# yaml-language-server: $schema=values.schema.json
# NOTE(review): this listing was whitespace-collapsed. The nesting below is
# reconstructed from the comments and the key order; verify it against the
# chart's values.schema.json before use.

# -- Ingress defines whether this component is reachable via an ingress controller, Layer 7, through http(s)
ingress:
  # NOTE(review): with these defaults the administrator component
  # (`contextPath: "/rapadm"`) is published through the ingress. Consider
  # restricting it with `whitelist`, an internal `class`, or disabling the
  # ingress where it is not needed.
  # -- You can toggle the ingress on whether you'd like this component
  # to be reachable through an ingress or not.
  enabled: true
  # -- Overrides the default backend protocol. The default is http,
  # unless in zeroTrust Mode, then it is switched to https automatically.
  # @default -- `http`; `https` in zero trust mode
  backendProtocol:
  # -- defines the path for a potential rewriting to `rewriteTarget`. Do not change unless you have a good reason
  # Example: `/nscalealinst1(/\|$)(.*)`
  # @internal -- This is an alpha feature - do not use it.
  inputPath:
  # -- defines a rewriteTarget for a potential rewriting of `inputPath`. Do not change unless you have a good reason
  # Example: `/nscalealinst1/$2`
  # @internal -- This is an alpha feature - do not use it.
  rewriteTarget:
  # -- deny is used to exclude specific paths from public access, such as
  # administrative paths. For example, in nappl, webc is the hessian protocol, webb is
  # the burlap protocol. The configuration service is the endpoint used by
  # the Admin client.
  deny:
  # -- on component level, set cookie affinity for the ingress
  # example: `XtConLoadBalancerSession` for nscale Web
  cookie:
  # -- Sets the name of the tls secret to be used for this ingress, that contains
  # the private and public key. These secrets can optionally be provided by the instance
  # @default -- `{{ .this.ingress.domain }}-tls`
  secret:
  # -- Sets the domain to be used. This domain should be provided by the instance globally
  # for all components, but you are free to override it here
  domain:
  # -- The ingressclass to use for this ingress. Most likely, this is provided globally by the
  # instance, but you are free to override it here if this component should use a different class
  # e.g. if you have separated ingress controllers, like a public and an internal one
  # @default -- `public`
  class:
  # NOTE(review): on a controller other than nginx this annotation presumably
  # has no effect, so no source-IP restriction is applied; enforce the
  # restriction elsewhere in that case.
  # -- optionally sets a whitelist of ip ranges (CIDR format, comma separated)
  # from which ingress is allowed. This is an annotation for nginx, so won't work with other
  # ingress controllers
  whitelist:
  # NOTE(review): presumably every pod in the listed namespaces is allowed to
  # reach this component; list only the namespace your ingress controller
  # runs in. Confirm against the networkPolicy template.
  # -- Specify the namespace in which the ingress controller runs. This sets the firewall rule / networkPolicy
  # to allow traffic from this namespace to our pods. This may be a comma separated list
  # @default -- "ingress, kube-system, ingress-nginx"
  namespace:
  # -- The default service context path for this ingress. Some components allow to change this (e.g. SharePoint), for
  # most though this is only a constant used in the scripts.
  contextPath: "/rapadm"
  # -- Sets the annotation `nginx.ingress.kubernetes.io/proxy-read-timeout` on the ingress object, if set.
  proxyReadTimeout:
  # -- Adds extra Annotations to the ingress
  annotations:

# -- Security Section defining default runtime environment for your container
security:
  # NOTE(review): `runAsNonRoot` and `seccompProfile` are not set in these
  # values; confirm whether the templates add them.
  podSecurityContext:
    # -- The user under which the container is run. Avoid 0 / root. The container should run in a non-root context
    # for security
    # @internal -- there is normally no need to change this
    runAsUser: 1001
    # -- The file system group as which new files are created
    # @internal -- there is normally no need to change this
    fsGroup: 1001
    # -- Under which condition should the fsGroup be changed
    # @internal -- there is normally no need to change this
    fsGroupChangePolicy: OnRootMismatch
  containerSecurityContext:
    # -- sets the container root file system to read only. This should be the case in production environment
    # @internal -- you should not change this
    readOnlyRootFilesystem: true
    # -- Some functionality may need the possibility to allow privilege escalation. This should be very restrictive
    # @internal -- you should not change this
    allowPrivilegeEscalation: false
    # -- Capabilities this container should have. Only allow what is necessary, and drop as many as possible
    # @internal -- you should not change this
    capabilities:
      drop:
        - ALL
  # NOTE(review): with the default `false`, http communication (including the
  # internal probes) stays enabled; see also `ingress.backendProtocol`.
  # -- turns on *Zero Trust* Mode, disabling *all* http communication, even the internal http probes
  # @default -- `false`
  zeroTrust:

