10. Configuration reference

This section provides a reference for the configuration values of the Helm Chart used to deploy Univention Nubus for Kubernetes. For overwriting default values before installation of the Helm Chart, refer to Customizing the Chart Before Installation.

The build process for this document automatically generates this reference from the Nubus for Kubernetes Helm Chart.

10.1. Aliases

Throughout the Nubus for Kubernetes documentation you may find Helm Chart values that use their alias names and not the canonical name. The following namespaces use aliases:

Table 10.1 Helm Chart namespace aliases

| Alias | Namespace | Definition |
| --- | --- | --- |
| guardian | nubusGuardian | nubusGuardian.nameOverride |
| keycloak-bootstrap | nubusKeycloakBootstrap | nubusKeycloakBootstrap.nameOverride |
| keycloak-extensions | nubusKeycloakExtensions | nubusKeycloakExtensions.nameOverride |
| ldap-notifier | nubusLdapNotifier | nubusLdapNotifier.nameOverride |
| ldap-server | nubusLdapServer | nubusLdapServer.nameOverride |
| notifications-api | nubusNotificationsApi | nubusNotificationsApi.nameOverride |
| portal-consumer | nubusPortalConsumer | nubusPortalConsumer.nameOverride |
| portal-frontend | nubusPortalFrontend | nubusPortalFrontend.nameOverride |
| portal-server | nubusPortalServer | nubusPortalServer.nameOverride |
| provisioning | nubusProvisioning | nubusProvisioning.nameOverride |
| provisioning-listener | nubusUdmListener | nubusUdmListener.nameOverride |
| selfservice-listener | nubusSelfServiceConsumer | nubusSelfServiceConsumer.nameOverride |
| stack-data-ums | nubusStackDataUms | nubusStackDataUms.nameOverride |
| udm-rest-api | nubusUdmRestApi | nubusUdmRestApi.nameOverride |
| umc-gateway | nubusUmcGateway | nubusUmcGateway.nameOverride |
| umc-server | nubusUmcServer | nubusUmcServer.nameOverride |

10.2. Helm Chart reference

Name: nubus

Version: 1.5.1

Description: Univention Nubus

You can find the configuration options for nubus in the following sections.

10.2.1. additionalAnnotations

additionalAnnotations#

Additional custom annotations to add to all objects deployed directly by the umbrella chart.

Default value: {}

10.2.2. additionalLabels

additionalLabels#

Additional custom labels to add to all objects deployed directly by the umbrella chart.

Default value: {}

10.2.3. certificates

certificates.enabled#

Enable SAML self-signed certificate generation. This requires cert-manager.io.

Default value: true

10.2.4. common

common.exampleValue#

bitnami/common. It is required by CI/CD tools and processes.

Default value: "common-chart"

10.2.5. extraSecrets

extraSecrets#

Allows for creation of additional secrets, for example containing credentials for third party services.

Default value: []

10.2.6. global

global.certManagerIssuer#

Default value: ""

global.configMapUcr#

Default value: "{{ .Release.Name }}-stack-data-ums-ucr"

global.configUcr.apache2.loglevel#

Default value: "info"

global.configUcr.umc.module.debug.level#

Default value: 2

global.configUcr.umc.server.debug.level#

Default value: 2

global.domain#

Default value: ""

global.enablePlainUmcLogin#

Allow plain UMC login (otherwise only SAML login is possible). Be aware that this exposes the UMC login page to the public, which can circumvent 2FA and other security measures placed in the IdP.

Default value: false

global.extensions#

Extensions to load. Add entries to load additional extensions into Nubus.

Default value: []

global.ingressClass#

Default value: ""

global.keycloak.realm#

Default value: "nubus"

global.ldap.auth.cnAdmin.existingSecret.keyMapping.password#

Default value: "adminPassword"

global.ldap.auth.cnAdmin.existingSecret.name#

Default value: null

global.ldap.auth.cnAdmin.password#

Default value: null

global.ldap.baseDn#

Default value: ""

global.ldap.domainName#

Default value: ""

global.memcached.auth.username#

Default value: ""

global.memcached.connection.host#

Default value: ""

global.nubusDeployment#

Indicates to all subcharts that they are being used as part of a Nubus deployment.

Default value: true

global.nubusMasterPassword#

Master password from which other passwords are derived.

Default value: ""

global.objectStorage.bucket#

Default value: "nubus"

global.objectStorage.connection.endpoint#

Default value: ""

global.objectStorage.connection.host#

Default value: ""

global.objectStorage.connection.port#

Default value: ""

global.objectStorage.connection.protocol#

Default value: ""

global.postgresql.connection.host#

Default value: ""

global.postgresql.connection.port#

Default value: ""

global.subDomains.keycloak#

Default value: "id"

global.subDomains.portal#

Default value: "portal"

global.systemExtensions#

Configures the system extensions to load. This is intended for internal usage; prefer global.extensions for user-configured extensions.

Default value: [{"name": "portal", "image": {"registry": "artifacts.software-univention.de", "repository": "nubus/images/portal-extension", "imagePullPolicy": "IfNotPresent", "tag": "0.44.3@sha256:734efc0adda680526dde09387db964612f9e0ab020382580984488cc993c68f0"}}]

10.2.7. ingress

ingress.annotations.nginx.ingress.kubernetes.io/proxy-body-size#

Default value: "128k"

ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size#

Default value: "64k"

ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffers-number#

Default value: "4"

ingress.annotations.nginx.ingress.kubernetes.io/proxy-busy-buffers-size#

Default value: "128k"

ingress.annotations.nginx.ingress.kubernetes.io/proxy-http-version#

Default value: "1.1"

ingress.annotations.nginx.ingress.kubernetes.io/proxy-set-headers#

Default value: "Host $http_host;\nX-Forwarded-For $proxy_add_x_forwarded_for;\nX-Forwarded-Host $http_x_forwarded_host;\nX-Forwarded-Port $http_x_forwarded_port;\nX-Forwarded-Proto $http_x_forwarded_proto;\n"

ingress.annotations.nginx.ingress.kubernetes.io/use-regex#

Default value: "true"

ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

ingress.certManager.issuerRef.kind#

Type of Issuer, for example “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

ingress.enabled#

Enable creation of Ingress.

Default value: true

ingress.host#

Define the Fully Qualified Domain Name (FQDN) where the application should be reachable.

Default value: ""

ingress.ingressClassName#

The Ingress controller class name.

Default value: ""

ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

ingress.tls.secretName#

The name of the kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

10.2.8. keycloak

keycloak.affinity#

Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity. Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.

Default value: {}

keycloak.commonAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

keycloak.commonLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

keycloak.config.baseUrl#

Default value: ""

keycloak.config.enableMetrics#

Enables the Keycloak metrics endpoint. Ref.: https://www.keycloak.org/server/configuration-metrics

Default value: true

keycloak.config.exposeAdminConsole#

Expose the admin console. If set to true, no Ingress path restrictions are applied. Otherwise, only /realms/ and /resources/ are made available to the public internet. Ref.: https://www.keycloak.org/server/reverseproxy#_exposed_path_recommendations

Default value: false

keycloak.config.hostname#

Hostname. Ref.: https://www.keycloak.org/server/hostname. Default: {{ .Values.global.subDomains.keycloak }}.{{ .Values.global.domain }}

Default value: ""

keycloak.config.logLevel#

Default value: "INFO"

keycloak.config.proxy#

Proxy mode. Ref.: https://www.keycloak.org/server/reverseproxy

Default value: "edge"

keycloak.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

keycloak.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

keycloak.containerSecurityContext.enabled#

Enable security context.

Default value: true

keycloak.containerSecurityContext.privileged#

Default value: false

keycloak.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: false

keycloak.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

keycloak.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

keycloak.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

keycloak.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

keycloak.enabled#

Default value: true

keycloak.extraEnvVars#

Array with extra environment variables to add to containers. Example:

    extraEnvVars:
      - name: FOO
        value: "bar"

Default value: []

keycloak.extraStartupArgs#

Array with extra startup arguments.

Default value: []

keycloak.extraVolumeMounts#

Optionally specify extra list of additional volumeMounts.

Default value: []

keycloak.extraVolumes#

Optionally specify extra list of additional volumes.

Default value: []

keycloak.fullnameOverride#

Provide a name to substitute for the full names of resources.

Default value: ""

keycloak.global.domain#

Define the domain name.

Default value: ""

keycloak.global.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

keycloak.global.imageRegistry#

Container registry address.

Default value: "docker.software-univention.de"

keycloak.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

keycloak.global.postgresql.connection.host#

Default value: ""

keycloak.global.postgresql.connection.port#

Default value: ""

keycloak.global.subDomains.keycloak#

Subdomain for keycloak.

Default value: "id"

keycloak.global.subDomains.portal#

Subdomain for the Nubus portal.

Default value: "portal"

keycloak.image.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

- “IfNotPresent” => The image is pulled only if it is not already present locally.
- “Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.
- “Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

keycloak.image.registry#

Container registry address. This setting has higher precedence than global.registry.

Default value: ""

keycloak.image.repository#

Container repository string.

Default value: "keycloak-keycloak"

keycloak.image.tag#

Define image tag.

Default value: "25.0.1-ucs1@sha256:61cb3e703672f6d8806af41bec8056ca84e295bbeb546fdb5349322d1174a43d"

keycloak.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

keycloak.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size#

Default value: "8k"

keycloak.ingress.annotations.nginx.org/proxy-buffer-size#

Default value: "8k"

keycloak.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

keycloak.ingress.certManager.issuerRef.kind#

Type of Issuer, for example “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

keycloak.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

keycloak.ingress.enabled#

Default value: true

keycloak.ingress.ingressClassName#

The Ingress controller class name.

Default value: ""

keycloak.ingress.path#

Define the Ingress path.

Default value: "/"

keycloak.ingress.pathType#

Each path in an Ingress is required to have a corresponding path type. Paths that do not include an explicit pathType will fail validation. There are three supported path types:

- “ImplementationSpecific” => With this path type, matching is up to the IngressClass. Implementations can treat this as a separate pathType or treat it identically to Prefix or Exact path types.
- “Exact” => Matches the URL path exactly and with case sensitivity.
- “Prefix” => Matches based on a URL path prefix split by /.

Ref.: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types

Default value: "Prefix"

keycloak.ingress.paths#

Default value: [{"pathType": "Prefix", "path": "/admin"}, {"pathType": "Prefix", "path": "/realms"}, {"pathType": "Prefix", "path": "/resources"}]

keycloak.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

keycloak.ingress.tls.secretName#

The name of the kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

keycloak.keycloak.auth.existingSecret.keyMapping.adminPassword#

Default value: "admin_password"

keycloak.keycloak.auth.existingSecret.name#

Default value: "{{- printf \"%s-keycloak-credentials\" .Release.Name -}}"

keycloak.keycloak.auth.username#

Default value: "kcadmin"

keycloak.keycloak.features.disabled#

Disables a set of one or more features for keycloak.

Default value: []

keycloak.keycloak.features.enabled#

Enables a set of one or more features for keycloak.

Default value: ["admin-fine-grained-authz", "token-exchange"]

keycloak.lifecycleHooks#

Lifecycle to automate configuration before or after startup.

Default value: {}

keycloak.livenessProbe.enabled#

Enables kubernetes LivenessProbe.

Default value: true

keycloak.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 3

keycloak.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 1

keycloak.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 5

keycloak.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

keycloak.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 2

keycloak.nameOverride#

String to partially override release name.

Default value: ""

keycloak.nodeSelector#

Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

keycloak.podAnnotations#

Pod Annotations. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Default value: {}

keycloak.podLabels#

Pod Labels. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Default value: {}

keycloak.podManagementPolicy#

Pod management policy. Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/

Default value: "OrderedReady"

keycloak.podSecurityContext.enabled#

Enable security context.

Default value: true

keycloak.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

keycloak.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

keycloak.postgresql.auth.database#

Default value: "keycloak"

keycloak.postgresql.auth.existingSecret.keyMapping.password#

Default value: null

keycloak.postgresql.auth.existingSecret.name#

Default value: "{{- printf \"%s-keycloak-postgresql-credentials\" .Release.Name -}}"

keycloak.postgresql.auth.username#

Default value: "keycloak_user"

keycloak.postgresql.connection.host#

Default value: ""

keycloak.postgresql.connection.port#

Default value: ""

keycloak.readinessProbe.enabled#

Enables kubernetes ReadinessProbe.

Default value: true

keycloak.readinessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 5

keycloak.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 1

keycloak.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 5

keycloak.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

keycloak.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 2

keycloak.replicaCount#

Default value: 1

keycloak.resources.limits.cpu#

Default value: 288

keycloak.resources.limits.memory#

Default value: "1Gi"

keycloak.resources.requests.cpu#

Default value: "10m"

keycloak.resources.requests.memory#

Default value: "16Mi"

keycloak.service.annotations#

Additional custom annotations.

Default value: {}

keycloak.service.clusterIP#

This creates a headless service. Instead of load balancing, it creates a DNS A record for each pod. This allows Infinispan nodes to discover each other via DNS. See in combination with KC_CACHE_STACK=kubernetes.

Default value: "None"

keycloak.service.enabled#

Enable kubernetes service creation.

Default value: true

keycloak.service.ports.http.containerPort#

Internal port.

Default value: 8080

keycloak.service.ports.http.port#

Accessible port.

Default value: 8080

keycloak.service.ports.http.protocol#

Service protocol.

Default value: "TCP"

keycloak.service.ports.https.containerPort#

Internal port.

Default value: 8443

keycloak.service.ports.https.port#

Accessible port.

Default value: 8443

keycloak.service.ports.https.protocol#

Service protocol.

Default value: "TCP"

keycloak.service.ports.ispn.containerPort#

Internal port.

Default value: 7800

keycloak.service.ports.ispn.port#

Accessible port.

Default value: 7800

keycloak.service.ports.ispn.protocol#

Service protocol.

Default value: "TCP"

keycloak.service.type#

Choose the kind of Service, one of “ClusterIP”, “NodePort” or “LoadBalancer”.

Default value: "ClusterIP"

keycloak.serviceAccount.annotations#

Additional custom annotations for the ServiceAccount.

Default value: {}

keycloak.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use K8s API.

Default value: false

keycloak.serviceAccount.create#

Enable creation of ServiceAccount for pod.

Default value: true

keycloak.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

keycloak.startupProbe.enabled#

Enables kubernetes ReadinessProbe.

Default value: true

keycloak.startupProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

keycloak.startupProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 30

keycloak.startupProbe.periodSeconds#

Time between probe executions.

Default value: 20

keycloak.startupProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

keycloak.startupProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

keycloak.terminationGracePeriodSeconds#

Default value: 5

keycloak.theme.colors.primary#

Primary color.

Default value: "#5e27dd"

keycloak.theme.colors.primary15#

Primary color 15%.

Default value: "#e7dffa"

keycloak.theme.favIcon#

Logo as SVG content.

Default value: ""

keycloak.theme.texts.productName#

Branding name.

Default value: "openDesk"

keycloak.theme.univentionCustomTheme#

URL to the custom theme. Set the logo in there: :root { --login-logo: url("..") no-repeat center; }

Default value: ""

keycloak.theme.univentionTheme#

URI to the base theme.

Default value: ""

keycloak.tolerations#

Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

Default value: []

keycloak.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Example:

    topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: failure-domain.beta.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule

Default value: []

keycloak.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pod is destroyed first.

Default value: "RollingUpdate"

10.2.9. minio

minio.affinity#

Affinity for pod assignment. Evaluated as a template. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.

Default value: {}

minio.apiIngress.annotations#

Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. For a full list of possible ingress annotations, please see ref: kubernetes/ingress-nginx. Use this parameter to set the required annotations for cert-manager, see ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations Example:

    annotations:
      kubernetes.io/ingress.class: nginx
      cert-manager.io/cluster-issuer: cluster-issuer-name

Default value: {}

minio.apiIngress.apiVersion#

Force Ingress API version (automatically detected if not set).

Default value: ""

minio.apiIngress.enabled#

Enable ingress controller resource for MinIO API.

Default value: false

minio.apiIngress.extraHosts#

The list of additional hostnames to be covered with this ingress record. Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array. Example:

    extraHosts:
      - name: minio.local
        path: /

Default value: []

minio.apiIngress.extraPaths#

Any additional paths that may need to be added to the ingress under the main host. For example: The ALB ingress controller requires a special rule for handling SSL redirection.

    extraPaths:
      - path: /*
        backend:
          serviceName: ssl-redirect
          servicePort: use-annotation

Default value: []

minio.apiIngress.extraRules#

Additional rules to be covered with this ingress record. Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules Example:

    extraRules:
      - host: example.local
        http:
          path: /
          backend:
            service:
              name: example-svc
              port:
                name: http

Default value: []

minio.apiIngress.extraTls#

The TLS configuration for additional hostnames to be covered with this ingress record. See: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls Example:

    extraTls:
      - hosts:
          - minio.local
        secretName: minio.local-tls

Default value: []

minio.apiIngress.hostname#

Default host for the ingress resource.

Default value: "minio.local"

minio.apiIngress.ingressClassName#

IngressClass that will be used to implement the Ingress (Kubernetes 1.18+). This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster. Ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/

Default value: ""

minio.apiIngress.path#

The Path to MinIO®. You may need to set this to ‘/*’ in order to use this with ALB ingress controllers.

Default value: "/"

minio.apiIngress.pathType#

Ingress path type.

Default value: "ImplementationSpecific"

minio.apiIngress.secrets#

If you’re providing your own certificates, please use this to add the certificates as secrets. Key and certificate are expected in PEM format. Name should line up with a secretName set further up.

If it is not set and you’re using cert-manager, this is unneeded, as it will create a secret for you with valid certificates. If it is not set and you’re NOT using cert-manager either, self-signed certificates will be created valid for 365 days. It is also possible to create and manage the certificates outside of this helm chart. Please see README.md for more information. Example:

    secrets:
      - name: minio.local-tls
        key: ""
        certificate: ""

Default value: []

minio.apiIngress.selfSigned#

Create a TLS secret for this ingress record using self-signed certificates generated by Helm.

Default value: false

minio.apiIngress.servicePort#

Service port to be used. Default is http. Alternative is https.

Default value: "minio-api"

minio.apiIngress.tls#

Enable TLS configuration for the hostname defined at apiIngress.hostname parameter. TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.apiIngress.hostname }} You can:

- Use the ingress.secrets parameter to create this TLS secret
- Rely on cert-manager to create it by setting the corresponding annotations
- Rely on Helm to create self-signed certificates by setting ingress.selfSigned=true

Default value: false

minio.args#

Default container args (useful when using custom images). Use array form.

Default value: []

minio.auth.existingSecret#

Default value: "{{ .Release.Name }}-minio-credentials"

minio.auth.forceNewKeys#

Force root credentials (user and password) to be reconfigured every time they change in the secrets.

Default value: false

minio.auth.forcePassword#

Force users to specify required passwords.

Default value: false

minio.auth.rootPassword#

Password for MinIO® root user.

Default value: ""

minio.auth.rootPasswordSecretKey#

Key where the MINIO_ROOT_USER password is being stored inside the existing secret auth.existingSecret.

Default value: ""

minio.auth.rootUser#

Default value: "admin"

minio.auth.rootUserSecretKey#

Key where the MINIO_ROOT_USER username is being stored inside the existing secret auth.existingSecret.

Default value: ""

minio.auth.useCredentialsFiles#

Mount credentials as files instead of using an environment variable.

Default value: false

minio.auth.useSecret#

Uses a secret to mount the credential files.

Default value: true

minio.automountServiceAccountToken#

Mount Service Account token in pod.

Default value: false

minio.clientImage.digest#

Default value: ""

minio.clientImage.registry#

Default value: "docker.io"

minio.clientImage.repository#

Default value: "bitnami/minio-client"

minio.clientImage.tag#

Default value: "2024.7.31-debian-12-r1"

minio.clusterDomain#

Default Kubernetes cluster domain.

Default value: "cluster.local"

minio.command#

Default container command (useful when using custom images). Use array form.

Default value: []

minio.commonAnnotations#

Annotations to add to all deployed objects.

Default value: {}

minio.commonLabels#

Labels to add to all deployed objects.

Default value: {}

minio.containerPorts.api#

Default value: 9000

minio.containerPorts.console#

Default value: 9001

minio.containerSecurityContext.allowPrivilegeEscalation#

Default value: false

minio.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

minio.containerSecurityContext.enabled#

Default value: true

minio.containerSecurityContext.privileged#

Default value: false

minio.containerSecurityContext.readOnlyRootFilesystem#

Default value: true

minio.containerSecurityContext.runAsGroup#

Default value: 1001

minio.containerSecurityContext.runAsNonRoot#

Default value: true

minio.containerSecurityContext.runAsUser#

Default value: 1001

minio.containerSecurityContext.seLinuxOptions#

Default value: {}

minio.containerSecurityContext.seccompProfile.type#

Default value: "RuntimeDefault"

minio.customLivenessProbe#

Override default liveness probe.

Default value: {}

minio.customReadinessProbe#

Override default readiness probe.

Default value: {}

minio.customStartupProbe#

Override default startup probe.

Default value: {}

minio.defaultBuckets#

Default value: "nubus"

minio.deployment.updateStrategy.type#

Default value: "Recreate"

minio.disableWebUI#

Disable MinIO® Web UI. Ref: minio/minio

Default value: false

minio.enabled#

Default value: true

minio.extraDeploy#

Array of extra objects to deploy with the release.

Default value: []

minio.extraEnvVars#

Extra environment variables to be set on MinIO® container. Example:

    extraEnvVars:
      - name: FOO
        value: "bar"

Default value: []

minio.extraEnvVarsCM#

ConfigMap with extra environment variables.

Default value: ""

minio.extraEnvVarsSecret#

Secret with extra environment variables.

Default value: ""

minio.extraVolumeMounts#

Optionally specify extra list of additional volumeMounts for MinIO® container(s).

Default value: []

minio.extraVolumes#

Optionally specify extra list of additional volumes for MinIO® pods.

Default value: []

minio.fullnameOverride#

String to fully override common.names.fullname template.

Default value: ""

minio.global.compatibility.openshift.adaptSecurityContext#

Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation).

Default value: "auto"

minio.global.defaultStorageClass#

Default value: ""

minio.global.imagePullSecrets#

Example:

    imagePullSecrets:
      - myRegistryKeySecretName

Default value: []

minio.global.imageRegistry#

Default value: ""

minio.global.storageClass#

Default value: ""

minio.hostAliases#

MinIO® pod host aliases. Ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/

Default value: []

minio.image.debug#

Set to true if you would like to see extra information on logs.

Default value: false

minio.image.digest#

Default value: ""

minio.image.pullPolicy#

Specify an imagePullPolicy. Defaults to ‘Always’ if image tag is ‘latest’, else set to ‘IfNotPresent’. Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images

Default value: "IfNotPresent"

minio.image.pullSecrets#

Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

    pullSecrets:
      - myRegistryKeySecretName

Default value: []

minio.image.registry#

Default value: "docker.io"

minio.image.repository#

Default value: "bitnami/minio"

minio.image.tag#

Default value: "2024.8.3-debian-12-r1"

minio.ingress.annotations#

#@param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. #For a full list of possible ingress annotations, please see #ref: kubernetes/ingress-nginx #Use this parameter to set the required annotations for cert-manager, see #ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations ## #e.g: #annotations: # kubernetes.io/ingress.class: nginx # cert-manager.io/cluster-issuer: cluster-issuer-name ##

Default value: {}

minio.ingress.apiVersion#

#@param ingress.apiVersion Force Ingress API version (automatically detected if not set) ##

Default value: ""

minio.ingress.enabled#

#@param ingress.enabled Enable ingress controller resource for MinIO Console ##

Default value: false

minio.ingress.extraHosts#

#@param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. #Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array #e.g: #extraHosts: # - name: minio.local # path: / ##

Default value: []

minio.ingress.extraPaths#

#@param ingress.extraPaths Any additional paths that may need to be added to the ingress under the main host #For example: The ALB ingress controller requires a special rule for handling SSL redirection. #extraPaths: #- path: /* # backend: # serviceName: ssl-redirect # servicePort: use-annotation ##

Default value: []

minio.ingress.extraRules#

#@param ingress.extraRules Additional rules to be covered with this ingress record #ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules #e.g: #extraRules: #- host: example.local # http: # path: / # backend: # service: # name: example-svc # port: # name: http ##

Default value: []

minio.ingress.extraTls#

#@param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. #see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls #e.g: #extraTls: #- hosts: # - minio.local # secretName: minio.local-tls ##

Default value: []

minio.ingress.hostname#

#@param ingress.hostname Default host for the ingress resource ##

Default value: "minio.local"

minio.ingress.ingressClassName#

#@param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+) #This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster. #ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/ ##

Default value: ""

minio.ingress.path#

#@param ingress.path The Path to MinIO®. You may need to set this to ‘/*’ in order to use this with ALB ingress controllers. ##

Default value: "/"

minio.ingress.pathType#

#@param ingress.pathType Ingress path type ##

Default value: "ImplementationSpecific"

minio.ingress.secrets#

#@param ingress.secrets If you’re providing your own certificates, please use this to add the certificates as secrets #key and certificate are expected in PEM format #name should line up with a secretName set further up ## #If it is not set and you’re using cert-manager, this is unneeded, as it will create a secret for you with valid certificates #If it is not set and you’re NOT using cert-manager either, self-signed certificates will be created valid for 365 days #It is also possible to create and manage the certificates outside of this helm chart #Please see README.md for more information ## #Example #secrets: # - name: minio.local-tls # key: "" # certificate: "" ##

Default value: []

minio.ingress.selfSigned#

#@param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm ##

Default value: false

minio.ingress.servicePort#

#@param ingress.servicePort Service port to be used #Default is http. Alternative is https. ##

Default value: "minio-console"

minio.ingress.tls#

#@param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter #TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }} #You can: # - Use the ingress.secrets parameter to create this TLS secret # - Rely on cert-manager to create it by setting the corresponding annotations # - Rely on Helm to create self-signed certificates by setting ingress.selfSigned=true ##

Default value: false

minio.initContainers#

#@param initContainers Add additional init containers to the MinIO® pods #e.g: #initContainers: # - name: your-image-name # image: your-image # imagePullPolicy: Always # ports: # - name: portname # containerPort: 1234 ##

Default value: []

minio.kubeVersion#

#@param kubeVersion Force target Kubernetes version (using Helm capabilities if not set) ##

Default value: ""

minio.lifecycleHooks#

#@param lifecycleHooks for the MinIO® container(s) to automate configuration before or after startup ##

Default value: {}

minio.livenessProbe.enabled#

Default value: true

minio.livenessProbe.failureThreshold#

Default value: 5

minio.livenessProbe.initialDelaySeconds#

Default value: 5

minio.livenessProbe.periodSeconds#

Default value: 5

minio.livenessProbe.successThreshold#

Default value: 1

minio.livenessProbe.timeoutSeconds#

Default value: 5

minio.metrics.prometheusAuthType#

#@param metrics.prometheusAuthType Authentication mode for Prometheus (jwt or public) #To allow public access without authentication for prometheus metrics set environment as follows. ##

Default value: "public"

minio.metrics.prometheusRule.additionalLabels#

#@param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus ##

Default value: {}

minio.metrics.prometheusRule.enabled#

#@param metrics.prometheusRule.enabled Create a Prometheus Operator PrometheusRule (also requires metrics.enabled to be true and metrics.prometheusRule.rules) ##

Default value: false

minio.metrics.prometheusRule.namespace#

#@param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) ##

Default value: ""

minio.metrics.prometheusRule.rules#

#@param metrics.prometheusRule.rules Prometheus Rule definitions, e.g.:

    - alert: minio cluster nodes offline
      annotations:
        summary: "minio cluster nodes offline"
        description: "minio cluster nodes offline, pod {{`{{`}} $labels.pod {{`}}`}} service {{`{{`}} $labels.job {{`}}`}} offline"
      for: 10m
      expr: minio_cluster_nodes_offline_total > 0
      labels:
        severity: critical
        group: PaaS

Default value: []

minio.metrics.serviceMonitor.apiVersion#

#@param metrics.serviceMonitor.apiVersion ApiVersion for the serviceMonitor Resource (defaults to “monitoring.coreos.com/v1”)

Default value: ""

minio.metrics.serviceMonitor.enabled#

#@param metrics.serviceMonitor.enabled If the operator is installed in your cluster, set to true to create a Service Monitor Entry ##

Default value: false

minio.metrics.serviceMonitor.honorLabels#

#@param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint ##

Default value: false

minio.metrics.serviceMonitor.interval#

#@param metrics.serviceMonitor.interval Interval at which metrics should be scraped ##

Default value: "30s"

minio.metrics.serviceMonitor.jobLabel#

#@param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus ##

Default value: ""

minio.metrics.serviceMonitor.labels#

#@param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor ##

Default value: {}

minio.metrics.serviceMonitor.metricRelabelings#

#@param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion ##

Default value: []

minio.metrics.serviceMonitor.namespace#

#@param metrics.serviceMonitor.namespace Namespace which Prometheus is running in ##

Default value: ""

minio.metrics.serviceMonitor.paths#

#DEPRECATED metrics.serviceMonitor.path - please use metrics.serviceMonitor.paths instead ## #path: /minio/v2/metrics/cluster #@param metrics.serviceMonitor.paths HTTP paths to scrape for metrics ##

Default value: ["/minio/v2/metrics/cluster", "/minio/v2/metrics/node"]

minio.metrics.serviceMonitor.relabelings#

#@param metrics.serviceMonitor.relabelings Metrics relabelings to add to the scrape endpoint, applied before scraping ##

Default value: []

minio.metrics.serviceMonitor.scrapeTimeout#

#@param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended #e.g: #scrapeTimeout: 30s

Default value: ""

minio.metrics.serviceMonitor.selector#

#@param metrics.serviceMonitor.selector Prometheus instance selector labels #ref: bitnami/charts ##

Default value: {}

minio.metrics.serviceMonitor.tlsConfig#

#@param metrics.serviceMonitor.tlsConfig Additional TLS configuration for metrics endpoint with “https” scheme #ref: prometheus-operator/prometheus-operator

Default value: {}

minio.mode#

#@param mode MinIO® server mode (standalone or distributed) #ref: https://docs.minio.io/docs/distributed-minio-quickstart-guide ##

Default value: "standalone"

minio.nameOverride#

#@param nameOverride String to partially override common.names.fullname template (will maintain the release name) ##

Default value: ""

minio.namespaceOverride#

#@param namespaceOverride String to fully override common.names.namespace ##

Default value: ""

minio.networkPolicy.allowExternal#

#@param networkPolicy.allowExternal The Policy model to apply #When set to false, only pods with the correct client label will have network access to the ports MinIO is #listening on. When true, MinIO will accept connections from any source (with the correct destination port). ##

Default value: true

minio.networkPolicy.allowExternalEgress#

#@param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ##

Default value: true

minio.networkPolicy.enabled#

Default value: false

minio.networkPolicy.extraEgress#

#@param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy #e.g: #extraEgress: # - ports: # - port: 1234 # to: # - podSelector: # - matchLabels: # - role: frontend # - podSelector: # - matchExpressions: # - key: role # operator: In # values: # - frontend ##

Default value: []

minio.networkPolicy.extraIngress#

#@param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy #e.g: #extraIngress: # - ports: # - port: 1234 # from: # - podSelector: # - matchLabels: # - role: frontend # - podSelector: # - matchExpressions: # - key: role # operator: In # values: # - frontend ##

Default value: []

minio.networkPolicy.ingressNSMatchLabels#

#@param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces ##

Default value: {}

minio.networkPolicy.ingressNSPodMatchLabels#

#@param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces ##

Default value: {}

minio.networkPolicy.resources.limits.cpu#

Default value: 288

minio.networkPolicy.resources.limits.memory#

Default value: "1Gi"

minio.networkPolicy.resources.requests.cpu#

Default value: "10m"

minio.networkPolicy.resources.requests.memory#

Default value: "16Mi"

minio.nodeAffinityPreset.key#

#@param nodeAffinityPreset.key Node label key to match. Ignored if affinity is set. #E.g. #key: "kubernetes.io/e2e-az-name" ##

Default value: ""

minio.nodeAffinityPreset.type#

#@param nodeAffinityPreset.type Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard ##

Default value: ""

minio.nodeAffinityPreset.values#

#@param nodeAffinityPreset.values Node label values to match. Ignored if affinity is set. #E.g. #values: # - e2e-az1 # - e2e-az2 ##

Default value: []

minio.nodeSelector#

#@param nodeSelector Node labels for pod assignment. Evaluated as a template. #ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ ##

Default value: {}

minio.pdb.create#

#@param pdb.create Enable/disable a Pod Disruption Budget creation ##

Default value: true

minio.pdb.maxUnavailable#

#@param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable after the eviction ##

Default value: ""

minio.pdb.minAvailable#

#@param pdb.minAvailable Minimum number/percentage of pods that must still be available after the eviction ##

Default value: ""

minio.persistence.accessModes#

#@param persistence.accessModes PVC Access Modes for MinIO® data volume ##

Default value: ["ReadWriteOnce"]

minio.persistence.annotations#

#@param persistence.annotations Annotations for the PVC ##

Default value: {}

minio.persistence.enabled#

#@param persistence.enabled Enable MinIO® data persistence using PVC. If false, use emptyDir ##

Default value: true

minio.persistence.existingClaim#

#@param persistence.existingClaim Name of an existing PVC to use (only in standalone mode) ##

Default value: ""

minio.persistence.mountPath#

#@param persistence.mountPath Data volume mount path ##

Default value: "/bitnami/minio/data"

minio.persistence.size#

#@param persistence.size PVC Storage Request for MinIO® data volume ##

Default value: "8Gi"

minio.persistence.storageClass#

#@param persistence.storageClass PVC Storage Class for MinIO® data volume #If defined, storageClassName: <storageClass> #If set to "-", storageClassName: "", which disables dynamic provisioning #If undefined (the default) or set to null, no storageClassName spec is # set, choosing the default provisioner. (gp2 on AWS, standard on # GKE, AWS & OpenStack) ##

Default value: ""

minio.podAffinityPreset#

#@param podAffinityPreset Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard #ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ##

Default value: ""

minio.podAnnotations#

#@param podAnnotations Annotations for MinIO® pods #ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ ##

Default value: {}

minio.podAntiAffinityPreset#

#@param podAntiAffinityPreset Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard #ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ##

Default value: "soft"

minio.podLabels#

#@param podLabels Extra labels for MinIO® pods #Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ##

Default value: {}

minio.podSecurityContext.enabled#

Default value: true

minio.podSecurityContext.fsGroup#

Default value: 1001

minio.podSecurityContext.fsGroupChangePolicy#

Default value: "OnRootMismatch"

minio.podSecurityContext.supplementalGroups#

Default value: []

minio.podSecurityContext.sysctls#

Default value: []

minio.priorityClassName#

#@param priorityClassName MinIO® pods’ priorityClassName ##

Default value: ""

minio.provisioning.args#

#@param provisioning.args Default provisioning container args (useful when using custom images). Use array form ##

Default value: []

minio.provisioning.buckets#

Default value: [{"name": "nubus", "versioning": false, "withLock": false}]

minio.provisioning.cleanupAfterFinished.enabled#

Default value: true

minio.provisioning.cleanupAfterFinished.resources.limits.cpu#

Default value: 288

minio.provisioning.cleanupAfterFinished.resources.limits.memory#

Default value: "1Gi"

minio.provisioning.cleanupAfterFinished.resources.requests.cpu#

Default value: "10m"

minio.provisioning.cleanupAfterFinished.resources.requests.memory#

Default value: "16Mi"

minio.provisioning.cleanupAfterFinished.seconds#

Default value: 900

minio.provisioning.command#

#@param provisioning.command Default provisioning container command (useful when using custom images). Use array form ##

Default value: []

minio.provisioning.config#

#@param provisioning.config MinIO® config provisioning #https://docs.min.io/docs/minio-server-configuration-guide.html #e.g. #config: # - name: region # options: # name: us-east-1

Default value: []

minio.provisioning.containerSecurityContext.allowPrivilegeEscalation#

Default value: false

minio.provisioning.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

minio.provisioning.containerSecurityContext.enabled#

Default value: true

minio.provisioning.containerSecurityContext.privileged#

Default value: false

minio.provisioning.containerSecurityContext.readOnlyRootFilesystem#

Default value: true

minio.provisioning.containerSecurityContext.runAsGroup#

Default value: 1001

minio.provisioning.containerSecurityContext.runAsNonRoot#

Default value: true

minio.provisioning.containerSecurityContext.runAsUser#

Default value: 1001

minio.provisioning.containerSecurityContext.seLinuxOptions#

Default value: {}

minio.provisioning.containerSecurityContext.seccompProfile.type#

Default value: "RuntimeDefault"

minio.provisioning.enabled#

Default value: true

minio.provisioning.extraCommands#

Default value: ["mc anonymous set download provisioning/nubus/portal-assets"]

minio.provisioning.extraVolumeMounts#

#@param provisioning.extraVolumeMounts Optionally specify extra list of additional volumeMounts for MinIO® provisioning container ##

Default value: []

minio.provisioning.extraVolumes#

#@param provisioning.extraVolumes Optionally specify extra list of additional volumes for MinIO® provisioning pod ##

Default value: []

minio.provisioning.groups#

#@param provisioning.groups MinIO® groups provisioning #https://docs.min.io/docs/minio-admin-complete-guide.html#group #e.g. #groups: # - name: test-group # disabled: false # members: # - test-username # policies: # - readwrite # When set to true, it will replace all policies with the specified. # When false, the policies will be added to the existing. # setPolicies: false

Default value: []

minio.provisioning.networkPolicy.allowExternalEgress#

#@param provisioning.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations. ##

Default value: true

minio.provisioning.networkPolicy.enabled#

#@param provisioning.networkPolicy.enabled Enable creation of NetworkPolicy resources ##

Default value: true

minio.provisioning.networkPolicy.extraEgress#

#@param provisioning.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy #e.g: #extraEgress: # - ports: # - port: 1234 # to: # - podSelector: # - matchLabels: # - role: frontend # - podSelector: # - matchExpressions: # - key: role # operator: In # values: # - frontend ##

Default value: []

minio.provisioning.networkPolicy.extraIngress#

#@param provisioning.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy #e.g: #extraIngress: # - ports: # - port: 1234 # from: # - podSelector: # - matchLabels: # - role: frontend # - podSelector: # - matchExpressions: # - key: role # operator: In # values: # - frontend ##

Default value: []

minio.provisioning.nodeSelector#

#@param provisioning.nodeSelector Node labels for pod assignment. Evaluated as a template. #ref: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/ ##

Default value: {}

minio.provisioning.podAnnotations#

#@param provisioning.podAnnotations Provisioning Pod annotations. ##

Default value: {}

minio.provisioning.podLabels#

#@param provisioning.podLabels Extra labels for provisioning pods #Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ ##

Default value: {}

minio.provisioning.podSecurityContext.enabled#

Default value: true

minio.provisioning.podSecurityContext.fsGroup#

Default value: 1001

minio.provisioning.podSecurityContext.fsGroupChangePolicy#

Default value: "Always"

minio.provisioning.podSecurityContext.supplementalGroups#

Default value: []

minio.provisioning.podSecurityContext.sysctls#

Default value: []

minio.provisioning.policies#

Default value: [{"name": "nubus-bucket-policy", "statements": [{"resources": ["arn:aws:s3:::nubus"], "effect": "Allow", "actions": ["s3:*"]}, {"resources": ["arn:aws:s3:::nubus/*"], "effect": "Allow", "actions": ["s3:*"]}]}]

minio.provisioning.resources#

#@param provisioning.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) #Example: #resources: # requests: # cpu: 2 # memory: 512Mi # limits: # cpu: 3 # memory: 1024Mi ##

Default value: {}

minio.provisioning.resources.limits.cpu#

Default value: 288

minio.provisioning.resources.limits.memory#

Default value: "1Gi"

minio.provisioning.resources.requests.cpu#

Default value: "10m"

minio.provisioning.resources.requests.memory#

Default value: "16Mi"

minio.provisioning.resourcesPreset#

#We usually recommend not to specify default resources and to leave this as a conscious #choice for the user. This also increases chances charts run on environments with little #resources, such as Minikube. If you do want to specify resources, uncomment the following #lines, adjust them as necessary, and remove the curly braces after ‘resources:’. #@param provisioning.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if provisioning.resources is set (provisioning.resources is recommended for production). #More information: bitnami/charts ##

Default value: "nano"

minio.provisioning.schedulerName#

#@param provisioning.schedulerName Name of the k8s scheduler (other than default) for MinIO® provisioning #ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ##

Default value: ""

minio.provisioning.users#

#@param provisioning.users MinIO® users provisioning. Can be used in addition to provisioning.usersExistingSecrets. #https://docs.min.io/docs/minio-admin-complete-guide.html#user #e.g. #users: # - username: test-username # password: test-password # disabled: false # policies: # - readwrite # - consoleAdmin # - diagnostics # When set to true, it will replace all policies with the specified. # When false, the policies will be added to the existing. # setPolicies: false

Default value: []

minio.provisioning.usersExistingSecrets#

Default value: ["nubus-minio-provisioning"]

minio.readinessProbe.enabled#

Default value: true

minio.readinessProbe.failureThreshold#

Default value: 5

minio.readinessProbe.initialDelaySeconds#

Default value: 5

minio.readinessProbe.periodSeconds#

Default value: 5

minio.readinessProbe.successThreshold#

Default value: 1

minio.readinessProbe.timeoutSeconds#

Default value: 1

minio.resources#

#@param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) #Example: #resources: # requests: # cpu: 2 # memory: 512Mi # limits: # cpu: 3 # memory: 1024Mi ##

Default value: {}

minio.resources.limits.cpu#

Default value: 288

minio.resources.limits.memory#

Default value: "1Gi"

minio.resources.requests.cpu#

Default value: "10m"

minio.resources.requests.memory#

Default value: "16Mi"

minio.resourcesPreset#

#MinIO® containers’ resource requests and limits #ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ #We usually recommend not to specify default resources and to leave this as a conscious #choice for the user. This also increases chances charts run on environments with little #resources, such as Minikube. If you do want to specify resources, uncomment the following #lines, adjust them as necessary, and remove the curly braces after ‘resources:’. #@param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). #More information: bitnami/charts ##

Default value: "micro"

minio.runtimeClassName#

#@param runtimeClassName Name of the runtime class to be used by MinIO® pods #ref: https://kubernetes.io/docs/concepts/containers/runtime-class/ ##

Default value: ""

minio.schedulerName#

#@param schedulerName Specifies the schedulerName, if it’s nil uses kube-scheduler #https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ##

Default value: ""

minio.service.annotations#

#@param service.annotations Annotations for MinIO® service #This can be used to set the LoadBalancer service type to internal only. #ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ##

Default value: {}

minio.service.clusterIP#

#@param service.clusterIP Service Cluster IP #e.g.: #clusterIP: None ##

Default value: ""

minio.service.externalTrafficPolicy#

#@param service.externalTrafficPolicy Enable client source IP preservation #ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ##

Default value: "Cluster"

minio.service.extraPorts#

#@param service.extraPorts Extra ports to expose in the service (normally used with the sidecar value) ##

Default value: []

minio.service.headless.annotations#

#@param service.headless.annotations Annotations for the headless service. ##

Default value: {}

minio.service.loadBalancerIP#

#@param service.loadBalancerIP loadBalancerIP if service type is LoadBalancer (optional, cloud specific) #ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer ##

Default value: ""

minio.service.loadBalancerSourceRanges#

#@param service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer #https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service #e.g: #loadBalancerSourceRanges: # - 10.10.10.0/24 ##

Default value: []

minio.service.nodePorts.api#

Default value: ""

minio.service.nodePorts.console#

Default value: ""

minio.service.ports.api#

Default value: 9000

minio.service.ports.console#

Default value: 9001

minio.service.type#

#@param service.type MinIO® service type ##

Default value: "ClusterIP"

minio.serviceAccount.annotations#

#@param serviceAccount.annotations Custom annotations for MinIO® ServiceAccount ##

Default value: {}

minio.serviceAccount.automountServiceAccountToken#

#@param serviceAccount.automountServiceAccountToken Enable/disable auto mounting of the service account token ##

Default value: false

minio.serviceAccount.create#

#@param serviceAccount.create Enable the creation of a ServiceAccount for MinIO® pods ##

Default value: true

minio.serviceAccount.name#

#@param serviceAccount.name Name of the created ServiceAccount #If not set and create is true, a name is generated using the common.names.fullname template ##

Default value: ""

minio.sidecars#

#@param sidecars Add additional sidecar containers to the MinIO® pods #e.g: #sidecars: # - name: your-image-name # image: your-image # imagePullPolicy: Always # ports: # - name: portname # containerPort: 1234 ##

Default value: []

minio.startupProbe.enabled#

Default value: false

minio.startupProbe.failureThreshold#

Default value: 60

minio.startupProbe.initialDelaySeconds#

Default value: 0

minio.startupProbe.periodSeconds#

Default value: 10

minio.startupProbe.successThreshold#

Default value: 1

minio.startupProbe.timeoutSeconds#

Default value: 5

minio.statefulset.drivesPerNode#

#@param statefulset.drivesPerNode Number of drives attached to every node (only for MinIO® distributed mode) ##

Default value: 1

minio.statefulset.podManagementPolicy#

#@param statefulset.podManagementPolicy The StatefulSet controller supports relaxing its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel #ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy ##

Default value: "Parallel"

minio.statefulset.replicaCount#

#@param statefulset.replicaCount Number of pods per zone (only for MinIO® distributed mode). Should be even and >= 4 ##

Default value: 4

minio.statefulset.updateStrategy.type#

Default value: "RollingUpdate"

minio.statefulset.zones#

#@param statefulset.zones Number of zones (only for MinIO® distributed mode) ##

Default value: 1

minio.terminationGracePeriodSeconds#

Default value: 5

minio.tls.autoGenerated#

#@param tls.autoGenerated Automatically generate self-signed TLS certificates ##

Default value: false

minio.tls.enabled#

Default value: false

minio.tls.existingSecret#

Default value: "{{ .Release.Name }}-minio-tls"

minio.tls.mountPath#

#@param tls.mountPath The mount path where the secret will be located #Custom mount path where the certificates will be located, if empty will default to /certs

Default value: ""

minio.tls.resources.limits.cpu#

Default value: 288

minio.tls.resources.limits.memory#

Default value: "1Gi"

minio.tls.resources.requests.cpu#

Default value: "10m"

minio.tls.resources.requests.memory#

Default value: "16Mi"

minio.tolerations#

#@param tolerations Tolerations for pod assignment. Evaluated as a template. #ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ##

Default value: []

minio.topologySpreadConstraints#

#@param topologySpreadConstraints Topology Spread Constraints for MinIO® pods assignment spread across your cluster among failure-domains #Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods ##

Default value: []

minio.volumePermissions.containerSecurityContext.runAsUser#

Default value: 0

minio.volumePermissions.containerSecurityContext.seLinuxOptions#

Default value: {}

minio.volumePermissions.enabled#

#@param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to runAsUser:fsGroup ##

Default value: false

minio.volumePermissions.image.digest#

Default value: ""

minio.volumePermissions.image.pullPolicy#

Default value: "IfNotPresent"

minio.volumePermissions.image.pullSecrets#

#Optionally specify an array of imagePullSecrets. #Secrets must be manually created in the namespace. #ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ #e.g: #pullSecrets: # - myRegistryKeySecretName ##

Default value: []

minio.volumePermissions.image.registry#

Default value: "docker.io"

minio.volumePermissions.image.repository#

Default value: "bitnami/os-shell"

minio.volumePermissions.image.tag#

Default value: "12-debian-12-r27"

minio.volumePermissions.resources#

#@param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads) #Example: #resources: # requests: # cpu: 2 # memory: 512Mi # limits: # cpu: 3 # memory: 1024Mi ##

Default value: {}

minio.volumePermissions.resourcesPreset#

#Init container’s resource requests and limits #ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ #We usually recommend not to specify default resources and to leave this as a conscious #choice for the user. This also increases chances charts run on environments with little #resources, such as Minikube. If you do want to specify resources, uncomment the following #lines, adjust them as necessary, and remove the curly braces after ‘resources:’. #@param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). #More information: bitnami/charts ##

Default value: "nano"

10.2.10. nubusDevelopment#

nubusDevelopment.resources.limits.cpu#

Default value: 288

nubusDevelopment.resources.limits.memory#

Default value: "1Gi"

nubusDevelopment.resources.requests.cpu#

Default value: "10m"

nubusDevelopment.resources.requests.memory#

Default value: "16Mi"

nubusDevelopment.terminationGracePeriodSeconds#

Default value: 5

10.2.11. nubusGuardian#

nubusGuardian.authorizationApi.affinity#

Default value: {}

nubusGuardian.authorizationApi.config.guardianAuthzAdapterAppPersistencePort#

Port and adapter to specify where to store the application data. Example: “udm_data”

Default value: "udm_data"

nubusGuardian.authorizationApi.config.guardianAuthzAdapterAuthenticationPort#

Port and adapter for authentication. Use fast_api_oauth for integrated OIDC support. Example: “fast_api_oauth”

Default value: "fast_api_oauth"

nubusGuardian.authorizationApi.config.guardianAuthzAdapterPolicyPort#

Port and adapter for policies. Defaults to opa for Open Policy Agent. Example: “opa”

Default value: "opa"

nubusGuardian.authorizationApi.config.guardianAuthzAdapterSettingsPort#

Port and adapter to specify where to read the settings from. Defaults to env for environment. Example: “env”

Default value: "env"

nubusGuardian.authorizationApi.config.guardianAuthzCorsAllowedOrigins#

Comma-separated list of hosts that are allowed to make cross-origin resource sharing (CORS) requests to the server. Example: “*”

Default value: "*"

nubusGuardian.authorizationApi.config.guardianAuthzLoggingFormat#

Defines the format of the log output, if not structured. The possible options are described in https://loguru.readthedocs.io/en/stable/api/logger.html. Example: “<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}”

Default value:

"<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"

nubusGuardian.authorizationApi.config.guardianAuthzLoggingLevel#

Sets the log level of the application. Chart defaults to: “DEBUG”

Default value: ""

nubusGuardian.authorizationApi.config.guardianAuthzLoggingStructured#

If set to True, the logging output is structured as a JSON object. Example: true

Default value: true

nubusGuardian.authorizationApi.config.home#

Directory that Guardian will use to save the bundles and configuration. Example: /guardian_service_dir

Default value: "/guardian_service_dir"

nubusGuardian.authorizationApi.config.isUniventionAppCenter#

Default value: 0

nubusGuardian.authorizationApi.config.oauthAdapterWellKnownUrl#

OIDC well-known URL. Example: “http://keycloak/realms/souvap/.well-known/openid-configuration”

Default value: ""

nubusGuardian.authorizationApi.config.opaAdapterUrl#

URL to Open Policy Agent. Example: “http://ums-guardian-open-policy-agent:8181/”

Default value: ""

nubusGuardian.authorizationApi.config.secretRef#

The reference to the secret containing udmDataAdapterPassword and udmDataAdapterUsername. Example: “guardian-udm-secret”

Default value: ""

nubusGuardian.authorizationApi.config.udmDataAdapterPassword#

Password for authenticating against the UDM REST API. Do not use, see secretRef below. Example: “password”

Default value: ""

nubusGuardian.authorizationApi.config.udmDataAdapterPasswordFile#

File where the UDM password will be stored. Example: “/var/secrets/udmDataAdapterPassword”

Default value:

"/var/secrets/udmDataAdapterPassword"

nubusGuardian.authorizationApi.config.udmDataAdapterUrl#

The URL of the UDM REST API for data queries. Example: “http://udm-rest-api/univention/udm”

Default value: ""

nubusGuardian.authorizationApi.config.udmDataAdapterUsername#

Username for authenticating against the UDM REST API. Do not use, see secretRef below. Example: “cn=admin”

Default value: ""

nubusGuardian.authorizationApi.config.udmDataAdapterUsernameFile#

File where the UDM username will be stored. Example: “/var/secrets/udmDataAdapterUsername”

Default value:

"/var/secrets/udmDataAdapterUsername"

nubusGuardian.authorizationApi.environment#

Default value: {}

nubusGuardian.authorizationApi.fullnameOverride#

Default value: ""

nubusGuardian.authorizationApi.image.imagePullPolicy#

Default value: "Always"

nubusGuardian.authorizationApi.image.imagePullSecrets#

Default value: []

nubusGuardian.authorizationApi.image.registry#

Default value:

"docker.software-univention.de"

nubusGuardian.authorizationApi.image.repository#

Default value:

"guardian-authorization-api-authorization-api"

nubusGuardian.authorizationApi.image.sha256#

Define image sha256 as an alternative to tag

Default value: null

nubusGuardian.authorizationApi.image.tag#

Default value: "2.0.0"

nubusGuardian.authorizationApi.nameOverride#

Default value: ""

nubusGuardian.authorizationApi.nodeSelector#

Default value: {}

nubusGuardian.authorizationApi.persistence.data.size#

Default value: "1Gi"

nubusGuardian.authorizationApi.persistence.data.storageClass#

Default value: ""

nubusGuardian.authorizationApi.podAnnotations#

Default value: {}

nubusGuardian.authorizationApi.podSecurityContext.fsGroup#

Default value: 1000

nubusGuardian.authorizationApi.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusGuardian.authorizationApi.probes.liveness.enabled#

Default value: true

nubusGuardian.authorizationApi.probes.liveness.failureThreshold#

Default value: 3

nubusGuardian.authorizationApi.probes.liveness.initialDelaySeconds#

Default value: 120

nubusGuardian.authorizationApi.probes.liveness.periodSeconds#

Default value: 30

nubusGuardian.authorizationApi.probes.liveness.successThreshold#

Default value: 1

nubusGuardian.authorizationApi.probes.liveness.timeoutSeconds#

Default value: 3

nubusGuardian.authorizationApi.probes.readiness.enabled#

Default value: true

nubusGuardian.authorizationApi.probes.readiness.failureThreshold#

Default value: 30

nubusGuardian.authorizationApi.probes.readiness.initialDelaySeconds#

Default value: 30

nubusGuardian.authorizationApi.probes.readiness.periodSeconds#

Default value: 15

nubusGuardian.authorizationApi.probes.readiness.successThreshold#

Default value: 1

nubusGuardian.authorizationApi.probes.readiness.timeoutSeconds#

Default value: 3

nubusGuardian.authorizationApi.replicaCount#

Default value: 1

nubusGuardian.authorizationApi.resources.limits.cpu#

Default value: "4"

nubusGuardian.authorizationApi.resources.limits.memory#

Default value: "4Gi"

nubusGuardian.authorizationApi.resources.requests.cpu#

Default value: "250m"

nubusGuardian.authorizationApi.resources.requests.memory#

Default value: "512Mi"

nubusGuardian.authorizationApi.securityContext.allowPrivilegeEscalation#

Default value: false

nubusGuardian.authorizationApi.securityContext.capabilities.drop#

Default value: ["ALL"]

nubusGuardian.authorizationApi.securityContext.privileged#

Default value: false

nubusGuardian.authorizationApi.securityContext.readOnlyRootFilesystem#

Default value: true

nubusGuardian.authorizationApi.securityContext.runAsGroup#

Default value: 1000

nubusGuardian.authorizationApi.securityContext.runAsNonRoot#

Default value: true

nubusGuardian.authorizationApi.securityContext.runAsUser#

Default value: 1000

nubusGuardian.authorizationApi.securityContext.seccompProfile.type#

Default value: "RuntimeDefault"

nubusGuardian.authorizationApi.service.enabled#

Default value: true

nubusGuardian.authorizationApi.service.ports.http.containerPort#

Default value: 8000

nubusGuardian.authorizationApi.service.ports.http.port#

Default value: 80

nubusGuardian.authorizationApi.service.ports.http.protocol#

Default value: "TCP"

nubusGuardian.authorizationApi.service.sessionAffinity.enabled#

Default value: false

nubusGuardian.authorizationApi.service.sessionAffinity.timeoutSeconds#

Default value: 10800

nubusGuardian.authorizationApi.service.type#

Default value: "ClusterIP"

nubusGuardian.authorizationApi.tolerations#

Default value: []

nubusGuardian.enabled#

Default value: false

nubusGuardian.extraEnvVars#

Array with extra environment variables to add to containers. Example:

extraEnvVars:
  - name: FOO
    value: "bar"

Default value: []

nubusGuardian.extraIngresses#

Extra ingress configuration

Default value: []

nubusGuardian.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusGuardian.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusGuardian.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusGuardian.global.affinity#

Default value: {}

nubusGuardian.global.domain#

Default value: ""

nubusGuardian.global.environment#

Default value: {}

nubusGuardian.global.fullnameOverride#

Default value: ""

nubusGuardian.global.imageRegistry#

Default value:

"artifacts.software-univention.de"

nubusGuardian.global.nameOverride#

Default value: ""

nubusGuardian.global.nodeSelector#

Default value: {}

nubusGuardian.global.podAnnotations#

Default value: {}

nubusGuardian.global.podSecurityContext#

Default value: {}

nubusGuardian.global.postgresql.connection.host#

Default value: ""

nubusGuardian.global.postgresql.connection.port#

Default value: ""

nubusGuardian.global.replicaCount#

Default value: 1

nubusGuardian.global.securityContext#

Default value: {}

nubusGuardian.global.subDomains.keycloak#

Default value: ""

nubusGuardian.global.subDomains.portal#

Default value: "portal"

nubusGuardian.global.tolerations#

Default value: []

nubusGuardian.ingress.annotations#

Define custom ingress annotations for all Ingresses.

Default value: {}

nubusGuardian.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

nubusGuardian.ingress.certManager.issuerRef.kind#

Type of Issuer, for example “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

nubusGuardian.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

nubusGuardian.ingress.enabled#

Enable creation of Ingress.

Default value: true

nubusGuardian.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusGuardian.ingress.ingressClassName#

The Ingress controller class name. (This will be the default for all Ingresses)

Default value: ""

nubusGuardian.ingress.items#

Default value:

[{"name": "management-ui", "host": "", "paths": [{"path": "/univention/guardian/management-ui", "pathType": "Prefix", "backend": {"service": {"name": "guardian-management-ui", "port": {"number": 80}}}}], "ingressClassName": "", "annotations": {}, "tls": {"secretName": ""}}, {"name": "management-api", "host": "", "paths": [{"path": "/guardian/management", "pathType": "Prefix", "backend": {"service": {"name": "guardian-management-api", "port": {"number": 80}}}}], "ingressClassName": "", "annotations": {}, "tls": {"secretName": ""}}, {"name": "authorization-api", "host": "", "paths": [{"path": "/guardian/authorization", "pathType": "Prefix", "backend": {"service": {"name": "guardian-authorization-api", "port": {"number": 80}}}}], "ingressClassName": "", "annotations": {}, "tls": {"secretName": ""}}]

nubusGuardian.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

nubusGuardian.ingress.tls.secretName#

The name of the Kubernetes secret that contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

nubusGuardian.managementApi.affinity#

Default value: {}

nubusGuardian.managementApi.config.guardianManagementAdapterAppPersistencePort#

Port and adapter for persisting app data. Defaults to sql.

Default value: "sql"

nubusGuardian.managementApi.config.guardianManagementAdapterAuthenticationPort#

Port and adapter for authentication. Use fast_api_oauth for integrated OIDC support.

Default value: "fast_api_oauth"

nubusGuardian.managementApi.config.guardianManagementAdapterAuthorizationApiUrl#

URL to the Authorization API. Example: http://guardian-management-api/guardian/authorization

Default value: ""

nubusGuardian.managementApi.config.guardianManagementAdapterCapabilityPersistencePort#

Port and adapter for persisting capabilities. Defaults to sql.

Default value: "sql"

nubusGuardian.managementApi.config.guardianManagementAdapterConditionPersistencePort#

Port and adapter for persisting conditions. Defaults to sql.

Default value: "sql"

nubusGuardian.managementApi.config.guardianManagementAdapterContextPersistencePort#

Port and adapter for persisting contexts. Defaults to sql.

Default value: "sql"

nubusGuardian.managementApi.config.guardianManagementAdapterNamespacePersistencePort#

Port and adapter for persisting namespaces. Defaults to sql.

Default value: "sql"

nubusGuardian.managementApi.config.guardianManagementAdapterPermissionPersistencePort#

Port and adapter for persisting permissions. Defaults to sql.

Default value: "sql"

nubusGuardian.managementApi.config.guardianManagementAdapterResourceAuthorizationPort#

Default value: "guardian"

nubusGuardian.managementApi.config.guardianManagementAdapterRolePersistencePort#

Port and adapter for persisting roles. Defaults to sql.

Default value: "sql"

nubusGuardian.managementApi.config.guardianManagementAdapterSettingsPort#

Port and adapter for where to get the settings from. Defaults to env to read from environment.

Default value: "env"

nubusGuardian.managementApi.config.guardianManagementBaseUrl#

Defines the base URL of the API. If unset, the URL is generated from the hostname and domain name. Example: “http://example.test/guardian/management”

Default value: ""

nubusGuardian.managementApi.config.guardianManagementCorsAllowedOrigins#

Comma-separated list of hosts that are allowed to make cross-origin resource sharing (CORS) requests to the server.

Default value: "*"

nubusGuardian.managementApi.config.guardianManagementLoggingFormat#

Defines the format of the log output, if not structured. The possible options are described in https://loguru.readthedocs.io/en/stable/api/logger.html.

Default value:

"<green>{time:YYYY-MM-DD HH:mm:ss.SSS ZZ}</green> | <level>{level}</level> | <level>{message}</level> | {extra}"

nubusGuardian.managementApi.config.guardianManagementLoggingLevel#

Sets the log level of the application.

Default value: "DEBUG"

nubusGuardian.managementApi.config.guardianManagementLoggingStructured#

If set to True, the logging output is structured as a JSON object.

Default value: true

nubusGuardian.managementApi.config.home#

Directory that Guardian will use to save the bundles and configuration.

Default value: "/guardian_service_dir"

nubusGuardian.managementApi.config.isUniventionAppCenter#

Default value: 0

nubusGuardian.managementApi.config.oauthAdapterM2mSecret#

Machine-to-machine secret (not used, see secretRef below)

Default value: ""

nubusGuardian.managementApi.config.oauthAdapterM2mSecretFile#

File where the machine-to-machine secret will be saved.

Default value:

"/var/secrets/oauthAdapterM2mSecret"

nubusGuardian.managementApi.config.oauthAdapterWellKnownUrl#

Identity Provider well-known URL. Example: http://keycloak/realms/souvap/.well-known/openid-configuration

Default value: ""

nubusGuardian.managementApi.config.secretRef#

The reference to the secret containing oauthAdapterM2mSecret.

Default value: ""

nubusGuardian.managementApi.config.sqlPersistenceAdapterDialect#

Dialect of the database.

Default value: "postgresql"

nubusGuardian.managementApi.environment#

Default value: {}

nubusGuardian.managementApi.fullnameOverride#

Default value: ""

nubusGuardian.managementApi.image.imagePullPolicy#

Default value: "Always"

nubusGuardian.managementApi.image.imagePullSecrets#

Default value: []

nubusGuardian.managementApi.image.registry#

Default value:

"docker.software-univention.de"

nubusGuardian.managementApi.image.repository#

Default value:

"guardian-management-api-management-api"

nubusGuardian.managementApi.image.sha256#

Define image sha256 as an alternative to tag

Default value: null

nubusGuardian.managementApi.image.tag#

Default value: "2.0.0"

nubusGuardian.managementApi.nameOverride#

Default value: ""

nubusGuardian.managementApi.nodeSelector#

Default value: {}

nubusGuardian.managementApi.persistence.data.size#

Default value: "1Gi"

nubusGuardian.managementApi.persistence.data.storageClass#

Default value: ""

nubusGuardian.managementApi.podAnnotations#

Default value: {}

nubusGuardian.managementApi.podSecurityContext.fsGroup#

Default value: 1000

nubusGuardian.managementApi.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusGuardian.managementApi.probes.liveness.enabled#

Default value: true

nubusGuardian.managementApi.probes.liveness.failureThreshold#

Default value: 3

nubusGuardian.managementApi.probes.liveness.initialDelaySeconds#

Default value: 120

nubusGuardian.managementApi.probes.liveness.periodSeconds#

Default value: 30

nubusGuardian.managementApi.probes.liveness.successThreshold#

Default value: 1

nubusGuardian.managementApi.probes.liveness.timeoutSeconds#

Default value: 3

nubusGuardian.managementApi.probes.readiness.enabled#

Default value: true

nubusGuardian.managementApi.probes.readiness.failureThreshold#

Default value: 30

nubusGuardian.managementApi.probes.readiness.initialDelaySeconds#

Default value: 30

nubusGuardian.managementApi.probes.readiness.periodSeconds#

Default value: 15

nubusGuardian.managementApi.probes.readiness.successThreshold#

Default value: 1

nubusGuardian.managementApi.probes.readiness.timeoutSeconds#

Default value: 3

nubusGuardian.managementApi.replicaCount#

Default value: 1

nubusGuardian.managementApi.resources.limits.cpu#

Default value: "4"

nubusGuardian.managementApi.resources.limits.memory#

Default value: "4Gi"

nubusGuardian.managementApi.resources.requests.cpu#

Default value: "250m"

nubusGuardian.managementApi.resources.requests.memory#

Default value: "512Mi"

nubusGuardian.managementApi.securityContext.allowPrivilegeEscalation#

Default value: false

nubusGuardian.managementApi.securityContext.capabilities.drop#

Default value: ["ALL"]

nubusGuardian.managementApi.securityContext.privileged#

Default value: false

nubusGuardian.managementApi.securityContext.readOnlyRootFilesystem#

Default value: true

nubusGuardian.managementApi.securityContext.runAsGroup#

Default value: 1000

nubusGuardian.managementApi.securityContext.runAsNonRoot#

Default value: true

nubusGuardian.managementApi.securityContext.runAsUser#

Default value: 1000

nubusGuardian.managementApi.securityContext.seccompProfile.type#

Default value: "RuntimeDefault"

nubusGuardian.managementApi.service.enabled#

Default value: true

nubusGuardian.managementApi.service.ports.http.containerPort#

Default value: 8000

nubusGuardian.managementApi.service.ports.http.port#

Default value: 80

nubusGuardian.managementApi.service.ports.http.protocol#

Default value: "TCP"

nubusGuardian.managementApi.service.sessionAffinity.enabled#

Default value: false

nubusGuardian.managementApi.service.sessionAffinity.timeoutSeconds#

Default value: 10800

nubusGuardian.managementApi.service.type#

Default value: "ClusterIP"

nubusGuardian.managementApi.tolerations#

Default value: []

nubusGuardian.managementUi.affinity#

Default value: {}

nubusGuardian.managementUi.config.viteApiDataAdapterUri#

URL for the Guardian Management API from outside. Will be queried from the client. Example: “https://porta.example.test/guardian/management”

Default value: ""

nubusGuardian.managementUi.config.viteKeycloakAuthenticationAdapterClientId#

Keycloak client ID. Must be provisioned either by the provisioning job in this chart or manually.

Default value: "guardian-ui"

nubusGuardian.managementUi.config.viteKeycloakAuthenticationAdapterRealm#

Keycloak authentication realm.

Default value: ""

nubusGuardian.managementUi.config.viteKeycloakAuthenticationAdapterSsoUri#

Base URI of the Keycloak server for authentication. Example: “https://id.example.test”

Default value: ""

nubusGuardian.managementUi.config.viteManagementUiAdapterAuthenticationPort#

Port and adapter for authentication. Defaults to keycloak.

Default value: "keycloak"

nubusGuardian.managementUi.config.viteManagementUiAdapterDataPort#

Port and adapter to use as data source for the UI. Defaults to api for Guardian’s Management API.

Default value: "api"

nubusGuardian.managementUi.environment#

Default value: {}

nubusGuardian.managementUi.fullnameOverride#

Default value: ""

nubusGuardian.managementUi.image.imagePullPolicy#

Default value: "Always"

nubusGuardian.managementUi.image.imagePullSecrets#

Default value: []

nubusGuardian.managementUi.image.registry#

Default value:

"docker.software-univention.de"

nubusGuardian.managementUi.image.repository#

Default value:

"guardian-management-ui-management-ui"

nubusGuardian.managementUi.image.sha256#

Define image sha256 as an alternative to tag

Default value: null

nubusGuardian.managementUi.image.tag#

Default value: "2.0.0"

nubusGuardian.managementUi.nameOverride#

Default value: ""

nubusGuardian.managementUi.nodeSelector#

Default value: {}

nubusGuardian.managementUi.persistence.data.size#

Default value: "1Gi"

nubusGuardian.managementUi.persistence.data.storageClass#

Default value: ""

nubusGuardian.managementUi.podAnnotations#

Default value: {}

nubusGuardian.managementUi.podSecurityContext#

Default value: {}

nubusGuardian.managementUi.probes.liveness.enabled#

Default value: true

nubusGuardian.managementUi.probes.liveness.failureThreshold#

Default value: 3

nubusGuardian.managementUi.probes.liveness.initialDelaySeconds#

Default value: 120

nubusGuardian.managementUi.probes.liveness.periodSeconds#

Default value: 30

nubusGuardian.managementUi.probes.liveness.successThreshold#

Default value: 1

nubusGuardian.managementUi.probes.liveness.timeoutSeconds#

Default value: 3

nubusGuardian.managementUi.probes.readiness.enabled#

Default value: true

nubusGuardian.managementUi.probes.readiness.failureThreshold#

Default value: 30

nubusGuardian.managementUi.probes.readiness.initialDelaySeconds#

Default value: 30

nubusGuardian.managementUi.probes.readiness.periodSeconds#

Default value: 15

nubusGuardian.managementUi.probes.readiness.successThreshold#

Default value: 1

nubusGuardian.managementUi.probes.readiness.timeoutSeconds#

Default value: 3

nubusGuardian.managementUi.replicaCount#

Default value: 1

nubusGuardian.managementUi.resources.limits.cpu#

Default value: "4"

nubusGuardian.managementUi.resources.limits.memory#

Default value: "4Gi"

nubusGuardian.managementUi.resources.requests.cpu#

Default value: "250m"

nubusGuardian.managementUi.resources.requests.memory#

Default value: "512Mi"

nubusGuardian.managementUi.securityContext.allowPrivilegeEscalation#

Default value: false

nubusGuardian.managementUi.securityContext.capabilities.drop#

Default value: ["ALL"]

nubusGuardian.managementUi.securityContext.privileged#

Default value: false

nubusGuardian.managementUi.securityContext.readOnlyRootFilesystem#

Default value: true

nubusGuardian.managementUi.securityContext.runAsGroup#

Default value: 1000

nubusGuardian.managementUi.securityContext.runAsNonRoot#

Default value: true

nubusGuardian.managementUi.securityContext.runAsUser#

Default value: 1000

nubusGuardian.managementUi.securityContext.seccompProfile.type#

Default value: "RuntimeDefault"

nubusGuardian.managementUi.service.enabled#

Default value: true

nubusGuardian.managementUi.service.ports.http.containerPort#

Default value: 8383

nubusGuardian.managementUi.service.ports.http.port#

Default value: 80

nubusGuardian.managementUi.service.ports.http.protocol#

Default value: "TCP"

nubusGuardian.managementUi.service.sessionAffinity.enabled#

Default value: false

nubusGuardian.managementUi.service.sessionAffinity.timeoutSeconds#

Default value: 10800

nubusGuardian.managementUi.service.type#

Default value: "ClusterIP"

nubusGuardian.managementUi.tolerations#

Default value: []

nubusGuardian.nameOverride#

Default value: "guardian"

nubusGuardian.openPolicyAgent.affinity#

Default value: {}

nubusGuardian.openPolicyAgent.config.isUniventionAppCenter#

Default value: 0

nubusGuardian.openPolicyAgent.config.opaDataBundle#

Default value:

"bundles/GuardianDataBundle.tar.gz"

nubusGuardian.openPolicyAgent.config.opaGuardianManagementUrl#

Bundle server URL

Default value: ""

nubusGuardian.openPolicyAgent.config.opaPolicyBundle#

Default value:

"bundles/GuardianPolicyBundle.tar.gz"

nubusGuardian.openPolicyAgent.config.opaPollingMaxDelay#

Default value: 15

nubusGuardian.openPolicyAgent.config.opaPollingMinDelay#

Default value: 10

nubusGuardian.openPolicyAgent.environment#

Default value: {}

nubusGuardian.openPolicyAgent.fullnameOverride#

Default value: ""

nubusGuardian.openPolicyAgent.image.imagePullPolicy#

Default value: "Always"

nubusGuardian.openPolicyAgent.image.imagePullSecrets#

Default value: []

nubusGuardian.openPolicyAgent.image.registry#

Default value:

"docker.software-univention.de"

nubusGuardian.openPolicyAgent.image.repository#

Default value:

"guardian-authorization-api-opa"

nubusGuardian.openPolicyAgent.image.sha256#

Define image sha256 as an alternative to tag

Default value: null

nubusGuardian.openPolicyAgent.image.tag#

Default value: "2.0.0"

nubusGuardian.openPolicyAgent.nameOverride#

Default value: ""

nubusGuardian.openPolicyAgent.nodeSelector#

Default value: {}

nubusGuardian.openPolicyAgent.podAnnotations#

Default value: {}

nubusGuardian.openPolicyAgent.podSecurityContext.fsGroup#

Default value: 1000

nubusGuardian.openPolicyAgent.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusGuardian.openPolicyAgent.probes.liveness.enabled#

Default value: true

nubusGuardian.openPolicyAgent.probes.liveness.failureThreshold#

Default value: 3

nubusGuardian.openPolicyAgent.probes.liveness.initialDelaySeconds#

Default value: 120

nubusGuardian.openPolicyAgent.probes.liveness.periodSeconds#

Default value: 30

nubusGuardian.openPolicyAgent.probes.liveness.successThreshold#

Default value: 1

nubusGuardian.openPolicyAgent.probes.liveness.timeoutSeconds#

Default value: 3

nubusGuardian.openPolicyAgent.probes.readiness.enabled#

Default value: true

nubusGuardian.openPolicyAgent.probes.readiness.failureThreshold#

Default value: 30

nubusGuardian.openPolicyAgent.probes.readiness.initialDelaySeconds#

Default value: 30

nubusGuardian.openPolicyAgent.probes.readiness.periodSeconds#

Default value: 15

nubusGuardian.openPolicyAgent.probes.readiness.successThreshold#

Default value: 1

nubusGuardian.openPolicyAgent.probes.readiness.timeoutSeconds#

Default value: 3

nubusGuardian.openPolicyAgent.replicaCount#

Default value: 1

nubusGuardian.openPolicyAgent.resources.limits.cpu#

Default value: "4"

nubusGuardian.openPolicyAgent.resources.limits.memory#

Default value: "4Gi"

nubusGuardian.openPolicyAgent.resources.requests.cpu#

Default value: "250m"

nubusGuardian.openPolicyAgent.resources.requests.memory#

Default value: "512Mi"

nubusGuardian.openPolicyAgent.securityContext.allowPrivilegeEscalation#

Default value: false

nubusGuardian.openPolicyAgent.securityContext.capabilities.drop#

Default value: ["ALL"]

nubusGuardian.openPolicyAgent.securityContext.privileged#

Default value: false

nubusGuardian.openPolicyAgent.securityContext.readOnlyRootFilesystem#

Default value: true

nubusGuardian.openPolicyAgent.securityContext.runAsGroup#

Default value: 1000

nubusGuardian.openPolicyAgent.securityContext.runAsNonRoot#

Default value: true

nubusGuardian.openPolicyAgent.securityContext.runAsUser#

Default value: 1000

nubusGuardian.openPolicyAgent.securityContext.seccompProfile.type#

Default value: "RuntimeDefault"

nubusGuardian.openPolicyAgent.service.enabled#

Default value: true

nubusGuardian.openPolicyAgent.service.ports.http.containerPort#

Default value: 8181

nubusGuardian.openPolicyAgent.service.ports.http.port#

Default value: 80

nubusGuardian.openPolicyAgent.service.ports.http.protocol#

Default value: "TCP"

nubusGuardian.openPolicyAgent.service.sessionAffinity.enabled#

Default value: false

nubusGuardian.openPolicyAgent.service.sessionAffinity.timeoutSeconds#

Default value: 10800

nubusGuardian.openPolicyAgent.service.type#

Default value: "ClusterIP"

nubusGuardian.openPolicyAgent.tolerations#

Default value: []

nubusGuardian.postgresql.auth.credentialSecret.key#

Default value: "password"

nubusGuardian.postgresql.auth.credentialSecret.name#

Default value: ""

nubusGuardian.postgresql.auth.database#

Default value: "guardian"

nubusGuardian.postgresql.auth.password#

Default value: ""

nubusGuardian.postgresql.auth.username#

Default value: "guardian"

nubusGuardian.postgresql.bundled#

Default value: false

nubusGuardian.postgresql.connection.host#

Default value: ""

nubusGuardian.postgresql.connection.port#

Default value: ""

nubusGuardian.postgresql.nameOverride#

Default value: "guardian-postgresql"

nubusGuardian.provisioning.backoffLimit#

Default value: 900

nubusGuardian.provisioning.config.debug.enabled#

Enable debug output of included Ansible scripts

Default value: false

nubusGuardian.provisioning.config.debug.pauseBeforeScriptStart#

Seconds for the job to pause before starting the actual bootstrapping.

Default value: 0

nubusGuardian.provisioning.config.keycloak.connection.host#

Keycloak host.

Default value: ""

nubusGuardian.provisioning.config.keycloak.connection.port#

Keycloak port.

Default value: ""

nubusGuardian.provisioning.config.keycloak.credentialSecret.key#

Default value: "adminPassword"

nubusGuardian.provisioning.config.keycloak.credentialSecret.name#

Default value: ""

nubusGuardian.provisioning.config.keycloak.password#

Keycloak password.

Default value: ""

nubusGuardian.provisioning.config.keycloak.realm#

Keycloak realm.

Default value: ""

nubusGuardian.provisioning.config.keycloak.username#

Default value: "kcadmin"

nubusGuardian.provisioning.config.managementApi.clientSecret#

Specify this only if you do not want to use a secret (see below).

Default value: ""

nubusGuardian.provisioning.config.managementApi.credentialSecret.key#

Default value: "managementApiClientSecret"

nubusGuardian.provisioning.config.nubusBaseUrl#

Base URL for setting in Keycloak application URL without backslash. Example: “https://portal.uv-example.gaia.open-desk.cloud”

Default value: ""

nubusGuardian.provisioning.enabled#

Default value: true

nubusGuardian.provisioning.image.imagePullSecrets#

Default value: []

nubusGuardian.provisioning.image.registry#

Default value:

"artifacts.software-univention.de"

nubusGuardian.provisioning.image.repository#

Default value: "nubus/images/guardian-init"

nubusGuardian.provisioning.image.tag#

Default value:

"0.14.1@sha256:7abfa39021972654571df02fa1e9c35be562e5331a312fab555c912ef3966d30"

nubusGuardian.provisioning.podSecurityContext.fsGroup#

Default value: 1000

nubusGuardian.provisioning.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusGuardian.provisioning.provisioningImage.imagePullPolicy#

Default value: "IfNotPresent"

nubusGuardian.provisioning.provisioningImage.imagePullSecrets#

Default value: []

nubusGuardian.provisioning.provisioningImage.registry#

Default value:

"artifacts.software-univention.de"

nubusGuardian.provisioning.provisioningImage.repository#

Default value:

"nubus/images/keycloak-bootstrap"

nubusGuardian.provisioning.provisioningImage.tag#

Default value: "0.1.2"

nubusGuardian.provisioning.restartPolicy#

Default value: "OnFailure"

nubusGuardian.provisioning.securityContext.allowPrivilegeEscalation#

Default value: false

nubusGuardian.provisioning.securityContext.privileged#

Default value: false

nubusGuardian.provisioning.securityContext.readOnlyRootFilesystem#

Default value: false

nubusGuardian.provisioning.securityContext.runAsGroup#

Default value: 1000

nubusGuardian.provisioning.securityContext.runAsNonRoot#

Default value: true

nubusGuardian.provisioning.securityContext.runAsUser#

Default value: 1000

nubusGuardian.provisioning.securityContext.seccompProfile.type#

Default value: "RuntimeDefault"

nubusGuardian.provisioning.tolerations#

Default value: []

nubusGuardian.provisioning.ttlSecondsAfterFinished#

Time in seconds until the job gets deleted

Default value: 300

nubusGuardian.resources.limits.cpu#

Default value: 288

nubusGuardian.resources.limits.memory#

Default value: "1Gi"

nubusGuardian.resources.requests.cpu#

Default value: "10m"

nubusGuardian.resources.requests.memory#

Default value: "16Mi"

nubusGuardian.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusGuardian.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use K8s API.

Default value: false

nubusGuardian.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusGuardian.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusGuardian.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusGuardian.terminationGracePeriodSeconds#

Default value: 5

10.2.12. nubusKeycloakBootstrap#

nubusKeycloakBootstrap.additionalAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

nubusKeycloakBootstrap.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusKeycloakBootstrap.affinity#

Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.

Default value: {}

nubusKeycloakBootstrap.bootstrap.ldapMappers#

Support for additional attributes to be mapped from the LDAP to the Keycloak user object

Default value: []

Define links that are rendered on the login page of Keycloak

Default value: []

nubusKeycloakBootstrap.bootstrap.twoFactorAuthentication.enabled#

Enable Keycloak’s built-in 2FA support

Default value: false

nubusKeycloakBootstrap.bootstrap.twoFactorAuthentication.group#

DN of the LDAP group whose membership enables 2FA for users.

Default value: ""

nubusKeycloakBootstrap.cleanup.deletePodsOnSuccess#

Keep Pods/Job logs after successful run.

Default value: false

nubusKeycloakBootstrap.cleanup.keepPVCOnDelete#

Keep persistence on delete of this release.

Default value: false

nubusKeycloakBootstrap.config.debug.enabled#

Enable debug output of included Ansible scripts

Default value: false

nubusKeycloakBootstrap.config.debug.pauseBeforeScriptStart#

Seconds for the job to pause before starting the actual bootstrapping.

Default value: 0

nubusKeycloakBootstrap.config.saml.serviceProviderHostname#

Service provider public hostname

Default value: ""

nubusKeycloakBootstrap.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusKeycloakBootstrap.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusKeycloakBootstrap.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusKeycloakBootstrap.containerSecurityContext.privileged#

Default value: false

nubusKeycloakBootstrap.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusKeycloakBootstrap.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusKeycloakBootstrap.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusKeycloakBootstrap.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusKeycloakBootstrap.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusKeycloakBootstrap.enabled#

Default value: true

nubusKeycloakBootstrap.extraEnvVars#

Array with extra environment variables to add to containers. Example:

extraEnvVars:
  - name: FOO
    value: "bar"

Default value: []

nubusKeycloakBootstrap.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusKeycloakBootstrap.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusKeycloakBootstrap.global.domain#

Default value: ""

nubusKeycloakBootstrap.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusKeycloakBootstrap.global.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusKeycloakBootstrap.global.imageRegistry#

Container registry address.

Default value: "artifacts.software-univention.de"

nubusKeycloakBootstrap.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusKeycloakBootstrap.global.subDomains.keycloak#

Default value: ""

nubusKeycloakBootstrap.global.subDomains.portal#

Default value: "portal"

nubusKeycloakBootstrap.image.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusKeycloakBootstrap.image.registry#

Container registry address. This setting has higher precedence than global.registry.

Default value: ""

nubusKeycloakBootstrap.image.repository#

Container repository string.

Default value: "nubus/images/keycloak-bootstrap"

nubusKeycloakBootstrap.image.tag#

Define image tag.

Default value: "0.7.1@sha256:1675e1615732914f01f832af7347c5913af51b447f7e5ca4bdd38557d798c52e"

nubusKeycloakBootstrap.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusKeycloakBootstrap.keycloak.auth.existingSecret.keyMapping.adminPassword#

Default value: "admin_password"

nubusKeycloakBootstrap.keycloak.auth.existingSecret.name#

Default value: "{{- printf \"%s-keycloak-credentials\" .Release.Name -}}"

nubusKeycloakBootstrap.keycloak.auth.realm#

Keycloak realm.

Default value: ""

nubusKeycloakBootstrap.keycloak.auth.username#

Default value: "kcadmin"

nubusKeycloakBootstrap.keycloak.connection.host#

Keycloak host.

Default value: ""

nubusKeycloakBootstrap.keycloak.connection.port#

Keycloak port.

Default value: ""

nubusKeycloakBootstrap.ldap.auth.bindDn#

Default value: "{{ include \"nubus.keycloak.ldap.auth.bindDn\" . }}"

nubusKeycloakBootstrap.ldap.auth.existingSecret.name#

Default value: "{{- printf \"%s-keycloak-bootstrap-ldap-credentials\" .Release.Name -}}"

nubusKeycloakBootstrap.ldap.connection.host#

LDAP host.

Default value: ""

nubusKeycloakBootstrap.ldap.connection.port#

LDAP port.

Default value: ""

nubusKeycloakBootstrap.ldap.connection.protocol#

LDAP protocol.

Default value: ""

nubusKeycloakBootstrap.ldap.connection.tls.ca.secretKeyRef.key#

Default value: "ca.crt"

nubusKeycloakBootstrap.ldap.connection.tls.ca.secretKeyRef.name#

Default value: ""

nubusKeycloakBootstrap.ldap.connection.tls.cert.secretKeyRef.key#

Default value: "tls.crt"

nubusKeycloakBootstrap.ldap.connection.tls.cert.secretKeyRef.name#

Default value: ""

nubusKeycloakBootstrap.ldap.connection.tls.enabled#

Enable TLS.

Default value: false

nubusKeycloakBootstrap.ldap.connection.tls.key.secretKeyRef.key#

Default value: "tls.key"

nubusKeycloakBootstrap.ldap.connection.tls.key.secretKeyRef.name#

Default value: ""

nubusKeycloakBootstrap.nameOverride#

Default value: "keycloak-bootstrap"

nubusKeycloakBootstrap.nodeSelector#

Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

nubusKeycloakBootstrap.podAnnotations#

Pod Annotations. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Default value: {}

nubusKeycloakBootstrap.podLabels#

Pod Labels. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Default value: {}

nubusKeycloakBootstrap.podSecurityContext.enabled#

Enable security context.

Default value: false

nubusKeycloakBootstrap.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

nubusKeycloakBootstrap.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusKeycloakBootstrap.resources.limits.cpu#

Default value: 288

nubusKeycloakBootstrap.resources.limits.memory#

Default value: "1Gi"

nubusKeycloakBootstrap.resources.requests.cpu#

Default value: "10m"

nubusKeycloakBootstrap.resources.requests.memory#

Default value: "16Mi"

nubusKeycloakBootstrap.serviceAccount.annotations#

Additional custom annotations for the ServiceAccount.

Default value: {}

nubusKeycloakBootstrap.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use K8s API.

Default value: false

nubusKeycloakBootstrap.serviceAccount.create#

Enable creation of ServiceAccount for pod.

Default value: true

nubusKeycloakBootstrap.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusKeycloakBootstrap.terminationGracePeriodSeconds#

Default value: 5

nubusKeycloakBootstrap.tolerations#

Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

Default value: []

nubusKeycloakBootstrap.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Example:

topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: failure-domain.beta.kubernetes.io/zone
    whenUnsatisfiable: DoNotSchedule

Default value: []

10.2.13. nubusKeycloakExtensions#

nubusKeycloakExtensions.enabled#

Default value: false

nubusKeycloakExtensions.global.keycloak.realm#

Default value: ""

nubusKeycloakExtensions.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusKeycloakExtensions.global.postgresql.connection.host#

Default value: ""

nubusKeycloakExtensions.global.postgresql.connection.port#

Default value: ""

nubusKeycloakExtensions.handler.additionalAnnotations#

Additional custom annotations to add to deployments.

Default value: {}

nubusKeycloakExtensions.handler.affinity#

Default value: {}

nubusKeycloakExtensions.handler.appConfig.autoExpireRuleInMins#

Minutes after which actions such as IP blocks, device blocks, and the reCaptcha prompt expire automatically.

Default value: 1

nubusKeycloakExtensions.handler.appConfig.captchaProtectionEnable#

Whether to enable reCaptcha prompting protection

Default value: "False"

nubusKeycloakExtensions.handler.appConfig.deviceProtectionEnable#

Whether to enable device blocking

Default value: "True"

nubusKeycloakExtensions.handler.appConfig.eventsRetentionPeriod#

Minutes to buffer Keycloak events locally, allowing events to persist beyond what is configured in Keycloak.

Default value: 1

nubusKeycloakExtensions.handler.appConfig.failedAttemptsForCaptchaTrigger#

Number of failed login attempts within the minutes of eventsRetentionPeriod to enforce reCaptcha prompt

Default value: 3

nubusKeycloakExtensions.handler.appConfig.failedAttemptsForDeviceBlock#

Number of failed login attempts within the minutes of eventsRetentionPeriod to trigger a device block. Should be greater than failedAttemptsForCaptchaTrigger if it is enabled

Default value: 5

nubusKeycloakExtensions.handler.appConfig.failedAttemptsForIpBlock#

Number of failed login attempts within the minutes of eventsRetentionPeriod to trigger an IP block. Should be greater than failedAttemptsForDeviceBlock if it is enabled

Default value: 7

nubusKeycloakExtensions.handler.appConfig.ipProtectionEnable#

Whether to enable IP blocking

Default value: "True"
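A pre-deployment check for the handler.appConfig thresholds described above, as an added example that is not part of the Nubus chart or its documentation. It assumes the overrides are passed as a plain dict mirroring nubusKeycloakExtensions.handler.appConfig, that the enable flags are the strings "True"/"False" as in the documented defaults, and that the ordering rule applies between enabled tiers only; all function and variable names are hypothetical.

```python
"""Lint nubusKeycloakExtensions.handler.appConfig overrides before deployment.

Added example, not chart code. DEFAULTS are copied from this reference;
the interpretation that ordering is checked only between enabled tiers
is an assumption.
"""

# Defaults as documented in this reference.
DEFAULTS = {
    "autoExpireRuleInMins": 1,
    "captchaProtectionEnable": "False",
    "deviceProtectionEnable": "True",
    "eventsRetentionPeriod": 1,
    "failedAttemptsForCaptchaTrigger": 3,
    "failedAttemptsForDeviceBlock": 5,
    "failedAttemptsForIpBlock": 7,
    "ipProtectionEnable": "True",
}

# Escalation tiers, lowest first: (enable flag, threshold key).
TIERS = [
    ("captchaProtectionEnable", "failedAttemptsForCaptchaTrigger"),
    ("deviceProtectionEnable", "failedAttemptsForDeviceBlock"),
    ("ipProtectionEnable", "failedAttemptsForIpBlock"),
]


def parse_flag(value):
    """Parse an enable flag; the documented defaults are strings, not booleans."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"expected 'True' or 'False', got {value!r}")
    return text == "true"


def lint_app_config(overrides=None):
    """Return a list of findings; an empty list means the values are consistent."""
    cfg = {**DEFAULTS, **(overrides or {})}
    findings = []

    # Every counter and time window must be a positive integer.
    numeric = ["autoExpireRuleInMins", "eventsRetentionPeriod"]
    numeric += [key for _, key in TIERS]
    invalid = set()
    for key in numeric:
        value = cfg[key]
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            invalid.add(key)
            findings.append(f"{key}={value!r} must be a positive integer")

    # Collect the thresholds of the tiers that are switched on.
    enabled = []
    for flag, key in TIERS:
        try:
            on = parse_flag(cfg[flag])
        except ValueError as exc:
            findings.append(f"{flag}: {exc}")
            continue
        if on and key not in invalid:
            enabled.append(key)

    if not enabled:
        findings.append("no usable protection tier (captcha, device, IP) is enabled")

    # Each enabled tier must trigger strictly later than the enabled tier below it,
    # otherwise the lower tier never gets a chance to act first.
    for lower, higher in zip(enabled, enabled[1:]):
        if cfg[higher] <= cfg[lower]:
            findings.append(
                f"{higher}={cfg[higher]} must be greater than {lower}={cfg[lower]}"
            )
    return findings


if __name__ == "__main__":
    # Constructed override: captcha switched on, device block lowered to 3.
    sample = {"captchaProtectionEnable": "True", "failedAttemptsForDeviceBlock": 3}
    for finding in lint_app_config(sample):
        print("FINDING:", finding)
```
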

nubusKeycloakExtensions.handler.appConfig.logLevel#

Default value: "INFO"

nubusKeycloakExtensions.handler.appConfig.mailFrom#

Email address to send emails from.

Default value: "univention@example.org"

nubusKeycloakExtensions.handler.appConfig.newDeviceLoginNotificationEnable#

Whether to enable email notification to users on New Device Login

Default value: "True"

nubusKeycloakExtensions.handler.appConfig.newDeviceLoginSubject#

Subject for email notification to users on New Device Login

Default value: "New device login"

nubusKeycloakExtensions.handler.customLivenessProbe#

Custom livenessProbe that overrides the default one.

Default value: {}

nubusKeycloakExtensions.handler.customReadinessProbe#

Custom readinessProbe that overrides the default one.

Default value: {}

nubusKeycloakExtensions.handler.customStartupProbe#

Custom startupProbe that overrides the default one.

Default value: {}

nubusKeycloakExtensions.handler.enabled#

Default value: true

nubusKeycloakExtensions.handler.environment#

Default value: {}

nubusKeycloakExtensions.handler.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusKeycloakExtensions.handler.image.registry#

Container registry address.

Default value: "artifacts.software-univention.de"

nubusKeycloakExtensions.handler.image.repository#

Default value: "nubus/images/keycloak-handler"

nubusKeycloakExtensions.handler.image.tag#

Default value: "0.14.0@sha256:ebe761c90f7d2798bdf1daa7805d2fcf849d3699387027b5f861183956aeb76b"

nubusKeycloakExtensions.handler.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusKeycloakExtensions.handler.ingress.enabled#

Set this to true to enable the installation of Ingress-related objects.

Default value: false

nubusKeycloakExtensions.handler.lifecycleHooks#

Lifecycle hooks for the handler container to automate configuration before or after startup.

Default value: {}

nubusKeycloakExtensions.handler.livenessProbe.command#

Default value: "exit 0\n"

nubusKeycloakExtensions.handler.livenessProbe.enabled#

Default value: false

nubusKeycloakExtensions.handler.livenessProbe.failureThreshold#

Default value: 6

nubusKeycloakExtensions.handler.livenessProbe.initialDelaySeconds#

Default value: 30

nubusKeycloakExtensions.handler.livenessProbe.periodSeconds#

Default value: 10

nubusKeycloakExtensions.handler.livenessProbe.successThreshold#

Default value: 1

nubusKeycloakExtensions.handler.livenessProbe.timeoutSeconds#

Default value: 5

nubusKeycloakExtensions.handler.nodeSelector#

Default value: {}

nubusKeycloakExtensions.handler.podAnnotations#

Default value: {}

nubusKeycloakExtensions.handler.podSecurityContext#

Default value: {}

nubusKeycloakExtensions.handler.readinessProbe.command#

Default value: "exit 0\n"

nubusKeycloakExtensions.handler.readinessProbe.enabled#

Default value: false

nubusKeycloakExtensions.handler.readinessProbe.failureThreshold#

Default value: 6

nubusKeycloakExtensions.handler.readinessProbe.initialDelaySeconds#

Default value: 5

nubusKeycloakExtensions.handler.readinessProbe.periodSeconds#

Default value: 10

nubusKeycloakExtensions.handler.readinessProbe.successThreshold#

Default value: 1

nubusKeycloakExtensions.handler.readinessProbe.timeoutSeconds#

Default value: 5

nubusKeycloakExtensions.handler.replicaCount#

Default value: 1

nubusKeycloakExtensions.handler.resources.limits.cpu#

Default value: "4"

nubusKeycloakExtensions.handler.resources.limits.memory#

Default value: "4Gi"

nubusKeycloakExtensions.handler.resources.requests.cpu#

Default value: "250m"

nubusKeycloakExtensions.handler.resources.requests.memory#

Default value: "512Mi"

nubusKeycloakExtensions.handler.securityContext.allowPrivilegeEscalation#

Default value: false

nubusKeycloakExtensions.handler.securityContext.capabilities.drop#

Default value: ["ALL"]

nubusKeycloakExtensions.handler.securityContext.privileged#

Default value: false

nubusKeycloakExtensions.handler.securityContext.readOnlyRootFilesystem#

Default value: true

nubusKeycloakExtensions.handler.securityContext.runAsGroup#

Default value: 1000

nubusKeycloakExtensions.handler.securityContext.runAsNonRoot#

Default value: true

nubusKeycloakExtensions.handler.securityContext.runAsUser#

Default value: 1000

nubusKeycloakExtensions.handler.securityContext.seccompProfile.type#

Default value: "RuntimeDefault"

nubusKeycloakExtensions.handler.service.additionalAnnotations#

Additional custom annotations to add to service.

Default value: {}

nubusKeycloakExtensions.handler.service.enabled#

Default value: false

nubusKeycloakExtensions.handler.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusKeycloakExtensions.handler.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use K8s API.

Default value: false

nubusKeycloakExtensions.handler.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusKeycloakExtensions.handler.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusKeycloakExtensions.handler.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusKeycloakExtensions.handler.startupProbe.command#

Default value: "exit 0\n"

nubusKeycloakExtensions.handler.startupProbe.enabled#

Default value: false

nubusKeycloakExtensions.handler.startupProbe.failureThreshold#

Default value: 15

nubusKeycloakExtensions.handler.startupProbe.initialDelaySeconds#

Default value: 30

nubusKeycloakExtensions.handler.startupProbe.periodSeconds#

Default value: 10

nubusKeycloakExtensions.handler.startupProbe.successThreshold#

Default value: 1

nubusKeycloakExtensions.handler.startupProbe.timeoutSeconds#

Default value: 1

nubusKeycloakExtensions.handler.terminationGracePeriodSeconds#

Time in seconds given to the pod to terminate gracefully. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods

Default value: ""

nubusKeycloakExtensions.handler.tolerations#

Default value: []

nubusKeycloakExtensions.keycloak.auth.existingSecret.keyMapping.adminPassword#

Default value: "admin_password"

nubusKeycloakExtensions.keycloak.auth.existingSecret.name#

Default value: "{{- printf \"%s-keycloak-credentials\" .Release.Name -}}"

nubusKeycloakExtensions.keycloak.auth.masterRealm#

Keycloak master realm.

Default value: "master"

nubusKeycloakExtensions.keycloak.auth.realm#

Keycloak realm.

Default value: ""

nubusKeycloakExtensions.keycloak.auth.username#

Default value: "kcadmin"

nubusKeycloakExtensions.keycloak.connection.host#

Default value: ""

nubusKeycloakExtensions.nameOverride#

Default value: "keycloak-extensions"

nubusKeycloakExtensions.postgresql.auth.database#

Default value: "keycloak_extensions"

nubusKeycloakExtensions.postgresql.auth.existingSecret.keyMapping.password#

Default value: null

nubusKeycloakExtensions.postgresql.auth.existingSecret.name#

Default value: "{{- printf \"%s-keycloak-extensions-postgresql-credentials\" .Release.Name -}}"

nubusKeycloakExtensions.postgresql.auth.username#

Default value: "keycloak_extensions"

nubusKeycloakExtensions.postgresql.connection.customca#

CustomCA certificate

Default value: ""

nubusKeycloakExtensions.postgresql.connection.host#

Default value: ""

nubusKeycloakExtensions.postgresql.connection.pathCA#

Path to CA

Default value: "/etc/ssl/certs/rootca.pem"

nubusKeycloakExtensions.postgresql.connection.port#

Default value: ""

nubusKeycloakExtensions.postgresql.connection.ssl#

PostgreSQL SSL flag

Default value: "false"

nubusKeycloakExtensions.proxy.additionalAnnotations#

Additional custom annotations to add to deployments.

Default value: {}

nubusKeycloakExtensions.proxy.affinity#

Default value: {}

nubusKeycloakExtensions.proxy.appConfig.captcha.captchaSecretKey#

Default value: "some_secret_key"

nubusKeycloakExtensions.proxy.appConfig.captcha.captchaSiteKey#

Default value: "some_site_key"

nubusKeycloakExtensions.proxy.appConfig.captcha.existingSecret.keyMapping.secret_key#

Default value: null

nubusKeycloakExtensions.proxy.appConfig.captcha.existingSecret.keyMapping.site_key#

Default value: null

nubusKeycloakExtensions.proxy.appConfig.captcha.existingSecret.name#

Default value: ""

nubusKeycloakExtensions.proxy.appConfig.logLevel#

Default value: "info"

nubusKeycloakExtensions.proxy.customLivenessProbe#

Custom livenessProbe that overrides the default one.

Default value: {}

nubusKeycloakExtensions.proxy.customReadinessProbe#

Custom readinessProbe that overrides the default one.

Default value: {}

nubusKeycloakExtensions.proxy.customStartupProbe#

Custom startupProbe that overrides the default one.

Default value: {}

nubusKeycloakExtensions.proxy.enabled#

Default value: true

nubusKeycloakExtensions.proxy.environment#

Default value: {}

nubusKeycloakExtensions.proxy.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusKeycloakExtensions.proxy.image.registry#

Container registry address.

Default value: "artifacts.software-univention.de"

nubusKeycloakExtensions.proxy.image.repository#

Default value: "nubus/images/keycloak-proxy"

nubusKeycloakExtensions.proxy.image.tag#

Default value: "0.14.0@sha256:8087338d266e64cc4f416abf8a9546715aae0b2212ddfc38e42bf2c15322ede9"

nubusKeycloakExtensions.proxy.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusKeycloakExtensions.proxy.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size#

Default value: "8k"

nubusKeycloakExtensions.proxy.ingress.annotations.nginx.org/proxy-buffer-size#

Default value: "8k"

nubusKeycloakExtensions.proxy.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

nubusKeycloakExtensions.proxy.ingress.certManager.issuerRef.kind#

Type of Issuer, for example “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

nubusKeycloakExtensions.proxy.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

nubusKeycloakExtensions.proxy.ingress.enabled#

Set this to true to enable the installation of Ingress-related objects.

Default value: true

nubusKeycloakExtensions.proxy.ingress.ingressClassName#

Default value: ""

nubusKeycloakExtensions.proxy.ingress.paths#

Define hostname, for example host: "sso.example.com"

Default value: [{"pathType": "Prefix", "path": "/admin"}, {"pathType": "Prefix", "path": "/realms"}, {"pathType": "Prefix", "path": "/resources"}, {"pathType": "Prefix", "path": "/fingerprintjs"}]

nubusKeycloakExtensions.proxy.ingress.tls.enabled#

Default value: true

nubusKeycloakExtensions.proxy.ingress.tls.secretName#

Default value: ""

nubusKeycloakExtensions.proxy.lifecycleHooks#

Lifecycle hooks for the proxy container to automate configuration before or after startup.

Default value: {}

nubusKeycloakExtensions.proxy.livenessProbe.enabled#

Default value: false

nubusKeycloakExtensions.proxy.livenessProbe.failureThreshold#

Default value: 6

nubusKeycloakExtensions.proxy.livenessProbe.initialDelaySeconds#

Default value: 30

nubusKeycloakExtensions.proxy.livenessProbe.periodSeconds#

Default value: 10

nubusKeycloakExtensions.proxy.livenessProbe.successThreshold#

Default value: 1

nubusKeycloakExtensions.proxy.livenessProbe.timeoutSeconds#

Default value: 5

nubusKeycloakExtensions.proxy.nodeSelector#

Default value: {}

nubusKeycloakExtensions.proxy.podAnnotations#

Default value: {}

nubusKeycloakExtensions.proxy.podSecurityContext#

Default value: {}

nubusKeycloakExtensions.proxy.readinessProbe.enabled#

Default value: false

nubusKeycloakExtensions.proxy.readinessProbe.failureThreshold#

Default value: 6

nubusKeycloakExtensions.proxy.readinessProbe.initialDelaySeconds#

Default value: 5

nubusKeycloakExtensions.proxy.readinessProbe.periodSeconds#

Default value: 10

nubusKeycloakExtensions.proxy.readinessProbe.successThreshold#

Default value: 1

nubusKeycloakExtensions.proxy.readinessProbe.timeoutSeconds#

Default value: 5

nubusKeycloakExtensions.proxy.replicaCount#

Default value: 1

nubusKeycloakExtensions.proxy.resources.limits.cpu#

Default value: "4"

nubusKeycloakExtensions.proxy.resources.limits.memory#

Default value: "4Gi"

nubusKeycloakExtensions.proxy.resources.requests.cpu#

Default value: "250m"

nubusKeycloakExtensions.proxy.resources.requests.memory#

Default value: "512Mi"

nubusKeycloakExtensions.proxy.securityContext.allowPrivilegeEscalation#

Default value: false

nubusKeycloakExtensions.proxy.securityContext.capabilities.drop#

Default value: ["ALL"]

nubusKeycloakExtensions.proxy.securityContext.privileged#

Default value: false

nubusKeycloakExtensions.proxy.securityContext.readOnlyRootFilesystem#

Default value: true

nubusKeycloakExtensions.proxy.securityContext.runAsGroup#

Default value: 1000

nubusKeycloakExtensions.proxy.securityContext.runAsNonRoot#

Default value: true

nubusKeycloakExtensions.proxy.securityContext.runAsUser#

Default value: 1000

nubusKeycloakExtensions.proxy.securityContext.seccompProfile.type#

Default value: "RuntimeDefault"

nubusKeycloakExtensions.proxy.service.additionalAnnotations#

Additional custom annotations to add to service.

Default value: {}

nubusKeycloakExtensions.proxy.service.enabled#

Default value: true

nubusKeycloakExtensions.proxy.service.ports.http.containerPort#

Default value: 8181

nubusKeycloakExtensions.proxy.service.ports.http.port#

Default value: 8181

nubusKeycloakExtensions.proxy.service.ports.http.protocol#

Default value: "TCP"

nubusKeycloakExtensions.proxy.service.sessionAffinity.enabled#

Default value: false

nubusKeycloakExtensions.proxy.service.sessionAffinity.timeoutSeconds#

Default value: 10800

nubusKeycloakExtensions.proxy.service.type#

Default value: "ClusterIP"

nubusKeycloakExtensions.proxy.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusKeycloakExtensions.proxy.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use K8s API.

Default value: false

nubusKeycloakExtensions.proxy.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusKeycloakExtensions.proxy.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusKeycloakExtensions.proxy.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusKeycloakExtensions.proxy.startupProbe.enabled#

Default value: false

nubusKeycloakExtensions.proxy.startupProbe.failureThreshold#

Default value: 15

nubusKeycloakExtensions.proxy.startupProbe.initialDelaySeconds#

Default value: 30

nubusKeycloakExtensions.proxy.startupProbe.periodSeconds#

Default value: 10

nubusKeycloakExtensions.proxy.startupProbe.successThreshold#

Default value: 1

nubusKeycloakExtensions.proxy.startupProbe.timeoutSeconds#

Default value: 1

nubusKeycloakExtensions.proxy.terminationGracePeriodSeconds#

Time in seconds given to the pod to terminate gracefully. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods

Default value: ""

nubusKeycloakExtensions.proxy.tolerations#

Default value: []

nubusKeycloakExtensions.resources.limits.cpu#

Default value: 288

nubusKeycloakExtensions.resources.limits.memory#

Default value: "1Gi"

nubusKeycloakExtensions.resources.requests.cpu#

Default value: "10m"

nubusKeycloakExtensions.resources.requests.memory#

Default value: "16Mi"

nubusKeycloakExtensions.smtp.auth.enabled#

Enable SMTP authentication

Default value: true

nubusKeycloakExtensions.smtp.auth.existingSecret.keyMapping.password#

Default value: null

nubusKeycloakExtensions.smtp.auth.existingSecret.name#

Default value: "{{- printf \"%s-keycloak-extensions-smtp-credentials\" .Release.Name -}}"

nubusKeycloakExtensions.smtp.auth.username#

Default value: "keycloak-extensions"

nubusKeycloakExtensions.smtp.connection.host#

Default value: ""

nubusKeycloakExtensions.smtp.connection.port#

Email SMTP port

Default value: "587"

nubusKeycloakExtensions.smtp.connection.ssl#

Require SSL/TLS encryption for connection.

Default value: false

nubusKeycloakExtensions.smtp.connection.starttls#

Use StartTLS for traffic encryption.

Default value: true

nubusKeycloakExtensions.terminationGracePeriodSeconds#

Default value: 5

10.2.14. nubusLdapNotifier#

nubusLdapNotifier.additionalAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

nubusLdapNotifier.affinity.podAffinity.requiredDuringSchedulingIgnoredDuringExecution#

Default value:

[{"labelSelector": {"matchExpressions": [{"key": "ldap-server-type", "operator": "In", "values": ["primary"]}]}, "topologyKey": "kubernetes.io/hostname"}]

nubusLdapNotifier.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusLdapNotifier.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusLdapNotifier.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusLdapNotifier.containerSecurityContext.privileged#

Default value: false

nubusLdapNotifier.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusLdapNotifier.containerSecurityContext.runAsGroup#

Process group id.

Default value: 102

nubusLdapNotifier.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusLdapNotifier.containerSecurityContext.runAsUser#

Process user id.

Default value: 101

nubusLdapNotifier.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusLdapNotifier.enabled#

Default value: true

nubusLdapNotifier.environment#

Default value: {}

nubusLdapNotifier.extraInitContainers#

Define extra init containers. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

Default value: []

nubusLdapNotifier.fullnameOverride#

Default value: ""

nubusLdapNotifier.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusLdapNotifier.global.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example: imagePullSecrets: ["docker-registry"]

Default value: []

nubusLdapNotifier.global.imageRegistry#

Container registry address.

Default value:

"artifacts.software-univention.de"

nubusLdapNotifier.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusLdapNotifier.image.pullPolicy#

Default value: "IfNotPresent"

nubusLdapNotifier.image.pullSecrets#

Default value: []

nubusLdapNotifier.image.registry#

Default value: ""

nubusLdapNotifier.image.repository#

Default value: "nubus/images/ldap-notifier"

nubusLdapNotifier.image.tag#

Default value:

"0.29.1@sha256:c06923e8d9190a83d94b2f3e429d8ae812f09fbb9f89b5689d3e221ccbbcd1ab"

nubusLdapNotifier.ldapNotifier.environment#

TODO: Clarify usage of this parameter

Default value: "production"

nubusLdapNotifier.ldapNotifier.ldapServerGid#

Default value: "102"

nubusLdapNotifier.ldapNotifier.ldapServerUid#

Default value: "101"

nubusLdapNotifier.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusLdapNotifier.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusLdapNotifier.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusLdapNotifier.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusLdapNotifier.livenessProbe.tcpSocket.port#

Default value: 6669

nubusLdapNotifier.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusLdapNotifier.nameOverride#

Default value: "ldap-notifier"

nubusLdapNotifier.nodeSelector#

Default value: {}

nubusLdapNotifier.podAnnotations#

Default value: {}

nubusLdapNotifier.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusLdapNotifier.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 102

nubusLdapNotifier.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusLdapNotifier.readinessProbe.failureThreshold#

Number of failed executions until container is considered not ready.

Default value: 10

nubusLdapNotifier.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusLdapNotifier.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusLdapNotifier.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusLdapNotifier.readinessProbe.tcpSocket.port#

Default value: 6669

nubusLdapNotifier.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusLdapNotifier.replicaCount#

Default value: 1

nubusLdapNotifier.resources#

Deployment resources.

Default value: null

nubusLdapNotifier.resources.limits.cpu#

Default value: 288

nubusLdapNotifier.resources.limits.memory#

Default value: "1Gi"

nubusLdapNotifier.resources.requests.cpu#

Default value: "10m"

nubusLdapNotifier.resources.requests.memory#

Default value: "16Mi"

nubusLdapNotifier.service.annotations#

Additional custom annotations.

Default value: {}

nubusLdapNotifier.service.ports.notifier.containerPort#

Internal port.

Default value: 6669

nubusLdapNotifier.service.ports.notifier.port#

Accessible port.

Default value: 6669

nubusLdapNotifier.service.ports.notifier.protocol#

Service protocol.

Default value: "TCP"

nubusLdapNotifier.service.type#

Choose the kind of Service, one of “ClusterIP”, “NodePort” or “LoadBalancer”.

Default value: "ClusterIP"

nubusLdapNotifier.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusLdapNotifier.serviceAccount.automountServiceAccountToken#

Allows auto mount of the ServiceAccountToken on the created service account. Can be set to false if pods using this service account do not need to use the Kubernetes API.

Default value: false

nubusLdapNotifier.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusLdapNotifier.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusLdapNotifier.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusLdapNotifier.startupProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusLdapNotifier.startupProbe.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusLdapNotifier.startupProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusLdapNotifier.startupProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusLdapNotifier.startupProbe.tcpSocket.port#

Default value: 6669

nubusLdapNotifier.startupProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusLdapNotifier.terminationGracePeriodSeconds#

Default value: 5

nubusLdapNotifier.tolerations#

Default value: []

nubusLdapNotifier.volumes.claims#

Mapping of volumes to the volume claim names to use. Those have to match the volumes of the “ldap-server”. Default: claims: {shared-data: "shared-data-ldap-server-0", shared-run: "shared-run-ldap-server-0"}

Default value: null

10.2.15. nubusLdapServer#

nubusLdapServer.additionalAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

nubusLdapServer.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusLdapServer.affinityPrimary.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution#

Default value:

[{"weight": 100, "podAffinityTerm": {"labelSelector": {"matchExpressions": [{"key": "ldap-server-type", "operator": "In", "values": ["primary"]}]}, "topologyKey": "kubernetes.io/hostname"}}]

nubusLdapServer.affinityProxy.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution#

Default value:

[{"weight": 100, "podAffinityTerm": {"labelSelector": {"matchExpressions": [{"key": "ldap-server-type", "operator": "In", "values": ["proxy"]}]}, "topologyKey": "kubernetes.io/hostname"}}]

nubusLdapServer.affinitySecondary.podAntiAffinity.preferredDuringSchedulingIgnoredDuringExecution#

Default value:

[{"weight": 100, "podAffinityTerm": {"labelSelector": {"matchExpressions": [{"key": "ldap-server-type", "operator": "In", "values": ["secondary"]}]}, "topologyKey": "kubernetes.io/hostname"}}]

nubusLdapServer.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusLdapServer.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusLdapServer.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusLdapServer.containerSecurityContext.privileged#

Default value: false

nubusLdapServer.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusLdapServer.containerSecurityContext.runAsGroup#

Process group id.

Default value: 102

nubusLdapServer.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusLdapServer.containerSecurityContext.runAsUser#

Process user id.

Default value: 101

nubusLdapServer.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusLdapServer.dhInitContainer.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusLdapServer.dhInitContainer.image.registry#

Default value: "docker.io"

nubusLdapServer.dhInitContainer.image.repository#

Default value: "alpine/openssl"

nubusLdapServer.dhInitContainer.image.tag#

Default value:

"3.1.4@sha256:974b4593b02447256622dce7b930b98764441dab39c5ca729381aa35332d6778"

nubusLdapServer.enabled#

Default value: true

nubusLdapServer.extensions#

Extensions to load. This will override the configuration in global.extensions.

Default value: []

nubusLdapServer.extraEnvVars#

Array with extra environment variables to add to containers. Example: extraEnvVars: [{name: FOO, value: "bar"}]

Default value: []

nubusLdapServer.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusLdapServer.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusLdapServer.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusLdapServer.fullnameOverride#

Provide a name to substitute for the full names of resources.

Default value: ""

nubusLdapServer.global.configMapUcr#

ConfigMap name to read UCR values from.

Default value: null

nubusLdapServer.global.extensions#

Configures extensions globally.

Default value: []

nubusLdapServer.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusLdapServer.global.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example: imagePullSecrets: ["docker-registry"]

Default value: []

nubusLdapServer.global.imageRegistry#

Container registry address.

Default value:

"artifacts.software-univention.de"

nubusLdapServer.global.ldap.baseDn#

Default value: ""

nubusLdapServer.global.ldap.domainName#

Default value: ""

nubusLdapServer.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusLdapServer.global.systemExtensions#

Configures system extensions globally.

Default value: []

nubusLdapServer.highAvailabilityMode#

Default value: false

nubusLdapServer.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example: imagePullSecrets: ["docker-registry"]

Default value: []

nubusLdapServer.initResources#

Configure resource requests and limits for initContainers

Default value: {}

nubusLdapServer.ldapServer.config.domainName#

Internal domain name of the UCS machine. Example: domainName: "univention-organization.intranet"

Default value: ""

nubusLdapServer.ldapServer.config.ldapBaseDn#

Base DN of the LDAP directory. Example: ldapBaseDn: "dc=univention-organization,dc=intranet"

Default value: ""

nubusLdapServer.ldapServer.config.logLevel#

Log level for slapd. Pass a comma-separated list of values from the OpenLDAP docs (https://openldap.org/doc/admin24/runningslapd.html#Command-Line%20Options). Example: “conns,stats”.

Default value: "stats"

nubusLdapServer.ldapServer.config.samlMetadataUrl#

URL of the IdP that contains the SAML metadata. Example: samlMetadataUrl: "http://myportal.local:8097/realms/ucs/protocol/saml/descriptor"

Default value: ""

nubusLdapServer.ldapServer.config.samlMetadataUrlInternal#

Internal URL of the IdP to download SAML metadata from, in the case that saml_metadata_url is not visible to the container. Example: samlMetadataUrlInternal: "http://keycloak.myportal.local/realms/ucs/protocol/saml/descriptor"

Default value: ""

nubusLdapServer.ldapServer.config.samlServiceProviders#

A comma-separated list of SAML2 Service Provider URLs (must be defined). Example: samlServiceProviders: "http://myportal.local:8000/univention/saml/metadata,http://myportal.local:8000/auth/realms/ucs"

Default value: ""

nubusLdapServer.ldapServer.credentialSecret#

Optional reference to a different secret containing credentials. Example: credentialSecret: {name: "custom-credentials", adminPasswordKey: "adminPassword"}

Default value: {}

nubusLdapServer.ldapServer.generateDHparam#

Enable to generate DH parameters on startup

Default value: true

nubusLdapServer.ldapServer.image.imagePullPolicy#

Image pull policy. This setting has higher precedence than global.imagePullPolicy.

Default value: "IfNotPresent"

nubusLdapServer.ldapServer.image.registry#

Container registry address. This setting has higher precedence than global.registry.

Default value: ""

nubusLdapServer.ldapServer.image.repository#

Default value: "nubus/images/ldap-server"

nubusLdapServer.ldapServer.image.tag#

Default value:

"0.29.1@sha256:0d3f136572849311490d2b616fa948bb6c97a6df9517fcc3770264ed8ee5c8e6"

nubusLdapServer.ldapServer.leaderElector.image.pullPolicy#

Image pull policy. This setting has higher precedence than global.imagePullPolicy.

Default value: "IfNotPresent"

nubusLdapServer.ldapServer.leaderElector.image.registry#

Container registry address. This setting has higher precedence than global.registry.

Default value: ""

nubusLdapServer.ldapServer.leaderElector.image.repository#

Default value:

"nubus/images/ldap-server-elector"

nubusLdapServer.ldapServer.leaderElector.image.tag#

Default value:

"0.29.1@sha256:3c6213b745a4dab642acf9b170a4f4db7dfa94c71262723fe563c447145af198"

nubusLdapServer.ldapServer.leaderElector.leaseDurationSeconds#

Default value: 15

nubusLdapServer.ldapServer.leaderElector.leaseName#

Default value: "ldap-primary-leader"

nubusLdapServer.ldapServer.leaderElector.renewDeadlineSeconds#

Default value: 10

nubusLdapServer.ldapServer.leaderElector.retryPeriodSeconds#

Default value: 5

nubusLdapServer.ldapServer.legacy.shareSamlSize#

Default value: "100Mi"

nubusLdapServer.ldapServer.legacy.sharedRunSize#

Default value: "1Gi"

nubusLdapServer.ldapServer.tls.caCertificateFile#

Path to the CA certificate file (TLSCACertPath (slapd), CA_CERT_FILE (entrypoint)).

Default value: "/certificates/ca.crt"

nubusLdapServer.ldapServer.tls.certificateFile#

Path to the server's certificate file.

Default value: "/certificates/tls.crt"

nubusLdapServer.ldapServer.tls.certificateKeyFile#

Path to the server's private-key file.

Default value: "/certificates/tls.key"

nubusLdapServer.ldapServer.tls.enabled#

Default value: false

nubusLdapServer.ldifProducer.config.backpressureWaitTimeout#

Default value: 5

nubusLdapServer.ldifProducer.config.ldapThreads#

Number of socketserver worker threads; should be roughly equal to the number of LDAP threads.

Default value: 5

nubusLdapServer.ldifProducer.config.logLevel#

Log level for the ldif-producer. Valid values are: ERROR, WARNING, INFO, DEBUG.

Default value: "INFO"

nubusLdapServer.ldifProducer.config.maxInFlightLdapMessages#

Default value: 10

nubusLdapServer.ldifProducer.enabled#

Default value: false

nubusLdapServer.ldifProducer.image.imagePullPolicy#

Image pull policy. This setting has higher precedence than global.imagePullPolicy.

Default value: "IfNotPresent"

nubusLdapServer.ldifProducer.image.registry#

Container registry address. This setting has higher precedence than global.registry.

Default value: ""

nubusLdapServer.ldifProducer.image.repository#

Default value: "nubus/images/ldif-producer"

nubusLdapServer.ldifProducer.image.tag#

Default value:

"0.29.1@sha256:e0b63736b2e4dffea2fdabc23c200ecb304e27fe4ba7987eae3223321f7d392a"

nubusLdapServer.ldifProducer.nats.auth.credentialSecretName#

Default value: ""

nubusLdapServer.ldifProducer.nats.connection.host#

Default value: ""

nubusLdapServer.ldifProducer.nats.connection.port#

Default value: ""

nubusLdapServer.ldifProducer.nats.natsMaxReconnectAttempts#

Default value: 2

nubusLdapServer.lifecycleHooks#

Lifecycle to automate configuration before or after startup.

Default value: {}

nubusLdapServer.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusLdapServer.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusLdapServer.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusLdapServer.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusLdapServer.livenessProbe.tcpSocket.port#

Default value: 389

nubusLdapServer.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusLdapServer.nameOverride#

Default value: "ldap-server"

nubusLdapServer.nodeSelector#

Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

nubusLdapServer.persistence.accessModes#

The volume access modes, some of “ReadWriteOnce”, “ReadOnlyMany”, “ReadWriteMany”, “ReadWriteOncePod”.

“ReadWriteOnce” => The volume can be mounted as read-write by a single node. ReadWriteOnce access mode still can allow multiple pods to access the volume when the pods are running on the same node.

“ReadOnlyMany” => The volume can be mounted as read-only by many nodes.

“ReadWriteMany” => The volume can be mounted as read-write by many nodes.

“ReadWriteOncePod” => The volume can be mounted as read-write by a single Pod. Use ReadWriteOncePod access mode if you want to ensure that only one pod across the whole cluster can read that PVC or write to it.

Default value: ["ReadWriteOnce"]

nubusLdapServer.persistence.annotations#

Annotations for the PVC.

Default value: {}

nubusLdapServer.persistence.dataSource#

Custom PVC data source.

Default value: {}

nubusLdapServer.persistence.enabled#

Enable data persistence (true) or use temporary storage (false).

Default value: true

nubusLdapServer.persistence.existingClaim#

Use an already existing claim.

Default value: ""

nubusLdapServer.persistence.labels#

Labels for the PVC.

Default value: {}

nubusLdapServer.persistence.selector#

Selector to match an existing Persistent Volume (this value is evaluated as a template). Example: selector: {matchLabels: {app: my-app}}

Default value: {}

nubusLdapServer.persistence.size#

The volume size with unit.

Default value: "10Gi"

nubusLdapServer.persistence.storageClass#

The (storage) class of PV.

Default value: ""

nubusLdapServer.podAnnotationsPrimary#

Pod Annotations. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Default value: {}

nubusLdapServer.podAnnotationsProxy#

Default value: {}

nubusLdapServer.podAnnotationsSecondary#

Default value: {}

nubusLdapServer.podLabels#

Pod Labels. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Default value: {}

nubusLdapServer.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusLdapServer.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 102

nubusLdapServer.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusLdapServer.podSecurityContext.sysctls#

Allow binding to ports below 1024 without root access.

Default value:

[{"name": "net.ipv4.ip_unprivileged_port_start", "value": "1"}]

nubusLdapServer.rbac.create#

Default value: true

nubusLdapServer.readinessProbe.failureThreshold#

Number of failed executions until container is considered not ready.

Default value: 10

nubusLdapServer.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusLdapServer.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusLdapServer.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusLdapServer.readinessProbe.tcpSocket.port#

Default value: 389

nubusLdapServer.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusLdapServer.readinessProbePrimary.exec.command#

Default value:

["/bin/sh", "-c", "ldapsearch -H ldapi:/// -Y EXTERNAL -b \"cn=config\" -LLL \"(&(objectClass=mdb))\" dn"]

nubusLdapServer.readinessProbePrimary.failureThreshold#

Number of failed executions until container is considered not ready.

Default value: 1

nubusLdapServer.readinessProbePrimary.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusLdapServer.readinessProbePrimary.periodSeconds#

Time between probe executions.

Default value: 20

nubusLdapServer.readinessProbePrimary.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusLdapServer.readinessProbePrimary.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusLdapServer.replicaCountPrimary#

Default value: 1

nubusLdapServer.replicaCountProxy#

Default value: 1

nubusLdapServer.replicaCountSecondary#

Default value: 1

nubusLdapServer.resources#

Default value: {}

nubusLdapServer.resourcesPrimary#

Configure resource requests and limits. Ref: https://kubernetes.io/docs/user-guide/compute-resources/

Default value: null

nubusLdapServer.resourcesPrimary.limits.cpu#

Default value: 288

nubusLdapServer.resourcesPrimary.limits.memory#

Default value: "1Gi"

nubusLdapServer.resourcesPrimary.requests.cpu#

Default value: "10m"

nubusLdapServer.resourcesPrimary.requests.memory#

Default value: "16Mi"

nubusLdapServer.resourcesProxy#

Default value: null

nubusLdapServer.resourcesProxy.limits.cpu#

Default value: 288

nubusLdapServer.resourcesProxy.limits.memory#

Default value: "1Gi"

nubusLdapServer.resourcesProxy.requests.cpu#

Default value: "10m"

nubusLdapServer.resourcesProxy.requests.memory#

Default value: "16Mi"

nubusLdapServer.resourcesSecondary#

Default value: null

nubusLdapServer.resourcesSecondary.limits.cpu#

Default value: 288

nubusLdapServer.resourcesSecondary.limits.memory#

Default value: "1Gi"

nubusLdapServer.resourcesSecondary.requests.cpu#

Default value: "10m"

nubusLdapServer.resourcesSecondary.requests.memory#

Default value: "16Mi"

nubusLdapServer.service.annotations#

Additional custom annotations.

Default value: {}

nubusLdapServer.service.ports.ldap.containerPort#

Internal port.

Default value: 389

nubusLdapServer.service.ports.ldap.port#

Accessible port.

Default value: 389

nubusLdapServer.service.ports.ldap.protocol#

Service protocol.

Default value: "TCP"

nubusLdapServer.service.ports.ldaps.containerPort#

Internal port.

Default value: 636

nubusLdapServer.service.ports.ldaps.port#

Accessible port.

Default value: 636

nubusLdapServer.service.ports.ldaps.protocol#

Service protocol.

Default value: "TCP"

nubusLdapServer.service.type#

Choose the kind of Service, one of “ClusterIP”, “NodePort” or “LoadBalancer”.

Default value: "ClusterIP"

nubusLdapServer.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusLdapServer.serviceAccount.automountServiceAccountToken#

Allows auto mount of the ServiceAccountToken on the created service account. Can be set to false if pods using this service account do not need to use the Kubernetes API.

Default value: true

nubusLdapServer.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusLdapServer.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusLdapServer.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusLdapServer.startupProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusLdapServer.startupProbe.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusLdapServer.startupProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusLdapServer.startupProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusLdapServer.startupProbe.tcpSocket.port#

Default value: 389

nubusLdapServer.startupProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusLdapServer.systemExtensions#

Configures the system extensions to load. This is intended for internal usage; prefer extensions for user-configured extensions. This value overrides the configuration in global.systemExtensions.

Default value: []

nubusLdapServer.terminationGracePeriodSeconds#

Time in seconds given to the pod to terminate gracefully. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods

Default value: 20

nubusLdapServer.tolerations#

Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

Default value: []

nubusLdapServer.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Example: topologySpreadConstraints: [{maxSkew: 1, topologyKey: failure-domain.beta.kubernetes.io/zone, whenUnsatisfiable: DoNotSchedule}]

Default value: []

nubusLdapServer.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.

Default value: "RollingUpdate"

nubusLdapServer.waitForDependency.enabled#

Default value: true

nubusLdapServer.waitForDependency.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusLdapServer.waitForDependency.image.registry#

Default value: ""

nubusLdapServer.waitForDependency.image.repository#

Default value:

"nubus/images/wait-for-dependency"

nubusLdapServer.waitForDependency.image.tag#

Default value:

"0.26.0@sha256:a31fde86bf21c597a31356fe492ab7e7a03a89282ca215eb7100763d6eb96b6b"

10.2.16. nubusNotificationsApi#

nubusNotificationsApi.additionalAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

nubusNotificationsApi.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusNotificationsApi.affinity#

Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.

Default value: {}

nubusNotificationsApi.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusNotificationsApi.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusNotificationsApi.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusNotificationsApi.containerSecurityContext.privileged#

Default value: false

nubusNotificationsApi.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusNotificationsApi.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusNotificationsApi.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusNotificationsApi.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusNotificationsApi.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusNotificationsApi.enabled#

Default value: true

nubusNotificationsApi.extraEnvVars#

Array with extra environment variables to add to containers. Example: extraEnvVars: [{name: FOO, value: "bar"}]

Default value: []

nubusNotificationsApi.extraIngresses#

Extra ingress configuration

Default value: []

nubusNotificationsApi.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusNotificationsApi.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusNotificationsApi.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusNotificationsApi.fullnameOverride#

Provide a name to substitute for the full names of resources.

Default value: ""

nubusNotificationsApi.global.configMapUcr#

Default value: "stack-data-ums-ucr"

nubusNotificationsApi.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusNotificationsApi.global.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusNotificationsApi.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusNotificationsApi.global.postgresql.connection.host#

Default value: ""

nubusNotificationsApi.global.postgresql.connection.port#

Default value: 5432

nubusNotificationsApi.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusNotificationsApi.image.registry#

Default value:

"artifacts.software-univention.de"

nubusNotificationsApi.image.repository#

Default value:

"nubus/images/notifications-api"

nubusNotificationsApi.image.tag#

Default value:

"0.48.3@sha256:7d4e8e0a6fb6be2b3f1e5f0db49375d7a0a5820fc7517b685b2109dac00ea823"

nubusNotificationsApi.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusNotificationsApi.ingress.annotations.nginx.ingress.kubernetes.io/rewrite-target#

Default value: "/$2$3"

nubusNotificationsApi.ingress.annotations.nginx.ingress.kubernetes.io/use-regex#

Default value: "true"

nubusNotificationsApi.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

nubusNotificationsApi.ingress.certManager.issuerRef.kind#

Type of Issuer, e.g. “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

nubusNotificationsApi.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

nubusNotificationsApi.ingress.enabled#

Enable creation of Ingress.

Default value: true

nubusNotificationsApi.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusNotificationsApi.ingress.ingressClassName#

The Ingress controller class name.

Default value: ""

nubusNotificationsApi.ingress.paths#

Define the Ingress paths.

Default value:

[{"path": "/(univention/portal/notifications-api/)(.*)$", "pathType": "ImplementationSpecific"}]

nubusNotificationsApi.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

nubusNotificationsApi.ingress.tls.secretName#

The name of the Kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

nubusNotificationsApi.lifecycleHooks#

Lifecycle to automate configuration before or after startup.

Default value: {}

nubusNotificationsApi.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusNotificationsApi.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusNotificationsApi.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusNotificationsApi.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusNotificationsApi.livenessProbe.tcpSocket.port#

The port to connect to the container.

Default value: 8080

nubusNotificationsApi.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusNotificationsApi.nameOverride#

Default value: "notifications-api"

nubusNotificationsApi.nodeSelector#

Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

nubusNotificationsApi.notificationsApi.apiPrefix#

The URL prefix under which the API shall be deployed.

Default value:

"/univention/portal/notifications-api/"

nubusNotificationsApi.notificationsApi.applyDatabaseMigrations#

Apply database migrations automatically

Default value: "True"

nubusNotificationsApi.notificationsApi.devMode#

Activate the development mode. Do not use this in production deployments.

Default value: "False"

nubusNotificationsApi.notificationsApi.environment#

TODO: Clarify usage of this parameter

Default value: "production"

nubusNotificationsApi.notificationsApi.logLevel#

Default value: "INFO"

nubusNotificationsApi.notificationsApi.sqlEcho#

SQL command logging, e.g. “True” or “False”

Default value: "False"

nubusNotificationsApi.persistence.accessModes#

The volume access modes, some of “ReadWriteOnce”, “ReadOnlyMany”, “ReadWriteMany”, “ReadWriteOncePod”.

“ReadWriteOnce” => The volume can be mounted as read-write by a single node. ReadWriteOnce access mode still can allow multiple pods to access the volume when the pods are running on the same node.

“ReadOnlyMany” => The volume can be mounted as read-only by many nodes.

“ReadWriteMany” => The volume can be mounted as read-write by many nodes.

“ReadWriteOncePod” => The volume can be mounted as read-write by a single Pod. Use ReadWriteOncePod access mode if you want to ensure that only one pod across the whole cluster can read that PVC or write to it.

Default value: ["ReadWriteOnce"]

nubusNotificationsApi.persistence.annotations#

Annotations for the PVC.

Default value: {}

nubusNotificationsApi.persistence.dataSource#

Custom PVC data source.

Default value: {}

nubusNotificationsApi.persistence.enabled#

Enable data persistence (true) or use temporary storage (false).

Default value: true

nubusNotificationsApi.persistence.existingClaim#

Use an already existing claim.

Default value: ""

nubusNotificationsApi.persistence.labels#

Labels for the PVC.

Default value: {}

nubusNotificationsApi.persistence.selector#

Selector to match an existing Persistent Volume (this value is evaluated as a template). Example:

    selector:
      matchLabels:
        app: my-app

Default value: {}

nubusNotificationsApi.persistence.size#

The volume size with unit.

Default value: "10Gi"

nubusNotificationsApi.persistence.storageClass#

The (storage) class of PV.

Default value: ""

nubusNotificationsApi.podAnnotations#

Pod Annotations. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Default value: {}

nubusNotificationsApi.podLabels#

Pod Labels. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Default value: {}

nubusNotificationsApi.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusNotificationsApi.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

nubusNotificationsApi.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusNotificationsApi.podSecurityContext.sysctls#

Configure sysctls for the pod. Example:

    sysctls:
      - name: "net.ipv4.ip_unprivileged_port_start"
        value: "1"

Default value: []

nubusNotificationsApi.postgresql.auth.database#

Default value: "notificationsapi"

nubusNotificationsApi.postgresql.auth.existingSecret.name#

Default value:

"{{ .Release.Name }}-notifications-api-postgresql-credentials"

nubusNotificationsApi.postgresql.auth.password#

PostgreSQL user password. (not yet supported)

Default value: ""

nubusNotificationsApi.postgresql.auth.username#

Default value: "notificationsapi_user"

nubusNotificationsApi.postgresql.bundled#

Default value: false

nubusNotificationsApi.postgresql.connection.host#

Default value: ""

nubusNotificationsApi.postgresql.connection.port#

Default value: ""

nubusNotificationsApi.readinessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusNotificationsApi.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusNotificationsApi.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusNotificationsApi.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusNotificationsApi.readinessProbe.tcpSocket.port#

Default value: 8080

nubusNotificationsApi.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusNotificationsApi.replicaCount#

Set the number of replicas of the deployment.

Default value: 1

nubusNotificationsApi.resources#

Configure resource requests and limits. Ref: https://kubernetes.io/docs/user-guide/compute-resources/

Default value: {}

nubusNotificationsApi.resources.limits.cpu#

Default value: 288

nubusNotificationsApi.resources.limits.memory#

Default value: "1Gi"

nubusNotificationsApi.resources.requests.cpu#

Default value: "10m"

nubusNotificationsApi.resources.requests.memory#

Default value: "16Mi"

nubusNotificationsApi.service.annotations#

Additional custom annotations.

Default value: {}

nubusNotificationsApi.service.ports.http.containerPort#

Internal port.

Default value: 8080

nubusNotificationsApi.service.ports.http.port#

Accessible port.

Default value: 80

nubusNotificationsApi.service.ports.http.protocol#

Service protocol.

Default value: "TCP"

nubusNotificationsApi.service.type#

Choose the kind of Service, one of “ClusterIP”, “NodePort” or “LoadBalancer”.

Default value: "ClusterIP"

nubusNotificationsApi.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusNotificationsApi.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use the K8s API.

Default value: false

nubusNotificationsApi.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusNotificationsApi.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusNotificationsApi.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusNotificationsApi.startupProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusNotificationsApi.startupProbe.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusNotificationsApi.startupProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusNotificationsApi.startupProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusNotificationsApi.startupProbe.tcpSocket.port#

The port to connect to the container.

Default value: 8080

nubusNotificationsApi.startupProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusNotificationsApi.terminationGracePeriodSeconds#

Default value: 5

nubusNotificationsApi.tolerations#

Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

Default value: []

nubusNotificationsApi.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Example:

    topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: failure-domain.beta.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule

Default value: []

nubusNotificationsApi.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.

Default value: "RollingUpdate"

10.2.17. nubusPortalConsumer#

nubusPortalConsumer.affinity#

Default value: {}

nubusPortalConsumer.autoscaling.enabled#

Default value: false

nubusPortalConsumer.enabled#

Default value: true

nubusPortalConsumer.environment#

Default value: {}

nubusPortalConsumer.extraEnvVars#

Array with extra environment variables to add to containers.

Default value: []

nubusPortalConsumer.extraSecrets#

Default value: []

nubusPortalConsumer.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusPortalConsumer.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusPortalConsumer.fullnameOverride#

Default value: ""

nubusPortalConsumer.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusPortalConsumer.global.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusPortalConsumer.global.imageRegistry#

Container registry address.

Default value:

"artifacts.software-univention.de"

nubusPortalConsumer.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusPortalConsumer.ldap.credentialSecret.machinePasswordKey#

Default value: "machine.secret"

nubusPortalConsumer.ldap.credentialSecret.name#

Default value: ""

nubusPortalConsumer.ldap.tlsSecret.caCertKey#

Default value: "ca.crt"

nubusPortalConsumer.ldap.tlsSecret.certificateKey#

Default value: "tls.crt"

nubusPortalConsumer.ldap.tlsSecret.name#

Default value: ""

nubusPortalConsumer.ldap.tlsSecret.privateKeyKey#

Default value: "tls.key"

nubusPortalConsumer.mountSecrets#

Default value: true

nubusPortalConsumer.nameOverride#

Default value: "portal-consumer"

nubusPortalConsumer.nodeSelector#

Default value: {}

nubusPortalConsumer.objectStorage.auth.accessKey#

Default value: null

nubusPortalConsumer.objectStorage.auth.secretKey#

Default value: null

nubusPortalConsumer.persistence.groupMembershipCache.size#

Default value: "100Mi"

nubusPortalConsumer.persistence.groupMembershipCache.storageClass#

Default value: ""

nubusPortalConsumer.podAnnotations#

Default value: {}

nubusPortalConsumer.podSecurityContext#

Default value: {}

nubusPortalConsumer.portalConsumer.adminGroup#

Define LDAP Admin Group. Example: “cn=Domain Admins,cn=groups,dc=example,dc=com”

Default value: null

nubusPortalConsumer.portalConsumer.assetsRootPath#

Where to store the assets inside the object storage bucket, e.g. portal entry icons

Default value: "portal-assets"

nubusPortalConsumer.portalConsumer.authMode#

Define the authentication mode for the portal. Use “ucs” or “saml”. Chart default is “ucs”. In a Nubus deployment the default is “saml”.

Default value: ""

nubusPortalConsumer.portalConsumer.caCert#

CA root certificate, base64-encoded. Optional; will be written to “caCertFile” if set.

Default value: ""

nubusPortalConsumer.portalConsumer.caCertFile#

The path to the “caCertFile” docker secret or a plain file.

Default value: "/var/secrets/ca_cert"

nubusPortalConsumer.portalConsumer.certPem#

Default value: ""

nubusPortalConsumer.portalConsumer.domainName#

Internal domain name of the UCS machine

Default value: "univention.intranet"

nubusPortalConsumer.portalConsumer.editable#

Defines if members of the Admin group can use the edit mode in the portal.

Default value: "true"

nubusPortalConsumer.portalConsumer.environment#

TODO: Clarify usage of this parameter

Default value: "production"

nubusPortalConsumer.portalConsumer.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusPortalConsumer.portalConsumer.image.registry#

Default value: ""

nubusPortalConsumer.portalConsumer.image.repository#

Default value: "nubus/images/portal-consumer"

nubusPortalConsumer.portalConsumer.image.tag#

Default value:

"0.48.3@sha256:329ad2fbfdba2fb3cb0b170158f9fdff8786c0f1e24537d16a197432e0d0f2d0"

nubusPortalConsumer.portalConsumer.ldapBaseDn#

Base DN of the LDAP directory

Default value: null

nubusPortalConsumer.portalConsumer.ldapHost#

Default value:

"{{ .Release.Name }}-ldap-server-primary"

nubusPortalConsumer.portalConsumer.ldapHostDn#

DN of the UCS machine

Default value: null

nubusPortalConsumer.portalConsumer.ldapPort#

Port to connect to the LDAP server.

Default value: ""

nubusPortalConsumer.portalConsumer.logLevel#

Default value: "INFO"

nubusPortalConsumer.portalConsumer.machineSecret#

LDAP password for ldapHostDn. Will be written to “machineSecretFile” if set.

Default value: null

nubusPortalConsumer.portalConsumer.machineSecretFile#

The path to the “machineSecretFile” docker secret or a plain file

Default value: "/var/secrets/machine_secret"

nubusPortalConsumer.portalConsumer.objectStorageAccessKeyId#

User for the object storage. Chart default is “ums_user”.

Default value: ""

nubusPortalConsumer.portalConsumer.objectStorageBucket#

Default value: "nubus"

nubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.accessKeyKey#

Default value: "accessKey"

nubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.name#

Default value: ""

nubusPortalConsumer.portalConsumer.objectStorageCredentialSecret.secretKeyKey#

Default value: "secretKey"

nubusPortalConsumer.portalConsumer.objectStorageEndpoint#

Object storage endpoint. Nubus chart default is “http://$RELEASE_NAME.ums-minio:9000”.

Default value: ""

nubusPortalConsumer.portalConsumer.objectStorageSecretAccessKey#

Password for access to object storage. Chart default is “stub_password”.

Default value: ""

nubusPortalConsumer.portalConsumer.port#

Default value: "80"

nubusPortalConsumer.portalConsumer.portalDefaultDn#

DN of the default portal

Default value: null

nubusPortalConsumer.portalConsumer.secretMountPath#

Path to mount the secrets to.

Default value: "/var/secrets"

nubusPortalConsumer.portalConsumer.tlsMode#

Whether to start encryption and validate certificates. Choose from “off”, “unvalidated” and “secure”. Chart default is “off”.

Default value: "off"

nubusPortalConsumer.portalConsumer.ucsInternalPath#

Define the UCS internal endpoint where the portal, selfservice and groups are defined. Example: “https://portal.example.com/univention/internal”

Default value: "portal-data"

nubusPortalConsumer.portalConsumer.udmApiSecretFile#

UDM API password file. Default: same as machineSecretFile.

Default value: "/var/secrets/machine_secret"

nubusPortalConsumer.portalConsumer.udmApiUrl#

UDM API connection URL

Default value: null

nubusPortalConsumer.portalConsumer.udmApiUsername#

UDM API username.

Default value: "cn=admin"

nubusPortalConsumer.portalConsumer.umcGetUrl#

Define UMC get endpoint. Example: “https://portal.example.com/univention/internal/umc/get”

Default value: null

nubusPortalConsumer.portalConsumer.umcSessionUrl#

Define UMC “session-info” endpoint. Example: “https://portal.example.com/univention/internal/umc/get/session-info”

Default value: null

nubusPortalConsumer.probes.liveness.enabled#

Default value: true

nubusPortalConsumer.probes.liveness.failureThreshold#

Default value: 3

nubusPortalConsumer.probes.liveness.initialDelaySeconds#

Default value: 120

nubusPortalConsumer.probes.liveness.periodSeconds#

Default value: 30

nubusPortalConsumer.probes.liveness.successThreshold#

Default value: 1

nubusPortalConsumer.probes.liveness.timeoutSeconds#

Default value: 3

nubusPortalConsumer.probes.readiness.enabled#

Default value: true

nubusPortalConsumer.probes.readiness.failureThreshold#

Default value: 30

nubusPortalConsumer.probes.readiness.initialDelaySeconds#

Default value: 30

nubusPortalConsumer.probes.readiness.periodSeconds#

Default value: 15

nubusPortalConsumer.probes.readiness.successThreshold#

Default value: 1

nubusPortalConsumer.probes.readiness.timeoutSeconds#

Default value: 3

nubusPortalConsumer.provisioningApi.auth.credentialSecret.key#

The key where the password can be found.

Default value: "PROVISIONING_API_PASSWORD"

nubusPortalConsumer.provisioningApi.auth.credentialSecret.name#

The name of the secret.

Default value: ""

nubusPortalConsumer.provisioningApi.auth.existingSecret.name#

Default value: null

nubusPortalConsumer.provisioningApi.auth.password#

Default value: null

nubusPortalConsumer.provisioningApi.auth.username#

Default value: "portal-consumer"

nubusPortalConsumer.provisioningApi.config.maxAcknowledgementRetries#

The maximum number of retries for acknowledging a message

Default value: 3

nubusPortalConsumer.provisioningApi.connection.baseUrl#

The base URL the provisioning API is reachable at. (e.g. “https://provisioning-api”)

Default value: ""

nubusPortalConsumer.replicaCount#

Default value: 1

nubusPortalConsumer.resources#

Deployment resources for the consumer container

Default value: {}

nubusPortalConsumer.resources.limits.cpu#

Default value: 288

nubusPortalConsumer.resources.limits.memory#

Default value: "1Gi"

nubusPortalConsumer.resources.requests.cpu#

Default value: "10m"

nubusPortalConsumer.resources.requests.memory#

Default value: "16Mi"

nubusPortalConsumer.resourcesWaitForDependency#

Deployment resources for the dependency waiters

Default value: {}

nubusPortalConsumer.securityContext#

Default value: {}

nubusPortalConsumer.terminationGracePeriodSeconds#

Default value: 5

nubusPortalConsumer.tolerations#

Default value: []

nubusPortalConsumer.waitForDependency.extraEnvVars#

Array with extra environment variables to add to containers.

Default value: []

nubusPortalConsumer.waitForDependency.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusPortalConsumer.waitForDependency.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusPortalConsumer.waitForDependency.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusPortalConsumer.waitForDependency.image.registry#

Default value: ""

nubusPortalConsumer.waitForDependency.image.repository#

Default value:

"nubus/images/wait-for-dependency"

nubusPortalConsumer.waitForDependency.image.tag#

Default value:

"0.26.0@sha256:a31fde86bf21c597a31356fe492ab7e7a03a89282ca215eb7100763d6eb96b6b"

10.2.18. nubusPortalFrontend#

nubusPortalFrontend.additionalAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

nubusPortalFrontend.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusPortalFrontend.affinity#

Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.

Default value: {}

nubusPortalFrontend.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusPortalFrontend.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusPortalFrontend.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusPortalFrontend.containerSecurityContext.privileged#

Default value: false

nubusPortalFrontend.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusPortalFrontend.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusPortalFrontend.containerSecurityContext.runAsNonRoot#

Run the container as a non-root user.

Default value: true

nubusPortalFrontend.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusPortalFrontend.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusPortalFrontend.enabled#

Default value: true

nubusPortalFrontend.extraEnvVars#

Array with extra environment variables to add to containers. Example:

    extraEnvVars:
      - name: FOO
        value: "bar"

Default value: []

nubusPortalFrontend.extraIngresses#

Extra ingress configuration

Default value: []

nubusPortalFrontend.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusPortalFrontend.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusPortalFrontend.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusPortalFrontend.fullnameOverride#

Provide a name to substitute for the full names of resources.

Default value: ""

nubusPortalFrontend.global.configMapUcr#

Default value: "stack-data-ums-ucr"

nubusPortalFrontend.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusPortalFrontend.global.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusPortalFrontend.global.imageRegistry#

Container registry address.

Default value:

"artifacts.software-univention.de"

nubusPortalFrontend.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusPortalFrontend.image.registry#

Default value: ""

nubusPortalFrontend.image.repository#

Default value: "nubus/images/portal-frontend"

nubusPortalFrontend.image.tag#

Default value:

"0.48.3@sha256:a352175e7dbc0d8cd3a606b62f2b213247c3f98dd66cce6deb73ba4f26100375"

nubusPortalFrontend.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusPortalFrontend.ingress.annotations#

Define custom ingress annotations for all Ingresses.

Default value: {}

nubusPortalFrontend.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

nubusPortalFrontend.ingress.certManager.issuerRef.kind#

Type of Issuer, e.g. “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

nubusPortalFrontend.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

nubusPortalFrontend.ingress.enabled#

Enable creation of Ingress.

Default value: true

nubusPortalFrontend.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusPortalFrontend.ingress.ingressClassName#

The Ingress controller class name. (This will be the default for all Ingresses)

Default value: ""

nubusPortalFrontend.ingress.items#

Default value:

[{"name": "rewrites", "host": "", "paths": [{"path": "/univention/(portal|selfservice)/$", "pathType": "ImplementationSpecific"}, {"path": "/univention/(portal|selfservice)/index.html$", "pathType": "ImplementationSpecific"}, {"path": "/univention/(portal|selfservice)/(css|fonts|i18n|media|js|oidc|custom)(/.*)$", "pathType": "ImplementationSpecific"}, {"path": "/univention/(portal)/(icons)(/.*)$", "pathType": "ImplementationSpecific"}], "ingressClassName": "", "annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/$2$3", "nginx.ingress.kubernetes.io/use-regex": "true"}, "tls": {"secretName": ""}}, {"name": "redirects", "host": "", "paths": [{"pathType": "ImplementationSpecific", "path": "/$"}, {"pathType": "ImplementationSpecific", "path": "/univention$"}, {"pathType": "ImplementationSpecific", "path": "/univention/$"}, {"pathType": "ImplementationSpecific", "path": "/univention/portal$"}, {"pathType": "ImplementationSpecific", "path": "/univention/selfservice$"}], "ingressClassName": "", "annotations": {"nginx.ingress.kubernetes.io/permanent-redirect": "/univention/portal/"}, "tls": {"secretName": ""}}]

nubusPortalFrontend.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

nubusPortalFrontend.ingress.tls.secretName#

The name of the Kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

nubusPortalFrontend.lifecycleHooks#

Lifecycle to automate configuration before or after startup.

Default value: {}

nubusPortalFrontend.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusPortalFrontend.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusPortalFrontend.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusPortalFrontend.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusPortalFrontend.livenessProbe.tcpSocket.port#

The port to connect to the container.

Default value: 80

nubusPortalFrontend.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusPortalFrontend.nameOverride#

Default value: "portal-frontend"

nubusPortalFrontend.nodeSelector#

Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

nubusPortalFrontend.persistence.accessModes#

The volume access modes, some of “ReadWriteOnce”, “ReadOnlyMany”, “ReadWriteMany”, “ReadWriteOncePod”.

“ReadWriteOnce” => The volume can be mounted as read-write by a single node. ReadWriteOnce access mode still can allow multiple pods to access the volume when the pods are running on the same node.

“ReadOnlyMany” => The volume can be mounted as read-only by many nodes.

“ReadWriteMany” => The volume can be mounted as read-write by many nodes.

“ReadWriteOncePod” => The volume can be mounted as read-write by a single Pod. Use ReadWriteOncePod access mode if you want to ensure that only one pod across the whole cluster can read that PVC or write to it.

Default value: ["ReadWriteOnce"]

nubusPortalFrontend.persistence.annotations#

Annotations for the PVC.

Default value: {}

nubusPortalFrontend.persistence.dataSource#

Custom PVC data source.

Default value: {}

nubusPortalFrontend.persistence.enabled#

Enable data persistence (true) or use temporary storage (false).

Default value: true

nubusPortalFrontend.persistence.existingClaim#

Use an already existing claim.

Default value: ""

nubusPortalFrontend.persistence.labels#

Labels for the PVC.

Default value: {}

nubusPortalFrontend.persistence.selector#

Selector to match an existing Persistent Volume (this value is evaluated as a template). Example:

    selector:
      matchLabels:
        app: my-app

Default value: {}

nubusPortalFrontend.persistence.size#

The volume size with unit.

Default value: "10Gi"

nubusPortalFrontend.persistence.storageClass#

The (storage) class of PV.

Default value: ""

nubusPortalFrontend.podAnnotations#

Pod Annotations. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Default value: {}

nubusPortalFrontend.podLabels#

Pod Labels. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Default value: {}

nubusPortalFrontend.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusPortalFrontend.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

nubusPortalFrontend.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusPortalFrontend.podSecurityContext.sysctls#

Configure sysctls for the pod.

Default value: [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "1"}]

nubusPortalFrontend.portalFrontend.branding.backgroundImage#

Background image for the portal frontend.

Default value: ""

nubusPortalFrontend.portalFrontend.branding.css#

Custom CSS style sheet for the portal frontend.

Default value: ""

nubusPortalFrontend.portalFrontend.branding.favicon#

Favicon for the portal frontend.

Default value: ""

Logo for the loading screen of the portal frontend.

Default value: ""

nubusPortalFrontend.portalFrontend.environment#

TODO: Clarify usage of this parameter

Default value: "production"

nubusPortalFrontend.portalFrontend.logLevel#

Default value: "INFO"

nubusPortalFrontend.portalFrontend.nginx.disableIPv6#

Disable IPv6 support.

Default value: false

nubusPortalFrontend.readinessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusPortalFrontend.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusPortalFrontend.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusPortalFrontend.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusPortalFrontend.readinessProbe.tcpSocket.port#

Default value: 80

nubusPortalFrontend.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusPortalFrontend.replicaCount#

Set the amount of replicas of deployment.

Default value: 1

nubusPortalFrontend.resources#

Configure resource requests and limits. Ref: https://kubernetes.io/docs/user-guide/compute-resources/

Default value: {}

nubusPortalFrontend.resources.limits.cpu#

Default value: 288

nubusPortalFrontend.resources.limits.memory#

Default value: "1Gi"

nubusPortalFrontend.resources.requests.cpu#

Default value: "10m"

nubusPortalFrontend.resources.requests.memory#

Default value: "16Mi"

nubusPortalFrontend.service.annotations#

Additional custom annotations.

Default value: {}

nubusPortalFrontend.service.ports.http.containerPort#

Internal port.

Default value: 80

nubusPortalFrontend.service.ports.http.port#

Accessible port.

Default value: 80

nubusPortalFrontend.service.ports.http.protocol#

Service protocol.

Default value: "TCP"

nubusPortalFrontend.service.type#

Choose the kind of Service, one of “ClusterIP”, “NodePort” or “LoadBalancer”.

Default value: "ClusterIP"

nubusPortalFrontend.serviceAccount.annotations#

Annotations to add to the service account.

Default value: {}

nubusPortalFrontend.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use K8s API.

Default value: false

nubusPortalFrontend.serviceAccount.create#

Specifies whether a service account should be created.

Default value: true

nubusPortalFrontend.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusPortalFrontend.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template.

Default value: ""

nubusPortalFrontend.startupProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusPortalFrontend.startupProbe.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusPortalFrontend.startupProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusPortalFrontend.startupProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusPortalFrontend.startupProbe.tcpSocket.port#

The port to connect to the container.

Default value: 80

nubusPortalFrontend.startupProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusPortalFrontend.terminationGracePeriodSeconds#

Default value: 5

nubusPortalFrontend.tolerations#

Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

Default value: []

nubusPortalFrontend.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/

Example:

    topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: failure-domain.beta.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule

Default value: []

nubusPortalFrontend.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.

Default value: "RollingUpdate"

10.2.19. nubusPortalServer#

nubusPortalServer.additionalAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

nubusPortalServer.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusPortalServer.affinity#

Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.

Default value: {}

nubusPortalServer.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusPortalServer.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusPortalServer.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusPortalServer.containerSecurityContext.privileged#

Default value: false

nubusPortalServer.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusPortalServer.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusPortalServer.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusPortalServer.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusPortalServer.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusPortalServer.enabled#

Default value: true

nubusPortalServer.extraEnvVars#

Array with extra environment variables to add to containers. Example:

    extraEnvVars:
      - name: FOO
        value: "bar"

Default value: []

nubusPortalServer.extraIngresses#

Extra ingress configuration.

Default value: []

nubusPortalServer.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusPortalServer.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusPortalServer.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusPortalServer.fullnameOverride#

Provide a name to substitute for the full names of resources.

Default value: ""

nubusPortalServer.global.configMapUcr#

Default value: "stack-data-ums-ucr"

nubusPortalServer.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusPortalServer.global.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusPortalServer.global.imageRegistry#

Container registry address.

Default value: "artifacts.software-univention.de"

nubusPortalServer.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusPortalServer.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusPortalServer.image.registry#

Default value: ""

nubusPortalServer.image.repository#

Default value: "nubus/images/portal-server"

nubusPortalServer.image.tag#

Default value: "0.48.3@sha256:331a3f247d3c3d496ee1be78d71b6c737666f2fbf0bced1985e2edb295729e59"

nubusPortalServer.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusPortalServer.ingress.annotations.nginx.ingress.kubernetes.io/rewrite-target#

Default value: "/$2$3"

nubusPortalServer.ingress.annotations.nginx.ingress.kubernetes.io/use-regex#

Default value: "true"

nubusPortalServer.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

nubusPortalServer.ingress.certManager.issuerRef.kind#

Type of Issuer, for example “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

nubusPortalServer.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

nubusPortalServer.ingress.enabled#

Enable creation of Ingress.

Default value: true

nubusPortalServer.ingress.host#

Default value: "{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusPortalServer.ingress.ingressClassName#

The Ingress controller class name.

Default value: ""

nubusPortalServer.ingress.paths#

Define the Ingress paths.

Default value: [{"path": "/()(univention/portal/|univention/selfservice/)(portal.json|navigation.json)$", "pathType": "ImplementationSpecific"}]

nubusPortalServer.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

nubusPortalServer.ingress.tls.secretName#

The name of the Kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

nubusPortalServer.lifecycleHooks#

Lifecycle to automate configuration before or after startup.

Default value: {}

nubusPortalServer.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusPortalServer.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusPortalServer.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusPortalServer.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusPortalServer.livenessProbe.tcpSocket.port#

The port to connect to the container.

Default value: 80

nubusPortalServer.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusPortalServer.nameOverride#

Default value: "portal-server"

nubusPortalServer.nodeSelector#

Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

nubusPortalServer.objectStorage.auth.accessKey#

Default value: null

nubusPortalServer.objectStorage.auth.secretKey#

Default value: null

nubusPortalServer.persistence.accessModes#

The volume access modes, some of “ReadWriteOnce”, “ReadOnlyMany”, “ReadWriteMany”, “ReadWriteOncePod”.

“ReadWriteOnce” => The volume can be mounted as read-write by a single node. ReadWriteOnce access mode still can allow multiple pods to access the volume when the pods are running on the same node.

“ReadOnlyMany” => The volume can be mounted as read-only by many nodes.

“ReadWriteMany” => The volume can be mounted as read-write by many nodes.

“ReadWriteOncePod” => The volume can be mounted as read-write by a single Pod. Use ReadWriteOncePod access mode if you want to ensure that only one pod across the whole cluster can read that PVC or write to it.

Default value: ["ReadWriteOnce"]

nubusPortalServer.persistence.annotations#

Annotations for the PVC.

Default value: {}

nubusPortalServer.persistence.dataSource#

Custom PVC data source.

Default value: {}

nubusPortalServer.persistence.enabled#

Enable data persistence (true) or use temporary storage (false).

Default value: true

nubusPortalServer.persistence.existingClaim#

Use an already existing claim.

Default value: ""

nubusPortalServer.persistence.labels#

Labels for the PVC.

Default value: {}

nubusPortalServer.persistence.selector#

Selector to match an existing Persistent Volume (this value is evaluated as a template). Example:

    selector:
      matchLabels:
        app: my-app

Default value: {}

nubusPortalServer.persistence.size#

The volume size with unit.

Default value: "10Gi"

nubusPortalServer.persistence.storageClass#

The (storage) class of PV.

Default value: ""

nubusPortalServer.podAnnotations#

Pod Annotations. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Default value: {}

nubusPortalServer.podLabels#

Pod Labels. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Default value: {}

nubusPortalServer.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusPortalServer.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

nubusPortalServer.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusPortalServer.podSecurityContext.sysctls#

Allow binding to ports below 1024 without root access.

Default value: [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "1"}]

nubusPortalServer.portalServer.adminGroup#

Define LDAP Admin Group. Example: “cn=Domain Admins,cn=groups,dc=example,dc=com”

Default value: null

nubusPortalServer.portalServer.authMode#

Define the authentication mode for the portal. Use “ucs” or “saml”. Chart default is “ucs”. In a Nubus deployment the default is “saml”.

Default value: ""

nubusPortalServer.portalServer.centralNavigation.authenticatorSecretName#

Provide a name to a custom secret containing authenticator.secret. Will get mounted in /var/secrets/authenticator.secret.

Default value: ""

nubusPortalServer.portalServer.centralNavigation.enabled#

Activate the shared secret authenticator for the portal, instead of the UMC session cookie one. This allows 3rd party apps to authenticate against the portal server to get the central navigation.

Default value: true

nubusPortalServer.portalServer.credentialSecret#

Optional reference to a different secret for credentials. Example:

    credentialSecret:
      name: "custom-credentials"
      accessKeyId: "ums_user"
      secretAccessKey: "ums_password"

Default value: {}

nubusPortalServer.portalServer.editable#

Defines if members of the Admin group can use the edit mode in the portal.

Default value: "true"

nubusPortalServer.portalServer.environment#

TODO: Clarify usage of this parameter

Default value: "production"

nubusPortalServer.portalServer.logLevel#

Default value: "INFO"

nubusPortalServer.portalServer.objectStorageAccessKeyId#

User for the object storage. Chart default is “ums_user”.

Default value: ""

nubusPortalServer.portalServer.objectStorageBucket#

Default value: "nubus"

nubusPortalServer.portalServer.objectStorageCredentialSecret.accessKeyKey#

Default value: "accessKey"

nubusPortalServer.portalServer.objectStorageCredentialSecret.name#

Default value: ""

nubusPortalServer.portalServer.objectStorageCredentialSecret.secretKeyKey#

Default value: "secretKey"

nubusPortalServer.portalServer.objectStorageEndpoint#

Object storage endpoint. Nubus chart default is “http://$RELEASE_NAME.ums-minio:9000”.

Default value: ""

nubusPortalServer.portalServer.objectStorageSecretAccessKey#

Password for access to object storage. Chart default is “stub_password”.

Default value: ""

nubusPortalServer.portalServer.port#

Default value: 80

nubusPortalServer.portalServer.ucsInternalPath#

Define object storage path inside the bucket where files are placed. Example: “portal-assets”

Default value: "portal-data"

nubusPortalServer.portalServer.umcGetUrl#

Define UMC get endpoint. Example: “https://portal.example.com/univention/internal/umc/get”

Default value: null

nubusPortalServer.portalServer.umcSessionUrl#

Define UMC “session-info” endpoint. Example: “https://portal.example.com/univention/internal/umc/get/session-info”

Default value: null

nubusPortalServer.readinessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusPortalServer.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusPortalServer.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusPortalServer.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusPortalServer.readinessProbe.tcpSocket.port#

Default value: 80

nubusPortalServer.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusPortalServer.replicaCount#

Set the amount of replicas of deployment.

Default value: 1

nubusPortalServer.resources#

Configure resource requests and limits. Ref: https://kubernetes.io/docs/user-guide/compute-resources/

Default value: {}

nubusPortalServer.resources.limits.cpu#

Default value: 288

nubusPortalServer.resources.limits.memory#

Default value: "1Gi"

nubusPortalServer.resources.requests.cpu#

Default value: "10m"

nubusPortalServer.resources.requests.memory#

Default value: "16Mi"

nubusPortalServer.service.annotations#

Additional custom annotations.

Default value: {}

nubusPortalServer.service.ports.http.containerPort#

Internal port.

Default value: 80

nubusPortalServer.service.ports.http.port#

Accessible port.

Default value: 80

nubusPortalServer.service.ports.http.protocol#

Service protocol.

Default value: "TCP"

nubusPortalServer.service.type#

Choose the kind of Service, one of “ClusterIP”, “NodePort” or “LoadBalancer”.

Default value: "ClusterIP"

nubusPortalServer.serviceAccount.annotations#

Annotations to add to the service account.

Default value: {}

nubusPortalServer.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use K8s API.

Default value: false

nubusPortalServer.serviceAccount.create#

Specifies whether a service account should be created.

Default value: true

nubusPortalServer.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusPortalServer.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template.

Default value: ""

nubusPortalServer.startupProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusPortalServer.startupProbe.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusPortalServer.startupProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusPortalServer.startupProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusPortalServer.startupProbe.tcpSocket.port#

The port to connect to the container.

Default value: 80

nubusPortalServer.startupProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusPortalServer.terminationGracePeriodSeconds#

Default value: 5

nubusPortalServer.tolerations#

Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

Default value: []

nubusPortalServer.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/

Example:

    topologySpreadConstraints:
      - maxSkew: 1
        topologyKey: failure-domain.beta.kubernetes.io/zone
        whenUnsatisfiable: DoNotSchedule

Default value: []

nubusPortalServer.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.

Default value: "RollingUpdate"

10.2.20. nubusProvisioning#

nubusProvisioning.additionalAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

nubusProvisioning.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusProvisioning.affinity#

Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.

Default value: {}

nubusProvisioning.api.additionalAnnotations#

Default value: {}

nubusProvisioning.api.additionalLabels#

Default value: {}

nubusProvisioning.api.auth.admin.existingSecret.keyMapping.password#

Default value: "ADMIN_PASSWORD"

nubusProvisioning.api.auth.admin.existingSecret.name#

Default value: "{{ .Release.Name }}-provisioning-api-credentials"

nubusProvisioning.api.auth.adminPassword#

Default value: null

nubusProvisioning.api.auth.eventsUdm.existingSecret.keyMapping.password#

Default value: "EVENTS_PASSWORD_UDM"

nubusProvisioning.api.auth.eventsUdm.existingSecret.name#

Default value: "{{ .Release.Name }}-provisioning-api-credentials"

nubusProvisioning.api.auth.prefill.existingSecret.keyMapping.password#

Default value: "PREFILL_PASSWORD"

nubusProvisioning.api.auth.prefill.existingSecret.name#

Default value: "{{ .Release.Name }}-provisioning-api-credentials"

nubusProvisioning.api.auth.prefillPassword#

Default value: null

nubusProvisioning.api.auth.udmTransformerPassword#

Default value: null

nubusProvisioning.api.config.CORS_ALL#

FastAPI: disable CORS checks

Default value: "false"

nubusProvisioning.api.config.DEBUG#

FastAPI: debug mode: send traceback in response on errors

Default value: "false"

nubusProvisioning.api.config.LOG_LEVEL#

Default value: "INFO"

nubusProvisioning.api.config.ROOT_PATH#

FastAPI: webserver root path

Default value: "/"

nubusProvisioning.api.image.imagePullPolicy#

Default value: null

nubusProvisioning.api.image.registry#

Default value: ""

nubusProvisioning.api.image.repository#

Default value: "nubus/images/provisioning-events-and-consumer-api"

nubusProvisioning.api.image.tag#

Default value: "0.46.0@sha256:c9025d0c058a36fb7926a6ad9768f9909efa4dff76022d7b7de862b000da6e6f"

nubusProvisioning.api.nats.auth.existingSecret.keyMapping.provisioningApiPassword#

Default value: "NATS_PASSWORD"

nubusProvisioning.api.nats.auth.existingSecret.name#

Default value: "{{ .Release.Name }}-provisioning-api-credentials"

nubusProvisioning.api.nats.auth.password#

Default value: null

nubusProvisioning.api.nats.connection.host#

Default value: ""

nubusProvisioning.api.nats.connection.password.secretKeyRef.key#

Default value: "password"

nubusProvisioning.api.nats.connection.port#

Default value: ""

nubusProvisioning.api.nats.connection.username#

Default value: "events_and_consumer_api"

nubusProvisioning.api.podAnnotations#

Default value: {}

nubusProvisioning.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusProvisioning.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusProvisioning.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusProvisioning.containerSecurityContext.privileged#

Default value: false

nubusProvisioning.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusProvisioning.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusProvisioning.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusProvisioning.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusProvisioning.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusProvisioning.dispatcher.additionalAnnotations#

Default value: {}

nubusProvisioning.dispatcher.additionalLabels#

Default value: {}

nubusProvisioning.dispatcher.config.LOG_LEVEL#

Default value: "INFO"

nubusProvisioning.dispatcher.config.natsMaxReconnectAttempts#

Default value: 5

nubusProvisioning.dispatcher.image.imagePullPolicy#

Default value: null

nubusProvisioning.dispatcher.image.registry#

TODO: unset when global.imageRegistry is supported by update-helm-values

Default value: ""

nubusProvisioning.dispatcher.image.repository#

Default value: "nubus/images/provisioning-dispatcher"

nubusProvisioning.dispatcher.image.tag#

Default value: "0.46.0@sha256:01464a4f2e1297ff2d1a507e69829fa7d0b84543e88280113bd9b9fb88bf2bce"

nubusProvisioning.dispatcher.nats.auth.existingSecret.keyMapping.dispatcherPassword#

Default value: "NATS_PASSWORD"

nubusProvisioning.dispatcher.nats.auth.existingSecret.name#

Default value: "{{ .Release.Name }}-provisioning-dispatcher-credentials"

nubusProvisioning.dispatcher.nats.auth.password#

Default value: null

nubusProvisioning.dispatcher.nats.connection.host#

Default value: ""

nubusProvisioning.dispatcher.nats.connection.port#

Default value: ""

nubusProvisioning.dispatcher.podAnnotations#

Default value: {}

nubusProvisioning.enabled#

Default value: true

nubusProvisioning.extraEnvVars#

Array with extra environment variables to add to containers. Example:

    extraEnvVars:
      - name: FOO
        value: "bar"

Default value: []

nubusProvisioning.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusProvisioning.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusProvisioning.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusProvisioning.fullnameOverride#

Provide a name to substitute for the full names of resources.

Default value: ""

nubusProvisioning.global.configMapUcr#

Default value: null

nubusProvisioning.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: null

nubusProvisioning.global.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusProvisioning.global.imageRegistry#

Container registry address.

Default value: "artifacts.software-univention.de"

nubusProvisioning.global.nats.connection.host#

Default value: ""

nubusProvisioning.global.nats.connection.port#

Default value: ""

nubusProvisioning.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusProvisioning.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Example:

    imagePullSecrets:
      - "docker-registry"

Default value: []

nubusProvisioning.ingress.annotations#

Define custom ingress annotations. Example:

    annotations:
      nginx.ingress.kubernetes.io/rewrite-target: /

Default value: {}

nubusProvisioning.ingress.enabled#

Enable creation of Ingress.

Default value: false

nubusProvisioning.ingress.host#

Define the Fully Qualified Domain Name (FQDN) where application should be reachable.

Default value: ""

nubusProvisioning.ingress.ingressClassName#

The Ingress controller class name.

Default value: "nginx"

nubusProvisioning.ingress.pathType#

Each path in an Ingress is required to have a corresponding path type. Paths that do not include an explicit pathType will fail validation. There are three supported path types:

“ImplementationSpecific” => With this path type, matching is up to the IngressClass. Implementations can treat this as a separate pathType or treat it identically to Prefix or Exact path types.

“Exact” => Matches the URL path exactly and with case sensitivity.

“Prefix” => Matches based on a URL path prefix split by /.

Ref.: https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types

Default value: "Prefix"

nubusProvisioning.ingress.paths#

Define the Ingress path.

Default value: []

nubusProvisioning.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

nubusProvisioning.ingress.tls.secretName#

The name of the Kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

nubusProvisioning.istio.enabled#

Set this to true in order to enable the installation of Istio-related objects.

Default value: false

nubusProvisioning.istio.gateway.annotations#

Default value: null

nubusProvisioning.istio.gateway.enabled#

Default value: false

nubusProvisioning.istio.gateway.externalGatewayName#

Default value: "swp-istio-gateway"

nubusProvisioning.istio.gateway.selectorIstio#

Default value: "ingressgateway"

nubusProvisioning.istio.gateway.tls.enabled#

Default value: true

nubusProvisioning.istio.gateway.tls.httpsRedirect#

Default value: true

nubusProvisioning.istio.gateway.tls.secretName#

Default value: ""

nubusProvisioning.istio.virtualService.annotations#

Default value: {}

nubusProvisioning.istio.virtualService.enabled#

Default value: true

nubusProvisioning.istio.virtualService.pathOverrides#

Allows injecting deployment-specific path configuration that is applied before the elements from paths below. This makes it possible to redirect some paths to other services, e.g. in order to supply a file custom.css.

Default value: []

nubusProvisioning.istio.virtualService.paths#

The paths configuration. The default only grabs what is known to be part of the frontend. pathOverrides is provided as a workaround so that specific sub-paths can be redirected to other services.

Default value: []

nubusProvisioning.ldap.auth.existingSecret.keyMapping.password#

Default value: "{{ .Values.global.ldap.auth.cnAdmin.existingSecret.keyMapping.password }}"

nubusProvisioning.ldap.auth.existingSecret.name#

Default value: "{{- printf \"%s-ldap-server-credentials\" .Release.Name -}}"

nubusProvisioning.lifecycleHooks#

Lifecycle to automate configuration before or after startup.

Default value: {}

nubusProvisioning.livenessProbe.api.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.livenessProbe.api.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusProvisioning.livenessProbe.api.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.livenessProbe.api.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.livenessProbe.api.tcpSocket.port#

The port to connect to the container.

Default value: 7777

nubusProvisioning.livenessProbe.api.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.livenessProbe.dispatcher.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.livenessProbe.dispatcher.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.livenessProbe.dispatcher.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusProvisioning.livenessProbe.dispatcher.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.livenessProbe.dispatcher.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.livenessProbe.dispatcher.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.livenessProbe.prefill.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.livenessProbe.prefill.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.livenessProbe.prefill.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusProvisioning.livenessProbe.prefill.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.livenessProbe.prefill.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.livenessProbe.prefill.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.livenessProbe.udmTransformer.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.livenessProbe.udmTransformer.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.livenessProbe.udmTransformer.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusProvisioning.livenessProbe.udmTransformer.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.livenessProbe.udmTransformer.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.livenessProbe.udmTransformer.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.nameOverride#

Default value: "provisioning"

nubusProvisioning.nats.affinity.enabled#

Disable the pod affinity rules when running on a cluster with fewer than 3 Kubernetes nodes.

Default value: true

nubusProvisioning.nats.auth.adminPassword#

Default value: null

nubusProvisioning.nats.bundled#

Set to true if you want NATS to be installed as well.

Default value: true

nubusProvisioning.nats.config.authorization.enabled#

Default value: true

nubusProvisioning.nats.config.cluster.replicas#

TODO: Set back to the default of 3 after nats clustering is solved.

Default value: 1

nubusProvisioning.nats.config.createUsers.admin.password#

Default value: "$NATS_PASSWORD"

nubusProvisioning.nats.config.createUsers.admin.permissions.publish#

Default value: ">"

nubusProvisioning.nats.config.createUsers.admin.permissions.subscribe#

Default value: ">"

nubusProvisioning.nats.config.createUsers.admin.user#

Default value: "admin"

nubusProvisioning.nats.config.createUsers.dispatcher.password#

Default value: "$NATS_DISPATCHER_PASSWORD"

nubusProvisioning.nats.config.createUsers.dispatcher.permissions.publish#

Default value: ">"

nubusProvisioning.nats.config.createUsers.dispatcher.permissions.subscribe#

Default value: ">"

nubusProvisioning.nats.config.createUsers.dispatcher.user#

Default value: "dispatcher"

nubusProvisioning.nats.config.createUsers.prefill.password#

Default value: "$NATS_PREFILL_PASSWORD"

nubusProvisioning.nats.config.createUsers.prefill.permissions.publish#

Default value: ">"

nubusProvisioning.nats.config.createUsers.prefill.permissions.subscribe#

Default value: ">"

nubusProvisioning.nats.config.createUsers.prefill.user#

Default value: "prefill"

nubusProvisioning.nats.config.createUsers.provisioningApi.password#

Default value: "$NATS_PROVISIONING_API_PASSWORD"

nubusProvisioning.nats.config.createUsers.provisioningApi.permissions.publish#

Default value: ">"

nubusProvisioning.nats.config.createUsers.provisioningApi.permissions.subscribe#

Default value: ">"

nubusProvisioning.nats.config.createUsers.provisioningApi.user#

Default value: "api"

nubusProvisioning.nats.config.createUsers.udmListener.password#

Default value: "$NATS_UDM_LISTENER_PASSWORD"

nubusProvisioning.nats.config.createUsers.udmListener.permissions.publish#

Default value: ">"

nubusProvisioning.nats.config.createUsers.udmListener.permissions.subscribe#

Default value: ">"

nubusProvisioning.nats.config.createUsers.udmListener.user#

Default value: "udmlistener"

nubusProvisioning.nats.config.createUsers.udmTransformer.password#

Default value: "$NATS_UDM_TRANSFORMER_PASSWORD"

nubusProvisioning.nats.config.createUsers.udmTransformer.permissions.publish#

Default value: ">"

nubusProvisioning.nats.config.createUsers.udmTransformer.permissions.subscribe#

Default value: ">"

nubusProvisioning.nats.config.createUsers.udmTransformer.user#

Default value: "udmtransformer"

nubusProvisioning.nats.config.extraConfig.max_payload#

Default value: "16MB"

nubusProvisioning.nats.config.jetstream.enabled#

Default value: true

nubusProvisioning.nats.connection.host#

The NATS service to connect to.

Default value: ""

nubusProvisioning.nats.connection.port#

The port to connect to the NATS service.

Default value: ""

nubusProvisioning.nats.connection.tls.caFile#

The CA used to verify the server's identity when initialising the connection.

Default value: "/certificates/ca.crt"

nubusProvisioning.nats.connection.tls.certFile#

The certificate to present when initialising the connection.

Default value: "/certificates/tls.crt"

nubusProvisioning.nats.connection.tls.enabled#

Default value: false

nubusProvisioning.nats.connection.tls.keyFile#

The private key to use for the connection.

Default value: "/certificates/tls.key"

nubusProvisioning.nats.extraEnvVars#

Default value: [{"name": "NATS_UDM_LISTENER_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-udm-listener-credentials", "key": "NATS_PASSWORD"}}}, {"name": "NATS_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-nats-credentials", "key": "admin_password"}}}, {"name": "NATS_PROVISIONING_API_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-api-credentials", "key": "NATS_PASSWORD"}}}, {"name": "NATS_DISPATCHER_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-dispatcher-credentials", "key": "NATS_PASSWORD"}}}, {"name": "NATS_UDM_TRANSFORMER_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-udm-transformer-credentials", "key": "NATS_PASSWORD"}}}, {"name": "NATS_PREFILL_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-prefill-credentials", "key": "NATS_PASSWORD"}}}]

nubusProvisioning.nats.global.imageRegistry#

Default value: "docker.io"

nubusProvisioning.nats.nameOverride#

Default value: "provisioning-nats"

nubusProvisioning.nats.nats.image.registry#

Default value: "docker.io"

nubusProvisioning.nats.natsBox.image.registry#

Default value: "docker.io"

nubusProvisioning.nats.natsBox.resources.limits.cpu#

Default value: 288

nubusProvisioning.nats.natsBox.resources.limits.memory#

Default value: "1Gi"

nubusProvisioning.nats.natsBox.resources.requests.cpu#

Default value: "10m"

nubusProvisioning.nats.natsBox.resources.requests.memory#

Default value: "16Mi"

nubusProvisioning.nats.reloader.image.registry#

Default value: "docker.io"

nubusProvisioning.nats.reloader.resources.limits.cpu#

Default value: 288

nubusProvisioning.nats.reloader.resources.limits.memory#

Default value: "1Gi"

nubusProvisioning.nats.reloader.resources.requests.cpu#

Default value: "10m"

nubusProvisioning.nats.reloader.resources.requests.memory#

Default value: "16Mi"

nubusProvisioning.nats.resources.limits.cpu#

Default value: 288

nubusProvisioning.nats.resources.limits.memory#

Default value: "1Gi"

nubusProvisioning.nats.resources.requests.cpu#

Default value: "10m"

nubusProvisioning.nats.resources.requests.memory#

Default value: "16Mi"

nubusProvisioning.nodeSelector#

Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

nubusProvisioning.podAnnotations#

Pod Annotations. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Default value: {}

nubusProvisioning.podLabels#

Pod Labels. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Default value: {}

nubusProvisioning.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusProvisioning.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

nubusProvisioning.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusProvisioning.podSecurityContext.sysctls#

Allow binding to ports below 1024 without root access.

Default value: [{"name": "net.ipv4.ip_unprivileged_port_start", "value": "1"}]

nubusProvisioning.prefill.additionalAnnotations#

Default value: {}

nubusProvisioning.prefill.additionalLabels#

Default value: {}

nubusProvisioning.prefill.config.LOG_LEVEL#

Default value: "INFO"

nubusProvisioning.prefill.config.UDM_HOST#

UDM REST API: host defaults to %RELEASE-NAME%-udm-rest-api

Default value: ""

nubusProvisioning.prefill.config.UDM_PORT#

UDM REST API: port

Default value: 9979

nubusProvisioning.prefill.config.maxPrefillAttempts#

Default value: 5

nubusProvisioning.prefill.config.natsMaxReconnectAttempts#

Default value: 5

nubusProvisioning.prefill.image.imagePullPolicy#

Default value: null

nubusProvisioning.prefill.image.registry#

Default value: ""

nubusProvisioning.prefill.image.repository#

Default value: "nubus/images/provisioning-prefill"

nubusProvisioning.prefill.image.tag#

Default value: "0.46.0@sha256:e7dfa77a8fe5b6d40d734b04dda9583c03ae8cf48221e6f0af0b35052514a948"

nubusProvisioning.prefill.nats.auth.existingSecret.keyMapping.prefillPassword#

Default value: "NATS_PASSWORD"

nubusProvisioning.prefill.nats.auth.existingSecret.name#

Default value: "{{ .Release.Name }}-provisioning-prefill-credentials"

nubusProvisioning.prefill.nats.auth.password#

Default value: null

nubusProvisioning.prefill.nats.connection.host#

Default value: ""

nubusProvisioning.prefill.nats.connection.port#

Default value: ""

nubusProvisioning.prefill.podAnnotations#

Default value: {}

nubusProvisioning.readinessProbe.api.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.readinessProbe.api.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusProvisioning.readinessProbe.api.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.readinessProbe.api.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.readinessProbe.api.tcpSocket.port#

The port to connect to the container.

Default value: 7777

nubusProvisioning.readinessProbe.api.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.readinessProbe.dispatcher.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.readinessProbe.dispatcher.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.readinessProbe.dispatcher.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusProvisioning.readinessProbe.dispatcher.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.readinessProbe.dispatcher.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.readinessProbe.dispatcher.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.readinessProbe.prefill.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.readinessProbe.prefill.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.readinessProbe.prefill.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusProvisioning.readinessProbe.prefill.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.readinessProbe.prefill.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.readinessProbe.prefill.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.readinessProbe.udmTransformer.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.readinessProbe.udmTransformer.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.readinessProbe.udmTransformer.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusProvisioning.readinessProbe.udmTransformer.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.readinessProbe.udmTransformer.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.readinessProbe.udmTransformer.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.registerConsumers.additionalAnnotations#

Default value: {}

nubusProvisioning.registerConsumers.additionalLabels#

Default value: {}

nubusProvisioning.registerConsumers.config.UDM_HOST#

UDM REST API: host defaults to %RELEASE-NAME%-udm-rest-api

Default value: ""

nubusProvisioning.registerConsumers.config.UDM_PORT#

UDM REST API: port

Default value: 9979

nubusProvisioning.registerConsumers.createUsers#

Default value: {}

nubusProvisioning.registerConsumers.createUsers.portalConsumer.existingSecret.keyMapping.password#

Default value: "portal-consumer.json"

nubusProvisioning.registerConsumers.createUsers.portalConsumer.existingSecret.name#

Default value: "{{- printf \"%s-provisioning-register-consumers-json-secrets\" .Release.Name -}}"

nubusProvisioning.registerConsumers.createUsers.selfserviceConsumer.existingSecret.keyMapping.password#

Default value: "selfservice.json"

nubusProvisioning.registerConsumers.createUsers.selfserviceConsumer.existingSecret.name#

Default value: "{{- printf \"%s-provisioning-register-consumers-json-secrets\" .Release.Name -}}"

nubusProvisioning.registerConsumers.image.imagePullPolicy#

Default value: null

nubusProvisioning.registerConsumers.image.registry#

TODO: unset when global.imageRegistry is supported by update-helm-values

Default value: ""

nubusProvisioning.registerConsumers.image.repository#

Default value: "nubus/images/wait-for-dependency"

nubusProvisioning.registerConsumers.image.tag#

Default value: "0.25.0@sha256:71a4d66fd67db6f92212b1936862b2b0d5a678d412213d74452a9195c2fe67f7"

nubusProvisioning.registerConsumers.jsonSecretName#

Default value: ""

nubusProvisioning.registerConsumers.podAnnotations#

Default value: {}

nubusProvisioning.registerConsumers.provisioningApiBaseUrl#

Default value: ""

nubusProvisioning.replicaCount.api#

Default value: 1

nubusProvisioning.replicaCount.dispatcher#

TODO: Discuss that this may never be higher than 1

Default value: 1

nubusProvisioning.replicaCount.prefill#

Default value: 1

nubusProvisioning.replicaCount.udmTransformer#

TODO: Discuss that this may never be higher than 1

Default value: 1

nubusProvisioning.resources.api.limits.cpu#

Default value: 288

nubusProvisioning.resources.api.limits.memory#

Default value: "1Gi"

nubusProvisioning.resources.api.requests.cpu#

Default value: "10m"

nubusProvisioning.resources.api.requests.memory#

Default value: "16Mi"

nubusProvisioning.resources.dispatcher.limits.cpu#

Default value: 288

nubusProvisioning.resources.dispatcher.limits.memory#

Default value: "1Gi"

nubusProvisioning.resources.dispatcher.requests.cpu#

Default value: "10m"

nubusProvisioning.resources.dispatcher.requests.memory#

Default value: "16Mi"

nubusProvisioning.resources.prefill.limits.cpu#

Default value: 288

nubusProvisioning.resources.prefill.limits.memory#

Default value: "1Gi"

nubusProvisioning.resources.prefill.requests.cpu#

Default value: "10m"

nubusProvisioning.resources.prefill.requests.memory#

Default value: "16Mi"

nubusProvisioning.resources.registerConsumers.limits.cpu#

Default value: 1

nubusProvisioning.resources.registerConsumers.limits.memory#

Default value: "1Gi"

nubusProvisioning.resources.registerConsumers.requests.cpu#

Default value: 0.1

nubusProvisioning.resources.registerConsumers.requests.memory#

Default value: "64Mi"

nubusProvisioning.resources.udmTransformer.limits.cpu#

Default value: 1

nubusProvisioning.resources.udmTransformer.limits.memory#

Default value: "1Gi"

nubusProvisioning.resources.udmTransformer.requests.cpu#

Default value: 0.1

nubusProvisioning.resources.udmTransformer.requests.memory#

Default value: "64Mi"

nubusProvisioning.service.annotations#

Additional custom annotations.

Default value: {}

nubusProvisioning.service.enabled#

Enable kubernetes service creation.

Default value: true

nubusProvisioning.service.ports.http.containerPort#

Internal port.

Default value: 7777

nubusProvisioning.service.ports.http.port#

Accessible port.

Default value: 80

nubusProvisioning.service.ports.http.protocol#

Service protocol.

Default value: "TCP"

nubusProvisioning.service.type#

Choose the kind of Service, one of “ClusterIP”, “NodePort” or “LoadBalancer”.

Default value: "ClusterIP"

nubusProvisioning.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusProvisioning.serviceAccount.automountServiceAccountToken#

Allows auto mount of the ServiceAccountToken on the created ServiceAccount. Can be set to false if pods using this ServiceAccount do not need to use the Kubernetes API.

Default value: false

nubusProvisioning.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusProvisioning.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusProvisioning.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusProvisioning.startupProbe.api.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.startupProbe.api.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusProvisioning.startupProbe.api.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.startupProbe.api.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.startupProbe.api.tcpSocket.port#

The port to connect to the container.

Default value: 7777

nubusProvisioning.startupProbe.dispatcher.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.startupProbe.dispatcher.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.startupProbe.dispatcher.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusProvisioning.startupProbe.dispatcher.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.startupProbe.dispatcher.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.startupProbe.dispatcher.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.startupProbe.prefill.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.startupProbe.prefill.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.startupProbe.prefill.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusProvisioning.startupProbe.prefill.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.startupProbe.prefill.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.startupProbe.prefill.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.startupProbe.udmTransformer.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusProvisioning.startupProbe.udmTransformer.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusProvisioning.startupProbe.udmTransformer.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusProvisioning.startupProbe.udmTransformer.periodSeconds#

Time between probe executions.

Default value: 20

nubusProvisioning.startupProbe.udmTransformer.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusProvisioning.startupProbe.udmTransformer.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusProvisioning.terminationGracePeriodSeconds#

Default value: 5

nubusProvisioning.tolerations#

Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

Default value: []

nubusProvisioning.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/

Example:

topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: failure-domain.beta.kubernetes.io/zone
    whenUnsatisfiable: DoNotSchedule

Default value: []

nubusProvisioning.udmTransformer.additionalAnnotations#

Default value: {}

nubusProvisioning.udmTransformer.additionalLabels#

Default value: {}

nubusProvisioning.udmTransformer.config.LDAP_TLS_MODE#

Whether to start LDAP encryption and validate certificates. Choose from “off”, “unvalidated” and “secure”.

Default value: "off"

nubusProvisioning.udmTransformer.config.LOG_LEVEL#

Default value: "INFO"

nubusProvisioning.udmTransformer.config.ldapPublisherName#

Enables toggling between ldif-producer and udm-listener. Beware: ldif-producer is experimental and unsupported.

Default value: "udm-listener"

nubusProvisioning.udmTransformer.image.imagePullPolicy#

Default value: null

nubusProvisioning.udmTransformer.image.registry#

Default value: ""

nubusProvisioning.udmTransformer.image.repository#

Default value: "nubus/images/provisioning-udm-transformer"

nubusProvisioning.udmTransformer.image.tag#

Default value: "0.46.0@sha256:e1877879044e5b0967362b5ec9a491e046d674407fbf081756b5e9e0e2dcd8e5"

nubusProvisioning.udmTransformer.ldap.auth.bindDn#

LDAP username with global read access

Default value: ""

nubusProvisioning.udmTransformer.ldap.baseDn#

LDAP BASE DN of the LDAP domain.

Default value: ""

nubusProvisioning.udmTransformer.ldap.connection.host#

Default value: "{{ .Release.Name }}-ldap-server-primary"

nubusProvisioning.udmTransformer.ldap.connection.port#

LDAP server port

Default value: ""

nubusProvisioning.udmTransformer.nats.auth.existingSecret.keyMapping.udmTransformerPassword#

Default value: "NATS_PASSWORD"

nubusProvisioning.udmTransformer.nats.auth.existingSecret.name#

Default value: "{{ .Release.Name }}-provisioning-udm-transformer-credentials"

nubusProvisioning.udmTransformer.nats.auth.password#

Default value: null

nubusProvisioning.udmTransformer.podAnnotations#

Default value: {}

nubusProvisioning.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first. FIXME: Change to RollingUpdate after this bug is fixed https://git.knut.univention.de/univention/customers/dataport/upx/provisioning/-/issues/70

Default value: "Recreate"

10.2.21. nubusSelfServiceConsumer#

nubusSelfServiceConsumer.affinity#

Default value: {}

nubusSelfServiceConsumer.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusSelfServiceConsumer.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusSelfServiceConsumer.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusSelfServiceConsumer.containerSecurityContext.privileged#

Default value: false

nubusSelfServiceConsumer.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusSelfServiceConsumer.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusSelfServiceConsumer.containerSecurityContext.runAsNonRoot#

Run the container as a non-root user.

Default value: true

nubusSelfServiceConsumer.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusSelfServiceConsumer.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusSelfServiceConsumer.enabled#

Default value: true

nubusSelfServiceConsumer.environment#

Default value: {}

nubusSelfServiceConsumer.extraEnvVars#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusSelfServiceConsumer.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusSelfServiceConsumer.fullnameOverride#

Default value: ""

nubusSelfServiceConsumer.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusSelfServiceConsumer.global.imagePullSecrets#

Credentials to fetch images from a private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusSelfServiceConsumer.global.imageRegistry#

Container registry address.

Default value: "artifacts.software-univention.de"

nubusSelfServiceConsumer.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusSelfServiceConsumer.image.imagePullPolicy#

The pull policy of the container image. This setting has higher precedence than global.imagePullPolicy.

Default value: "IfNotPresent"

nubusSelfServiceConsumer.image.registry#

Container registry address. This setting has higher precedence than global.registry.

Default value: ""

nubusSelfServiceConsumer.image.repository#

The path to the container image.

Default value: "nubus/images/selfservice-invitation"

nubusSelfServiceConsumer.image.tag#

The tag of the container image. (This is replaced with an appropriate value during the build process of the Helm chart.)

Default value: "0.12.3@sha256:8c20895767bb1972a3abb066ba8adc4034ce718b199fbe205a9ae67d5544a888"

nubusSelfServiceConsumer.livenessProbe.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusSelfServiceConsumer.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusSelfServiceConsumer.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusSelfServiceConsumer.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusSelfServiceConsumer.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusSelfServiceConsumer.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusSelfServiceConsumer.nameOverride#

Default value: "selfservice-listener"

nubusSelfServiceConsumer.nats.auth.password#

Default value: null

nubusSelfServiceConsumer.nodeSelector#

Default value: {}

nubusSelfServiceConsumer.podAnnotations#

Default value: {}

nubusSelfServiceConsumer.podSecurityContext#

Default value: {}

nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.keyMapping.password#

Default value: "PROVISIONING_API_PASSWORD"

nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.name#

Default value: "{{ .Release.Name }}-selfservice-listener-credentials"

nubusSelfServiceConsumer.provisioningApi.auth.password#

TODO: This needs another iteration, it shows that we set the password, but we also have the existingSecret. Most likely this does belong in the user provisioning configuration around provisioning.

Default value: null

nubusSelfServiceConsumer.provisioningApi.auth.username#

Default value: "selfservice"

nubusSelfServiceConsumer.provisioningApi.config.maxAcknowledgementRetries#

The maximum number of retries for acknowledging a message

Default value: 3

nubusSelfServiceConsumer.provisioningApi.connection.baseUrl#

The base URL the provisioning API is reachable at. (e.g. “https://provisioning-api”)

Default value: ""

nubusSelfServiceConsumer.readinessProbe.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusSelfServiceConsumer.readinessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusSelfServiceConsumer.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusSelfServiceConsumer.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusSelfServiceConsumer.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusSelfServiceConsumer.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusSelfServiceConsumer.replicaCount#

Default value: 1

nubusSelfServiceConsumer.resources#

Default value: {}

nubusSelfServiceConsumer.resources.limits.cpu#

Default value: 288

nubusSelfServiceConsumer.resources.limits.memory#

Default value: "1Gi"

nubusSelfServiceConsumer.resources.requests.cpu#

Default value: "10m"

nubusSelfServiceConsumer.resources.requests.memory#

Default value: "16Mi"

nubusSelfServiceConsumer.resourcesWaitForDependency#

Default value: {}

nubusSelfServiceConsumer.securityContext#

Default value: {}

nubusSelfServiceConsumer.selfserviceListener.config.logLevel#

Log level for the selfservice listener. Valid values are: ERROR, WARNING, INFO, DEBUG.

Default value: "INFO"

nubusSelfServiceConsumer.selfserviceListener.config.maxUmcRequestRetries#

Configure how often sending the invitation email is retried before the Pod fails. After a Pod restart, the message is retried again. Valid values are integers between 0 and 10.

Default value: 5

nubusSelfServiceConsumer.serviceAccount.annotations#

Annotations to add to the service account.

Default value: {}

nubusSelfServiceConsumer.serviceAccount.automountServiceAccountToken#

Allows auto mount of the ServiceAccountToken on the created serviceAccount. Can be set to false if pods using this serviceAccount do not need to use the K8s API.

Default value: false

nubusSelfServiceConsumer.serviceAccount.create#

Specifies whether a service account should be created.

Default value: true

nubusSelfServiceConsumer.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusSelfServiceConsumer.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template.

Default value: ""

nubusSelfServiceConsumer.terminationGracePeriodSeconds#

Default value: 5

nubusSelfServiceConsumer.tolerations#

Default value: []

nubusSelfServiceConsumer.umc.connection.baseUrl#

The base URL the UMC is reachable at. (e.g. “https://umc-server”)

Default value: ""

nubusSelfServiceConsumer.waitForDependency.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusSelfServiceConsumer.waitForDependency.image.registry#

Default value: ""

nubusSelfServiceConsumer.waitForDependency.image.repository#

Default value:

"nubus/images/wait-for-dependency"

nubusSelfServiceConsumer.waitForDependency.image.tag#

Default value:

"0.26.0@sha256:a31fde86bf21c597a31356fe492ab7e7a03a89282ca215eb7100763d6eb96b6b"

10.2.22. nubusStackDataUms#

nubusStackDataUms.additionalAnnotations#

Additional custom annotations to add to deployed objects.

Default value: {}

nubusStackDataUms.affinity#

Default value: {}

nubusStackDataUms.configMapUcr#

Default value:

"{{ include \"common.names.fullname\" . }}-ucr"

nubusStackDataUms.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusStackDataUms.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusStackDataUms.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusStackDataUms.containerSecurityContext.privileged#

Default value: false

nubusStackDataUms.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusStackDataUms.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusStackDataUms.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusStackDataUms.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusStackDataUms.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusStackDataUms.enabled#

Default value: true

nubusStackDataUms.environment#

Default value: {}

nubusStackDataUms.extensions#

Extensions to load. This will override the configuration in global.extensions.

Default value: []

nubusStackDataUms.fullnameOverride#

Default value: ""

nubusStackDataUms.global.configUcr#

Default value: {}

nubusStackDataUms.global.extensions#

Allows configuring extensions globally.

Default value: []

nubusStackDataUms.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

Default value: "IfNotPresent"

nubusStackDataUms.global.imagePullSecrets#

Credentials to fetch images from a private registry. Example: imagePullSecrets: - “docker-registry”. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

Default value: []

nubusStackDataUms.global.imageRegistry#

Container registry address.

Default value:

"artifacts.software-univention.de"

nubusStackDataUms.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusStackDataUms.global.systemExtensions#

Allows configuring system extensions globally.

Default value: []

nubusStackDataUms.image.imagePullPolicy#

Default value: ""

nubusStackDataUms.image.registry#

Default value: ""

nubusStackDataUms.image.repository#

Default value: "nubus/images/data-loader"

nubusStackDataUms.image.sha256#

Define the image sha256 as an alternative to the tag.

Default value: null

nubusStackDataUms.image.tag#

Default value:

"0.80.2@sha256:04b4b928e5e957f6544b6e0af32c75340cfacf182a78e03bc1a65bdf9f8d9e5d"

nubusStackDataUms.mountSecrets#

Default value: true

nubusStackDataUms.nameOverride#

Default value: "stack-data-ums"

nubusStackDataUms.nodeSelector#

Default value: {}

nubusStackDataUms.nubusKeycloakBootstrap.enabled#

Default value: true

nubusStackDataUms.nubusKeycloakBootstrap.keycloak.auth.existingSecret.keyMapping.adminPassword#

Default value: "admin_password"

nubusStackDataUms.nubusKeycloakBootstrap.keycloak.auth.existingSecret.name#

Default value:

"{{- printf \"%s-keycloak-credentials\" .Release.Name -}}"

nubusStackDataUms.nubusKeycloakBootstrap.keycloak.auth.username#

Default value: "kcadmin"

nubusStackDataUms.nubusKeycloakBootstrap.ldap.auth.bindDn#

Default value:

"{{ include \"nubus.keycloak.ldap.auth.bindDn\" . }}"

nubusStackDataUms.nubusKeycloakBootstrap.ldap.auth.existingSecret.name#

Default value:

"{{- printf \"%s-keycloak-bootstrap-ldap-credentials\" .Release.Name -}}"

nubusStackDataUms.nubusKeycloakBootstrap.nameOverride#

Default value: "keycloak-bootstrap"

nubusStackDataUms.nubusKeycloakBootstrap.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusKeycloakBootstrap.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusKeycloakBootstrap.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusKeycloakBootstrap.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusKeycloakBootstrap.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusKeycloakExtensions.enabled#

Default value: false

nubusStackDataUms.nubusKeycloakExtensions.handler.appConfig.logLevel#

Default value: "INFO"

nubusStackDataUms.nubusKeycloakExtensions.keycloak.auth.existingSecret.keyMapping.adminPassword#

Default value: "admin_password"

nubusStackDataUms.nubusKeycloakExtensions.keycloak.auth.existingSecret.name#

Default value:

"{{- printf \"%s-keycloak-credentials\" .Release.Name -}}"

nubusStackDataUms.nubusKeycloakExtensions.keycloak.auth.username#

Default value: "kcadmin"

nubusStackDataUms.nubusKeycloakExtensions.keycloak.connection.host#

Default value: ""

nubusStackDataUms.nubusKeycloakExtensions.nameOverride#

Default value: "keycloak-extensions"

nubusStackDataUms.nubusKeycloakExtensions.postgresql.auth.database#

Default value: "keycloak_extensions"

nubusStackDataUms.nubusKeycloakExtensions.postgresql.auth.existingSecret.name#

Default value:

"{{- printf \"%s-keycloak-extensions-postgresql-credentials\" .Release.Name -}}"

nubusStackDataUms.nubusKeycloakExtensions.postgresql.auth.username#

Default value: "keycloak_extensions"

nubusStackDataUms.nubusKeycloakExtensions.postgresql.connection.host#

Default value: ""

nubusStackDataUms.nubusKeycloakExtensions.postgresql.connection.port#

Default value: ""

nubusStackDataUms.nubusKeycloakExtensions.proxy.appConfig.logLevel#

Default value: "info"

nubusStackDataUms.nubusKeycloakExtensions.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusKeycloakExtensions.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusKeycloakExtensions.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusKeycloakExtensions.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusKeycloakExtensions.smtp.auth.existingSecret.name#

Default value:

"{{- printf \"%s-keycloak-extensions-smtp-credentials\" .Release.Name -}}"

nubusStackDataUms.nubusKeycloakExtensions.smtp.auth.username#

Default value: "keycloak-extensions"

nubusStackDataUms.nubusKeycloakExtensions.smtp.connection.host#

Default value: ""

nubusStackDataUms.nubusKeycloakExtensions.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusNotificationsApi.enabled#

Default value: true

nubusStackDataUms.nubusNotificationsApi.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusStackDataUms.nubusNotificationsApi.nameOverride#

Default value: "notifications-api"

nubusStackDataUms.nubusNotificationsApi.notificationsApi.logLevel#

Default value: "INFO"

nubusStackDataUms.nubusNotificationsApi.postgresql.auth.database#

Default value: "notificationsapi"

nubusStackDataUms.nubusNotificationsApi.postgresql.auth.existingSecret.name#

Default value:

"{{ .Release.Name }}-notifications-api-postgresql-credentials"

nubusStackDataUms.nubusNotificationsApi.postgresql.auth.username#

Default value: "notificationsapi_user"

nubusStackDataUms.nubusNotificationsApi.postgresql.bundled#

Default value: false

nubusStackDataUms.nubusNotificationsApi.postgresql.connection.host#

Default value: ""

nubusStackDataUms.nubusNotificationsApi.postgresql.connection.port#

Default value: ""

nubusStackDataUms.nubusNotificationsApi.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusNotificationsApi.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusNotificationsApi.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusNotificationsApi.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusNotificationsApi.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusPortalConsumer.enabled#

Default value: true

nubusStackDataUms.nubusPortalConsumer.nameOverride#

Default value: "portal-consumer"

nubusStackDataUms.nubusPortalConsumer.objectStorage.auth.accessKey#

Default value: null

nubusStackDataUms.nubusPortalConsumer.objectStorage.auth.secretKey#

Default value: null

nubusStackDataUms.nubusPortalConsumer.portalConsumer.ldapHost#

Default value:

"{{ .Release.Name }}-ldap-server-primary"

nubusStackDataUms.nubusPortalConsumer.portalConsumer.objectStorageBucket#

Default value: "nubus"

nubusStackDataUms.nubusPortalConsumer.provisioningApi.auth.existingSecret.name#

Default value: null

nubusStackDataUms.nubusPortalConsumer.provisioningApi.auth.password#

Default value: null

nubusStackDataUms.nubusPortalConsumer.provisioningApi.auth.username#

Default value: "portal-consumer"

nubusStackDataUms.nubusPortalConsumer.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusPortalConsumer.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusPortalConsumer.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusPortalConsumer.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusPortalConsumer.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusPortalServer.enabled#

Default value: true

nubusStackDataUms.nubusPortalServer.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusStackDataUms.nubusPortalServer.nameOverride#

Default value: "portal-server"

nubusStackDataUms.nubusPortalServer.objectStorage.auth.accessKey#

Default value: null

nubusStackDataUms.nubusPortalServer.objectStorage.auth.secretKey#

Default value: null

nubusStackDataUms.nubusPortalServer.portalServer.logLevel#

Default value: "INFO"

nubusStackDataUms.nubusPortalServer.portalServer.objectStorageBucket#

Default value: "nubus"

nubusStackDataUms.nubusPortalServer.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusPortalServer.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusPortalServer.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusPortalServer.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusPortalServer.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusProvisioning.api.auth.admin.existingSecret.keyMapping.password#

Default value: "ADMIN_PASSWORD"

nubusStackDataUms.nubusProvisioning.api.auth.admin.existingSecret.name#

Default value:

"{{ .Release.Name }}-provisioning-api-credentials"

nubusStackDataUms.nubusProvisioning.api.auth.adminPassword#

Default value: null

nubusStackDataUms.nubusProvisioning.api.auth.eventsUdm.existingSecret.keyMapping.password#

Default value: "EVENTS_PASSWORD_UDM"

nubusStackDataUms.nubusProvisioning.api.auth.eventsUdm.existingSecret.name#

Default value:

"{{ .Release.Name }}-provisioning-api-credentials"

nubusStackDataUms.nubusProvisioning.api.auth.prefill.existingSecret.keyMapping.password#

Default value: "PREFILL_PASSWORD"

nubusStackDataUms.nubusProvisioning.api.auth.prefill.existingSecret.name#

Default value:

"{{ .Release.Name }}-provisioning-api-credentials"

nubusStackDataUms.nubusProvisioning.api.auth.prefillPassword#

Default value: null

nubusStackDataUms.nubusProvisioning.api.auth.udmTransformerPassword#

Default value: null

nubusStackDataUms.nubusProvisioning.api.config.LOG_LEVEL#

Default value: "INFO"

nubusStackDataUms.nubusProvisioning.api.nats.auth.existingSecret.keyMapping.provisioningApiPassword#

Default value: "NATS_PASSWORD"

nubusStackDataUms.nubusProvisioning.api.nats.auth.existingSecret.name#

Default value:

"{{ .Release.Name }}-provisioning-api-credentials"

nubusStackDataUms.nubusProvisioning.api.nats.auth.password#

Default value: null

nubusStackDataUms.nubusProvisioning.api.nats.connection.host#

Default value: ""

nubusStackDataUms.nubusProvisioning.api.nats.connection.password.secretKeyRef.key#

Default value: "password"

nubusStackDataUms.nubusProvisioning.api.nats.connection.port#

Default value: ""

nubusStackDataUms.nubusProvisioning.api.nats.connection.username#

Default value: "events_and_consumer_api"

nubusStackDataUms.nubusProvisioning.dispatcher.config.LOG_LEVEL#

Default value: "INFO"

nubusStackDataUms.nubusProvisioning.dispatcher.nats.auth.existingSecret.keyMapping.dispatcherPassword#

Default value: "NATS_PASSWORD"

nubusStackDataUms.nubusProvisioning.dispatcher.nats.auth.existingSecret.name#

Default value:

"{{ .Release.Name }}-provisioning-dispatcher-credentials"

nubusStackDataUms.nubusProvisioning.dispatcher.nats.auth.password#

Default value: null

nubusStackDataUms.nubusProvisioning.dispatcher.nats.connection.host#

Default value: ""

nubusStackDataUms.nubusProvisioning.dispatcher.nats.connection.port#

Default value: ""

nubusStackDataUms.nubusProvisioning.enabled#

Default value: true

nubusStackDataUms.nubusProvisioning.ldap.auth.existingSecret.keyMapping.password#

Default value:

"{{ .Values.global.ldap.auth.cnAdmin.existingSecret.keyMapping.password }}"

nubusStackDataUms.nubusProvisioning.ldap.auth.existingSecret.name#

Default value:

"{{- printf \"%s-ldap-server-credentials\" .Release.Name -}}"

nubusStackDataUms.nubusProvisioning.nameOverride#

Default value: "provisioning"

nubusStackDataUms.nubusProvisioning.nats.auth.adminPassword#

Default value: null

nubusStackDataUms.nubusProvisioning.nats.config.cluster.replicas#

TODO: Set back to the default of 3 after nats clustering is solved.

Default value: 1

nubusStackDataUms.nubusProvisioning.nats.config.createUsers.udmListener.password#

Default value: "$NATS_UDM_LISTENER_PASSWORD"

nubusStackDataUms.nubusProvisioning.nats.config.createUsers.udmListener.permissions.publish#

Default value: ">"

nubusStackDataUms.nubusProvisioning.nats.config.createUsers.udmListener.permissions.subscribe#

Default value: ">"

nubusStackDataUms.nubusProvisioning.nats.config.createUsers.udmListener.user#

Default value: "udmlistener"

nubusStackDataUms.nubusProvisioning.nats.extraEnvVars#

Default value:

[{"name": "NATS_UDM_LISTENER_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-udm-listener-credentials", "key": "NATS_PASSWORD"}}}, {"name": "NATS_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-nats-credentials", "key": "admin_password"}}}, {"name": "NATS_PROVISIONING_API_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-api-credentials", "key": "NATS_PASSWORD"}}}, {"name": "NATS_DISPATCHER_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-dispatcher-credentials", "key": "NATS_PASSWORD"}}}, {"name": "NATS_UDM_TRANSFORMER_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-udm-transformer-credentials", "key": "NATS_PASSWORD"}}}, {"name": "NATS_PREFILL_PASSWORD", "valueFrom": {"secretKeyRef": {"name": "{{ .Release.Name }}-provisioning-prefill-credentials", "key": "NATS_PASSWORD"}}}]

nubusStackDataUms.nubusProvisioning.nats.global.imageRegistry#

Default value: "docker.io"

nubusStackDataUms.nubusProvisioning.nats.natsBox.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusProvisioning.nats.natsBox.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusProvisioning.nats.natsBox.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusProvisioning.nats.natsBox.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusProvisioning.nats.reloader.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusProvisioning.nats.reloader.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusProvisioning.nats.reloader.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusProvisioning.nats.reloader.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusProvisioning.nats.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusProvisioning.nats.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusProvisioning.nats.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusProvisioning.nats.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusProvisioning.prefill.config.LOG_LEVEL#

Default value: "INFO"

nubusStackDataUms.nubusProvisioning.prefill.nats.auth.existingSecret.keyMapping.prefillPassword#

Default value: "NATS_PASSWORD"

nubusStackDataUms.nubusProvisioning.prefill.nats.auth.existingSecret.name#

Default value:

"{{ .Release.Name }}-provisioning-prefill-credentials"

nubusStackDataUms.nubusProvisioning.prefill.nats.auth.password#

Default value: null

nubusStackDataUms.nubusProvisioning.prefill.nats.connection.host#

Default value: ""

nubusStackDataUms.nubusProvisioning.prefill.nats.connection.port#

Default value: ""

nubusStackDataUms.nubusProvisioning.registerConsumers.createUsers.portalConsumer.existingSecret.keyMapping.password#

Default value: "portal-consumer.json"

nubusStackDataUms.nubusProvisioning.registerConsumers.createUsers.portalConsumer.existingSecret.name#

Default value:

"{{- printf \"%s-provisioning-register-consumers-json-secrets\" .Release.Name -}}"

nubusStackDataUms.nubusProvisioning.registerConsumers.createUsers.selfserviceConsumer.existingSecret.keyMapping.password#

Default value: "selfservice.json"

nubusStackDataUms.nubusProvisioning.registerConsumers.createUsers.selfserviceConsumer.existingSecret.name#

Default value:

"{{- printf \"%s-provisioning-register-consumers-json-secrets\" .Release.Name -}}"

nubusStackDataUms.nubusProvisioning.resources.api.limits.cpu#

Default value: 288

nubusStackDataUms.nubusProvisioning.resources.api.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusProvisioning.resources.api.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusProvisioning.resources.api.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusProvisioning.resources.dispatcher.limits.cpu#

Default value: 288

nubusStackDataUms.nubusProvisioning.resources.dispatcher.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusProvisioning.resources.dispatcher.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusProvisioning.resources.dispatcher.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusProvisioning.resources.prefill.limits.cpu#

Default value: 288

nubusStackDataUms.nubusProvisioning.resources.prefill.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusProvisioning.resources.prefill.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusProvisioning.resources.prefill.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusProvisioning.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusProvisioning.udmTransformer.config.LOG_LEVEL#

Default value: "INFO"

nubusStackDataUms.nubusProvisioning.udmTransformer.ldap.connection.host#

Default value:

"{{ .Release.Name }}-ldap-server-primary"

nubusStackDataUms.nubusProvisioning.udmTransformer.nats.auth.existingSecret.keyMapping.udmTransformerPassword#

Default value: "NATS_PASSWORD"

nubusStackDataUms.nubusProvisioning.udmTransformer.nats.auth.existingSecret.name#

Default value:

"{{ .Release.Name }}-provisioning-udm-transformer-credentials"

nubusStackDataUms.nubusProvisioning.udmTransformer.nats.auth.password#

Default value: null

nubusStackDataUms.nubusSelfServiceConsumer.enabled#

Default value: true

nubusStackDataUms.nubusSelfServiceConsumer.nameOverride#

Default value: "selfservice-listener"

nubusStackDataUms.nubusSelfServiceConsumer.nats.auth.password#

Default value: null

nubusStackDataUms.nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.keyMapping.password#

Default value: "PROVISIONING_API_PASSWORD"

nubusStackDataUms.nubusSelfServiceConsumer.provisioningApi.auth.existingSecret.name#

Default value:

"{{ .Release.Name }}-selfservice-listener-credentials"

nubusStackDataUms.nubusSelfServiceConsumer.provisioningApi.auth.password#

TODO: This needs another iteration, it shows that we set the password, but we also have the existingSecret. Most likely this does belong in the user provisioning configuration around provisioning.

Default value: null

nubusStackDataUms.nubusSelfServiceConsumer.provisioningApi.auth.username#

Default value: "selfservice"

nubusStackDataUms.nubusSelfServiceConsumer.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusSelfServiceConsumer.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusSelfServiceConsumer.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusSelfServiceConsumer.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusSelfServiceConsumer.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusUdmListener.config.debugLevel#

Default value: "2"

nubusStackDataUms.nubusUdmListener.enabled#

Default value: true

nubusStackDataUms.nubusUdmListener.ldap.auth.bindDn#

Default value: "cn=admin,dc=example,dc=org"

nubusStackDataUms.nubusUdmListener.ldap.auth.credentialSecret.key#

Default value: "password"

nubusStackDataUms.nubusUdmListener.ldap.connection.host#

Default value: ""

nubusStackDataUms.nubusUdmListener.ldap.connection.port#

Default value: ""

nubusStackDataUms.nubusUdmListener.nameOverride#

Default value: "provisioning-listener"

nubusStackDataUms.nubusUdmListener.nats.auth.password#

Default value: null

nubusStackDataUms.nubusUdmListener.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusUdmListener.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusUdmListener.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusUdmListener.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusUdmListener.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusUdmRestApi.enabled#

Default value: true

nubusStackDataUms.nubusUdmRestApi.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusStackDataUms.nubusUdmRestApi.nameOverride#

Default value: "udm-rest-api"

nubusStackDataUms.nubusUdmRestApi.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusUdmRestApi.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusUdmRestApi.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusUdmRestApi.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusUdmRestApi.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusUdmRestApi.udmRestApi.ldap.auth.existingSecret.keyMapping.password#

Default value:

"{{ .Values.global.ldap.auth.cnAdmin.existingSecret.keyMapping.password }}"

nubusStackDataUms.nubusUdmRestApi.udmRestApi.ldap.auth.existingSecret.name#

Default value:

"{{- printf \"%s-ldap-server-credentials\" .Release.Name -}}"

nubusStackDataUms.nubusUdmRestApi.udmRestApi.ldap.baseDn#

Default value: ""

nubusStackDataUms.nubusUdmRestApi.udmRestApi.ldap.uri#

Default value: ""

nubusStackDataUms.nubusUmcServer.enabled#

Default value: true

nubusStackDataUms.nubusUmcServer.extraVolumeMounts#

Default value:

[{"name": "certificates", "mountPath": "/var/secrets/ssl"}]

nubusStackDataUms.nubusUmcServer.extraVolumes#

Default value:

[{"name": "certificates", "secret": {"secretName": "{{ .Release.Name }}-saml-tls"}}]

nubusStackDataUms.nubusUmcServer.global.imageRegistry#

Default value: "docker.io"

nubusStackDataUms.nubusUmcServer.image.registry#

Default value:

"artifacts.software-univention.de"

nubusStackDataUms.nubusUmcServer.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusStackDataUms.nubusUmcServer.ldap.existingSecret.keyMapping.ldapPasswordKey#

Default value: "ldap.secret"

nubusStackDataUms.nubusUmcServer.ldap.existingSecret.keyMapping.machinePasswordKey#

Default value: "machine.secret"

nubusStackDataUms.nubusUmcServer.ldap.existingSecret.name#

Default value:

"{{ printf \"%s-umc-server-ldap-credentials\" .Release.Name }}"

nubusStackDataUms.nubusUmcServer.memcached.auth.existingPasswordSecret#

Default value:

"{{ printf \"%s-umc-server-memcached-credentials\" .Release.Name }}"

nubusStackDataUms.nubusUmcServer.memcached.auth.existingSecret.name#

Default value:

"{{ printf \"%s-umc-server-memcached-credentials\" .Release.Name }}"

nubusStackDataUms.nubusUmcServer.memcached.auth.username#

Default value: "selfservice"

nubusStackDataUms.nubusUmcServer.memcached.connection.host#

Default value: ""

nubusStackDataUms.nubusUmcServer.memcached.connection.port#

Default value: ""

nubusStackDataUms.nubusUmcServer.memcached.connection.username#

Default value: "umcserver"

nubusStackDataUms.nubusUmcServer.memcached.containerSecurityContext.readOnlyRootFilesystem#

Default value: false

nubusStackDataUms.nubusUmcServer.memcached.nameOverride#

Default value: "umc-server-memcached"

nubusStackDataUms.nubusUmcServer.nameOverride#

Default value: "umc-server"

nubusStackDataUms.nubusUmcServer.postgresql.auth.database#

Default value: "selfservice"

nubusStackDataUms.nubusUmcServer.postgresql.auth.existingSecret.name#

Default value:

"{{ printf \"%s-umc-server-postgresql-credentials\" .Release.Name }}"

nubusStackDataUms.nubusUmcServer.postgresql.auth.username#

Default value: "selfservice"

nubusStackDataUms.nubusUmcServer.postgresql.connection.host#

Default value: ""

nubusStackDataUms.nubusUmcServer.postgresql.connection.port#

Default value: ""

nubusStackDataUms.nubusUmcServer.proxy.logLevel#

Default value: "INFO"

nubusStackDataUms.nubusUmcServer.replicaCount#

Default value: 1

nubusStackDataUms.nubusUmcServer.resources.limits.cpu#

Default value: 288

nubusStackDataUms.nubusUmcServer.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.nubusUmcServer.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.nubusUmcServer.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.nubusUmcServer.smtp.existingSecret.name#

Default value:

"{{ printf \"%s-umc-server-smtp-credentials\" .Release.Name }}"

nubusStackDataUms.nubusUmcServer.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.nubusUmcServer.umcServer.certPemFile#

Default value: "/var/secrets/ssl/tls.crt"

nubusStackDataUms.nubusUmcServer.umcServer.privateKeyFile#

Default value: "/var/secrets/ssl/tls.key"

nubusStackDataUms.podAnnotations#

Default value: {}

nubusStackDataUms.podSecurityContext#

Default value: {}

nubusStackDataUms.resources#

Default value: {}

nubusStackDataUms.resources.limits.cpu#

Default value: 288

nubusStackDataUms.resources.limits.memory#

Default value: "1Gi"

nubusStackDataUms.resources.requests.cpu#

Default value: "10m"

nubusStackDataUms.resources.requests.memory#

Default value: "16Mi"

nubusStackDataUms.serviceAccount.annotations#

Annotations to add to the service account.

Default value: {}

nubusStackDataUms.serviceAccount.automountServiceAccountToken#

Allows auto mount of the ServiceAccountToken on the created serviceAccount. Can be set to false if pods using this serviceAccount do not need to use the K8s API.

Default value: false

nubusStackDataUms.serviceAccount.create#

Specifies whether a service account should be created.

Default value: true

nubusStackDataUms.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusStackDataUms.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template.

Default value: ""

nubusStackDataUms.stackDataContext.domainname#

Domain name of the instance. Chart defaults to univention-organization.intranet. Example: “example.org”

Default value: ""

nubusStackDataUms.stackDataContext.externalDomainName#

Domain name of the instance. Chart defaults to univention-organization.intranet. Example: “example.org”

Default value: ""

nubusStackDataUms.stackDataContext.externalMailDomain#

Interim. The external mail domain in use. Currently required to create the Administrator account. Chart defaults to univention-organization.test.

Default value: ""

nubusStackDataUms.stackDataContext.hostname#

Host name of the instance. Chart defaults to portal. Example: “souvap”

Default value: ""

nubusStackDataUms.stackDataContext.idpFqdn#

The FQDN of the identity provider (without the protocol specification). Example: “id.souvap.example.org”

Default value: null

nubusStackDataUms.stackDataContext.idpSamlMetadataUrl#

SAML Identity Provider metadata URL (as visible from the user/internet). Example: “https://id.souvap.example.org/realms/ucs/protocol/saml/descriptor”

Default value: null

nubusStackDataUms.stackDataContext.idpSamlMetadataUrlInternal#

SAML Identity Provider metadata URL (as visible from inside the container), optional. Example: “http://keycloak:8080/realms/ucs/protocol/saml/descriptor”

Default value: ""

nubusStackDataUms.stackDataContext.initialPasswordAdministrator#

The initial password of the user “Administrator”.

Default value: null

nubusStackDataUms.stackDataContext.initialPasswordSysIdpUser#

The initial password of the user “sys-idp-user”.

Default value: null

nubusStackDataUms.stackDataContext.ldapBase#

Base DN of the LDAP directory. Chart defaults to dc=univention-organization,dc=intranet. Example: “dc=example,dc=org”

Default value: ""

nubusStackDataUms.stackDataContext.ldapHost#

Default value:

"{{ include \"nubusTemplates.connections.ldap.primary.host\" . }}"

nubusStackDataUms.stackDataContext.ldapHostDn#

DN of the UMS instance. Chart defaults to cn=admin,dc=univention-organization,dc=intranet. Example: “cn=ucs-1234,cn=dc,cn=computers,dc=example,dc=org”

Default value: ""

nubusStackDataUms.stackDataContext.ldapMasterHost#

Default value:

"{{ include \"nubusTemplates.connections.ldap.primary.host\" . }}"

nubusStackDataUms.stackDataContext.ldapMasterPort#

Port to connect to the primary LDAP server. Chart defaults to 389. Example: 389

Default value: ""

nubusStackDataUms.stackDataContext.ldapPort#

Port to connect to the LDAP server. Chart defaults to 389. Example: 389

Default value: ""

nubusStackDataUms.stackDataContext.ldapSamlSpUrls#

List of SAML Service Provider URLs which the LDAP server should trust (comma-separated). Example: “https://portal.souvap.example.org/univention/saml/metadata”

Default value: null

nubusStackDataUms.stackDataContext.portalAuthMode#

The authentication method to use for the portal. Default is saml.

Default value: "saml"

nubusStackDataUms.stackDataContext.portalFqdn#

Default value:

"portal.{{ include \"stack-data-ums.externalDomainName\" . }}"

nubusStackDataUms.stackDataContext.showUmc#

Whether the default portal shows UMC modules.

Default value: true

nubusStackDataUms.stackDataContext.smtpHost#

Self-service emails: SMTP host

Default value: ""

nubusStackDataUms.stackDataContext.smtpPort#

Self-service emails: SMTP port (default: 587)

Default value: 587

nubusStackDataUms.stackDataContext.smtpStartTls#

Self-service emails: SMTP via TLS (default: true)

Default value: true

nubusStackDataUms.stackDataContext.smtpUser#

Self-service emails: SMTP username

Default value: ""

nubusStackDataUms.stackDataContext.umcHtmlTitle#

UMC web page title. Chart supports templated values.

Default value: "Univention Portal"

nubusStackDataUms.stackDataContext.umcMemcachedHostname#

Hostname to use for memcached of the selfservice in UMC. This sets the UCR variable umc/self-service/memcached/socket. Chart default is umc-server-memcached.

Default value: ""

nubusStackDataUms.stackDataContext.umcMemcachedUsername#

Username to use for memcached of the selfservice in UMC. This sets the UCR variable umc/self-service/memcached/username. UCR has no default.

Default value: ""

nubusStackDataUms.stackDataContext.umcPostgresqlDatabase#

This sets the UCR variable umc/self-service/postgresql/database. UCR default is selfservice. Chart default is selfservice.

Default value: ""

nubusStackDataUms.stackDataContext.umcPostgresqlHostname#

Hostname to use for postgresql of the selfservice in UMC. This sets the UCR variable umc/self-service/postgresql/hostname. UCR default is localhost. Chart default is umc-server-postgresql.

Default value: ""

nubusStackDataUms.stackDataContext.umcPostgresqlPort#

Port to use for postgresql of the selfservice in UMC. This sets the UCR variable umc/self-service/postgresql/port. UCR default is 5432. Chart default is 5432.

Default value: ""

nubusStackDataUms.stackDataContext.umcPostgresqlUsername#

Username to use for postgresql of the selfservice in UMC. This sets the UCR variable umc/self-service/postgresql/username. UCR default is selfservice. Chart default is selfservice.

Default value: ""

nubusStackDataUms.stackDataContext.umcSamlSchemes#

Which address scheme to consider for SAML ACS (string, comma-separated). Chart default is https. Example: “https, http”

Default value: "https"

nubusStackDataUms.stackDataContext.umcSamlSpFqdn#

SAML Service Provider hostname (FQDN of the UMC, which is the service provider). Example: “portal.souvap.example.org”

Default value: null

nubusStackDataUms.stackDataUms.dependencyUdmApiWait#

Wait for the udm-rest-api to be available

Default value: true

nubusStackDataUms.stackDataUms.extraDataFiles#

Allows configuring additional data files. This has to be a map from the desired filename to the content. The content has to be a valid YAML stream which the data loader is able to process.

Default value: null

nubusStackDataUms.stackDataUms.logContext#

Enables logging of the template context used to render the template files. Be aware that this may log sensitive information.

Default value: false

nubusStackDataUms.stackDataUms.logTemplate#

Enables logging of the rendered templates for troubleshooting. Be aware that this may log sensitive information.

Default value: false

nubusStackDataUms.stackDataUms.udmApiPassword#

The password to access the UDM Rest API

Default value: ""

nubusStackDataUms.stackDataUms.udmApiPasswordFile#

The filename which contains the password

Default value:

"/run/secrets/univention.de/data-loader/udm_secret"

nubusStackDataUms.stackDataUms.udmApiPort#

The port on which the UDM Rest API is listening. Chart defaults to 9979.

Default value: ""

nubusStackDataUms.stackDataUms.udmApiUrl#

The URL by which the UDM Rest API can be reached. Chart defaults to http://udm-rest-api/udm/. Nubus defaults to http://$RELEASE_NAME-udm-rest-api/udm/.

Default value: ""

nubusStackDataUms.stackDataUms.udmApiUser#

The username to use to connect to the UDM Rest API

Default value: "cn=admin"

nubusStackDataUms.systemExtensions#

Allows configuring the system extensions to load. This is intended for internal usage; prefer extensions for user-configured extensions. This value will override the configuration in global.systemExtensions.

Default value: []

nubusStackDataUms.templateContext.domainName#

Domain name of the instance. Chart defaults to univention-organization.intranet. Example: “example.org”

Default value:

"{{ include \"stack-data-ums.domainName\" . }}"

nubusStackDataUms.templateContext.enableDefaultLogin#

Enable the plain UMC login. Enabling it will show the UMC login tile. This value is also controlled globally, which will cause the ingress to be disabled as well. Enabling it here will show the UMC login tile, but will not enable the ingress path. Example: false

Default value:

"{{ include \"stack-data-ums.enableDefaultLogin\" . }}"

nubusStackDataUms.templateContext.externalMailDomain#

Interim. The external mail domain in use. Currently required to create the Administrator account. Chart defaults to univention-organization.test.

Default value:

"{{ include \"stack-data-ums.externalMailDomain\" . }}"

nubusStackDataUms.templateContext.initialPasswordAdministrator#

Default value:

"{{ include \"nubusTemplates.credentials.administrator.password\" . }}"

nubusStackDataUms.templateContext.ldapBaseDn#

Base DN of the LDAP directory. Chart defaults to dc=univention-organization,dc=intranet. Example: “dc=example,dc=org”

Default value:

"{{ include \"stack-data-ums.ldapBaseDn\" . }}"

nubusStackDataUms.templateContext.ldapSearchUsers#

Default value: []

nubusStackDataUms.templateContext.ldapSystemUsers#

Default value:

[{"username": "readonly", "lastname": "LDAP-system-User", "password": "{{ include \"nubusTemplates.credentials.ldap.users.readonly.password\" . }}"}]

nubusStackDataUms.templateContext.loadDevData#

Load development data, such as test users.

Default value: true

nubusStackDataUms.templateContext.readonlyUserPassword#

Default value:

"{{ include \"nubusTemplates.credentials.ldap.users.readonly.password\" . }}"

nubusStackDataUms.templateContext.showUmc#

Default value:

"{{ include \"stack-data-ums.showUmc\" . }}"

nubusStackDataUms.templateContext.subDomainsKeycloak#

Default value:

"{{ include \"stack-data-ums.subDomains.keycloak\" . }}"

nubusStackDataUms.terminationGracePeriodSeconds#

Default value: 5

nubusStackDataUms.tolerations#

Default value: []

10.2.23. nubusUdmListener#

nubusUdmListener.affinity#

Default value: {}

nubusUdmListener.config.caCert#

CA root certificate, base64-encoded. Optional; will be written to “caCertFile” if set.

Default value: ""

nubusUdmListener.config.caCertFile#

Where to search for the CA certificate file. Example: caCertFile: “/var/secrets/ca_cert”

Default value: ""

nubusUdmListener.config.debugLevel#

Default value: "2"

nubusUdmListener.config.eventsPasswordUdm#

Default value: "udmpass"

nubusUdmListener.config.eventsUsernameUdm#

Default value: "udm"

nubusUdmListener.config.ldapBaseDn#

Default value: null

nubusUdmListener.config.ldapHost#

The LDAP Server host, should point to the service name of the ldap-server-primary that the ldap-notifier is sharing a volume with. Example: “ldap-server-notifier”

Default value: ""

nubusUdmListener.config.ldapHostDn#

Default value: null

nubusUdmListener.config.ldapPassword#

LDAP password for cn=admin. Will be written to “ldapPasswordFile” if set.

Default value: ""

nubusUdmListener.config.ldapPasswordFile#

The path to the “ldapPasswordFile” docker secret or a plain file

Default value: "/var/secrets/ldap_secret"

nubusUdmListener.config.ldapPort#

Default value: "389"

nubusUdmListener.config.natsHost#

NATS: host (required if nats.bundled == false)

Default value: null

nubusUdmListener.config.natsPassword#

NATS: password

Default value: "udmlistenerpass"

nubusUdmListener.config.natsPort#

NATS: port (required if nats.bundled == false)

Default value: "4222"

nubusUdmListener.config.natsUser#

NATS: user name

Default value: "udmlistener"

nubusUdmListener.config.nats_max_reconnect_attempts#

NATS: maximum number of reconnect attempts to the NATS server

Default value: "5"

nubusUdmListener.config.notifierServer#

Defaults to “ldapHost” if not set.

Default value: "ldap-notifier"

nubusUdmListener.config.provisioningApi.auth.credentialSecret.name#

Default value: ""

nubusUdmListener.config.provisioningApi.auth.credentialSecret.passwordKey#

Default value: "EVENTS_PASSWORD_UDM"

nubusUdmListener.config.provisioningApi.auth.credentialSecret.userNameKey#

Default value: "EVENTS_USERNAME_UDM"

nubusUdmListener.config.provisioningApiHost#

Provisioning-API Hostname

Default value: "provisioning-api"

nubusUdmListener.config.provisioningApiPort#

Provisioning-API Port

Default value: "80"

nubusUdmListener.config.secretMountPath#

Path to mount the secrets to.

Default value: "/var/secrets"

nubusUdmListener.config.tlsMode#

Whether to start encryption and validate certificates. Choose from “off”, “unvalidated” and “secure”.

Default value: "off"

nubusUdmListener.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusUdmListener.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusUdmListener.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusUdmListener.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusUdmListener.containerSecurityContext.runAsGroup#

Process group id.

Default value: 65534

nubusUdmListener.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusUdmListener.containerSecurityContext.runAsUser#

Process user id.

Default value: 102

nubusUdmListener.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusUdmListener.enabled#

Default value: true

nubusUdmListener.environment#

Default value: {}

nubusUdmListener.extraInitContainers#

Define extra init containers. Ref.: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

Default value: []

nubusUdmListener.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusUdmListener.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusUdmListener.fullnameOverride#

Default value: ""

nubusUdmListener.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusUdmListener.global.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusUdmListener.global.imageRegistry#

Container registry address.

Default value:

"artifacts.software-univention.de"

nubusUdmListener.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusUdmListener.image.imagePullPolicy#

Default value: "Always"

nubusUdmListener.image.registry#

Default value: ""

nubusUdmListener.image.repository#

Default value:

"nubus/images/provisioning-udm-listener"

nubusUdmListener.image.tag#

Default value:

"0.46.0@sha256:648101e9115fa9c32583f2588a722201fed8b537167931cce3aee1111c6f50b2"

nubusUdmListener.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusUdmListener.ldap.auth.bindDn#

Default value: "cn=admin,dc=example,dc=org"

nubusUdmListener.ldap.auth.credentialSecret.key#

Default value: "password"

nubusUdmListener.ldap.connection.host#

Default value: ""

nubusUdmListener.ldap.connection.port#

Default value: ""

nubusUdmListener.ldap.credentialSecret.ldapPasswordKey#

Default value: "ldap.secret"

nubusUdmListener.ldap.credentialSecret.machinePasswordKey#

Default value: "machine.secret"

nubusUdmListener.ldap.credentialSecret.name#

Default value: ""

nubusUdmListener.ldap.tlsSecret.caCertKey#

Default value: "ca.crt"

nubusUdmListener.ldap.tlsSecret.name#

Default value: ""

nubusUdmListener.livenessProbe.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusUdmListener.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusUdmListener.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusUdmListener.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusUdmListener.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusUdmListener.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusUdmListener.mountSecrets#

Default value: true

nubusUdmListener.nameOverride#

Default value: "provisioning-listener"

nubusUdmListener.nats.auth.credentialSecret.key#

Default value: "NATS_PASSWORD"

nubusUdmListener.nats.auth.credentialSecret.name#

Default value: ""

nubusUdmListener.nats.auth.password#

Default value: null

nubusUdmListener.nats.bundled#

Default value: true

nubusUdmListener.nodeSelector#

Default value: {}

nubusUdmListener.podAnnotations#

Default value: {}

nubusUdmListener.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusUdmListener.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 65534

nubusUdmListener.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusUdmListener.podSecurityContext.sysctls#

Allow binding to ports below 1024 without root access.

Default value: []

nubusUdmListener.readinessProbe.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusUdmListener.readinessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusUdmListener.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusUdmListener.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusUdmListener.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusUdmListener.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusUdmListener.replicaCount#

Default value: 1

nubusUdmListener.resources.limits.cpu#

Default value: 288

nubusUdmListener.resources.limits.memory#

Default value: "1Gi"

nubusUdmListener.resources.requests.cpu#

Default value: "10m"

nubusUdmListener.resources.requests.memory#

Default value: "16Mi"

nubusUdmListener.securityContext#

Default value: {}

nubusUdmListener.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusUdmListener.serviceAccount.automountServiceAccountToken#

Allows auto mount of ServiceAccountToken on the serviceAccount created. Can be set to false if pods using this serviceAccount do not need to use the K8s API.

Default value: false

nubusUdmListener.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusUdmListener.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusUdmListener.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusUdmListener.startupProbe.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusUdmListener.startupProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusUdmListener.startupProbe.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusUdmListener.startupProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusUdmListener.startupProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusUdmListener.startupProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusUdmListener.terminationGracePeriodSeconds#

Default value: 5

nubusUdmListener.tolerations#

Default value: []

nubusUdmListener.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Example:

topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: failure-domain.beta.kubernetes.io/zone
    whenUnsatisfiable: DoNotSchedule

Default value: []

10.2.24. nubusUdmRestApi#

nubusUdmRestApi.additionalAnnotations#

Additional custom annotations to add to all deployed objects.

Default value: {}

nubusUdmRestApi.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusUdmRestApi.affinity#

Affinity for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.

Default value: {}

nubusUdmRestApi.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusUdmRestApi.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusUdmRestApi.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusUdmRestApi.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusUdmRestApi.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusUdmRestApi.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusUdmRestApi.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusUdmRestApi.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusUdmRestApi.enabled#

Default value: true

nubusUdmRestApi.extensions#

Extensions to load. This will override the configuration in global.extensions.

Default value: []

nubusUdmRestApi.extraEnvVars#

Array with extra environment variables to add to containers. Example:

extraEnvVars:
  - name: FOO
    value: "bar"

Default value: []

nubusUdmRestApi.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusUdmRestApi.extraVolumeMounts#

Optionally specify an extra list of additional volumeMounts.

Default value: []

nubusUdmRestApi.extraVolumes#

Optionally specify an extra list of additional volumes.

Default value: []

nubusUdmRestApi.fullnameOverride#

Provide a name to substitute for the full names of resources.

Default value: ""

nubusUdmRestApi.global.configMapUcr#

ConfigMap name to read UCR values from.

Default value: null

nubusUdmRestApi.global.extensions#

Allows configuring extensions globally.

Default value: []

nubusUdmRestApi.global.imagePullPolicy#

Define an ImagePullPolicy. Ref.: https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy

“IfNotPresent” => The image is pulled only if it is not already present locally.

“Always” => Every time the kubelet launches a container, the kubelet queries the container image registry to resolve the name to an image digest. If the kubelet has a container image with that exact digest cached locally, the kubelet uses its cached image; otherwise, the kubelet pulls the image with the resolved digest, and uses that image to launch the container.

“Never” => The kubelet does not try fetching the image. If the image is somehow already present locally, the kubelet attempts to start the container; otherwise, startup fails.

Default value: "IfNotPresent"

nubusUdmRestApi.global.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusUdmRestApi.global.imageRegistry#

Container registry address.

Default value:

"artifacts.software-univention.de"

nubusUdmRestApi.global.ldap.baseDn#

The LDAP base DN to use when connecting. Example: “dc=univention-organization,dc=intranet”

Default value: ""

nubusUdmRestApi.global.ldap.uri#

The LDAP URI to connect to. Example: “ldap://example-ldap-server:389”

Default value: ""

nubusUdmRestApi.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusUdmRestApi.global.systemExtensions#

Allows configuring system extensions globally.

Default value: []

nubusUdmRestApi.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

imagePullSecrets:
  - "docker-registry"

Default value: []

nubusUdmRestApi.ingress.annotations.nginx.ingress.kubernetes.io/configuration-snippet-disabled#

Default value:

"rewrite ^/univention(/udm/.*)$ $1 break;\n"

nubusUdmRestApi.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size#

Some responses of the UDM Rest API contain very large response headers

Default value: "64k"

nubusUdmRestApi.ingress.annotations.nginx.ingress.kubernetes.io/rewrite-target#

Default value: "/$2$3"

nubusUdmRestApi.ingress.annotations.nginx.ingress.kubernetes.io/use-regex#

Default value: "true"

nubusUdmRestApi.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

nubusUdmRestApi.ingress.certManager.issuerRef.kind#

Type of Issuer, e.g. “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

nubusUdmRestApi.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

nubusUdmRestApi.ingress.enabled#

Enable creation of Ingress.

Default value: true

nubusUdmRestApi.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusUdmRestApi.ingress.ingressClassName#

The Ingress controller class name.

Default value: ""

nubusUdmRestApi.ingress.paths#

Define the Ingress paths.

Default value:

[{"path": "/(univention/)(udm/.*)$", "pathType": "ImplementationSpecific"}]

nubusUdmRestApi.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

nubusUdmRestApi.ingress.tls.secretName#

The name of the kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

nubusUdmRestApi.initResources#

Configure resource requests and limits for initContainers

Default value: {}

nubusUdmRestApi.lifecycleHooks#

Lifecycle to automate configuration before or after startup.

Default value: {}

nubusUdmRestApi.livenessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusUdmRestApi.livenessProbe.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusUdmRestApi.livenessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusUdmRestApi.livenessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusUdmRestApi.livenessProbe.tcpSocket.port#

Default value: 9979

nubusUdmRestApi.livenessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusUdmRestApi.nameOverride#

Default value: "udm-rest-api"

nubusUdmRestApi.nodeSelector#

Node labels for pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

nubusUdmRestApi.persistence.accessModes#

The volume access modes, some of “ReadWriteOnce”, “ReadOnlyMany”, “ReadWriteMany”, “ReadWriteOncePod”.

“ReadWriteOnce” => The volume can be mounted as read-write by a single node. ReadWriteOnce access mode still can allow multiple pods to access the volume when the pods are running on the same node.

“ReadOnlyMany” => The volume can be mounted as read-only by many nodes.

“ReadWriteMany” => The volume can be mounted as read-write by many nodes.

“ReadWriteOncePod” => The volume can be mounted as read-write by a single Pod. Use ReadWriteOncePod access mode if you want to ensure that only one pod across the whole cluster can read that PVC or write to it.

Default value: ["ReadWriteOnce"]

nubusUdmRestApi.persistence.annotations#

Annotations for the PVC.

Default value: {}

nubusUdmRestApi.persistence.dataSource#

Custom PVC data source.

Default value: {}

nubusUdmRestApi.persistence.enabled#

Enable data persistence (true) or use temporary storage (false).

Default value: true

nubusUdmRestApi.persistence.existingClaim#

Use an already existing claim.

Default value: ""

nubusUdmRestApi.persistence.labels#

Labels for the PVC.

Default value: {}

nubusUdmRestApi.persistence.selector#

Selector to match an existing Persistent Volume (this value is evaluated as a template). Example:

selector:
  matchLabels:
    app: my-app

Default value: {}

nubusUdmRestApi.persistence.size#

The volume size with unit.

Default value: "1Gi"

nubusUdmRestApi.persistence.storageClass#

The (storage) class of PV.

Default value: ""

nubusUdmRestApi.podAnnotations#

Pod Annotations. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

Default value: {}

nubusUdmRestApi.podLabels#

Pod Labels. Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

Default value: {}

nubusUdmRestApi.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusUdmRestApi.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

nubusUdmRestApi.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusUdmRestApi.readinessProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusUdmRestApi.readinessProbe.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusUdmRestApi.readinessProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusUdmRestApi.readinessProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusUdmRestApi.readinessProbe.tcpSocket.port#

Default value: 9979

nubusUdmRestApi.readinessProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusUdmRestApi.replicaCount#

Set the number of replicas of the deployment.

Default value: 1

nubusUdmRestApi.resources#

Configure resource requests and limits. Ref: https://kubernetes.io/docs/user-guide/compute-resources/

Default value: {}

nubusUdmRestApi.resources.limits.cpu#

Default value: 288

nubusUdmRestApi.resources.limits.memory#

Default value: "1Gi"

nubusUdmRestApi.resources.requests.cpu#

Default value: "10m"

nubusUdmRestApi.resources.requests.memory#

Default value: "16Mi"

nubusUdmRestApi.service.annotations#

Additional custom annotations.

Default value: {}

nubusUdmRestApi.service.clusterIP#

This creates a headless service. Instead of load balancing, it creates a DNS A record for each pod.

Default value: "None"

nubusUdmRestApi.service.enabled#

Enable kubernetes service creation.

Default value: true

nubusUdmRestApi.service.ports.http.containerPort#

Internal port.

Default value: 9979

nubusUdmRestApi.service.ports.http.port#

Accessible port.

Default value: 9979

nubusUdmRestApi.service.ports.http.protocol#

Service protocol.

Default value: "TCP"

nubusUdmRestApi.service.sessionAffinity#

Session affinity for the Kubernetes service, can be “None” or “ClientIP”. If “ClientIP”, consecutive client requests will be directed to the same Pod. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

Default value: ""

nubusUdmRestApi.service.sessionAffinityConfig#

Additional settings for the sessionAffinity. Example:

sessionAffinityConfig:
  clientIP:
    timeoutSeconds: 300

Default value: {}

nubusUdmRestApi.service.type#

Choose the kind of Service, one of “ClusterIP”, “NodePort” or “LoadBalancer”.

Default value: "ClusterIP"

nubusUdmRestApi.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusUdmRestApi.serviceAccount.automountServiceAccountToken#

Allows auto mount of the ServiceAccountToken on the created serviceAccount. Can be set to false if pods using this serviceAccount do not need to use the K8s API.

Default value: false

nubusUdmRestApi.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusUdmRestApi.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusUdmRestApi.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusUdmRestApi.startupProbe.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusUdmRestApi.startupProbe.initialDelaySeconds#

Delay after container start until StartupProbe is executed.

Default value: 15

nubusUdmRestApi.startupProbe.periodSeconds#

Time between probe executions.

Default value: 20

nubusUdmRestApi.startupProbe.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusUdmRestApi.startupProbe.tcpSocket.port#

Default value: 9979

nubusUdmRestApi.startupProbe.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusUdmRestApi.systemExtensions#

Configures the system extensions to load. This is intended for internal usage; prefer extensions for user-configured extensions. This value overrides the configuration in global.systemExtensions.

Default value: []

nubusUdmRestApi.terminationGracePeriodSeconds#

Default value: 5

nubusUdmRestApi.tolerations#

Tolerations for pod assignment. Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

Default value: []

nubusUdmRestApi.topologySpreadConstraints#

Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ Example: [{"maxSkew": 1, "topologyKey": "failure-domain.beta.kubernetes.io/zone", "whenUnsatisfiable": "DoNotSchedule"}]

Default value: []

nubusUdmRestApi.udmRestApi.debug#

The verbosity of log messages. Possible values: 0-4/99 (0: Error, 1: Warn, 2: Info, 3: Debug, 4: Trace, 99: sensitive data like cleartext passwords is logged as well).

Default value: "2"

nubusUdmRestApi.udmRestApi.image.imagePullPolicy#

Image pull policy. This setting has higher precedence than global.imagePullPolicy.

Default value: "IfNotPresent"

nubusUdmRestApi.udmRestApi.image.registry#

Container registry address. This setting has higher precedence than global.registry.

Default value: ""

nubusUdmRestApi.udmRestApi.image.repository#

Default value: "nubus/images/udm-rest-api"

nubusUdmRestApi.udmRestApi.image.tag#

Default value:

"0.26.1@sha256:7b5e2fd05ebdd388a9f4af7fb254f95fe120ea6e038e0436070e581b2c0b4abd"

nubusUdmRestApi.udmRestApi.ldap.auth.existingSecret.keyMapping.password#

Default value:

"{{ .Values.global.ldap.auth.cnAdmin.existingSecret.keyMapping.password }}"

nubusUdmRestApi.udmRestApi.ldap.auth.existingSecret.name#

Default value:

"{{- printf \"%s-ldap-server-credentials\" .Release.Name -}}"

nubusUdmRestApi.udmRestApi.ldap.baseDn#

Default value: ""

nubusUdmRestApi.udmRestApi.ldap.uri#

Default value: ""

nubusUdmRestApi.udmRestApi.tls.caCertificateFile#

Path to the CA certificate file (TLSCACertPath (slapd), CA_CERT_FILE (entrypoint)).

Default value: "/certificates/ca.crt"

nubusUdmRestApi.udmRestApi.tls.certificateFile#

Path to the server's certificate file.

Default value: "/certificates/tls.crt"

nubusUdmRestApi.udmRestApi.tls.certificateKeyFile#

Path to the server's private key file.

Default value: "/certificates/tls.key"

nubusUdmRestApi.udmRestApi.tls.enabled#

Enable TLS for LDAP connection.

Default value: false

nubusUdmRestApi.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.

Default value: "RollingUpdate"

10.2.25. nubusUmcGateway#

nubusUmcGateway.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusUmcGateway.affinity#

Default value: {}

nubusUmcGateway.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusUmcGateway.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusUmcGateway.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusUmcGateway.containerSecurityContext.privileged#

Default value: false

nubusUmcGateway.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusUmcGateway.containerSecurityContext.runAsGroup#

Process group id.

Default value: 1000

nubusUmcGateway.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: true

nubusUmcGateway.containerSecurityContext.runAsUser#

Process user id.

Default value: 1000

nubusUmcGateway.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusUmcGateway.enabled#

Default value: true

nubusUmcGateway.environment#

Default value: {}

nubusUmcGateway.extensions#

Extensions to load. This will override the configuration in global.extensions.

Default value: []

nubusUmcGateway.fullnameOverride#

Default value: ""

nubusUmcGateway.global.configMapUcr#

ConfigMap name to read UCR values from.

Default value: null

nubusUmcGateway.global.domain#

Default value: ""

nubusUmcGateway.global.extensions#

Configures extensions globally.

Default value: []

nubusUmcGateway.global.imageRegistry#

Container registry address.

Default value:

"artifacts.software-univention.de"

nubusUmcGateway.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusUmcGateway.global.subDomains.keycloak#

Default value: "id"

nubusUmcGateway.global.subDomains.portal#

Default value: "portal"

nubusUmcGateway.global.systemExtensions#

Configures system extensions globally.

Default value: []

nubusUmcGateway.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusUmcGateway.image.registry#

Default value: ""

nubusUmcGateway.image.repository#

Default value: "nubus/images/umc-gateway"

nubusUmcGateway.image.tag#

Default value:

"0.35.5@sha256:f9a13261821de731f3c3a665aa128b16d7e48e6f3d79a9d4038f9667069542c8"

nubusUmcGateway.ingress.annotations.nginx.ingress.kubernetes.io/rewrite-target#

Default value: "/$2$3"

nubusUmcGateway.ingress.annotations.nginx.ingress.kubernetes.io/use-regex#

Default value: "true"

nubusUmcGateway.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

nubusUmcGateway.ingress.certManager.issuerRef.kind#

Type of Issuer, e.g. “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

nubusUmcGateway.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

nubusUmcGateway.ingress.enableLoginPath#

Enable plain UMC login path (non IdP). Defaults to false.

Default value: ""

nubusUmcGateway.ingress.enabled#

Enable creation of Ingress.

Default value: true

nubusUmcGateway.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusUmcGateway.ingress.ingressClassName#

The Ingress controller class name.

Default value: ""

nubusUmcGateway.ingress.loginPath#

Default value:

[{"path": "/()(univention/)(login/.*)$", "pathType": "ImplementationSpecific"}]

nubusUmcGateway.ingress.paths#

Define the Ingress paths.

Default value:

[{"path": "/()(univention/)(languages.json|meta.json|theme.css)$", "pathType": "ImplementationSpecific"}, {"path": "/()(univention/)((js|management|themes)/.*)$", "pathType": "ImplementationSpecific"}, {"path": "/()(univention/login/)(dialog.js|main.js|LoginDialog.js|i18n/en/main.json)$", "pathType": "ImplementationSpecific"}]

nubusUmcGateway.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

nubusUmcGateway.ingress.tls.secretName#

The name of the Kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

nubusUmcGateway.initResources#

Default value: {}

nubusUmcGateway.mountUcr#

Default value: true

nubusUmcGateway.nameOverride#

Default value: "umc-gateway"

nubusUmcGateway.nodeSelector#

Default value: {}

nubusUmcGateway.podAnnotations#

Default value: {}

nubusUmcGateway.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusUmcGateway.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 1000

nubusUmcGateway.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusUmcGateway.probes.liveness.enabled#

Default value: true

nubusUmcGateway.probes.liveness.failureThreshold#

Default value: 3

nubusUmcGateway.probes.liveness.initialDelaySeconds#

Default value: 10

nubusUmcGateway.probes.liveness.periodSeconds#

Default value: 30

nubusUmcGateway.probes.liveness.successThreshold#

Default value: 1

nubusUmcGateway.probes.liveness.timeoutSeconds#

Default value: 3

nubusUmcGateway.probes.readiness.enabled#

Default value: true

nubusUmcGateway.probes.readiness.failureThreshold#

Default value: 30

nubusUmcGateway.probes.readiness.initialDelaySeconds#

Default value: 10

nubusUmcGateway.probes.readiness.periodSeconds#

Default value: 15

nubusUmcGateway.probes.readiness.successThreshold#

Default value: 1

nubusUmcGateway.probes.readiness.timeoutSeconds#

Default value: 3

nubusUmcGateway.replicaCount#

Default value: 1

nubusUmcGateway.resources#

Deployment resources.

Default value: {}

nubusUmcGateway.resources.limits.cpu#

Default value: 288

nubusUmcGateway.resources.limits.memory#

Default value: "1Gi"

nubusUmcGateway.resources.requests.cpu#

Default value: "10m"

nubusUmcGateway.resources.requests.memory#

Default value: "16Mi"

nubusUmcGateway.service.enabled#

Default value: true

nubusUmcGateway.service.ports.http.containerPort#

Default value: 8080

nubusUmcGateway.service.ports.http.port#

Default value: 80

nubusUmcGateway.service.ports.http.protocol#

Default value: "TCP"

nubusUmcGateway.service.sessionAffinity.enabled#

Default value: false

nubusUmcGateway.service.sessionAffinity.timeoutSeconds#

Default value: 10800

nubusUmcGateway.service.type#

Default value: "ClusterIP"

nubusUmcGateway.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusUmcGateway.serviceAccount.automountServiceAccountToken#

Allows auto mount of the ServiceAccountToken on the created serviceAccount. Can be set to false if pods using this serviceAccount do not need to use the K8s API.

Default value: false

nubusUmcGateway.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusUmcGateway.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusUmcGateway.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusUmcGateway.systemExtensions#

Configures the system extensions to load. This is intended for internal usage; prefer extensions for user-configured extensions. This value overrides the configuration in global.systemExtensions.

Default value: []

nubusUmcGateway.terminationGracePeriodSeconds#

Default value: 5

nubusUmcGateway.tolerations#

Default value: []

nubusUmcGateway.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.

Default value: "RollingUpdate"

10.2.26. nubusUmcServer#

nubusUmcServer.additionalLabels#

Additional custom labels to add to all deployed objects.

Default value: {}

nubusUmcServer.affinity#

Default value: {}

nubusUmcServer.autoscaling.enabled#

Default value: false

nubusUmcServer.containerSecurityContext.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusUmcServer.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

nubusUmcServer.containerSecurityContext.enabled#

Enable security context.

Default value: true

nubusUmcServer.containerSecurityContext.privileged#

Default value: false

nubusUmcServer.containerSecurityContext.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusUmcServer.containerSecurityContext.runAsGroup#

Process group id.

Default value: 0

nubusUmcServer.containerSecurityContext.runAsNonRoot#

Run container as a non-root user.

Default value: false

nubusUmcServer.containerSecurityContext.runAsUser#

Process user id.

Default value: 0

nubusUmcServer.containerSecurityContext.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusUmcServer.containerSecurityContextInit.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: false

nubusUmcServer.containerSecurityContextInit.capabilities.add#

Default value:

["DAC_OVERRIDE", "SETGID", "SETUID", "SYS_ADMIN", "NET_ADMIN", "AUDIT_CONTROL", "CHOWN", "FOWNER"]

nubusUmcServer.containerSecurityContextInit.capabilities.drop#

Default value: ["ALL"]

nubusUmcServer.containerSecurityContextInit.enabled#

Enable security context.

Default value: true

nubusUmcServer.containerSecurityContextInit.privileged#

Default value: false

nubusUmcServer.containerSecurityContextInit.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusUmcServer.containerSecurityContextInit.runAsGroup#

Process group id.

Default value: 0

nubusUmcServer.containerSecurityContextInit.runAsNonRoot#

Run container as a non-root user.

Default value: false

nubusUmcServer.containerSecurityContextInit.runAsUser#

Process user id.

Default value: 0

nubusUmcServer.containerSecurityContextInit.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusUmcServer.containerSecurityContextSssd.allowPrivilegeEscalation#

Enable container privilege escalation.

Default value: true

nubusUmcServer.containerSecurityContextSssd.capabilities.add#

Default value:

["DAC_OVERRIDE", "SETGID", "AUDIT_WRITE", "SETUID", "CHOWN", "SETPCAP", "FOWNER", "FSETID", "KILL", "MKNOD", "NET_RAW", "NET_BIND_SERVICE", "SYS_CHROOT"]

nubusUmcServer.containerSecurityContextSssd.capabilities.drop#

Default value: ["ALL"]

nubusUmcServer.containerSecurityContextSssd.enabled#

Enable security context.

Default value: true

nubusUmcServer.containerSecurityContextSssd.privileged#

Default value: false

nubusUmcServer.containerSecurityContextSssd.readOnlyRootFilesystem#

Mounts the container’s root filesystem as read-only.

Default value: true

nubusUmcServer.containerSecurityContextSssd.runAsGroup#

Process group id.

Default value: 0

nubusUmcServer.containerSecurityContextSssd.runAsNonRoot#

Run container as a non-root user.

Default value: false

nubusUmcServer.containerSecurityContextSssd.runAsUser#

Process user id.

Default value: 0

nubusUmcServer.containerSecurityContextSssd.seccompProfile.type#

Disallow custom Seccomp profile by setting it to RuntimeDefault.

Default value: "RuntimeDefault"

nubusUmcServer.enabled#

Default value: true

nubusUmcServer.environment#

Default value: {}

nubusUmcServer.extensions#

Extensions to load. This will override the configuration in global.extensions.

Default value: []

nubusUmcServer.extraSecrets#

Optionally specify a secret to create (primarily intended to be used in development environments to provide custom certificates)

Default value: []

nubusUmcServer.extraVolumeMounts#

Default value:

[{"name": "certificates", "mountPath": "/var/secrets/ssl"}]

nubusUmcServer.extraVolumes#

Default value:

[{"name": "certificates", "secret": {"secretName": "{{ .Release.Name }}-saml-tls"}}]

nubusUmcServer.fullnameOverride#

Default value: ""

nubusUmcServer.global.configMapUcr#

ConfigMap name to read UCR values from.

Default value: null

nubusUmcServer.global.extensions#

Configures extensions globally.

Default value: []

nubusUmcServer.global.imagePullPolicy#

Default value: ""

nubusUmcServer.global.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example: ["docker-registry"]

Default value: []

nubusUmcServer.global.imageRegistry#

Default value: "docker.io"

nubusUmcServer.global.nubusDeployment#

Indicates whether this chart is part of a Nubus deployment.

Default value: false

nubusUmcServer.global.postgresql.connection.host#

Default value: ""

nubusUmcServer.global.postgresql.connection.port#

Default value: 5432

nubusUmcServer.global.systemExtensions#

Configures system extensions globally.

Default value: []

nubusUmcServer.image.imagePullPolicy#

Default value: "IfNotPresent"

nubusUmcServer.image.registry#

Default value:

"artifacts.software-univention.de"

nubusUmcServer.image.repository#

Default value: "nubus/images/umc-server"

nubusUmcServer.image.tag#

Default value:

"0.35.5@sha256:f81ce86b16f03d8c840c2f5f6d6814b8119caf2a08f0f01b0a5dab5a528d228a"

nubusUmcServer.imagePullSecrets#

Credentials to fetch images from private registry. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example: ["docker-registry"]

Default value: []

nubusUmcServer.ingress.annotations.nginx.ingress.kubernetes.io/configuration-snippet#

Default value:

"proxy_set_header X-UMC-HTTPS 'on';\n"

nubusUmcServer.ingress.annotations.nginx.ingress.kubernetes.io/rewrite-target#

Default value: "/$2$3"

nubusUmcServer.ingress.annotations.nginx.ingress.kubernetes.io/use-regex#

Default value: "true"

nubusUmcServer.ingress.certManager.enabled#

Enable cert-manager.io annotation.

Default value: true

nubusUmcServer.ingress.certManager.issuerRef.kind#

Type of Issuer, e.g. “Issuer” or “ClusterIssuer”.

Default value: "ClusterIssuer"

nubusUmcServer.ingress.certManager.issuerRef.name#

Name of cert-manager.io Issuer resource.

Default value: ""

nubusUmcServer.ingress.enabled#

Enable creation of Ingress.

Default value: true

nubusUmcServer.ingress.host#

Default value:

"{{ .Values.global.subDomains.portal }}.{{ .Values.global.domain }}"

nubusUmcServer.ingress.ingressClassName#

The Ingress controller class name.

Default value: ""

nubusUmcServer.ingress.paths#

Define the Ingress paths.

Default value:

[{"path": "/(univention)/(auth|logout|saml|get|set|command|upload)(.*)$", "pathType": "ImplementationSpecific"}]

nubusUmcServer.ingress.tls.enabled#

Enable TLS/SSL/HTTPS for Ingress.

Default value: true

nubusUmcServer.ingress.tls.secretName#

The name of the Kubernetes secret which contains a TLS private key and certificate. Hint: This secret is not created by this chart and must be provided.

Default value: ""

nubusUmcServer.ldap.existingSecret.keyMapping.ldapPasswordKey#

Default value: "ldap.secret"

nubusUmcServer.ldap.existingSecret.keyMapping.machinePasswordKey#

Default value: "machine.secret"

nubusUmcServer.ldap.existingSecret.name#

Default value:

"{{ printf \"%s-umc-server-ldap-credentials\" .Release.Name }}"

nubusUmcServer.ldap.tlsSecret.caCertKey#

Default value: "ca.crt"

nubusUmcServer.ldap.tlsSecret.certificateKey#

Default value: "tls.crt"

nubusUmcServer.ldap.tlsSecret.name#

Default value: ""

nubusUmcServer.ldap.tlsSecret.privateKeyKey#

Default value: "tls.key"

nubusUmcServer.memcached.auth.enabled#

This parameter is only used by the bundled memcached.

Default value: true

nubusUmcServer.memcached.auth.existingPasswordSecret#

Default value:

"{{ printf \"%s-umc-server-memcached-credentials\" .Release.Name }}"

nubusUmcServer.memcached.auth.existingSecret.name#

Default value:

"{{ printf \"%s-umc-server-memcached-credentials\" .Release.Name }}"

nubusUmcServer.memcached.auth.password#

Memcached password.

Default value: ""

nubusUmcServer.memcached.auth.username#

Default value: "selfservice"

nubusUmcServer.memcached.bundled#

Set to true if you want Memcached to be installed as well. When setting this to false, be sure to also adjust memcached.auth.password below, and the connection settings in the stack-data chart: stackDataContext.umcMemcachedHostname and stackDataContext.umcMemcachedUsername.

Default value: true

nubusUmcServer.memcached.connection.host#

Default value: ""

nubusUmcServer.memcached.connection.port#

Default value: ""

nubusUmcServer.memcached.connection.username#

Default value: "umcserver"

nubusUmcServer.memcached.containerSecurityContext.readOnlyRootFilesystem#

Default value: false

nubusUmcServer.memcached.extraEnvVars#

Defaults from /ucs/management/univention-self-service/conffiles/etc/memcached_univention-self-service.conf. These parameters are only used by the bundled memcached.

Default value:

[{"name": "MEMCACHED_CACHE_SIZE", "value": "64"}, {"name": "MEMCACHED_EXTRA_FLAGS", "value": "--disable-evictions"}]

nubusUmcServer.memcached.nameOverride#

Default value: "umc-server-memcached"

nubusUmcServer.mountSecrets#

Default value: true

nubusUmcServer.mountUcr#

Default value: true

nubusUmcServer.nameOverride#

Default value: "umc-server"

nubusUmcServer.nodeSelector#

Default value: {}

nubusUmcServer.podAnnotations#

Default value: {}

nubusUmcServer.podSecurityContext.enabled#

Enable security context.

Default value: true

nubusUmcServer.podSecurityContext.fsGroup#

If specified, all processes of the container are also part of the supplementary group.

Default value: 0

nubusUmcServer.podSecurityContext.fsGroupChangePolicy#

Change ownership and permission of the volume before being exposed inside a Pod.

Default value: "Always"

nubusUmcServer.postgresql.auth.database#

Default value: "selfservice"

nubusUmcServer.postgresql.auth.existingSecret.name#

Default value:

"{{ printf \"%s-umc-server-postgresql-credentials\" .Release.Name }}"

nubusUmcServer.postgresql.auth.password#

PostgreSQL user password if bundled is set to true.

Default value: ""

nubusUmcServer.postgresql.auth.postgresPassword#

PostgreSQL admin password if bundled is set to true.

Default value: ""

nubusUmcServer.postgresql.auth.username#

Default value: "selfservice"

nubusUmcServer.postgresql.bundled#

Set to true if you want PostgreSQL to be installed as well.

Default value: false

nubusUmcServer.postgresql.connection.host#

Default value: ""

nubusUmcServer.postgresql.connection.port#

Default value: ""

nubusUmcServer.probes.liveness.failureThreshold#

Default value: 3

nubusUmcServer.probes.liveness.initialDelaySeconds#

Default value: 10

nubusUmcServer.probes.liveness.periodSeconds#

Default value: 30

nubusUmcServer.probes.liveness.successThreshold#

Default value: 1

nubusUmcServer.probes.liveness.tcpSocket.port#

Default value: "http"

nubusUmcServer.probes.liveness.timeoutSeconds#

Default value: 3

nubusUmcServer.probes.readiness.failureThreshold#

Default value: 3

nubusUmcServer.probes.readiness.initialDelaySeconds#

Default value: 10

nubusUmcServer.probes.readiness.periodSeconds#

Default value: 30

nubusUmcServer.probes.readiness.successThreshold#

Default value: 1

nubusUmcServer.probes.readiness.tcpSocket.port#

Default value: "http"

nubusUmcServer.probes.readiness.timeoutSeconds#

Default value: 3

nubusUmcServer.proxy.image.pullPolicy#

Default value: "IfNotPresent"

nubusUmcServer.proxy.image.registry#

Default value:

"artifacts.software-univention.de"

nubusUmcServer.proxy.image.repository#

Default value: "library/traefik"

nubusUmcServer.proxy.image.tag#

Default value:

"3.0@sha256:a208c74fd80a566d4ea376053bff73d31616d7af3f1465a7747b8b89ee34d97e"

nubusUmcServer.proxy.logLevel#

Default value: "INFO"

nubusUmcServer.proxy.replicaCount#

Default value: 1

nubusUmcServer.proxy.service.enabled#

Default value: true

nubusUmcServer.proxy.service.ports.http.containerPort#

Default value: 8080

nubusUmcServer.proxy.service.ports.http.port#

Default value: 80

nubusUmcServer.proxy.service.ports.http.protocol#

Default value: "TCP"

nubusUmcServer.proxy.service.type#

Default value: "ClusterIP"

nubusUmcServer.proxy.updateStrategy.type#

Default value: "RollingUpdate"

nubusUmcServer.replicaCount#

Default value: 1

nubusUmcServer.resources.limits.cpu#

Default value: 288

nubusUmcServer.resources.limits.memory#

Default value: "1Gi"

nubusUmcServer.resources.requests.cpu#

Default value: "10m"

nubusUmcServer.resources.requests.memory#

Default value: "16Mi"

nubusUmcServer.selfService.passwordresetEmailBody#

Content of the email sent for new user sign-ups and password reset requests. The text can contain the following strings which will be substituted accordingly:

* {username}: The user wishing to reset his/her password.
* {token}: The token to be sent.
* {link}: Link to the “Password Reset” website.
* {tokenlink}: Link to the “Password Reset” website with the user name and token already entered.

Default value:

"Dear user {username},\n\nwe have received a password reset request for your account. If you did not\nwish to change your password, you can safely ignore this message.\n\nTo change your password please follow this link:\n\n{tokenlink}\n\nIf the link does not work, you can go to\n\n{link}\n\nand enter the following token manually:\n\n{token}\n\nGreetings from your password self service system.\n"

nubusUmcServer.service.clusterIP#

Default value: "None"

nubusUmcServer.service.enabled#

Default value: true

nubusUmcServer.service.ports.http.containerPort#

Default value: 8090

nubusUmcServer.service.ports.http.port#

Default value: 8090

nubusUmcServer.service.ports.http.protocol#

Default value: "TCP"

nubusUmcServer.service.type#

Default value: "ClusterIP"

nubusUmcServer.serviceAccount.annotations#

Annotations to add to the service account

Default value: {}

nubusUmcServer.serviceAccount.automountServiceAccountToken#

Allows auto mount of the ServiceAccountToken on the created serviceAccount. Can be set to false if pods using this serviceAccount do not need to use the K8s API.

Default value: false

nubusUmcServer.serviceAccount.create#

Specifies whether a service account should be created

Default value: true

nubusUmcServer.serviceAccount.labels#

Additional custom labels for the ServiceAccount.

Default value: {}

nubusUmcServer.serviceAccount.name#

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

Default value: ""

nubusUmcServer.smtp.existingSecret.name#

Default value:

"{{ printf \"%s-umc-server-smtp-credentials\" .Release.Name }}"

nubusUmcServer.sssdProbes.liveness.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusUmcServer.sssdProbes.liveness.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusUmcServer.sssdProbes.liveness.initialDelaySeconds#

Delay after container start until LivenessProbe is executed.

Default value: 15

nubusUmcServer.sssdProbes.liveness.periodSeconds#

Time between probe executions.

Default value: 20

nubusUmcServer.sssdProbes.liveness.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusUmcServer.sssdProbes.liveness.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusUmcServer.sssdProbes.readiness.exec.command#

Default value: ["sh", "-c", "exit 0\n"]

nubusUmcServer.sssdProbes.readiness.failureThreshold#

Number of failed executions until container is terminated.

Default value: 10

nubusUmcServer.sssdProbes.readiness.initialDelaySeconds#

Delay after container start until ReadinessProbe is executed.

Default value: 15

nubusUmcServer.sssdProbes.readiness.periodSeconds#

Time between probe executions.

Default value: 20

nubusUmcServer.sssdProbes.readiness.successThreshold#

Number of successful executions after failed ones until container is marked healthy.

Default value: 1

nubusUmcServer.sssdProbes.readiness.timeoutSeconds#

Timeout for command return.

Default value: 5

nubusUmcServer.systemExtensions#

Configures the system extensions to load. This is intended for internal usage; prefer extensions for user-configured extensions. This value overrides the configuration in global.systemExtensions.

Default value: []

nubusUmcServer.terminationGracePeriodSeconds#

Default value: 5

nubusUmcServer.tolerations#

Default value: []

nubusUmcServer.umcServer.caCert#

Additional CA Certificate to trust. The value is optional.

Default value: ""

nubusUmcServer.umcServer.caCertFile#

Path to file with the CA certificate.

Default value: "/var/secrets/ca_cert"

nubusUmcServer.umcServer.certPem#

Certificate used in the context of SAML to verify metadata signatures. A self-signed certificate will be generated together with the private key if none is provided.

Default value: null

nubusUmcServer.umcServer.certPemFile#

Default value: "/var/secrets/ssl/tls.crt"

nubusUmcServer.umcServer.privateKey#

The private key related to “certPem” used to sign messages in the context of SAML.

Default value: null

nubusUmcServer.umcServer.privateKeyFile#

Default value: "/var/secrets/ssl/tls.key"

nubusUmcServer.umcServer.secretMountPath#

Path to mount the secrets to.

Default value: "/var/secrets"

nubusUmcServer.umcServer.smtpSecret#

The password for the SMTP server.

Default value: ""

nubusUmcServer.umcServer.smtpSecretFile#

Path to file with SMTP password.

Default value: "/var/secrets/smtp_secret"

nubusUmcServer.updateStrategy.type#

Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.

Default value: "RollingUpdate"

10.2.27. postgresql#

postgresql.architecture#

PostgreSQL architecture (standalone or replication).

Default value: "standalone"

postgresql.audit.clientMinMessages#

Default value: "error"

postgresql.audit.logConnections#

Default value: false

postgresql.audit.logDisconnections#

Default value: false

postgresql.audit.logHostname#

Default value: false

postgresql.audit.logLinePrefix#

Default value: ""

postgresql.audit.logTimezone#

Default value: ""

postgresql.audit.pgAuditLog#

Default value: ""

postgresql.audit.pgAuditLogCatalog#

Default value: "off"

postgresql.auth.database#

Name for a custom database to create.

Default value: ""

postgresql.auth.enablePostgresUser#

Assign a password to the “postgres” admin user. Otherwise, remote access will be blocked for this user.

Default value: true

postgresql.auth.existingSecret#

Default value:

"{{ .Release.Name }}-postgresql-credentials"

postgresql.auth.password#

Password for the custom user to create. Ignored if auth.existingSecret is provided.

Default value: ""

postgresql.auth.postgresPassword#

Password for the “postgres” admin user. Ignored if auth.existingSecret is provided.

Default value: ""

postgresql.auth.replicationPassword#

Password for the replication user. Ignored if auth.existingSecret is provided.

Default value: ""

postgresql.auth.replicationUsername#

Name of the replication user.

Default value: "repl_user"

postgresql.auth.secretKeys.adminPasswordKey#

Default value: "admin_password"

postgresql.auth.secretKeys.replicationPasswordKey#

Default value: "replication_password"

postgresql.auth.secretKeys.userPasswordKey#

Default value: "user_password"

postgresql.auth.usePasswordFiles#

Mount credentials as files instead of using an environment variable.

Default value: false

postgresql.auth.username#

Default value: "nubus"

postgresql.backup.cronjob.annotations#

Set the cronjob annotations.

Default value: {}

postgresql.backup.cronjob.command#

Set the backup container’s command to run.

Default value:

["/bin/sh", "-c", "pg_dumpall --clean --if-exists --load-via-partition-root --quote-all-identifiers --no-password --file=${PGDUMP_DIR}/pg_dumpall-$(date '+%Y-%m-%d-%H-%M').pgdump"]

postgresql.backup.cronjob.concurrencyPolicy#

Set the cronjob parameter concurrencyPolicy.

Default value: "Allow"

postgresql.backup.cronjob.containerSecurityContext.allowPrivilegeEscalation#

Default value: false

postgresql.backup.cronjob.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

postgresql.backup.cronjob.containerSecurityContext.readOnlyRootFilesystem#

Default value: true

postgresql.backup.cronjob.containerSecurityContext.runAsGroup#

Default value: 0

postgresql.backup.cronjob.containerSecurityContext.runAsNonRoot#

Default value: true

postgresql.backup.cronjob.containerSecurityContext.runAsUser#

Default value: 1001

postgresql.backup.cronjob.containerSecurityContext.seccompProfile.type#

Default value: "RuntimeDefault"

postgresql.backup.cronjob.failedJobsHistoryLimit#

Set the cronjob parameter failedJobsHistoryLimit.

Default value: 1

postgresql.backup.cronjob.labels#

Set the cronjob labels.

Default value: {}

postgresql.backup.cronjob.nodeSelector#

Node labels for PostgreSQL backup CronJob pod assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

postgresql.backup.cronjob.podSecurityContext.enabled#

Default value: true

postgresql.backup.cronjob.podSecurityContext.fsGroup#

Default value: 1001

postgresql.backup.cronjob.restartPolicy#

Set the cronjob parameter restartPolicy.

Default value: "OnFailure"

postgresql.backup.cronjob.schedule#

Set the cronjob parameter schedule.

Default value: "@daily"

postgresql.backup.cronjob.startingDeadlineSeconds#

Set the cronjob parameter startingDeadlineSeconds.

Default value: ""

postgresql.backup.cronjob.storage.accessModes#

PV Access Mode.

Default value: ["ReadWriteOnce"]

postgresql.backup.cronjob.storage.annotations#

PVC annotations.

Default value: {}

postgresql.backup.cronjob.storage.existingClaim#

Provide an existing PersistentVolumeClaim (only when architecture=standalone). If defined, the PVC must be created manually before the volume will be bound.

Default value: ""

postgresql.backup.cronjob.storage.mountPath#

Path to mount the volume at.

Default value: "/backup/pgdump"

postgresql.backup.cronjob.storage.resourcePolicy#

Set it to “keep” to avoid removing PVCs during a helm delete operation. Leaving it empty will delete PVCs after the chart is deleted.

Default value: ""

postgresql.backup.cronjob.storage.size#

PVC Storage Request for the backup data volume.

Default value: "8Gi"

postgresql.backup.cronjob.storage.storageClass#

PVC Storage Class for the backup data volume. If defined, storageClassName: <storageClass>. If set to “-”, storageClassName: “”, which disables dynamic provisioning. If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner.

Default value: ""

postgresql.backup.cronjob.storage.subPath#

Subdirectory of the volume to mount at and one PV for multiple services.

Default value: ""

postgresql.backup.cronjob.storage.volumeClaimTemplates.selector#

A label query over volumes to consider for binding (e.g. when using local volumes). See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#labelselector-v1-meta for more details.

Default value: {}

postgresql.backup.cronjob.successfulJobsHistoryLimit#

Set the cronjob parameter successfulJobsHistoryLimit.

Default value: 3

postgresql.backup.cronjob.ttlSecondsAfterFinished#

Set the cronjob parameter ttlSecondsAfterFinished.

Default value: ""

postgresql.backup.enabled#

Enable the logical dump of the database “regularly”.

Default value: false

postgresql.clusterDomain#

Kubernetes Cluster Domain.

Default value: "cluster.local"

postgresql.commonAnnotations#

Add annotations to all the deployed resources.

Default value: {}

postgresql.commonLabels#

Add labels to all the deployed resources.

Default value: {}

postgresql.containerPorts.postgresql#

Default value: 5432

postgresql.diagnosticMode.args#

Args to override all containers in the statefulset.

Default value: ["infinity"]

postgresql.diagnosticMode.command#

Command to override all containers in the statefulset.

Default value: ["sleep"]

postgresql.diagnosticMode.enabled#

Enable diagnostic mode (all probes will be disabled and the command will be overridden).

Default value: false

postgresql.enabled#

Default value: true

postgresql.extraDeploy#

Array of extra objects to deploy with the release (evaluated as a template).

Default value: []

postgresql.fullnameOverride#

String to fully override common.names.fullname template.

Default value: ""

postgresql.global.imagePullSecrets#

Global Docker registry secret names as an array, e.g.:

imagePullSecrets:
  - myRegistryKeySecretName

Default value: []

postgresql.global.imageRegistry#

Global Docker image registry.

Default value: ""

postgresql.global.postgresql.auth.database#

Default value: ""

postgresql.global.postgresql.auth.existingSecret#

Default value: ""

postgresql.global.postgresql.auth.password#

Default value: ""

postgresql.global.postgresql.auth.postgresPassword#

Default value: ""

postgresql.global.postgresql.auth.secretKeys.adminPasswordKey#

Default value: ""

postgresql.global.postgresql.auth.secretKeys.replicationPasswordKey#

Default value: ""

postgresql.global.postgresql.auth.secretKeys.userPasswordKey#

Default value: ""

postgresql.global.postgresql.auth.username#

Default value: ""

postgresql.global.postgresql.service.ports.postgresql#

Default value: ""

postgresql.global.storageClass#

Global StorageClass for Persistent Volume(s).

Default value: ""

postgresql.image.debug#

Set to true if you would like to see extra information on logs.

Default value: false

postgresql.image.digest#

Default value: ""

postgresql.image.pullPolicy#

Specify an imagePullPolicy. Defaults to ‘Always’ if image tag is ‘latest’, else set to ‘IfNotPresent’. Ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images

Default value: "IfNotPresent"

postgresql.image.pullSecrets#

Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

pullSecrets:
  - myRegistryKeySecretName

Default value: []

postgresql.image.registry#

Default value: "docker.io"

postgresql.image.repository#

Default value: "bitnami/postgresql"

postgresql.image.tag#

Default value: "15.4.0-debian-11-r45"

postgresql.kubeVersion#

Override Kubernetes version.

Default value: ""

postgresql.ldap.basedn#

Default value: ""

postgresql.ldap.binddn#

Default value: ""

postgresql.ldap.bindpw#

Default value: ""

postgresql.ldap.enabled#

Default value: false

postgresql.ldap.port#

Default value: ""

postgresql.ldap.prefix#

Default value: ""

postgresql.ldap.scheme#

Default value: ""

postgresql.ldap.searchAttribute#

Default value: ""

postgresql.ldap.searchFilter#

Default value: ""

postgresql.ldap.server#

Default value: ""

postgresql.ldap.suffix#

Default value: ""

postgresql.ldap.tls.enabled#

Default value: false

postgresql.ldap.uri#

LDAP URL beginning in the form ldap[s]://host[:port]/basedn. If provided, all the other LDAP parameters will be ignored. Ref: https://www.postgresql.org/docs/current/auth-ldap.html

Default value: ""

postgresql.metrics.containerPorts.metrics#

Default value: 9187

postgresql.metrics.containerSecurityContext.allowPrivilegeEscalation#

Default value: false

postgresql.metrics.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

postgresql.metrics.containerSecurityContext.enabled#

Default value: true

postgresql.metrics.containerSecurityContext.runAsGroup#

Default value: 0

postgresql.metrics.containerSecurityContext.runAsNonRoot#

Default value: true

postgresql.metrics.containerSecurityContext.runAsUser#

Default value: 1001

postgresql.metrics.containerSecurityContext.seccompProfile.type#

Default value: "RuntimeDefault"

postgresql.metrics.customLivenessProbe#

Custom livenessProbe that overrides the default one.

Default value: {}

postgresql.metrics.customMetrics#

Define additional custom metrics. Ref: wrouesnel/postgres_exporter. Example:

customMetrics:
  pg_database:
    query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')"
    metrics:
      - name:
          usage: "LABEL"
          description: "Name of the database"
      - size_bytes:
          usage: "GAUGE"
          description: "Size of the database in bytes"

Default value: {}

postgresql.metrics.customReadinessProbe#

Custom readinessProbe that overrides the default one.

Default value: {}

postgresql.metrics.customStartupProbe#

Custom startupProbe that overrides the default one.

Default value: {}

postgresql.metrics.enabled#

Start a Prometheus exporter.

Default value: false

postgresql.metrics.extraEnvVars#

Extra environment variables to add to the PostgreSQL Prometheus exporter. See: wrouesnel/postgres_exporter. For example:

extraEnvVars:
  - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS
    value: "true"

Default value: []

postgresql.metrics.image.digest#

Default value: ""

postgresql.metrics.image.pullPolicy#

Default value: "IfNotPresent"

postgresql.metrics.image.pullSecrets#

Optionally specify an array of imagePullSecrets. Secrets must be manually created in the namespace. Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ Example:

pullSecrets:
  - myRegistryKeySecretName

Default value: []

postgresql.metrics.image.registry#

Default value: "docker.io"

postgresql.metrics.image.repository#

Default value: "bitnami/postgres-exporter"

postgresql.metrics.image.tag#

Default value: "0.14.0-debian-11-r2"

postgresql.metrics.livenessProbe.enabled#

Default value: true

postgresql.metrics.livenessProbe.failureThreshold#

Default value: 6

postgresql.metrics.livenessProbe.initialDelaySeconds#

Default value: 5

postgresql.metrics.livenessProbe.periodSeconds#

Default value: 10

postgresql.metrics.livenessProbe.successThreshold#

Default value: 1

postgresql.metrics.livenessProbe.timeoutSeconds#

Default value: 5

postgresql.metrics.prometheusRule.enabled#

Create a PrometheusRule for Prometheus Operator.

Default value: false

postgresql.metrics.prometheusRule.labels#

Additional labels that can be used so PrometheusRule will be discovered by Prometheus.

Default value: {}

postgresql.metrics.prometheusRule.namespace#

Namespace for the PrometheusRule Resource (defaults to the Release Namespace).

Default value: ""

postgresql.metrics.prometheusRule.rules#

PrometheusRule definitions. Make sure to constrain the rules to the current postgresql service. Example:

rules:
  - alert: HugeReplicationLag
    expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1
    for: 1m
    labels:
      severity: critical
    annotations:
      description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s).
      summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s).

Default value: []

postgresql.metrics.readinessProbe.enabled#

Default value: true

postgresql.metrics.readinessProbe.failureThreshold#

Default value: 6

postgresql.metrics.readinessProbe.initialDelaySeconds#

Default value: 5

postgresql.metrics.readinessProbe.periodSeconds#

Default value: 10

postgresql.metrics.readinessProbe.successThreshold#

Default value: 1

postgresql.metrics.readinessProbe.timeoutSeconds#

Default value: 5

postgresql.metrics.resources.limits#

Default value: {}

postgresql.metrics.resources.requests#

Default value: {}

postgresql.metrics.service.annotations.prometheus.io/port#

Default value:

"{{ .Values.metrics.service.ports.metrics }}"

postgresql.metrics.service.annotations.prometheus.io/scrape#

Default value: "true"

postgresql.metrics.service.clusterIP#

Static clusterIP or None for headless services. Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address

Default value: ""

postgresql.metrics.service.ports.metrics#

Default value: 9187

postgresql.metrics.service.sessionAffinity#

Control where client requests go, to the same pod or round-robin. Values: ClientIP or None. Ref: https://kubernetes.io/docs/user-guide/services/

Default value: "None"

postgresql.metrics.serviceMonitor.enabled#

Create ServiceMonitor Resource for scraping metrics using Prometheus Operator.

Default value: false

postgresql.metrics.serviceMonitor.honorLabels#

Specify honorLabels parameter to add the scrape endpoint.

Default value: false

postgresql.metrics.serviceMonitor.interval#

Interval at which metrics should be scraped. Ref: coreos/prometheus-operator

Default value: ""

postgresql.metrics.serviceMonitor.jobLabel#

The name of the label on the target service to use as the job name in Prometheus.

Default value: ""

postgresql.metrics.serviceMonitor.labels#

Additional labels that can be used so ServiceMonitor will be discovered by Prometheus.

Default value: {}

postgresql.metrics.serviceMonitor.metricRelabelings#

MetricRelabelConfigs to apply to samples before ingestion.

Default value: []

postgresql.metrics.serviceMonitor.namespace#

Namespace for the ServiceMonitor Resource (defaults to the Release Namespace).

Default value: ""

postgresql.metrics.serviceMonitor.relabelings#

RelabelConfigs to apply to samples before scraping.

Default value: []

postgresql.metrics.serviceMonitor.scrapeTimeout#

Timeout after which the scrape is ended. Ref: coreos/prometheus-operator

Default value: ""

postgresql.metrics.serviceMonitor.selector#

Prometheus instance selector labels. Ref: bitnami/charts

Default value: {}

postgresql.metrics.startupProbe.enabled#

Default value: false

postgresql.metrics.startupProbe.failureThreshold#

Default value: 15

postgresql.metrics.startupProbe.initialDelaySeconds#

Default value: 10

postgresql.metrics.startupProbe.periodSeconds#

Default value: 10

postgresql.metrics.startupProbe.successThreshold#

Default value: 1

postgresql.metrics.startupProbe.timeoutSeconds#

Default value: 1

postgresql.nameOverride#

String to partially override common.names.fullname template (will maintain the release name).

Default value: ""

postgresql.networkPolicy.egressRules.customRules#

Additional custom egress rules, e.g.:

customRules:
  - to:
      - namespaceSelector:
          matchLabels:
            label: example

Default value: []

postgresql.networkPolicy.egressRules.denyConnectionsToExternal#

Deny connections to external. This is not compatible with an external database.

Default value: false

postgresql.networkPolicy.enabled#

Enable network policies.

Default value: false

postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules#

Custom ingress rules, e.g.:

customRules:
  - from:
      - namespaceSelector:
          matchLabels:
            label: example

Default value: []

postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled#

Default value: false

postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector#

E.g.:

namespaceSelector:
  label: ingress

Default value: {}

postgresql.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector#

E.g.:

podSelector:
  label: access

Default value: {}

postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules#

Custom ingress rules, e.g.:

customRules:
  - from:
      - namespaceSelector:
          matchLabels:
            label: example

Default value: []

postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled#

Default value: false

postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector#

E.g.:

namespaceSelector:
  label: ingress

Default value: {}

postgresql.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector#

E.g.:

podSelector:
  label: access

Default value: {}

postgresql.networkPolicy.metrics.enabled#

Default value: false

postgresql.networkPolicy.metrics.namespaceSelector#

E.g.:

namespaceSelector:
  label: monitoring

Default value: {}

postgresql.networkPolicy.metrics.podSelector#

E.g.:

podSelector:
  label: monitoring

Default value: {}

postgresql.postgresqlDataDir#

PostgreSQL data dir folder.

Default value: "/bitnami/postgresql/data"

postgresql.postgresqlSharedPreloadLibraries#

Shared preload libraries (comma-separated list).

Default value: "pgaudit"

postgresql.primary.affinity#

Affinity for PostgreSQL primary pods assignment. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it’s set.

Default value: {}

postgresql.primary.annotations#

Annotations for PostgreSQL primary pods.

Default value: {}

postgresql.primary.args#

Override default container args (useful when using custom images).

Default value: []

postgresql.primary.command#

Override default container command (useful when using custom images).

Default value: []

postgresql.primary.configuration#

PostgreSQL Primary main configuration to be injected as ConfigMap. Ref: https://www.postgresql.org/docs/current/static/runtime-config.html

Default value: ""

postgresql.primary.containerSecurityContext.allowPrivilegeEscalation#

Default value: false

postgresql.primary.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

postgresql.primary.containerSecurityContext.enabled#

Default value: true

postgresql.primary.containerSecurityContext.runAsGroup#

Default value: 0

postgresql.primary.containerSecurityContext.runAsNonRoot#

Default value: true

postgresql.primary.containerSecurityContext.runAsUser#

Default value: 1001

postgresql.primary.containerSecurityContext.seccompProfile.type#

Default value: "RuntimeDefault"

postgresql.primary.customLivenessProbe#

Custom livenessProbe that overrides the default one.

Default value: {}

postgresql.primary.customReadinessProbe#

Custom readinessProbe that overrides the default one.

Default value: {}

postgresql.primary.customStartupProbe#

Custom startupProbe that overrides the default one.

Default value: {}

postgresql.primary.existingConfigmap#

Name of an existing ConfigMap with PostgreSQL Primary configuration. NOTE: primary.configuration and primary.pgHbaConfiguration will be ignored.

Default value: ""

postgresql.primary.existingExtendedConfigmap#

Name of an existing ConfigMap with PostgreSQL Primary extended configuration. NOTE: primary.extendedConfiguration will be ignored.

Default value: ""

postgresql.primary.extendedConfiguration#

Extended PostgreSQL Primary configuration (appended to main or default configuration). Ref: bitnami/containers

Default value: ""

postgresql.primary.extraEnvVars#

Array with extra environment variables to add to PostgreSQL Primary nodes, e.g.:

extraEnvVars:
  - name: FOO
    value: "bar"

Default value: []

postgresql.primary.extraEnvVarsCM#

Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes.

Default value: ""

postgresql.primary.extraEnvVarsSecret#

Name of existing Secret containing extra env vars for PostgreSQL Primary nodes.

Default value: ""

postgresql.primary.extraPodSpec#

Optionally specify extra PodSpec for the PostgreSQL Primary pod(s).

Default value: {}

postgresql.primary.extraVolumeMounts#

Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s).

Default value: []

postgresql.primary.extraVolumes#

Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s).

Default value: []

postgresql.primary.hostAliases#

PostgreSQL primary pods host aliases. Ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/

Default value: []

postgresql.primary.hostIPC#

Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary).

Default value: false

postgresql.primary.hostNetwork#

Specify if host network should be enabled for PostgreSQL pod (postgresql primary).

Default value: false

postgresql.primary.initContainers#

Add additional init containers to the PostgreSQL Primary pod(s). Example:

initContainers:
  - name: do-something
    image: busybox
    command: ['do', 'something']

Default value: []

postgresql.primary.initdb.args#

PostgreSQL initdb extra arguments.

Default value: ""

postgresql.primary.initdb.password#

Specify the PostgreSQL password to execute the initdb scripts.

Default value: ""

postgresql.primary.initdb.postgresqlWalDir#

Specify a custom location for the PostgreSQL transaction log.

Default value: ""

postgresql.primary.initdb.scripts#

Dictionary of initdb scripts. Specify dictionary of scripts to be run at first boot, e.g.:

scripts:
  my_init_script.sh: |
    #!/bin/sh
    echo "Do something."

Default value: {}

postgresql.primary.initdb.scriptsConfigMap#

ConfigMap with scripts to be run at first boot. NOTE: This will override primary.initdb.scripts.

Default value: ""

postgresql.primary.initdb.scriptsSecret#

Secret with scripts to be run at first boot (in case it contains sensitive information). NOTE: This can work along primary.initdb.scripts or primary.initdb.scriptsConfigMap.

Default value: ""

postgresql.primary.initdb.user#

Specify the PostgreSQL username to execute the initdb scripts.

Default value: ""

postgresql.primary.labels#

Map of labels to add to the statefulset (postgresql primary).

Default value: {}

postgresql.primary.lifecycleHooks#

Lifecycle hooks for the PostgreSQL Primary container to automate configuration before or after startup.

Default value: {}

postgresql.primary.livenessProbe.enabled#

Default value: true

postgresql.primary.livenessProbe.failureThreshold#

Default value: 6

postgresql.primary.livenessProbe.initialDelaySeconds#

Default value: 30

postgresql.primary.livenessProbe.periodSeconds#

Default value: 10

postgresql.primary.livenessProbe.successThreshold#

Default value: 1

postgresql.primary.livenessProbe.timeoutSeconds#

Default value: 5

postgresql.primary.name#

Name of the primary database (e.g. primary, master, leader, …).

Default value: "primary"

postgresql.primary.nodeAffinityPreset.key#

PostgreSQL primary node label key to match. Ignored if primary.affinity is set. E.g.:

key: "kubernetes.io/e2e-az-name"

Default value: ""

postgresql.primary.nodeAffinityPreset.type#

PostgreSQL primary node affinity preset type. Ignored if primary.affinity is set. Allowed values: soft or hard.

Default value: ""

postgresql.primary.nodeAffinityPreset.values#

PostgreSQL primary node label values to match. Ignored if primary.affinity is set. E.g.:

values:
  - e2e-az1
  - e2e-az2

Default value: []

postgresql.primary.nodeSelector#

Node labels for PostgreSQL primary pods assignment. Ref: https://kubernetes.io/docs/user-guide/node-selection/

Default value: {}

postgresql.primary.persistence.accessModes#

PVC Access Mode for PostgreSQL volume.

Default value: ["ReadWriteOnce"]

postgresql.primary.persistence.annotations#

Annotations for the PVC.

Default value: {}

postgresql.primary.persistence.dataSource#

Custom PVC data source.

Default value: {}

postgresql.primary.persistence.enabled#

Enable PostgreSQL Primary data persistence using PVC.

Default value: true

postgresql.primary.persistence.existingClaim#

Name of an existing PVC to use.

Default value: ""

postgresql.primary.persistence.labels#

Labels for the PVC.

Default value: {}

postgresql.primary.persistence.mountPath#

The path the volume will be mounted at. Note: useful when using custom PostgreSQL images.

Default value: "/bitnami/postgresql"

postgresql.primary.persistence.selector#

Selector to match an existing Persistent Volume (this value is evaluated as a template). Example:

selector:
  matchLabels:
    app: my-app

Default value: {}

postgresql.primary.persistence.size#

PVC Storage Request for PostgreSQL volume.

Default value: "8Gi"

postgresql.primary.persistence.storageClass#

PVC Storage Class for PostgreSQL Primary data volume. If defined, storageClassName: <storageClass>. If set to “-”, storageClassName: “”, which disables dynamic provisioning. If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner (gp2 on AWS, standard on GKE, AWS & OpenStack).

Default value: ""

postgresql.primary.persistence.subPath#

The subdirectory of the volume to mount to. Useful in dev environments and one PV for multiple services.

Default value: ""

postgresql.primary.persistentVolumeClaimRetentionPolicy.enabled#

Enable Persistent volume retention policy for Primary Statefulset.

Default value: false

postgresql.primary.persistentVolumeClaimRetentionPolicy.whenDeleted#

Volume retention behavior that applies when the StatefulSet is deleted.

Default value: "Retain"

postgresql.primary.persistentVolumeClaimRetentionPolicy.whenScaled#

Volume retention behavior when the replica count of the StatefulSet is reduced.

Default value: "Retain"

postgresql.primary.pgHbaConfiguration#

PostgreSQL Primary client authentication configuration. Ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html Example:

pgHbaConfiguration: |-
  local all all trust
  host all all localhost trust
  host mydatabase mysuser 192.168.0.0/24 md5

Default value: ""

postgresql.primary.podAffinityPreset#

PostgreSQL primary pod affinity preset. Ignored if primary.affinity is set. Allowed values: soft or hard. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity

Default value: ""

postgresql.primary.podAnnotations#

Map of annotations to add to the pods (postgresql primary).

Default value: {}

postgresql.primary.podAntiAffinityPreset#

PostgreSQL primary pod anti-affinity preset. Ignored if primary.affinity is set. Allowed values: soft or hard. Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity

Default value: "soft"

postgresql.primary.podLabels#

Map of labels to add to the pods (postgresql primary).

Default value: {}

postgresql.primary.podSecurityContext.enabled#

Default value: true

postgresql.primary.podSecurityContext.fsGroup#

Default value: 1001

postgresql.primary.priorityClassName#

Priority Class to use for each pod (postgresql primary).

Default value: ""

postgresql.primary.readinessProbe.enabled#

Default value: true

postgresql.primary.readinessProbe.failureThreshold#

Default value: 6

postgresql.primary.readinessProbe.initialDelaySeconds#

Default value: 5

postgresql.primary.readinessProbe.periodSeconds#

Default value: 10

postgresql.primary.readinessProbe.successThreshold#

Default value: 1

postgresql.primary.readinessProbe.timeoutSeconds#

Default value: 5

postgresql.primary.resources.limits#

Default value: {}

postgresql.primary.resources.limits.cpu#

Default value: 288

postgresql.primary.resources.limits.memory#

Default value: "1Gi"

postgresql.primary.resources.requests.cpu#

Default value: "10m"

postgresql.primary.resources.requests.memory#

Default value: "16Mi"

postgresql.primary.schedulerName#

#@param primary.schedulerName Use an alternate scheduler, e.g. “stork”. #ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ##

Default value: ""

postgresql.primary.service.annotations#

#@param primary.service.annotations Annotations for PostgreSQL primary service ##

Default value: {}

postgresql.primary.service.clusterIP#

#@param primary.service.clusterIP Static clusterIP or None for headless services
#e.g:
#clusterIP: None
##

Default value: ""

postgresql.primary.service.externalTrafficPolicy#

#@param primary.service.externalTrafficPolicy Enable client source IP preservation #ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ##

Default value: "Cluster"

postgresql.primary.service.extraPorts#

#@param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service ##

Default value: []

postgresql.primary.service.headless.annotations#

#@param primary.service.headless.annotations Additional custom annotations for headless PostgreSQL primary service ##

Default value: {}

postgresql.primary.service.loadBalancerIP#

#@param primary.service.loadBalancerIP Load balancer IP if service type is LoadBalancer #Set the LoadBalancer service type to internal only #ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ##

Default value: ""

postgresql.primary.service.loadBalancerSourceRanges#

#@param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
#https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
#loadBalancerSourceRanges:
#- 10.10.10.0/24
##

Default value: []

postgresql.primary.service.nodePorts.postgresql#

Default value: ""

postgresql.primary.service.ports.postgresql#

Default value: 5432

postgresql.primary.service.sessionAffinity#

#@param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be “None” or “ClientIP” #If “ClientIP”, consecutive client requests will be directed to the same Pod #ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies ##

Default value: "None"

postgresql.primary.service.sessionAffinityConfig#

#@param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity
#sessionAffinityConfig:
#  clientIP:
#    timeoutSeconds: 300
##

Default value: {}

postgresql.primary.service.type#

#@param primary.service.type Kubernetes Service type ##

Default value: "ClusterIP"

postgresql.primary.sidecars#

#@param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s)
#For example:
#sidecars:
#  - name: your-image-name
#    image: your-image
#    imagePullPolicy: Always
#    ports:
#      - name: portname
#        containerPort: 1234
##

Default value: []

postgresql.primary.standby.enabled#

Default value: false

postgresql.primary.standby.primaryHost#

Default value: ""

postgresql.primary.standby.primaryPort#

Default value: ""

postgresql.primary.startupProbe.enabled#

Default value: false

postgresql.primary.startupProbe.failureThreshold#

Default value: 15

postgresql.primary.startupProbe.initialDelaySeconds#

Default value: 30

postgresql.primary.startupProbe.periodSeconds#

Default value: 10

postgresql.primary.startupProbe.successThreshold#

Default value: 1

postgresql.primary.startupProbe.timeoutSeconds#

Default value: 1

postgresql.primary.terminationGracePeriodSeconds#

Default value: 5

postgresql.primary.tolerations#

#@param primary.tolerations Tolerations for PostgreSQL primary pods assignment #ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ##

Default value: []

postgresql.primary.topologySpreadConstraints#

#@param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template #Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods ##

Default value: []

postgresql.primary.updateStrategy.rollingUpdate#

Default value: {}

postgresql.primary.updateStrategy.type#

Default value: "RollingUpdate"

postgresql.provisioning.containerSecurityContext.allowPrivilegeEscalation#

Default value: false

postgresql.provisioning.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

postgresql.provisioning.containerSecurityContext.enabled#

Default value: true

postgresql.provisioning.containerSecurityContext.privileged#

Default value: false

postgresql.provisioning.containerSecurityContext.readOnlyRootFilesystem#

Default value: true

postgresql.provisioning.containerSecurityContext.runAsGroup#

Default value: 1001

postgresql.provisioning.containerSecurityContext.runAsNonRoot#

Default value: true

postgresql.provisioning.containerSecurityContext.runAsUser#

Default value: 1001

postgresql.provisioning.containerSecurityContext.seLinuxOptions#

Default value: {}

postgresql.provisioning.containerSecurityContext.seccompProfile.type#

Default value: "RuntimeDefault"

postgresql.provisioning.enabled#

Default value: true

postgresql.provisioning.image.registry#

Default value: "docker.io"

postgresql.provisioning.image.repository#

Default value: "bitnami/postgresql"

postgresql.provisioning.image.tag#

Default value: "15.4.0-debian-11-r45"

postgresql.provisioning.ttlSecondsAfterFinished#

Default value: 30

postgresql.psp.create#

Default value: false

postgresql.rbac.create#

Default value: false

postgresql.rbac.rules#

#@param rbac.rules Custom RBAC rules to set
#e.g:
#rules:
#  - apiGroups:
#      - ""
#    resources:
#      - pods
#    verbs:
#      - get
#      - list
##

Default value: []

postgresql.readReplicas.affinity#

#@param readReplicas.affinity Affinity for PostgreSQL read only pods assignment #ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity #Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it’s set ##

Default value: {}

postgresql.readReplicas.annotations#

#@param readReplicas.annotations Annotations for PostgreSQL read only pods ##

Default value: {}

postgresql.readReplicas.args#

#@param readReplicas.args Override default container args (useful when using custom images) ##

Default value: []

postgresql.readReplicas.command#

#@param readReplicas.command Override default container command (useful when using custom images) ##

Default value: []

postgresql.readReplicas.containerSecurityContext.allowPrivilegeEscalation#

Default value: false

postgresql.readReplicas.containerSecurityContext.capabilities.drop#

Default value: ["ALL"]

postgresql.readReplicas.containerSecurityContext.enabled#

Default value: true

postgresql.readReplicas.containerSecurityContext.runAsGroup#

Default value: 0

postgresql.readReplicas.containerSecurityContext.runAsNonRoot#

Default value: true

postgresql.readReplicas.containerSecurityContext.runAsUser#

Default value: 1001

postgresql.readReplicas.containerSecurityContext.seccompProfile.type#

Default value: "RuntimeDefault"

postgresql.readReplicas.customLivenessProbe#

#@param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one ##

Default value: {}

postgresql.readReplicas.customReadinessProbe#

#@param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one ##

Default value: {}

postgresql.readReplicas.customStartupProbe#

#@param readReplicas.customStartupProbe Custom startupProbe that overrides the default one ##

Default value: {}

postgresql.readReplicas.extendedConfiguration#

#@param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration) #ref: bitnami/containers ##

Default value: ""

postgresql.readReplicas.extraEnvVars#

#@param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes
#e.g:
#extraEnvVars:
#  - name: FOO
#    value: "bar"
##

Default value: []

postgresql.readReplicas.extraEnvVarsCM#

#@param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes ##

Default value: ""

postgresql.readReplicas.extraEnvVarsSecret#

#@param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes ##

Default value: ""

postgresql.readReplicas.extraPodSpec#

#@param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) ##

Default value: {}

postgresql.readReplicas.extraVolumeMounts#

#@param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) ##

Default value: []

postgresql.readReplicas.extraVolumes#

#@param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) ##

Default value: []

postgresql.readReplicas.hostAliases#

#@param readReplicas.hostAliases PostgreSQL read only pods host aliases #https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ ##

Default value: []

postgresql.readReplicas.hostIPC#

#@param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) ##

Default value: false

postgresql.readReplicas.hostNetwork#

#@param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) ##

Default value: false

postgresql.readReplicas.initContainers#

#@param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s)
#Example
##
#initContainers:
#  - name: do-something
#    image: busybox
#    command: ['do', 'something']
##

Default value: []

postgresql.readReplicas.labels#

#@param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) ##

Default value: {}

postgresql.readReplicas.lifecycleHooks#

#@param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup ##

Default value: {}

postgresql.readReplicas.livenessProbe.enabled#

Default value: true

postgresql.readReplicas.livenessProbe.failureThreshold#

Default value: 6

postgresql.readReplicas.livenessProbe.initialDelaySeconds#

Default value: 30

postgresql.readReplicas.livenessProbe.periodSeconds#

Default value: 10

postgresql.readReplicas.livenessProbe.successThreshold#

Default value: 1

postgresql.readReplicas.livenessProbe.timeoutSeconds#

Default value: 5

postgresql.readReplicas.name#

#@param readReplicas.name Name of the read replicas database (eg secondary, slave, …) ##

Default value: "read"

postgresql.readReplicas.nodeAffinityPreset.key#

#@param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match. Ignored if primary.affinity is set.
#E.g.
#key: "kubernetes.io/e2e-az-name"
##

Default value: ""

postgresql.readReplicas.nodeAffinityPreset.type#

#@param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if primary.affinity is set. Allowed values: soft or hard ##

Default value: ""

postgresql.readReplicas.nodeAffinityPreset.values#

#@param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if primary.affinity is set.
#E.g.
#values:
#  - e2e-az1
#  - e2e-az2
##

Default value: []

postgresql.readReplicas.nodeSelector#

#@param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment #ref: https://kubernetes.io/docs/user-guide/node-selection/ ##

Default value: {}

postgresql.readReplicas.persistence.accessModes#

#@param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume ##

Default value: ["ReadWriteOnce"]

postgresql.readReplicas.persistence.annotations#

#@param readReplicas.persistence.annotations Annotations for the PVC ##

Default value: {}

postgresql.readReplicas.persistence.dataSource#

#@param readReplicas.persistence.dataSource Custom PVC data source ##

Default value: {}

postgresql.readReplicas.persistence.enabled#

#@param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC ##

Default value: true

postgresql.readReplicas.persistence.existingClaim#

#@param readReplicas.persistence.existingClaim Name of an existing PVC to use ##

Default value: ""

postgresql.readReplicas.persistence.labels#

#@param readReplicas.persistence.labels Labels for the PVC ##

Default value: {}

postgresql.readReplicas.persistence.mountPath#

#@param readReplicas.persistence.mountPath The path the volume will be mounted at #Note: useful when using custom PostgreSQL images ##

Default value: "/bitnami/postgresql"

postgresql.readReplicas.persistence.selector#

#@param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
#selector:
#  matchLabels:
#    app: my-app
##

Default value: {}

postgresql.readReplicas.persistence.size#

#@param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume ##

Default value: "8Gi"

postgresql.readReplicas.persistence.storageClass#

#@param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume
#If defined, storageClassName: <storageClass>
#If set to "-", storageClassName: "", which disables dynamic provisioning
#If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner. (gp2 on AWS, standard on GKE, AWS & OpenStack)
##

Default value: ""

postgresql.readReplicas.persistence.subPath#

#@param readReplicas.persistence.subPath The subdirectory of the volume to mount to #Useful in dev environments and one PV for multiple services ##

Default value: ""

postgresql.readReplicas.persistentVolumeClaimRetentionPolicy.enabled#

#@param readReplicas.persistentVolumeClaimRetentionPolicy.enabled Enable Persistent volume retention policy for read only Statefulset ##

Default value: false

postgresql.readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted#

#@param readReplicas.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted ##

Default value: "Retain"

postgresql.readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled#

#@param readReplicas.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced ##

Default value: "Retain"

postgresql.readReplicas.podAffinityPreset#

#@param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if primary.affinity is set. Allowed values: soft or hard #ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ##

Default value: ""

postgresql.readReplicas.podAnnotations#

#@param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) ##

Default value: {}

postgresql.readReplicas.podAntiAffinityPreset#

#@param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if primary.affinity is set. Allowed values: soft or hard #ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity ##

Default value: "soft"

postgresql.readReplicas.podLabels#

#@param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) ##

Default value: {}

postgresql.readReplicas.podSecurityContext.enabled#

Default value: true

postgresql.readReplicas.podSecurityContext.fsGroup#

Default value: 1001

postgresql.readReplicas.priorityClassName#

#@param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) ##

Default value: ""

postgresql.readReplicas.readinessProbe.enabled#

Default value: true

postgresql.readReplicas.readinessProbe.failureThreshold#

Default value: 6

postgresql.readReplicas.readinessProbe.initialDelaySeconds#

Default value: 5

postgresql.readReplicas.readinessProbe.periodSeconds#

Default value: 10

postgresql.readReplicas.readinessProbe.successThreshold#

Default value: 1

postgresql.readReplicas.readinessProbe.timeoutSeconds#

Default value: 5

postgresql.readReplicas.replicaCount#

#@param readReplicas.replicaCount Number of PostgreSQL read only replicas ##

Default value: 1

postgresql.readReplicas.resources.limits#

Default value: {}

postgresql.readReplicas.resources.requests.cpu#

Default value: "250m"

postgresql.readReplicas.resources.requests.memory#

Default value: "256Mi"

postgresql.readReplicas.schedulerName#

#@param readReplicas.schedulerName Use an alternate scheduler, e.g. “stork”. #ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ ##

Default value: ""

postgresql.readReplicas.service.annotations#

#@param readReplicas.service.annotations Annotations for PostgreSQL read only service ##

Default value: {}

postgresql.readReplicas.service.clusterIP#

#@param readReplicas.service.clusterIP Static clusterIP or None for headless services
#e.g:
#clusterIP: None
##

Default value: ""

postgresql.readReplicas.service.externalTrafficPolicy#

#@param readReplicas.service.externalTrafficPolicy Enable client source IP preservation #ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip ##

Default value: "Cluster"

postgresql.readReplicas.service.extraPorts#

#@param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service ##

Default value: []

postgresql.readReplicas.service.headless.annotations#

#@param readReplicas.service.headless.annotations Additional custom annotations for headless PostgreSQL read only service ##

Default value: {}

postgresql.readReplicas.service.loadBalancerIP#

#@param readReplicas.service.loadBalancerIP Load balancer IP if service type is LoadBalancer #Set the LoadBalancer service type to internal only #ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer ##

Default value: ""

postgresql.readReplicas.service.loadBalancerSourceRanges#

#@param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
#https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
##
#loadBalancerSourceRanges:
#- 10.10.10.0/24
##

Default value: []

postgresql.readReplicas.service.nodePorts.postgresql#

Default value: ""

postgresql.readReplicas.service.ports.postgresql#

Default value: 5432

postgresql.readReplicas.service.sessionAffinity#

#@param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be “None” or “ClientIP” #If “ClientIP”, consecutive client requests will be directed to the same Pod #ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies ##

Default value: "None"

postgresql.readReplicas.service.sessionAffinityConfig#

#@param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity
#sessionAffinityConfig:
#  clientIP:
#    timeoutSeconds: 300
##

Default value: {}

postgresql.readReplicas.service.type#

#@param readReplicas.service.type Kubernetes Service type ##

Default value: "ClusterIP"

postgresql.readReplicas.sidecars#

#@param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s)
#For example:
#sidecars:
#  - name: your-image-name
#    image: your-image
#    imagePullPolicy: Always
#    ports:
#      - name: portname
#        containerPort: 1234
##

Default value: []

postgresql.readReplicas.startupProbe.enabled#

Default value: false

postgresql.readReplicas.startupProbe.failureThreshold#

Default value: 15

postgresql.readReplicas.startupProbe.initialDelaySeconds#

Default value: 30

postgresql.readReplicas.startupProbe.periodSeconds#

Default value: 10

postgresql.readReplicas.startupProbe.successThreshold#

Default value: 1

postgresql.readReplicas.startupProbe.timeoutSeconds#

Default value: 1

postgresql.readReplicas.terminationGracePeriodSeconds#

#@param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully #ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods ##

Default value: ""

postgresql.readReplicas.tolerations#

#@param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment #ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ ##

Default value: []

postgresql.readReplicas.topologySpreadConstraints#

#@param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template #Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods ##

Default value: []

postgresql.readReplicas.updateStrategy.rollingUpdate#

Default value: {}

postgresql.readReplicas.updateStrategy.type#

Default value: "RollingUpdate"

postgresql.replication.applicationName#

#@param replication.applicationName Cluster application name. Useful for advanced replication settings ##

Default value: "my_application"

postgresql.replication.numSynchronousReplicas#

Default value: 0

postgresql.replication.synchronousCommit#

#@param replication.synchronousCommit Set synchronous commit mode. Allowed values: on, remote_apply, remote_write, local and off
#@param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than readReplicas.replicaCount.
#ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT
##

Default value: "off"

postgresql.resources.limits.cpu#

Default value: 288

postgresql.resources.limits.memory#

Default value: "1Gi"

postgresql.resources.requests.cpu#

Default value: "10m"

postgresql.resources.requests.memory#

Default value: "16Mi"

postgresql.serviceAccount.annotations#

#@param serviceAccount.annotations Additional custom annotations for the ServiceAccount ##

Default value: {}

postgresql.serviceAccount.automountServiceAccountToken#

#@param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created #Can be set to false if pods using this serviceAccount do not need to use K8s API ##

Default value: true

postgresql.serviceAccount.create#

#@param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod ##

Default value: false

postgresql.serviceAccount.name#

#@param serviceAccount.name The name of the ServiceAccount to use. #If not set and create is true, a name is generated using the common.names.fullname template ##

Default value: ""

postgresql.serviceBindings.enabled#

Default value: false

postgresql.shmVolume.enabled#

#@param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) ##

Default value: true

postgresql.shmVolume.sizeLimit#

#@param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs
#Note: the size of the tmpfs counts against container’s memory limit
#e.g:
#sizeLimit: 1Gi
##

Default value: ""

postgresql.tls.autoGenerated#

#@param tls.autoGenerated Generate automatically self-signed TLS certificates ##

Default value: false

postgresql.tls.certCAFilename#

#@param tls.certCAFilename CA Certificate filename #If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate #ref: https://www.postgresql.org/docs/9.6/auth-methods.html ##

Default value: ""

postgresql.tls.certCaFilename#

Default value: "ca.crt"

postgresql.tls.certFilename#

Default value: "tls.crt"

postgresql.tls.certKeyFilename#

Default value: "tls.key"

postgresql.tls.certificatesSecret#

#@param tls.certificatesSecret Name of an existing secret that contains the certificates ##

Default value: ""

postgresql.tls.crlFilename#

#@param tls.crlFilename File containing a Certificate Revocation List ##

Default value: ""

postgresql.tls.enabled#

Default value: false

postgresql.tls.existingSecret#

Default value: "{{ .Release.Name }}-postgresql-tls"

postgresql.tls.preferServerCiphers#

#@param tls.preferServerCiphers Whether to use the server’s TLS cipher preferences rather than the client’s ##

Default value: true

postgresql.volumePermissions.containerSecurityContext.runAsGroup#

Default value: 0

postgresql.volumePermissions.containerSecurityContext.runAsNonRoot#

Default value: false

postgresql.volumePermissions.containerSecurityContext.runAsUser#

Default value: 0

postgresql.volumePermissions.containerSecurityContext.seccompProfile.type#

Default value: "RuntimeDefault"

postgresql.volumePermissions.enabled#

#@param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume ##

Default value: false

postgresql.volumePermissions.image.digest#

Default value: ""

postgresql.volumePermissions.image.pullPolicy#

Default value: "IfNotPresent"

postgresql.volumePermissions.image.pullSecrets#

#Optionally specify an array of imagePullSecrets.
#Secrets must be manually created in the namespace.
#ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
#Example:
#pullSecrets:
#  - myRegistryKeySecretName
##

Default value: []

postgresql.volumePermissions.image.registry#

Default value: "docker.io"

postgresql.volumePermissions.image.repository#

Default value: "bitnami/os-shell"

postgresql.volumePermissions.image.tag#

Default value: "11-debian-11-r77"

postgresql.volumePermissions.resources.limits#

Default value: {}

postgresql.volumePermissions.resources.requests#

Default value: {}