ha-administrator-0 2m 480Mi +sample-ha-argo-administrator-0 2m 456Mi +sample-ha-argo-cmis-5ff7d78c47-kgxsn 2m 385Mi +sample-ha-argo-cmis-5ff7d78c47-whx9j 2m 379Mi +sample-ha-argo-database-0 2m 112Mi +sample-ha-argo-ilm-58c65bbd64-pxgdl 2m 178Mi +sample-ha-argo-ilm-58c65bbd64-tpxfz 2m 168Mi +sample-ha-argo-mon-0 2m 308Mi +sample-ha-argo-nappl-0 5m 1454Mi +sample-ha-argo-nappl-1 3m 1452Mi +sample-ha-argo-nappljobs-0 5m 2275Mi +sample-ha-argo-nstla-0 4m 25Mi +sample-ha-argo-nstlb-0 6m 25Mi +sample-ha-argo-pam-0 5m 458Mi +sample-ha-argo-rs-7d6888d9f8-lp65s 2m 1008Mi +sample-ha-argo-rs-7d6888d9f8-tjxh8 2m 1135Mi +sample-ha-argo-web-f646f75b8-htn8x 4m 1224Mi +sample-ha-argo-web-f646f75b8-nvvjf 11m 1239Mi +sample-ha-argo-webdav-d69549bd4-nz4wn 2m 354Mi +sample-ha-argo-webdav-d69549bd4-vrg2n 3m 364Mi +sample-ha-cmis-5fc96b8f89-cwd62 2m 408Mi +sample-ha-cmis-5fc96b8f89-q4nr4 3m 442Mi +sample-ha-database-0 2m 106Mi +sample-ha-ilm-6b599bc694-5ht57 2m 174Mi +sample-ha-ilm-6b599bc694-ljkl4 2m 193Mi +sample-ha-mon-0 3m 355Mi +sample-ha-nappl-0 3m 1278Mi +sample-ha-nappl-1 4m 1295Mi +sample-ha-nappljobs-0 6m 1765Mi +sample-ha-nstla-0 4m 25Mi +sample-ha-nstlb-0 4m 25Mi +sample-ha-pam-0 2m 510Mi +sample-ha-rs-7b5fc586f6-49qhp 2m 951Mi +sample-ha-rs-7b5fc586f6-nkjqb 2m 1205Mi +sample-ha-web-7bd6ffc96b-pwvcv 3m 725Mi +sample-ha-web-7bd6ffc96b-rktrh 9m 776Mi +sample-ha-webdav-9df789f8-2d2wn 2m 365Mi +sample-ha-webdav-9df789f8-psh5q 2m 345Mi +... +``` + + +## Defaults + +Check the file `default.yaml`. 
You can set default memory limits for a container. These defaults are applied if you do not specify any resources in your manifest. + + +## Setting Resources for sidecar containers and init containers + +You can also set resources for sidecar containers and init containers. However, you should only set these if you know exactly what you are doing and what implications they have. + +```yaml +nstl: + sidecarResources: + requests: + cpu: "100m" # 0.1 Core guaranteed + memory: "1024Mi" # 1GB guaranteed + limits: + memory: "2048Mi" # Limit to 2 GB + # we do NOT limit the CPU (read [here](https://home.robusta.dev/blog/stop-using-cpu-limits) for details) +``` + +Init Resources can be set by using `initResources` key. + diff --git a/samples/resources/default.yaml b/samples/resources/default.yaml new file mode 100644 index 0000000..4726c13 --- /dev/null +++ b/samples/resources/default.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: LimitRange +metadata: + name: defaults-resources +spec: + limits: + - default: # limits + memory: "2Gi" + cpu: "4" + defaultRequest: # requests + memory: 512Mi + cpu: "5m" + max: # max and min define the limit range + cpu: "4000m" + memory: "4Gi" + min: + cpu: "1m" + memory: "128Mi" + type: Container diff --git a/samples/resources/lab.yaml b/samples/resources/lab.yaml new file mode 100644 index 0000000..afc3e4b --- /dev/null +++ b/samples/resources/lab.yaml 
@@ -0,0 +1,225 @@ +web: + resources: + requests: + cpu: "10m" + memory: "1.5Gi" + limits: + cpu: "4000m" + memory: "4Gi" +prepper: + resources: + requests: + cpu: "10m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "128Mi" +application: + resources: + requests: + cpu: "10m" + memory: "512Mi" + limits: + cpu: "4000m" + memory: "2Gi" +nappl: + resources: + requests: + cpu: "10m" + memory: "1.5Gi" + limits: + cpu: "4000m" + memory: "4Gi" +nappljobs: + resources: + requests: + cpu: "10m" + memory: "2Gi" + limits: + cpu: "4000m" + memory: "4Gi" +administrator: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +cmis: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +erpcmis: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +erpproxy: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +database: + resources: + requests: + cpu: "10m" + memory: "256Mi" + limits: + cpu: "4000m" + memory: "8Gi" +ilm: + resources: + requests: + cpu: "2m" + memory: "256Mi" + limits: + cpu: "2000m" + memory: "2Gi" +mon: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +nstl: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" +nstla: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" +nstlb: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" +nstlc: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" +nstld: + resources: + requests: + cpu: "5m" + memory: "128Mi" + limits: + cpu: "2000m" + memory: "1Gi" +pam: + resources: + requests: + cpu: "5m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "1Gi" +rs: + resources: + requests: + cpu: "2m" + memory: "1Gi" + limits: + cpu: "4000m" + 
memory: "8Gi" +webdav: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" + +rms: + resources: + requests: + cpu: "2m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "512Mi" +rmsa: + resources: + requests: + cpu: "2m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "512Mi" +rmsb: + resources: + requests: + cpu: "2m" + memory: "128Mi" + limits: + cpu: "1000m" + memory: "512Mi" +sharepoint: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +sharepointa: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +sharepointb: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +sharepointc: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" +sharepointd: + resources: + requests: + cpu: "2m" + memory: "512Mi" + limits: + cpu: "2000m" + memory: "2Gi" diff --git a/samples/rms/README.md b/samples/rms/README.md new file mode 100644 index 0000000..9f20d69 --- /dev/null +++ b/samples/rms/README.md 
@@ -0,0 +1,59 @@ +# (virtual-) Remote Management Server + +The *nplus RMS* creates a virtual IP Address in your subnet. On this IP, you will find an *nscale Remote Management Service* and a Layer 4 Proxy, forwarding the ports of the components to the +belonging pods. + +The result is, that under this VIP, it looks as if there is a real server with a bunch of *nscale* components installed. So you can use the desktop admin client to connect to it and configure it. Including offline configuration. + +The offline configuration writes settings to the configuration files of the components. These files are injected into the Pods by *nplus* making the legacy magic work again. + +Also, Shotdown, Startup and Restart buttons in the Admin client will work, as that will by translated to Kubernetes commands by *nplus* + +Anyways, there are some restrictions: + +- In a HA scenario, you need multiple virtual server, as nscale does not allow some components to deploy more than one instance per server (like nstl) and they would then also block the default ports. So better to have more RMS +- Log Files are not written, so the Admin cannot grab them. So no log file viewing in Admin + +> Please notice that this is a BETA Feature not released for Production use. 
+ +This is a sample of RMS in a HA environment with two virtual servers: + +```yaml +components: + rmsa: true + rmsb: true + +rmsa: + ingress: + domain: "server1.{{ .instance.group | default .Release.Name }}.lab.nplus.cloud" + comps: + nappl: + enabled: true + restartReplicas: 2 + nstl: + enabled: true + name: nstla + restartReplicas: 1 + host: "{{ .component.prefix }}nstla.{{ .Release.Namespace }}.svc.cluster.local" + rs: + enabled: true + restartReplicas: 2 + web: + enabled: true + restartReplicas: 2 +rmsb: + ingress: + domain: "server2.{{ .instance.group | default .Release.Name }}.lab.nplus.cloud" + comps: + nappl: + enabled: true + name: nappljobs + restartReplicas: 1 + replicaSetType: StatefulSet + host: "{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local" + nstl: + name: nstlb + enabled: true + restartReplicas: 1 + host: "{{ .component.prefix }}nstlb.{{ .Release.Namespace }}.svc.cluster.local" +``` diff --git a/samples/rms/build.sh b/samples/rms/build.sh new file mode 100755 index 0000000..b030c99 --- /dev/null +++ b/samples/rms/build.sh 
@@ -0,0 +1,66 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" 
+ exit 1 +fi + +# Set the Variables +SAMPLE="administrator-server" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/rms/server.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + + + + +# Set the Variables +SAMPLE="administrator-server-ha" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/ha/values.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/rms/server-ha.yaml \ + --values $SAMPLES/application/empty.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + diff --git a/samples/rms/server-ha.yaml b/samples/rms/server-ha.yaml new file mode 100644 index 0000000..6c1ebea --- /dev/null +++ b/samples/rms/server-ha.yaml 
@@ -0,0 +1,39 @@ +components: + rmsa: true + rmsb: true + +# hier könnte man eine IP setzen, oder nimmt eine aus dem Pool. +# Wenn man eine IP setzt, muss sie aus einem Pool kommen. +rmsa: + ingress: + domain: "server1.{{ .instance.group | default .Release.Name }}.lab.nplus.cloud" + comps: + nappl: + enabled: true + restartReplicas: 2 + nstl: + enabled: true + name: nstla + restartReplicas: 1 + host: "{{ .component.prefix }}nstla.{{ .Release.Namespace }}.svc.cluster.local" + rs: + enabled: true + restartReplicas: 2 + web: + enabled: true + restartReplicas: 2 +rmsb: + ingress: + domain: "server2.{{ .instance.group | default .Release.Name }}.lab.nplus.cloud" + comps: + nappl: + enabled: true + name: nappljobs + restartReplicas: 1 + replicaSetType: StatefulSet + host: "{{ .component.prefix }}nappljobs.{{ .Release.Namespace }}.svc.cluster.local" + nstl: + name: nstlb + enabled: true + restartReplicas: 1 + host: "{{ .component.prefix }}nstlb.{{ .Release.Namespace }}.svc.cluster.local" diff --git a/samples/rms/server.yaml b/samples/rms/server.yaml new file mode 100644 index 0000000..d6c4246 --- /dev/null +++ b/samples/rms/server.yaml @@ -0,0 +1,19 @@ +components: + # -- Enable the nplus Remote Management Server / rms + rms: true +rms: + ingress: + domain: "admin.{{ .instance.group | default .Release.Name }}.lab.nplus.cloud" + # -- This sets the external IP. Has has to come from the Layer 3 Load Balancer Pool, otherwise your + # L3 Load Balancer will not be able to assign it. + # If you leavet this empty, a VIP will be assigned from the pool + externalIp: 10.17.1.49 + comps: + nappl: + enabled: true + nstl: + enabled: true + rs: + enabled: true + web: + enabled: true diff --git a/samples/security/README.md b/samples/security/README.md new file mode 100644 index 0000000..2c1733f --- /dev/null +++ b/samples/security/README.md 
@@ -0,0 +1,67 @@ +# Security + +## All the standards + +There are several features that will enhance the security of your system: + +- all components are running rootless by default +- all components drop all privileges +- all components deny escalation +- all components have read only file systems +- Access is restricted by NetworkPolicies + +## Additional: The backend Protocol + +Additionally, you can increase security by encrypting communication in the backend. Depending on your network driver, this might already been done automatically beween the Kubernetes Nodes. But you can double that even within a single node by switching the backend Protocol to https: + + +```yaml +global: + nappl: + port: 8443 + ssl: true + +# Web and PAM do not speak https by default yet, CRs have been filed. + +nappl: + ingress: + backendProtocol: https +cmis: + ingress: + backendProtocol: https +ilm: + ingress: + backendProtocol: https +webdav: + ingress: + backendProtocol: https +rs: + ingress: + backendProtocol: https +mon: + ingress: + backendProtocol: https +administrator: + ingress: + backendProtocol: https +``` + +This will turn every communication to https, **but** leave the unencrypted ports (http) **open** for inter-pod communication. + + +## Zero Trust Mode + +This will basically do the same as above, **but** also turn **off** any unencrypted port (like http) and also implement NetworkPolicies to drop unencrypted packages. + +This will also affect the way how *probes* are checking the pods health: *nplus* will switch them to use https instead, so even the very internal Healtch Check infrastructure will be encrypted in *zero trust mode*: + +```yaml +components: + pam: false #TODO: ITSMSD-8771: PAM does not yet support https backend. +global: + security: + zeroTrust: true + nappl: + port: 8443 + ssl: true +``` diff --git a/samples/security/build.sh b/samples/security/build.sh new file mode 100755 index 0000000..b4d8d3b --- /dev/null +++ b/samples/security/build.sh 
@@ -0,0 +1,85 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" 
+ exit 1 +fi + +# Set the Variables +SAMPLE="encrypt" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/security/encrypt.yaml \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# creating the Argo manifest +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/security/encrypt.yaml \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml + + + + +# Set the Variables +SAMPLE="zerotrust" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/ha/values.yaml \ + --values $SAMPLES/security/zerotrust.yaml \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# creating the Argo manifest +mkdir -p $DEST/instance-argo +helm template --debug \ + --values $SAMPLES/ha/values.yaml \ + --values $SAMPLES/security/zerotrust.yaml \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME-argo $CHARTS/instance-argo > $DEST/instance-argo/$SAMPLE-argo.yaml + diff --git a/samples/security/encrypt.yaml b/samples/security/encrypt.yaml new file mode 100644 index 0000000..a399e96 --- /dev/null +++ b/samples/security/encrypt.yaml 
@@ -0,0 +1,28 @@ +global: + nappl: + port: 8443 + ssl: true + +# Web and PAM do not speak https by default yet, CRs have been filed. + +nappl: + ingress: + backendProtocol: https +cmis: + ingress: + backendProtocol: https +ilm: + ingress: + backendProtocol: https +webdav: + ingress: + backendProtocol: https +rs: + ingress: + backendProtocol: https +mon: + ingress: + backendProtocol: https +administrator: + ingress: + backendProtocol: https diff --git a/samples/security/zerotrust.yaml b/samples/security/zerotrust.yaml new file mode 100644 index 0000000..46f8324 --- /dev/null +++ b/samples/security/zerotrust.yaml @@ -0,0 +1,8 @@ +components: + pam: false # #TODO: ITSMSD-8771: PAM does not yet support https backend. +global: + security: + zeroTrust: true + nappl: + port: 8443 + ssl: true diff --git a/samples/shared/README.md b/samples/shared/README.md new file mode 100644 index 0000000..d9b6eac --- /dev/null +++ b/samples/shared/README.md 
@@ -0,0 +1,34 @@ +# Sharing Instances + +Some organisations have multiple tenants that share common services, like *nscale Rendition Server* or +have a common IT department, thus using only a single *nscale Monitoring Console* acress all tenants. + +This is the Central Services Part: +``` +helm install \ + --values samples/shared/centralservices.yaml \ + --values samples/environment/demo.yaml \ + sample-shared-cs nplus/nplus-instance +``` + +And this is the tenant using the Central Services: +``` +helm install \ + --values samples/shared/shared.yaml \ + --values samples/environment/demo.yaml \ + sample-shared nplus/nplus-instance +``` + +If you enable security based on *Network Policies*, you need to add additional Policies to allow access. Please see `shared-networkpolicy.yaml` and `centralservices-networkpolicy.yaml` as an example. + +You also want to set the *monitoringInstance* in the `global` section of the values file to enable the Network Policy for incoming monitoring traffic. + +```yaml +global: + security: + cni: + monitoringInstance: sample-shared-cs +``` + + + diff --git a/samples/shared/build.sh b/samples/shared/build.sh new file mode 100755 index 0000000..adcc002 --- /dev/null +++ b/samples/shared/build.sh 
@@ -0,0 +1,71 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" 
+ exit 1 +fi + +# Set the Variables +SAMPLE="shared" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/shared/shared.yaml \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# Adding the extra network policy +echo -e "\n---\n" >> $DEST/instance/$SAMPLE.yaml +cat $SAMPLES/shared/shared-networkpolicy.yaml >> $DEST/instance/$SAMPLE.yaml + + + +# Set the Variables +SAMPLE="shared-cs" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/shared/centralservices.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + +# Adding the extra network policy +echo -e "\n---\n" >> $DEST/instance/$SAMPLE.yaml +cat $SAMPLES/shared/centralservices-networkpolicy.yaml >> $DEST/instance/$SAMPLE.yaml + diff --git a/samples/shared/centralservices-networkpolicy.yaml b/samples/shared/centralservices-networkpolicy.yaml new file mode 100644 index 0000000..a756155 --- /dev/null +++ b/samples/shared/centralservices-networkpolicy.yaml 
@@ -0,0 +1,53 @@ +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: sample-shared-cs-interinstance-core + labels: + nplus/instance: sample-shared-cs +spec: + podSelector: + matchLabels: + nplus/instance: sample-shared-cs + nplus/type: nstl + policyTypes: + - Ingress + ingress: + # + # allow access from alien CORE components to a central nscale Storage Layer + # + - from: + - podSelector: + matchLabels: + nplus/instance: sample-shared + nplus/type: core + ports: + - protocol: TCP + port: 3005 +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: sample-shared-cs-interinstance-mon + labels: + nplus/instance: sample-shared-cs +spec: + podSelector: + matchLabels: + nplus/instance: sample-shared-cs + nplus/type: mon + policyTypes: + - Egress + egress: + # + # allow monitoring console to monitor alien components. + # you will have to set the alien monitoring in the target namespace / instance. + # .Values.security.cni.monitoringNamespace .Values.security.cni.monitoringInstance + # + - to: + - podSelector: + matchLabels: + nplus/instance: sample-shared + nplus/type: core + ports: + - protocol: TCP + port: 3005 diff --git a/samples/shared/centralservices.yaml b/samples/shared/centralservices.yaml new file mode 100644 index 0000000..3184a63 --- /dev/null +++ b/samples/shared/centralservices.yaml @@ -0,0 +1,14 @@ +components: + application: false + nappl: false + nappljobs: false + rs: true + mon: true + cmis: false + ilm: false + database: false + web: false + nstl: true + pipeliner: false + administrator: false + webdav: false \ No newline at end of file diff --git a/samples/shared/shared-networkpolicy.yaml b/samples/shared/shared-networkpolicy.yaml new file mode 100644 index 0000000..89481bf --- /dev/null +++ b/samples/shared/shared-networkpolicy.yaml 
@@ -0,0 +1,38 @@ +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: sample-shared-interinstance + labels: + nplus/instance: sample-shared +spec: + podSelector: + matchLabels: + nplus/instance: sample-shared + nplus/type: core + policyTypes: + - Egress + egress: + # + # allow access from CORE components to a central nscale Storage Layer + # + - to: + - podSelector: + matchLabels: + nplus/instance: sample-shared-cs + nplus/type: nstl + ports: + - protocol: TCP + port: 3005 + # + # allow access from CORE components to a central nscale Rendition Server + # + - to: + - podSelector: + matchLabels: + nplus/instance: sample-shared-cs + nplus/type: rs + ports: + - protocol: TCP + port: 8192 + - protocol: TCP + port: 8193 \ No newline at end of file diff --git a/samples/shared/shared.yaml b/samples/shared/shared.yaml new file mode 100644 index 0000000..56508a4 --- /dev/null +++ b/samples/shared/shared.yaml @@ -0,0 +1,19 @@ +components: + application: true + rs: false + mon: false + nstl: false + +application: + enabled: true + docAreas: + - id: "DA" + nstl: + host: "sample-shared-cs-nstl.{{ .Release.Namespace }}" + rs: + host: "sample-shared-cs-rs.{{ .Release.Namespace }}" + +global: + security: + cni: + monitoringInstance: sample-shared-cs diff --git a/samples/sharepoint/README.md b/samples/sharepoint/README.md new file mode 100644 index 0000000..5b5445f --- /dev/null +++ b/samples/sharepoint/README.md 
@@ -0,0 +1,106 @@ +# Specifics of the Sharepoint Connector + +Normally, you will have different configurations if you want multiple Sharepoint Connectors. This makes the *nsp* somewhat special: + +## Multi Instance HA Sharepoint Connector + +This sample shows how to setup a sharepoint connector with multiple instances having **different** configurations for archival, but with **High Availability** on the retrieval side. + +SharePoint is one of the few components for which is is quite common to have multiple instances instead of replicas. Replicas would include, that the configuration for all pods is identical. However, you might want to have multiple configurations as you also have multiple sharepoint sites you want to archive. + +Running multiple instances with ingress enabled leads to the question, what the context path is for each instance. It cannot be the same as the load balancer would not be able to distinguish between them and thus refuses to add the configuration object - leading in a deadlock situation. + +So *nplus* defined different context paths if you have multiple instances: + +- sharepointa on `/nscale_spca` +- sharepointb on `/nscale_spcb` +- sharepointc on `/nscale_spcc` +- sharepointd on `/nscale_spcd` + +If you only run one instance, it defaults to `/nscale_spc`. + +## HA on retrieval + +Once archived, you might want to use all instances for retrieval, since they share a common retrieval configuration (same nappl, ...). So in order to gain High Availability even across multiple instances, there are two options: + +1. You turn off the services and ingresses on any sharepoint instance but sharepointa. Then you switch sharepointa's service selector to *type mode*, selecting all pods with type `sharepoint` instead of all pods of component `sharepointa`. Then you can access this one service to reach them all. +2. 
You can turn on the *clusterService*, which is an additional service that selects all `sharepoint` type pods and then adds an extra ingress on this service with the default context path `nscale_spc` + +However, in both scenarios, beware that the sharepoint connector can only service one context path at a time, so you will need to change the context path accordingly. + +## Sample for solution 1 + +On the instance, define the following: + +``` +components: + # -- First, we switch the default SharePoint OFF + sharepoint: false + + # -- Then we enable two sharepoint instances to be used with different configurations + sharepointa: true + sharepointb: true + +sharepointa: + service: + # -- Switching the service to "type" makes sure we select not only the component pods (in this case all replicas of sharepointa) + # but rather **any** pod of type sharepoint. + selector: "type" + ingress: + # -- The default contextPath for sharepointa is `nscale_spca` to make sure we have distinguishable paths for all sharepoint instances. + # however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general + # contextPath, as if it was a single component deployment + contextPath: "/nscale_spc" +sharepointb: + service: + # -- The other SP Instance does not need a service any more, as it is selected by the cluster service above. So we switch off the component + # service which also switches off the ingress as it would not have a backing service any more + enabled: false + # -- The default contextPath for sharepointb is `nscale_spcb` to make sure we have distinguishable paths for all sharepoint instances. 
+ # however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general + # contextPath, as if it was a single component deployment + contextPath: "/nscale_spc" +``` + + +## Sample for Solution 2 + +On the instance, define the following: + +``` +components: + # -- First, we switch the default SharePoint OFF + sharepoint: false + + # -- Then we enable two sharepoint instances to be used with different configurations + sharepointa: true + sharepointb: true + +sharepointa: + clusterService: + # -- This enabled the cluster service + enabled: true + # -- the cluster Ingress needs to know the context path it should react on. + contextPath: "/nscale_spc" + ingress: + # -- we turn off the original ingress as the common context path would block the deployment + enabled: false + # -- The default contextPath for sharepointa is `nscale_spca` to make sure we have distinguishable paths for all sharepoint instances. + # however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general + # contextPath, as if it was a single component deployment + contextPath: "/nscale_spc" +sharepointb: + clusterService: + # -- on the second SharePoint Instance, we **disable** the cluster service, as it is already created by sharepointa. + enabled: false + # -- however, we need to set the context path, as this tells the networkPolicy to open up for ingress even though we switch die Ingress off in the + # next step + contextPath: "/nscale_spc" + ingress: + # -- we turn off the original ingress as the common context path would block the deployment + enabled: false + # -- The default contextPath for sharepointb is `nscale_spcb` to make sure we have distinguishable paths for all sharepoint instances. 
+ # however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general + # contextPath, as if it was a single component deployment + contextPath: "/nscale_spc" +``` diff --git a/samples/sharepoint/build.sh b/samples/sharepoint/build.sh new file mode 100755 index 0000000..5fc50b8 --- /dev/null +++ b/samples/sharepoint/build.sh @@ -0,0 +1,45 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Set the Variables +SAMPLE="sharepoint" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/sharepoint/solution2.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml + 
diff --git a/samples/sharepoint/solution1.yaml b/samples/sharepoint/solution1.yaml new file mode 100644 index 0000000..5795715 --- /dev/null +++ b/samples/sharepoint/solution1.yaml @@ -0,0 +1,28 @@ +components: + # -- First, we switch the default SharePoint OFF + sharepoint: false + + # -- Then we enable two sharepoint instances to be used with different configurations + sharepointa: true + sharepointb: true + +sharepointa: + service: + # -- Switching the service to "type" makes sure we select not only the component pods (in this case all replicas of sharepointa) + # but rather **any** pod of type sharepoint. + selector: "type" + ingress: + # -- The default contextPath for sharepointa is `nscale_spca` to make sure we have distinguishable paths for all sharepoint instances. + # however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general + # contextPath, as if it was a single component deployment + contextPath: "/nscale_spc" +sharepointb: + service: + # -- The other SP Instance does not need a service any more, as it is selected by the cluster service above. So we switch off the component + # service which also switches off the ingress as it would not have a backing service any more + enabled: false + ingress: + # -- The default contextPath for sharepointb is `nscale_spcb` to make sure we have distinguishable paths for all sharepoint instances. + # however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general + # contextPath, as if it was a single component deployment + contextPath: "/nscale_spc" diff --git a/samples/sharepoint/solution2.yaml b/samples/sharepoint/solution2.yaml new file mode 100644 index 0000000..7212065 --- /dev/null +++ b/samples/sharepoint/solution2.yaml 
@@ -0,0 +1,35 @@ +components: + # -- First, we switch the default SharePoint OFF + sharepoint: false + + # -- Then we enable two sharepoint instances to be used with different configurations + sharepointa: true + sharepointb: true + +sharepointa: + clusterService: + # -- This enabled the cluster service + enabled: true + # -- the cluster Ingress needs to know the context path it should react on. + contextPath: "/nscale_spc" + ingress: + # -- we turn off the original ingress as the common context path would block the deployment + enabled: false + # -- The default contextPath for sharepointa is `nscale_spca` to make sure we have distinguishable paths for all sharepoint instances. + # however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general + # contextPath, as if it was a single component deployment + contextPath: "/nscale_spc" +sharepointb: + clusterService: + # -- on the second SharePoint Instance, we **disable** the cluster service, as it is already created by sharepointa. + enabled: false + # -- however, we need to set the context path, as this tells the networkPolicy to open up for ingress even though we switch die Ingress off in the + # next step + contextPath: "/nscale_spc" + ingress: + # -- we turn off the original ingress as the common context path would block the deployment + enabled: false + # -- The default contextPath for sharepointb is `nscale_spcb` to make sure we have distinguishable paths for all sharepoint instances. + # however, in this case we re-use the service as cluster service and die ingress as cluster ingress, so we switch to the general + # contextPath, as if it was a single component deployment + contextPath: "/nscale_spc" diff --git a/samples/sim/README.md b/samples/sim/README.md new file mode 100644 index 0000000..c483ae3 --- /dev/null +++ b/samples/sim/README.md 
@@ -0,0 +1,87 @@ +# Single-Instance-Mode + +If you choose to separate tenants on your system not only by *nplus Instances* but also by *nplus Environments*, thus running each tenant in a separate Kubernetes *Namespace*, you do not need to create an *nplus Environment* first, but you can rather enable the *nplus Environment Components* within your instance: + +```yaml +components: + sim: + dav: true + backend: true + operator: true + toolbox: true +``` + +Steps to run a SIM Instance: + +1. Create the namespace and the necessary secrets to access the repo, registry as well as the nscale license file + + ``` + SIM_NAME="empty-sim" + + kubectl create ns $SIM_NAME + kubectl create secret docker-registry nscale-cr \ + --namespace $SIM_NAME \ + --docker-server=ceyoniq.azurecr.io \ + --docker-username=$NSCALE_ACCOUNT \ + --docker-password=$NSCALE_TOKEN + kubectl create secret docker-registry nplus-cr \ + --namespace $SIM_NAME \ + --docker-server=cr.nplus.cloud \ + --docker-username=$NPLUS_ACCOUNT \ + --docker-password=$NPLUS_TOKEN + kubectl create secret generic nscale-license \ + --namespace $SIM_NAME \ + --from-file=license.xml=$NSCALE_LICENSE + ``` + +2. Deploy the Instance + + ``` + helm install \ + --values lab.yaml \ + --values single-instance-mode.yaml \ + --namespace $SIM_NAME \ + $SIM_NAME nplus/nplus-instance + ``` + +If you do not have any Application that requires assets such as scripts or apps, you are good to go with this. + +However, if your Application does require assets, the *problem* is to get them into your (not existing) environment before the Applications is trying to access them. + +There are three possible solutions: + +1. You create an umbrella chart and have a job installing the assets into your Instance +2. You pull / download assets from your git server or an asset server before the Application deployment +3. 
You pull / download assets from your git server or an asset server before the Component deployment, including the Application + +**Solution 1** obiously involes some implementation on your end. That is not covered in this documentation. + +**Solution 2** can be achieved by defining a downloader in your application chart (see `empty-download.yaml`): + +```yaml +components: + application: true +application: + docAreas: + - id: "Sample" + download: + - "https://git.nplus.cloud/public/nplus/raw/branch/master/samples/assets/sample.sh" + run: + - "/pool/downloads/sample.sh" +``` + +**Solutions 3** should be used if you have any assets that need to be available **before** the nscale Components start, like snippets for the web client etc. + +You can use the *Prepper* for that purpose. The *Prepper* prepares everything required for the Instance to work as intended. It is very much like the *Application*, except that it does not connect to any nscale component (as they do not yet run by the time the prepper executes). But just like the Application, the Prepper is able to download assets and run scripts. + +You can add this to your deployment: + +```yaml +components: + prepper: true +prepper: + download: + - "https://git.nplus.cloud/public/nplus/raw/branch/master/assets/sample.tar.gz" + run: + - "/pool/downloads/sample/sample.sh" +``` diff --git a/samples/sim/build.sh b/samples/sim/build.sh new file mode 100755 index 0000000..43cd140 --- /dev/null +++ b/samples/sim/build.sh 
@@ -0,0 +1,46 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Set the Variables +SAMPLE="sim" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance-sim +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/sim/values.yaml \ + --namespace $NAME \ + $NAME $CHARTS/instance > $DEST/instance-sim/$SAMPLE.yaml diff --git a/samples/sim/values.yaml b/samples/sim/values.yaml new file mode 100644 index 0000000..5d4c43b --- /dev/null +++ b/samples/sim/values.yaml @@ -0,0 +1,7 @@ +components: + sim: + dav: true + backend: true + operator: true + toolbox: true + 
diff --git a/samples/static/README.md b/samples/static/README.md new file mode 100644 index 0000000..146f28a --- /dev/null +++ b/samples/static/README.md 
@@ -0,0 +1,169 @@ +# Static Volumes + +## Assigning PVs + +For security reasons, you might want to use a storage class that does not perform automatic provisioning of PVs. +In that case, you want to reference a pre-created volume in the PVC. +In nplus, you can do so by setting the volumeName in the values. + +Please review `values.yaml` as an example: + +```yaml +database: + mounts: + data: + volumeName: "pv-{{ .component.fullName }}-data" +nstl: + mounts: + data: + volumeName: "pv-{{ .component.fullName }}-data" +``` + +You can also set the environment config volume. Please refer to the environment documentation for that. + +``` +helm install \ + --values samples/environment/demo.yaml \ + --values samples/static/values.yaml + sample-static nplus/nplus-instance +``` + +## Creating PVs + +https://github.com/ceph/ceph-csi/blob/devel/docs/static-pvc.md + +### Data Disk: + +1. Create a pool on your cep cluster + ``` + ceph osd pool create k-lab 64 64 + ``` +2. Create a block device pool + ``` + rbd pool init k-lab + ``` +3. Create an image + ``` + rbd create -s 50G k-lab/pv-sample-static-database-data + rbd create -s 50G k-lab/pv-sample-static-nstl-data + rbd ls k-lab | grep pv-sample-static- + ``` + Resize: + ``` + rbd resize --size 50G k-lab/pv-no-provisioner-database-data --allow-shrink + ``` + +### File Share: + +1. Create a Subvolume (FS) + ``` + ceph fs subvolume create cephfs pv-no-provisioner-rs-file --size 53687091200 + ``` +2. 
Get the path of the subvolume + ``` + ceph fs subvolume getpath cephfs pv-no-provisioner-rs-file + ``` + +### Troubleshooting + +``` +kubectl describe pv/pv-no-provisioner-rs-file pvc/no-provisioner-rs-file +kubectl get volumeattachment +``` + +### PV Manifests + +```yaml +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pv-no-provisioner-database-data +spec: + accessModes: + - ReadWriteOnce + capacity: + storage: 50Gi + csi: + driver: rook-ceph.rbd.csi.ceph.com + fsType: ext4 + nodeStageSecretRef: + # node stage secret name + name: rook-csi-rbd-node + # node stage secret namespace where above secret is created + namespace: rook-ceph-external + volumeAttributes: + # Required options from storageclass parameters need to be added in volumeAttributes + clusterID: rook-ceph-external + pool: k-lab + staticVolume: "true" + imageFeatures: layering + #mounter: rbd-nbd + # volumeHandle should be same as rbd image name + volumeHandle: pv-no-provisioner-database-data + persistentVolumeReclaimPolicy: Retain + # The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block` + volumeMode: Filesystem + storageClassName: ceph-rbd +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pv-no-provisioner-nstl-data +spec: + accessModes: + - ReadWriteOnce + capacity: + storage: 50Gi + csi: + driver: rook-ceph.cephfs.csi.ceph.com + fsType: ext4 + nodeStageSecretRef: + # node stage secret name + name: rook-csi-rbd-node + # node stage secret namespace where above secret is created + namespace: rook-ceph-external + volumeAttributes: + # Required options from storageclass parameters need to be added in volumeAttributes + clusterID: rook-ceph-external + pool: k-lab + staticVolume: "true" + imageFeatures: layering + #mounter: rbd-nbd + # volumeHandle should be same as rbd image name + volumeHandle: pv-no-provisioner-nstl-data + persistentVolumeReclaimPolicy: 
Retain + # The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block` + volumeMode: Filesystem + storageClassName: ceph-rbd +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pv-no-provisioner-rs-file +spec: + accessModes: + - ReadWriteMany + capacity: + storage: 50Gi + csi: + driver: cephfs.csi.ceph.com + nodeStageSecretRef: + name: rook-csi-cephfs-secret + #rook-csi-cephfs-node + namespace: rook-ceph-external + volumeAttributes: + # Required options from storageclass parameters need to be added in volumeAttributes + clusterID: rook-ceph-external + fsName: cephfs + pool: cephfs_data + staticVolume: "true" + # rootPath kriegt man per ceph fs subvolume getpath cephfs pv-no-provisioner-rs-file + rootPath: "/volumes/_nogroup/pv-no-provisioner-rs-file/3016f512-bc19-4bfb-8eb2-5118430fbbe5" + #mounter: rbd-nbd + # volumeHandle should be same as rbd image name + volumeHandle: pv-no-provisioner-rs-file + persistentVolumeReclaimPolicy: Retain + # The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block` + volumeMode: Filesystem + storageClassName: cephfs +``` diff --git a/samples/static/build.sh b/samples/static/build.sh new file mode 100755 index 0000000..88d8218 --- /dev/null +++ b/samples/static/build.sh 
@@ -0,0 +1,48 @@ +#!/bin/bash +# +# This sample script builds the example as described. It is also used to build the test environment in our lab, +# so it should be well tested. +# + +# Make sure it fails immediately, if anything goes wrong +set -e + +# -- ENVironment variables: +# CHARTS: The path to the source code +# DEST: The path to the build destination +# SAMPLE: The directory of the sample +# NAME: The name of the sample, used as the .Release.Name +# KUBE_CONTEXT: The name of the kube context, used to build this sample depending on where you run it against. You might have different Environments such as lab, dev, qa, prod, demo, local, ... + +# Check, if we have the source code available +if [ ! -d "$CHARTS" ]; then + echo "ERROR Building $SAMPLE example: The Charts Sources folder is not set. Please make sure to run this script with the full Source Code available" + exit 1 +fi +if [ ! -d "$DEST" ]; then + echo "ERROR Building $SAMPLE example: DEST folder not found." + exit 1 +fi +if [ ! -d "$CHARTS/instance" ]; then + echo "ERROR Building $SAMPLE example: Chart Sources in $CHARTS/instance not found. Are you running this script as a subscriber?" + exit 1 +fi + +# Set the Variables +SAMPLE="static" +NAME="sample-$SAMPLE" + +# Output what is happening +echo "Building $NAME" + +# Create the manifest +mkdir -p $DEST/instance +helm template --debug \ + --values $SAMPLES/application/empty.yaml \ + --values $SAMPLES/environment/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/resources/$KUBE_CONTEXT.yaml \ + --values $SAMPLES/static/values.yaml \ + $NAME $CHARTS/instance > $DEST/instance/$SAMPLE.yaml +# Adding the static PV to the manifest +echo -e "\n---\n" >> $DEST/instance/$SAMPLE.yaml +cat $SAMPLES/static/pv.yaml >> $DEST/instance/$SAMPLE.yaml diff --git a/samples/static/pv.yaml b/samples/static/pv.yaml new file mode 100644 index 0000000..72900bc --- /dev/null +++ b/samples/static/pv.yaml 
@@ -0,0 +1,74 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pv-sample-static-database-data +spec: + # -- set an empty string must be explicitly set otherwise default StorageClass will be set + # see https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + storageClassName: "" + # -- make sure, this PV may only by bound to a specific claim + claimRef: + name: sample-static-database-data + namespace: lab + accessModes: + - ReadWriteOnce + capacity: + storage: 50Gi + csi: + driver: rook-ceph.rbd.csi.ceph.com + fsType: ext4 + nodeStageSecretRef: + # node stage secret name + name: rook-csi-rbd-node + # node stage secret namespace where above secret is created + namespace: rook-ceph-external + volumeAttributes: + # Required options from storageclass parameters need to be added in volumeAttributes + clusterID: rook-ceph-external + pool: k-lab + staticVolume: "true" + imageFeatures: layering + #mounter: rbd-nbd + # volumeHandle should be same as rbd image name + volumeHandle: pv-sample-static-database-data + persistentVolumeReclaimPolicy: Delete + # The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block` + volumeMode: Filesystem +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: pv-sample-static-nstl-data +spec: + # -- set an empty string must be explicitly set otherwise default StorageClass will be set + # see https://kubernetes.io/docs/concepts/storage/persistent-volumes/ + storageClassName: "" + # -- make sure, this PV may only by bound to a specific claim + claimRef: + name: sample-static-nstl-data + namespace: lab + accessModes: + - ReadWriteOnce + capacity: + storage: 50Gi + csi: + driver: rook-ceph.rbd.csi.ceph.com + fsType: ext4 + nodeStageSecretRef: + # node stage secret name + name: rook-csi-rbd-node + # node stage secret namespace where above secret is created + namespace: rook-ceph-external + 
volumeAttributes: + # Required options from storageclass parameters need to be added in volumeAttributes + clusterID: rook-ceph-external + pool: k-lab + staticVolume: "true" + imageFeatures: layering + #mounter: rbd-nbd + # volumeHandle should be same as rbd image name + volumeHandle: pv-sample-static-nstl-data + persistentVolumeReclaimPolicy: Delete + # The volumeMode can be either `Filesystem` or `Block` if you are creating Filesystem PVC it should be `Filesystem`, if you are creating Block PV you need to change it to `Block` + volumeMode: Filesystem + diff --git a/samples/static/values.yaml b/samples/static/values.yaml new file mode 100644 index 0000000..f59d2c8 --- /dev/null +++ b/samples/static/values.yaml @@ -0,0 +1,22 @@ +database: + mounts: + data: + volumeName: "pv-{{ .component.fullName }}-data" +nstl: + mounts: + data: + volumeName: "pv-{{ .component.fullName }}-data" + + +# # mon: +# # mounts: +# # data: +# # volumeName: "pv-{{ .component.fullName }}-data" +# # pipeliner: +# # mounts: +# # data: +# # volumeName: "pv-{{ .component.fullName }}-data" +# # rs: +# # mounts: +# # file: +# # volumeName: "pv-{{ .component.fullName }}-file"
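Review bot: The comments in the `sharepointa` and `sharepointb` blocks of the SharePoint sample values (the first hunk of this section) still carry untranslated words and a tense slip: "die ingress as cluster ingress", "we switch die Ingress off" and "This enabled the cluster service". Please reword them ("the ingress", "This enables"). The same comments give the defaults as `nscale_spca` and `nscale_spcb` without a leading slash while every value in the file is written as `"/nscale_spc"`; state the defaults in the form the key expects. Since the shared path has to be identical in all four `contextPath` entries for this setup to work, a one-line comment at the top saying so would help whoever changes it later.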
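Review bot: In `samples/sim/README.md`, both downloader samples (`application.docAreas[].download` and `prepper.download`) fetch from a `.../raw/branch/master/...` URL and then execute the result under `run:`, so whatever is on that branch at deploy time runs inside the instance, and the samples show no checksum or signature step. Please point the sample URLs at an immutable ref (tag or commit) and add a sentence telling readers to do the same for their own asset servers. The Prepper sample downloads `sample.tar.gz` but runs `/pool/downloads/sample/sample.sh`; the text should say that archives are unpacked and where they land. In step 1, `$NSCALE_TOKEN`, `$NPLUS_TOKEN`, `$NSCALE_LICENSE` and `$SIM_NAME` are expanded unquoted in the `kubectl create` commands; quote them. Wording: items 2 and 3 of the "three possible solutions" list differ only in their last words, so make the distinction (Application vs. Prepper) explicit, and fix "obiously involes", "Solutions 3" and "before the Applications is trying".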
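Review bot: `samples/sim/build.sh` uses `$SAMPLES` in all four `--values` arguments of the `helm template` call, but the header comment and the three `-d` checks only cover `CHARTS` and `DEST`, so with `SAMPLES` unset the paths resolve to `/application/empty.yaml` and so on and the failure surfaces as a helm file error. Please document `SAMPLES` in the header, add a `-d "$SAMPLES"` check next to the others, and check that `KUBE_CONTEXT` is non-empty since it is part of two file names. The error messages print `$SAMPLE` before `SAMPLE="sim"` is assigned, and the header lists `SAMPLE` and `NAME` as environment variables although the script overwrites both; move the two assignments above the checks and drop them from the header. The expansions in `mkdir -p $DEST/instance-sim` and the `helm template` arguments should be quoted.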
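Review bot: The `helm install` block under "Assigning PVs" in `samples/static/README.md` is missing the trailing backslash after `--values samples/static/values.yaml`, so a copy-paste runs `helm install` without release name and chart and then tries to execute `sample-static nplus/nplus-instance` as a separate command. Further down, the second manifest under "PV Manifests" (`pv-no-provisioner-nstl-data`) sets `driver: rook-ceph.cephfs.csi.ceph.com` while the rest of it is RBD (`fsType: ext4`, `pool: k-lab`, `imageFeatures: layering`, `rook-csi-rbd-node`, `storageClassName: ceph-rbd`), and `samples/static/pv.yaml` uses `rook-ceph.rbd.csi.ceph.com` for the same volume; please align it. The names are inconsistent too: the images are created as `k-lab/pv-sample-static-*`, but the resize command, the subvolume commands, the troubleshooting commands and the manifests all use `pv-no-provisioner-*`. The page opens with "For security reasons", yet its manifests set `storageClassName: ceph-rbd` / `cephfs` and no `claimRef`, unlike `pv.yaml`; either show the `pv.yaml` form here or explain the difference. Minor: "cep cluster", the German comment "rootPath kriegt man per ...", and the bare link under "Creating PVs" with no sentence around it.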
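Review bot: The `helm template` call in `samples/static/build.sh` has no `--namespace`, while the `pv.yaml` appended at the end pins both `claimRef` entries to `namespace: lab`; the sim build script passes `--namespace $NAME`. As written, the rendered release falls back to helm's default namespace and the PVs can only bind if the result happens to be applied into `lab`. Please pass the namespace explicitly or state the requirement in a comment next to the `cat`. The script also does not check that `$SAMPLES/static/pv.yaml` exists before writing the manifest, so under `set -e` a missing file aborts after `$DEST/instance/$SAMPLE.yaml` has already been written without its PVs. `$SAMPLES` and `KUBE_CONTEXT` are used but neither documented in the header nor checked, and `$SAMPLE` is printed in the error messages before it is assigned.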
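Review bot: Both volumes in `samples/static/pv.yaml` set `persistentVolumeReclaimPolicy: Delete`, whereas every manifest in the README of the same sample uses `Retain`. These are pre-created images holding database and storage-layer data, so the sample should not suggest that removing the claim disposes of the volume; please use `Retain` here as well, or add a comment explaining why the lab build deviates. The `claimRef` pinning together with `storageClassName: ""` is the part of this file that delivers on the README's "for security reasons", so it deserves a clearer comment: "set an empty string must be explicitly set" and "may only by bound" both need rewording. The hard-coded `namespace: lab` in both `claimRef` blocks should be called out as something the reader has to adapt.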
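Review bot: `samples/static/values.yaml` ends with a block for `mon`, `pipeliner` and `rs` that is commented out twice (`# # mon:` and so on) with no explanation. If these are optional mounts the reader may enable, use a single `#` and add one line saying that a matching PV has to exist first; otherwise remove the block. It would also help to note above the two active entries that `pv-{{ .component.fullName }}-data` is presumably resolved per release, so the values only match the PV names in `pv.yaml` (`pv-sample-static-database-data`, `pv-sample-static-nstl-data`) when the release is called `sample-static`.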