mounts:
  # -- The temp volume is used to hold any superfluous and temporary data.
  # it is deleted when the pod terminates. However, it is extremely important
  # as all pod file systems are read only
  temp:
    # -- Sets the path to the temporary files
    # @internal -- do not change this value
    path: "/tmp"
    # -- Sets a list of paths to the temporary files
    # @internal -- do not change this value
    paths:
    # -- Sets the size of the temporary disk (all paths)
    size: "1Gi"
  # -- The conf volume is a RWX volume mounted by the environment, that holds
  # all configurations of all instances and components in this environment
  conf:
    # -- Sets the path to the conf files
    # @internal -- do not change this value
    path:
    # -- Sets a list of paths to the conf files
    # @internal -- do not change this value
    paths:
  # -- The log volume is used to take any left-over logging in the container.
  # The container should log to stdout, but if any component still tries to log to disk
  # this disk needs to be writeable
  logs:
    # -- Sets the path to the log files
    # @internal -- do not change this value
    path:
    # -- Sets a list of paths to the log files
    # @internal -- do not change this value
    paths:
    # -- Sets the size of the log disk (all paths)
    size:
  # -- some nscale Components require a license file and this
  # defines its location
  license:
    # -- Sets the path to the license files
    # @internal -- do not change this value
    path:
  # -- If you want to use additional
  # fonts like the msttcorefonts (Microsoft Core Fonts). This mounts the
  # fonts directory from the environment pool
  fonts:
    # -- Sets the path to the fonts folder.
    # @internal -- do not change this value
    path:
  # -- You can add a file with trusted Root Certificates (e.g. Azure), to be able to
  # connect to alien services via https. If you have a self-signed root certificate,
  # you can also add it here.
  caCerts:
    # -- Sets the path to the certs folder.
    # @internal -- do not change this value
    paths:
    # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
    secret:
    # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
    configMap:
  # -- the java based nscale components have their own certificates, that you might want to upload.
  # You can normally do so via the environment configuration, but should you want to use a secret,
  # you can set it here
  componentCerts:
    # -- Sets the path to the component certs.
    # @internal -- do not change this value
    paths:
    # -- Alternative 1: the name of the secret to use. The Key has to be the File Name used in the path setting
    secret:
    # -- Alternative 2: the name of the configMap to use. The Key has to be the File Name used in the path setting
    configMap:
  data:
    # -- If you do not want to have a Volume created by the provisioner,
    # you can set the name of your volume here to attach to this pre-existing one
    volumeName:
    # -- Sets the size of the data disk
    size:
    # -- Sets the class of the data disk
    class:
    # -- Sets the path to the data files
    # @internal -- do not change this value
    path:
    # -- Sets a list of paths to the data files
    # @internal -- do not change this value
    paths:
  file:
    # -- If you do not want to have a Volume created by the provisioner,
    # you can set the name of your volume here to attach to this pre-existing one
    volumeName:
    # -- Sets the size of the shared disk
    size:
    # -- Sets the class of the shared disk
    class:
    # -- Sets the path to the shared files
    # @internal -- do not change this value
    path:
    # -- Sets a list of paths to the shared files
    # @internal -- do not change this value
    paths:
  pool:
    # -- Sets the path to a directory, where the `pool` folder from the `conf` volume should be mounted.
    # this is used to store scripts, apps and assets that are required to deploy an application / solution
    # @internal -- do not change this value
    path:
  # -- The temp volume is used to hold any superfluous and temporary data.
  # it is deleted when the pod terminates. However, it is extremely important
  # as all pod file systems are read only
  ptemp:
    # -- Sets the path for temporary files that are persisted
    # @internal -- do not change this value
    path:
    # -- Sets a list of paths for temporary files that are persisted
    # @internal -- do not change this value
    paths:
  # -- Allows to define generic mounts of pre-provisioned PVs into any container.
  # This can be used e.g. to mount migration nfs, cifs / samba shares into a pipeliner container.
  generic:
  disk:
    # -- Sets the size of the disk
    size:
    # -- Sets the class of the disk
    class:
    # -- Sets the path to the disk files
    # @internal -- do not change this value
    path:
    # -- Sets a list of paths to the data files
    # @internal -- do not change this value
    paths:
    # -- If you do not want to have a Volume created by the provisioner,
    # you can set the name of your volume here to attach to this pre-existing one
    volumeName:
    # -- enables the use of the second data disk. If enabled, all paths defined will end up on this disk.
    # If disabled (the default), the paths will be added to the primary data disk.
    enabled: false
    # -- Enables the migration init container. This will copy the data in paths from the primary data disk to the newly enabled secondary disk.
    # This is done only once and only if there is legacy data at all. No files are overwritten!
    migration: false

