forked from pegasystems/pega-helm-charts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathvalues.yaml
208 lines (185 loc) · 10.2 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
---
global:
imageCredentials:
registry: "YOUR_DOCKER_REGISTRY"
username: "YOUR_DOCKER_REGISTRY_USERNAME"
password: "YOUR_DOCKER_REGISTRY_PASSWORD"
# Specify the value of your Kubernetes provider
k8sProvider: "YOUR_KUBERNETES_PROVIDER"
# Search and Reporting Service (SRS) Configuration
srs:
# Set srs.enabled=true to enable SRS
enabled: true
# specify unique name for the deployment based on org app and/or srs applicable environment name. eg: acme-demo-dev-srs
deploymentName: "YOUR_SRS_DEPLOYMENT_NAME"
# Configure the location of the busybox image that is used during the deployment process of
# the internal Elasticsearch cluster
busybox:
image: "alpine:3.20.2"
imagePullPolicy: "IfNotPresent"
srsRuntime:
# Number of pods to provision
replicaCount: 2
# docker image of the srs-service, platform-services/search-n-reporting-service:dockerTag
srsImage: "YOUR_SRS_IMAGE:TAG"
# To avoid exposing Docker credentials, optionally create a separate Docker config secret.
# Specify secret names as an array of comma-separated strings. For example: ["secret1", "secret2"]
imagePullSecretNames: []
env:
# AuthEnabled may be set to true when there is an authentication mechanism in place between SRS and Pega Infinity.
AuthEnabled: false
# When `AuthEnabled` is `true`, enter the appropriate public key URL. When `AuthEnabled` is `false`(default), leave this parameter empty.
OAuthPublicKeyURL: ""
# Use this parameter to configure values for Java options.
javaOpts: ""
# Set to true if you require a highly secured connection that complies with NIST SP 800-53 and NIST SP 800-131. Otherwise, set to false.
enableSecureCryptoMode: false
# Apply securityContext to SRS pods. Example:
# securityContext:
# runAsUser: 9999
# fsGroup: 0
# Apply securityContext to SRS containers. Example:
# containerSecurityContext:
# allowPrivilegeEscalation: false
# capabilities:
# drop:
# - ALL
# runAsNonRoot: true
# This section specifies the elasticsearch cluster configuration.
srsStorage:
# Setting srsStorage.provisionInternalESCluster to true will provision an internal elasticsearch cluster using the configuration
# specified in the `elasticsearch` section
# If you do not enable SRS and the srs.enabled parameter is set to false, always set srs.srsStorage.provisionInternalESCluster=false
provisionInternalESCluster: true
# To use your own Elasticsearch/OpenSearch cluster, set srsStorage.provisionInternalESCluster to false and then
# set the external Elasticsearch/OpenSearch cluster URL and port details below when using an externally managed Elasticsearch/OpenSearch
# Ensure that the specified endpoint is accessible from the kubernetes cluster pods.
# domain: ""
# port: 9200
# protocol: https
# The Elasticsearch/OpenSearch connection supports three authentication methods: basic authentication ,
# AWS IAM role-based authentication and Elasticsearch/OpenSearch secure connection(tls).
# Set srs.srsStorage.tls.enabled: true to enable the use of TLS-based authentication to your Elasticsearch/OpenSearch service
# whether is it running as an internalized or externalized service in your SRS cluster.
tls:
enabled: false
# To specify a certificate used to authenticate an external Elasticsearch/OpenSearch service (with tls.enabled: true and srsStorage.provisionInternalESCluster: false),
# uncomment the following lines to specify the TLS certificate name with password for your Elasticsearch/OpenSearch service.
# Default certificatePassword value will be empty if not used.
# certificateName: "Certificate_Name"
# certificatePassword: "password"
# To specify a certificate using a secret, uncomment the certsSecret parameter and provide the secret name containing your certificate and certificate password.
# Use the full name of the certificate file (together with file extension, for example, “certificate.p12” or “certificate.jks”) as a key name in the secret. Use this key name
# to configure the “certificateName” parameter. Use a key name “password” to provide the certificate password in the secret.
# certsSecret: srs-certificates
# Set srs.srsStorage.basicAuthentication.enabled: true to enable the use of basic authentication to your Elasticsearch/OpenSearch service
# whether is it running as an internalized or externalized service in your SRS cluster.
basicAuthentication:
enabled: true
# To configure basic authentication or TLS-based authentication to your externally-managed Elasticsearch/OpenSearch service in your SRS cluster,
# uncomment and add the parameter details: srs.srsStorage.authCredentials.username and srs.srsStorage.authCredentials.password
# Auth Credentials added under authCredentials field which supports both Elasticsearch and OpenSearch credentials.
# authCredentials:
# username: "username"
# password: "password"
# for your externally managed Elasticsearch cluster.
# uncomment and add the parameter details: srs.srsStorage.esCredentials.username and srs.srsStorage.esCredentials.password for your externally managed elasticsearch cluster.