# -- Options for the Java VM
javaOpts:
  # -- set the percentage of RAM, Java will use of the total.
  # The total amount is the amount installed in the K8s Cluster Node,
  # OR the Memory Limit set (see resources), if any.
  javaMaxRamPercentage:
  # -- set the minimum memory, java will consume
  javaMinMem:
  # -- set the maximum memory, java will consume.
  # Attention: This is NOT the real maximum and it does not include any non Java memory.
  # Please research this topic, as it is widely discussed
  javaMaxMem:
  # -- Any misc Java Options that need to be passed to the container
  javaMisc: "-Dorg.eclipse.rap.rwt.settingStoreFactory=settings-per-user"

# -- provide the image to be used for this component
image:
  # -- you can provide your own pullSecrets, in case you use
  # a private repo.
  pullSecrets:
    - nscale-cr
    - nplus-cr
  # -- the name of the image to use
  name: administrator
  # NOTE(review): `latest` is a mutable tag, and with `pullPolicy: IfNotPresent`
  # a node keeps whatever build it pulled first, so the running image is
  # neither pinned nor reproducible. Prefer a fixed version tag or a digest
  # per release.
  # -- the tag of the image to use
  tag: latest
  # -- if you use a private repo, feel free to set it here
  repo: ceyoniq.azurecr.io/release/nscale
  pullPolicy: IfNotPresent

# -- set the time zone for this component to make sure log output has a specific timestamp, internal dates and times are correct (like the creationDate in nappl)
# etc.
# @default -- `Europe/Berlin`
timezone:

# -- defines internal constants for nplus.
# do not change these values
meta:
  # -- the type of the component. You should not change this value, except if
  # you use a pipeliner in core mode. In core mode, it should be *core*, else *pipeliner*
  # This type is used to create cluster communication for nappl and nstl and potentially
  # group multiple replicaSets into one service.
  type: administrator
  # -- lists the ports this component exposes. This is important for zero trust mode and others.
  ports:
    # -- The http port this component uses (if any). In zero trust mode, this will be disabled.
    # @internal -- this is a constant value of the component and should not be changed.
    http: 8080
    # -- The tls / https port, this component uses (if any)
    # @internal -- this is a constant value of the component and should not be changed.
    https: 8443
    # -- A potential tcp port, this component uses (if any)
    # @internal -- this is a constant value of the component and should not be changed.
    tcp:
    # -- A potential rmi port, this component uses (if any)
    # @internal -- this is a constant value of the component and should not be changed.
    rmi:
    # -- A potential tls / tcps port, this component uses (if any)
    # @internal -- this is a constant value of the component and should not be changed.
    tcps:
  # -- sets tenant information to be able to invoice per use in a cloud environment
  tenant:
  # -- sets provider (partner, reseller) information to be able to invoice per use in a cloud environment
  provider:
  # -- Sets the wave in which this component should be deployed within an ArgoCD deployment
  # if unset, it uses the default wave thus all components are installed in one wave, then relying
  # on correct wait settings just like in a helm installation
  wave:
  # -- Sets the language of the main service (in the *service* container). This is used for instance
  # if you turn OpenTelemetry on, to know which Agent to inject into the container.
  language: java
  # -- The container name of the main service for this component. This is used to define where to
  # inject the telemetry agents, if any
  serviceContainer: administrator
  # -- An optional parameter to indicate the stage (DEV, QA, PROD, ...) this component, instance or environment
  # runs in. This can be used in template functions to add the stage to for instance the service name of
  # telemetry services like open telemetry. (see telemetry example)
  stage:
  # -- This is the version of the component, used for display
  # @internal -- set by devOps pipeline, so do not modify
  componentVersion:

# -- Set tolerations for this component
tolerations:
# -- select specific nodes for this component
nodeSelector:
# -- There should only be a single Administrator instance, so the replicaCount is
# fixed to 1
# @ignore -- Do not change this.
replicaCount: 1