# esCredentials will be deprecated in future releases, please switch to authCredentials.
# esCredentials:
# username: "username"
# password: "password"
# To use a secret to configure basic authentication or TLS-based authentication between your external Elasticsearch/OpenSearch service and SRS,
# uncomment the authSecret parameter and set it to the secret name. Use "username" and "password" as keys for your secret.
# authSecret: srs-elastic-credentials
# To configure AWS IAM role-based authentication to your externally-managed Elasticsearch/OpenSearch cluster, uncomment
# and add the parameter details: srs.srsStorage.awsIAM and its associated region, srs.srsStorage.awsIAM.region
# awsIAM:
# region: "AWS_ELASTICSEARCH_REGION"/"AWS_OPENSEARCH_REGION"
# To configure either authentication method, when the Elasticsearch/OpenSearch domain requires an open internet connection,
# set the requireInternetAccess parameter to "true".
requireInternetAccess: false
constellation:
enabled: false
constellation-messaging:
enabled: false
deployment:
name: YOUR_MESSAGING_SERVICE_DEPLOYMENT_NAME
image: YOUR_MESSAGING_SERVICE_IMAGE:TAG
replicas: 1
# This section specifies the configuration for deploying an internal elasticsearch cluster for use with SRS.
# The configuration for rest of the values defined under 'elasticsearch' are to define the elasticsearch cluster
# based on helm charts defined at https://github.com/elastic/helm-charts/tree/master/elasticsearch and may be modified
# as per runtime and storage requirements.
elasticsearch:
# For internally provisioned Elasticsearch server, the imageTag parameter is set by default to 7.17.9, which is the
# recommended Elasticsearch server version for k8s version >= 1.25.
# Use this parameter to change it to 7.10.2 or 7.16.3 for k8s version < 1.25 and make sure to update the Elasticsearch helm chart version in requirements.yaml.
imageTag: 7.17.9
# Permit co-located instances for solitary minikube virtual machines.
antiAffinity: "soft"
# Shrink default JVM heap.
esJavaOpts: "-Xmx1024m -Xms1024m"
# Allocate smaller chunks of memory per pod.
# This section specifies the elasticsearch cluster configuration for authentication and TLS.
# If you previously set srs.srsStorage.tls.enabled: true, you must uncomment the line to use protocol: https parameter.
# protocol: https
# Uncomment the below lines if you want to deploy/upgrade Elasticsearch server version >= 8.x
# createCert: false
# secret:
# enabled: false
# protocol: http
# For deployments that use TLS-based authentication to an internal Elasticsearch service in the SRS cluster,
# uncomment and appropriately add below lines under esConfig.elasticsearch.yml.
# xpack.security.http.ssl.enabled: true
# xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
# xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
esConfig:
elasticsearch.yml: |
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
# Uncomment the below lines if you want to deploy/upgrade Elasticsearch server version >= 8.x by adding below lines under esConfig.elasticsearch.yml.
# action.destructive_requires_name: false
# ingest.geoip.downloader.enabled: false
# Use this section to include additional, supported environmental variables for Elasticsearch basic authentication.
# The parameter values can be read from a specified secrets file.
extraEnvs:
- name: ELASTIC_PASSWORD
valueFrom:
secretKeyRef:
name: srs-elastic-credentials
key: password
- name: ELASTIC_USERNAME
valueFrom:
secretKeyRef:
name: srs-elastic-credentials
key: username
resources:
requests:
cpu: "1000m"
memory: "2Gi"
limits:
cpu: "2000m"
memory: "3Gi"
volumeClaimTemplate:
accessModes: ["ReadWriteOnce"]
resources:
requests:
# configure volume size of the elasticsearch nodes based on search data storage requirements. The default storage size from elasticsearch is 30Gi.
storage: 30Gi
# elasticsearch.secretMounts will help reading certificates from elastic-certificates secret.
secretMounts:
- name: elastic-certificates
secretName: elastic-certificates
path: /usr/share/elasticsearch/config/certs
# For Openshift deployments, you must enable the following custom values. For details
# refer to https://github.com/elastic/helm-charts/tree/master/elasticsearch/examples/openshift.
# securityContext:
# runAsUser: null
# podSecurityContext:
# fsGroup: null
# runAsUser: null
# sysctlInitContainer:
# enabled: false