# # :
# # path:
# # volumeName:
# # subPath:

# -- Sets the name of a secret, which holds additional environment variables for
# the configuration. It is added as envFrom secretRef to the container.
envSecret:
# -- Sets the name of a configMap, which holds additional environment variables for
# the configuration. It is added as envFrom configMap to the container.
envMap:
# NOTE(review): values set through `env` or `envMap` are readable in the
# rendered manifests / configMap; put credentials in `envSecret` instead.
# -- Sets additional environment variables for
# the configuration.
env:

# -- The nscale Application Layer, this component should talk to
nappl:
  # -- nappl host name
  host:
  # -- nappl port (http 8080 or https 8443)
  port:
  # -- sets the Advanced Connect to tls
  ssl:
  # -- instance of the Application Layer, likely `instance1`
  instance:
  # -- The technical account to login with
  account:
  # -- The domain of the technical account
  domain:
  # NOTE(review): a password set here is stored in plain text in the values
  # file and in the Helm release data; prefer `secret` below.
  # -- The password of the technical account (if not set by secret)
  password:
  # -- An optional secret that holds the credentials (the keys must be `account` and `password`)
  secret:

# -- Assigns hardware resources to container
resources:
  # -- Requests are used to assign a minimum to a container. This is the guaranteed amount
  requests:
    # -- Set the share of guaranteed CPU to the container.
    cpu:
    # -- Set the share of guaranteed RAM to the container
    memory:
  # -- Limits the maximum resources
  limits:
    # -- The maximum allowed CPU for the container
    cpu:
    # -- The maximum allowed RAM for the container
    memory:

# -- This overrides the output of the internal name function
nameOverride:
# -- This overrides the output of the internal fullname function
fullnameOverride:

utils:
  # -- Turn debugging *on* will give you stack trace etc.
  # Please check out the Chart Developer Guide
  # @default -- `false`
  debug:
  # -- You can turn Comment rendering *on* to get descriptive information inside the manifests. It
  # will also fail on deprecated functions and keys, so it is recommended to only switch it off in PROD
  # @default -- `true`
  renderComments:
  # -- By default, the namespace is rendered into the manifest. However, if you want to use
  # `helm template` and store manifests for later applying them to multiple namespaces, you might
  # want to turn this `false` to be able to use `kubectl apply -n <namespace> -f template.yaml` later
  # @default -- `true`
  includeNamespace:
  # -- in Maintenance Mode, all *waitFor* actions will be skipped, the *Health Checks* are ignored and the
  # pods will start in idle, not starting the service at all. This will allow you to gain access to the container
  # to perform recovery and maintenance tasks while having the real container up.
  # @default -- `false`
  maintenance:
  # -- If you use argoCD, you most likely want to use the argo Wave Feature as well, making sure the components
  # of an instance are deployed ordered. However, in DEV you might want to disable this to allow live changing components
  # while previous waves are not finished yet.
  # @default -- `false`
  disableWave:
  # -- in case you use the argoCD Wave feature, you might think about switching off the waitFor mechanism, that makes sure PODs are
  # only started after pre-requisites are fulfilled. You can disable the standard wait mechanism, but at your own risk, as this might
  # start components even if they are not intended to run yet.
  # @default -- `false`
  disableWait:

service:
  # -- enables the service to be consumed by group components and a potential ingress
  # Disabling the service also disables the ingress.
  enabled: true
  # -- The selector can be `component` or `type`
  # *component* selects only pods that are in the replicaset.
  # *type* selects any pod that has the given type
  selector: "component"
  # -- adds extra Annotations to the service
  annotations:

# -- Defines a list of conditions that need to be met before this component starts.
# The condition must be a network port that opens, when the master component is ready.
# Mostly, this will be a service, since a component is only added to a service if the
# probes succeed.
waitFor:
# -- if you set minReplicaCountType, a podDisruptionBudget will be created with this value as
# minAvailable, using the component type as selector. This is useful for components, that are spread
# across multiple replicaSets, like sharepoint or storage layer
minReplicaCountType:

# -- provide extra settings for pod templates
template:
  # -- set additional annotations for pods
  annotations:
  # -- set additional labels for pods
  labels:

# -- Settings for telemetry tools
telemetry:
  # -- turns Open Telemetry on
  openTelemetry:
  # -- Sets the service name for the telemetry service to more conveniently
  # identify the displayed component
  # Example: "{{ .this.meta.type }}-{{ .instance.name }}"
  serviceName:

# -- Sets the terminationGracePeriodSeconds for the component
# If not set, it uses the Kubernetes defaults
terminationGracePeriodSeconds: