
Sample values.yaml File


As a best practice, we recommend using the file values-custom.yaml for setting the relevant parameter values.

Additional parameters and configuration can be copied from the following values.yaml into values-custom.yaml as needed.

# Default values for plainid-paa.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Client settings
# These settings can be found under the tenant settings section on the management UI.
# -- Tenant Id (can be found under the Hybrid Agent Keys tab)
tenantId: "ENTER_TENANT_ID"
# NOTE(review): agentSecretKey is a credential. Keep the values-custom.yaml that
# holds the real key out of version control and readable only by whoever runs the
# install. This file does not show how the chart stores the key in the cluster;
# confirm it ends up in a Secret rather than a ConfigMap or a plain env value.
# -- Agent secret key (can be found under the Hybrid Agent Keys tab)
agentSecretKey: "ENTER_AGENT_SECRET_KEY"
# -- Policy Authorization Agent Id (can be found under the Policy Authorization Agents tab)
paaId: "ENTER_PAA_ID"

# PlainID hybrid URL.
# Possible values (XXXXX): us1,eu1,ca1
# Both documented endpoints use a TLS scheme (wss:// or https://); keep one of
# them so the tunnel to the PlainID platform is not carried in clear text.
# -- PlainID hybrid URL endpoint for tunnel connectivity.
# For example: remoteApi: "wss://remote.us1.plainid.io/wstunnel"
remoteApi: "wss://remote.XXXXX.plainid.io/wstunnel"

# To use HTTPS tunneling instead of WebSockets, set remoteApi as follows
# (straight quotes only; typographic quotes would become part of the URL):
# remoteApi: "https://remote.us1.plainid.io/httptunnel"

## Reference to one or more secrets to be used when pulling images
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# -- Value for `imagePullSecrets`.
imagePullSecrets: []
# - name: "image-pull-secret"

#nameOverride: "plainid-paa"
#fullnameOverride: "plainid-paa"

# -- Override the Kubernetes version, which is used to evaluate certain manifests
kubeVersionOverride: ""

# -- Kubernetes cluster domain name.
clusterDomain: cluster.local

# -- Configuration for `serviceAccount`.
serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # -- If not set and create is true, a name is generated using the fullname template
  name: ""
  # NOTE(review): with this default the service account's API token is presumably
  # mounted into the pods (the templates that consume the value are not shown here).
  # If the workloads never call the Kubernetes API, the token only adds to what a
  # compromised container can use; check whether the chart accepts "false".
  # The value is a quoted string, not a YAML boolean.
  # -- Value for `serviceAccount.automountServiceAccountToken`.
  automountServiceAccountToken: "true"

# NOTE(review): both contexts default to empty, so these values add no
# restrictions; the pods run with whatever the image and the cluster defaults
# allow. The commented settings below are a sensible hardening baseline (drop all
# capabilities, read-only root filesystem, non-root user). This page does not say
# whether the PlainID images work with them, so test before enforcing.
# When enabling a block, replace the `{}` with it; leaving `{}` in place and
# uncommenting the nested keys makes the file invalid YAML.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# -- Value for `podSecurityContext`.
podSecurityContext: {}
  # fsGroup: 2000

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# -- Value for `securityContext`.
securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# -- Configuration for `tolerations`.
tolerations: []

# -- Value for `global`.
global:
  # -- Additional labels to add to all resources
  additionalLabels: {}
  # app: plainid-paa

# -- Value for `agent`.
agent:
  # -- Value for `agent.fullnameOverride`.
  fullnameOverride: agent-client
  # -- Enable `agent`.
  enabled: true
  # -- Value for `agent.name`.
  name: agent
  # -- Value for `agent.replicaCount`.
  replicaCount: 1
  # -- Configuration for `agent.image`.
  image:
    # -- Value for `agent.image.repository`.
    repository: plainid/agent
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    # -- Value for `agent.image.pullPolicy`.
    pullPolicy: Always
    # -- Value for `agent.image.tag`.
    tag: "5.2624.3"
  # -- If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  # -- Configuration for `agent.serviceAccount`.
  serviceAccount:
    # -- Annotations for `agent.serviceAccount`.
    annotations: {}
  # -- Specify resources on the PlainID agent container.
  resources: {}
  # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  #  requests:
  #    memory: "2000Mi"
  #    cpu: "50m"
  #  limits:
  #    memory: "4000Mi"
  #    cpu: "2000m"
  # The commented example imports /app/conf/cert.pem into the JVM's default trust
  # store (cacerts) and then launches the agent.
  # NOTE(review): a certificate added to cacerts is trusted for every outbound TLS
  # connection made by this JVM, not only the Redis one the alias suggests, so
  # import only the specific certificate you mean to trust and control who can
  # change the file mounted at /app/conf/cert.pem. `changeit` is the stock JDK
  # trust-store password, not a secret.
  # -- Override agent start command
  command: []
  #    - /bin/sh
  #    - -ec
  #    - |
  #      keytool -import -alias redis-cert -file /app/conf/cert.pem -storepass changeit -keystore /usr/lib/jvm/default-jvm/lib/security/cacerts -noprompt && \
  #      /app/launch.sh "${JVM_OPTS}  -Djava.net.preferIPv4Stack=true" -jar "$JAR_NAME"
  # -- Additional config files mounted to `/app/conf` (for example `config.json`).
  plainIDConfig: {}
  #  config.json: |
  #    {}
  # -- Configuration for `agent.autoscaling`.
  autoscaling:
    # -- Enable `agent.autoscaling`.
    enabled: false
    # -- Value for `agent.autoscaling.minReplicas`.
    minReplicas: 3
    # -- Value for `agent.autoscaling.maxReplicas`.
    maxReplicas: 6
    # -- Value for `agent.autoscaling.targetCPUUtilizationPercentage`.
    targetCPUUtilizationPercentage: 80
    # -- Value for `agent.autoscaling.targetMemoryUtilizationPercentage`.
    targetMemoryUtilizationPercentage: 80
    # -- Annotations for `agent.autoscaling`.
    annotations: { }
    # -- Value for `agent.autoscaling.behavior`.
    behavior: { }
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #  policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
    #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 2
    #     periodSeconds: 60
  # -- Value for `agent.autoscalingTemplate`.
  autoscalingTemplate: []
    # Custom or additional autoscaling metrics
    # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
    # - type: Pods
    #   pods:
    #     metric:
    #       name: nginx_ingress_controller_nginx_process_requests_total
    #     target:
    #       type: AverageValue
  #       averageValue: 10000m
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  # -- Configuration for `agent.verticalPodAutoscaler`.
  verticalPodAutoscaler:
    # -- Enable `agent.verticalPodAutoscaler`.
    enabled: false
    # -- Defaults to chart name
    containerName: ""
    # -- List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: []

    # -- Define the max allowed resources for the pod
    maxAllowed: {}
    # cpu: 200m
    # memory: 100Mi
    # -- Define the min allowed resources for the pod
    minAllowed: {}
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # -- are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: {}
    # updateMode: "Auto"
  # -- For deployment
  strategy:
    # -- Value for `agent.strategy.rollingUpdate`.
    rollingUpdate:
      # -- Value for `agent.strategy.rollingUpdate.maxSurge`.
      maxSurge: 30%
      # -- Value for `agent.strategy.rollingUpdate.maxUnavailable`.
      maxUnavailable: 30%
  # -- Labels to add to the pod container metadata
  podLabels: {}
  #  key: value
  # -- Annotations for `agent`.
  annotations: {}
  # -- Configuration for `agent.podAnnotations`.
  podAnnotations: {}
  ## Sensitive environment variables that will be rendered as a new Secret object
  ## This can be useful for auth tokens, etc.
  # -- Configuration for `agent.extraEnvSecrets`.
  extraEnvSecrets: {}
  # -- When set, the secret environment variables are ignored
  existingEnvSecret: ""
  # NOTE(review): put credentials in extraEnvSecrets or existingEnvSecret, not in
  # extraEnv; extraEnv values are presumably written into the pod spec as plain
  # text, where anyone who can read the Deployment can see them (confirm against
  # the templates).
  # -- Environment variables to pass to the agent
  extraEnv: {}
  #  KEY: "VALUE"
  # -- PlainID agent log format: Either `text` or `json`
  logFormat: text
  #    KEY: "VALUE"
  # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`)
  logLevel: info
  # NOTE(review): these messages leave the cluster. This page does not describe
  # what they contain, so check that before choosing a level more verbose than
  # `error`. When disabling, write the value quoted ("off"): YAML 1.1 parsers read
  # a bare off as the boolean false.
  # -- Set the message level. (One of: `debug`, `info`, `warn`, `error`, `off`)
  # The messagesLevel parameter defines which message types, if any, are sent to the PlainID Platform for troubleshooting.
  # -- To disable messages, set to `off`
  messagesLevel: error
  # -- Value for `agent.terminationGracePeriodSeconds`.
  terminationGracePeriodSeconds: 25
  # NOTE(review): what `debug.enabled` turns on is not described here. 5005 is the
  # port conventionally used for JVM remote debugging (JDWP); if that is what it
  # opens, anyone who can reach the port can run code inside the agent's JVM.
  # Keep it disabled outside troubleshooting sessions and never expose the port
  # beyond the pod network.
  # -- Configuration for `agent.debug`.
  debug:
    # -- Enable `agent.debug`.
    enabled: false
    # -- Value for `agent.debug.port`.
    port: 5005
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  # -- Configuration for `agent.lifecycle`.
  lifecycle:
    # -- Value for `agent.lifecycle.preStop`.
    preStop:
      # -- Value for `agent.lifecycle.preStop.exec`.
      exec:
        # -- Configuration for `agent.lifecycle.preStop.exec.command`.
        command: [ "/bin/bash", "-c", "kill -SIGTERM `pgrep -f redisync` && sleep 20" ]
  ## Configure extra options for probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  # -- livenessProbe configuration for `agent`.
  livenessProbe:
    # -- Enable `agent.livenessProbe`.
    enabled: true
    # -- Value for `agent.livenessProbe.initialDelaySeconds`.
    initialDelaySeconds: "300"
    # -- Value for `agent.livenessProbe.periodSeconds`.
    periodSeconds: "15"
    # -- Value for `agent.livenessProbe.timeoutSeconds`.
    timeoutSeconds: "8"
    # -- Value for `agent.livenessProbe.failureThreshold`.
    failureThreshold: "12"
    # -- Value for `agent.livenessProbe.successThreshold`.
    successThreshold: "1"
  # -- readinessProbe configuration for `agent`.
  readinessProbe:
    # -- Enable `agent.readinessProbe`.
    enabled: true
    # -- Value for `agent.readinessProbe.initialDelaySeconds`.
    initialDelaySeconds: "30"
    # -- Value for `agent.readinessProbe.periodSeconds`.
    periodSeconds: "4"
    # -- Value for `agent.readinessProbe.timeoutSeconds`.
    timeoutSeconds: "3"
    # -- Value for `agent.readinessProbe.failureThreshold`.
    failureThreshold: "5"
    # -- Value for `agent.readinessProbe.successThreshold`.
    successThreshold: "1"
  # -- startupProbe configuration for `agent`.
  startupProbe:
    # -- Enable `agent.startupProbe`.
    enabled: false
    # -- Value for `agent.startupProbe.initialDelaySeconds`.
    initialDelaySeconds: "90"
    # -- Value for `agent.startupProbe.periodSeconds`.
    periodSeconds: "5"
    # -- Value for `agent.startupProbe.timeoutSeconds`.
    timeoutSeconds: "2"
    # -- Value for `agent.startupProbe.failureThreshold`.
    failureThreshold: "300"
    # -- Value for `agent.startupProbe.successThreshold`.
    successThreshold: "1"
  # -- Configuration for `agent.service`.
  service:
    # -- Value for `agent.service.type`.
    type: ClusterIP
    # -- Value for `agent.service.port`.
    port: 8080
    # -- Value for `agent.service.nodePort`.
    nodePort:
    # -- Value for `agent.service.name`.
    name: http
    # -- Annotations for `agent.service`.
    annotations: {}
    # -- Value for `agent.service.management`.
    management:
      # -- Value for `agent.service.management.name`.
      name: http-management
      # -- Value for `agent.service.management.port`.
      port: 8081
  # NOTE(review): the /actuator/prometheus path suggests a Spring Boot Actuator
  # endpoint, and metrics.port has the same value (8081) as service.management.port.
  # Actuator ports can serve more than metrics depending on the application's
  # settings, so limit which workloads can reach this port (for example with a
  # NetworkPolicy that admits only the Prometheus scraper).
  # -- Configuration for `agent.metrics`.
  metrics:
    # -- Enable `agent.metrics`.
    enabled: false
    # -- Value for `agent.metrics.port`.
    port: 8081
    # -- Value for `agent.metrics.serviceMonitor`.
    serviceMonitor:
      # -- When set true then use a ServiceMonitor to configure scraping
      enabled: false
      # -- Value for `agent.metrics.serviceMonitor.path`.
      path: /actuator/prometheus
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    # The port in the commented example (9090) differs from metrics.port (8081);
    # use the port the agent actually exposes when enabling these annotations.
    # -- Annotations for `agent.metrics`.
    annotations: {}
    #   prometheus.io/port: '9090'
    #   prometheus.io/scrape: 'true'
    #   prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # -- Init containers to add to the deployment pod spec.
  initContainers: []
  #    - name: wait-for
  #      image: busybox:1.36
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          until nc -z plainid-paa-redis-master 6379; do sleep 2; done
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  # -- Configuration for `agent.podDisruptionBudget`.
  podDisruptionBudget:
    # -- Labels to be added
    labels: {}
    # -- Annotations to be added
    annotations: {}

    # -- Deploy a Poddisruptionbudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  # -- Value for `agent.forceRedeploy`.
  forceRedeploy: false
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  # -- Configuration for `agent.affinity`.
  affinity: {}
  #    podAntiAffinity:
  #      requiredDuringSchedulingIgnoredDuringExecution:
  #        - labelSelector:
  #            matchExpressions:
  #              - key: app.kubernetes.io/component
  #                operator: In
  #                values:
  #                  - agent
  #          topologyKey: "kubernetes.io/hostname"
  # -- Configuration for `agent.nodeSelector`.
  nodeSelector: {}
  # -- JVM options are configuration parameters and settings that are used to control the behavior of the Java Virtual Machine (JVM). The JVM is the underlying engine that executes Java bytecode, and these options allow you to fine-tune various aspects of its performance, behavior, and debugging capabilities.
  jvmOpts: "-Xms2000m -Xmx2000m"
  # Example
  # In a container with a memory limit, a container-aware JVM applies the percentages below to that limit rather than to the node's RAM.
  # -- `-XX:InitialRAMPercentage=70.0`: This option sets the initial size of the heap as a percentage of the total RAM available to the system. In this case, it is set to 70%, meaning that the heap will be initialized to occupy 70% of the available RAM.
  # -- `-XX:MaxRAMPercentage=70.0`: This option sets the maximum heap size as a percentage of the total RAM available to the system. Again, it is set to 70%, meaning that the maximum heap size will be limited to 70% of the available RAM. The JVM will not allocate more heap space than this, even if there is more free memory available on the system.
  # -- `-XX:+ExitOnOutOfMemoryError`: This option tells the JVM to exit immediately if it encounters an out-of-memory error (`OutOfMemoryError`). By default, the JVM may simply throw an `OutOfMemoryError` and continue to run, but with this option enabled, it will shut down. This can be useful in environments where automatic recovery is set up, and you want the system to restart the JVM if it runs out of memory.
  #jvmOpts: "-XX:InitialRAMPercentage=70.0 -XX:MaxRAMPercentage=70.0 -XX:+ExitOnOutOfMemoryError"
  # -- Number of Runtime connections used by the agent.
  numberOfConnections: "1"
  # -- Value for `agent.redisync`.
  redisync:
    # -- JVM options are configuration parameters and settings that are used to control the behavior of the Java Virtual Machine (JVM). The JVM is the underlying engine that executes Java bytecode, and these options allow you to fine-tune various aspects of its performance, behavior, and debugging capabilities.
    jvmOpts: "-Xms1500m -Xmx1500m"
    # Example
    # In a container with a memory limit, a container-aware JVM applies the percentages below to that limit rather than to the node's RAM.
    # -- `-XX:InitialRAMPercentage=70.0`: This option sets the initial size of the heap as a percentage of the total RAM available to the system. In this case, it is set to 70%, meaning that the heap will be initialized to occupy 70% of the available RAM.
    # -- `-XX:MaxRAMPercentage=70.0`: This option sets the maximum heap size as a percentage of the total RAM available to the system. Again, it is set to 70%, meaning that the maximum heap size will be limited to 70% of the available RAM. The JVM will not allocate more heap space than this, even if there is more free memory available on the system.
    # -- `-XX:+ExitOnOutOfMemoryError`: This option tells the JVM to exit immediately if it encounters an out-of-memory error (`OutOfMemoryError`). By default, the JVM may simply throw an `OutOfMemoryError` and continue to run, but with this option enabled, it will shut down. This can be useful in environments where automatic recovery is set up, and you want the system to restart the JVM if it runs out of memory.
    #jvmOpts: "-XX:InitialRAMPercentage=70.0 -XX:MaxRAMPercentage=70.0 -XX:+ExitOnOutOfMemoryError"
    # -- Enable Redis synchronization in the agent container.
    enabled: true
  # -- Extra volumes to be bound to agent pods
  extraVolumes: []
  # - name: tmp
  #   emptyDir: {}
  # -- Extra volume mounts to mount to agent pods
  extraVolumeMounts: []
  # - name: tmp
  #   mountPath: /tmp

# -- Value for `pipOperator`.
pipOperator:
  # -- Enable `pipOperator`.
  enabled: true
  # -- Value for `pipOperator.name`.
  name: pip-operator
  # -- Value for `pipOperator.replicaCount`.
  replicaCount: "1"
  # -- Configuration for `pipOperator.image`.
  image:
    # -- Value for `pipOperator.image.repository`.
    repository: plainid/pip-operator
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    # -- Value for `pipOperator.image.pullPolicy`.
    pullPolicy: Always
    # -- Value for `pipOperator.image.tag`.
    tag: "5.2624.2"
  # -- If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  # -- Configuration for `pipOperator.serviceAccount`.
  serviceAccount:
    # -- Annotations for `pipOperator.serviceAccount`.
    annotations: {}
  # -- Specify resources on the PlainID Pip Operator container.
  resources: {}
  # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  #  requests:
  #    memory: "2000Mi"
  #    cpu: "50m"
  #  limits:
  #    memory: "4000Mi"
  #    cpu: "2000m"
  # Override PIP-Operator start command in case you need to use external DB drivers (e.g. MySQL, MS SQL, Oracle, etc.)
  # Uncomment the following section and add the curl commands to retrieve/download the relevant libraries
  # NOTE(review): every JAR placed in /app/lib is loaded into the PIP-Operator JVM
  # (-Dloader.path=/app/lib/), so a driver fetched at start-up runs with the
  # service's privileges and its data-source credentials. Download only over HTTPS
  # from a source you control, pin an exact version, and verify a known checksum
  # before the java command runs. `curl -f` makes an HTTP error stop the start-up
  # instead of saving an error page as the JAR. The checksum line below assumes
  # sha256sum is present in the image; <EXPECTED_SHA256> is a placeholder.
  # Building the drivers into a derived image avoids the runtime download entirely.
  # -- Please note - the folder for the libraries must be under /app/lib
  command: []
  #    - /bin/sh
  #    - -ec
  #    - |
  #      curl -fsSL -o /app/lib/sample.jar https://www.example.com/sample.jar && \
  #      echo "<EXPECTED_SHA256>  /app/lib/sample.jar" | sha256sum -c - && \
  #      keytool -import -alias redis-cert -file /app/conf/cert.pem -storepass changeit -keystore /usr/lib/jvm/default-jvm/lib/security/cacerts -noprompt && \
  #      java ${JVM_OPTS} -cp $JAR_NAME -Dorg.apache.cxf.transport.http.forceVersion=1.1 -Djava.net.preferIPv4Stack=true -Dloader.path=/app/lib/ -Dloader.main=com.plainid.pipoperator.Starter org.springframework.boot.loader.launch.PropertiesLauncher
  # NOTE: horizontal autoscaling based on memory utilization for this service is discouraged.
  # Please refer to https://docs.plainid.io
  # -- Configuration for `pipOperator.autoscaling`.
  autoscaling:
    # -- Enable `pipOperator.autoscaling`.
    enabled: false
    # -- Value for `pipOperator.autoscaling.minReplicas`.
    minReplicas: 3
    # -- Value for `pipOperator.autoscaling.maxReplicas`.
    maxReplicas: 6
    # -- Value for `pipOperator.autoscaling.targetCPUUtilizationPercentage`.
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
    # -- Annotations for `pipOperator.autoscaling`.
    annotations: { }
    # -- Value for `pipOperator.autoscaling.behavior`.
    behavior: { }
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #  policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 2
    #     periodSeconds: 60
  # -- Value for `pipOperator.autoscalingTemplate`.
  autoscalingTemplate: []
    # Custom or additional autoscaling metrics
    # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
    # - type: Pods
    #   pods:
    #     metric:
    #       name: nginx_ingress_controller_nginx_process_requests_total
    #     target:
    #       type: AverageValue
  #       averageValue: 10000m
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  # -- Configuration for `pipOperator.verticalPodAutoscaler`.
  verticalPodAutoscaler:
    # -- Enable `pipOperator.verticalPodAutoscaler`.
    enabled: false
    # -- Defaults to chart name
    containerName: ""
    # -- List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: [ ]

    # -- Define the max allowed resources for the pod
    maxAllowed: { }
    # cpu: 200m
    # memory: 100Mi
    # -- Define the min allowed resources for the pod
    minAllowed: { }
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # -- are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: { }
    # updateMode: "Auto"
  # -- Configuration for `pipOperator.strategy`.
  strategy:
    # -- Value for `pipOperator.strategy.rollingUpdate`.
    rollingUpdate:
      # -- Value for `pipOperator.strategy.rollingUpdate.maxSurge`.
      maxSurge: 30%
      # -- Value for `pipOperator.strategy.rollingUpdate.maxUnavailable`.
      maxUnavailable: 30%
  # -- Labels to add to the pod container metadata
  podLabels: { }
  #  key: value
  # -- Annotations for `pipOperator`.
  annotations: {}
  # -- Configuration for `pipOperator.podAnnotations`.
  podAnnotations: {}
  # NOTE(review) on the commented sample below:
  #  - It configures UsersRolesLoginModule with hashAlgorithm MD5. MD5 is not
  #    suitable for protecting stored passwords; prefer a stronger digest such as
  #    SHA-256 if the login module in the image accepts it.
  #  - unauthenticatedIdentity gives callers that present no credentials the
  #    identity `nobody`; make sure roles.properties grants that identity nothing.
  #  - users.properties and roles.properties hold credential material; supply such
  #    files through secretFiles rather than plainIDConfig.
  # -- Additional config files mounted to `/app/conf` (for example `auth-config.xml` for OAuth REST sources).
  plainIDConfig: {}
#    auth-config.xml: |
#      <?xml version='1.0'?>
#      <policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
#               xsi:schemaLocation="urn:jboss:security-config:5.0"
#               xmlns="urn:jboss:security-config:5.0"
#               xmlns:jbxb="urn:jboss:security-config:5.0">
#
#          <application-policy name = "teiid-security-file">
#             <authentication>
#                <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
#                    <!-- https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/5/html/security_guide/ch12#Using_JBoss_Login_Modules-Password_Hashing -->
#                    <module-option name="usersProperties">users.properties</module-option>
#                    <module-option name="rolesProperties">roles.properties</module-option>
#                    <module-option name="unauthenticatedIdentity">nobody</module-option>
#                    <module-option name="hashAlgorithm">MD5</module-option>
#                    <module-option name="hashEncoding">base64</module-option>
#                </login-module>
#             </authentication>
#          </application-policy>
#      </policy>
  # File contents placed here are part of the Helm values; keep the values file
  # that carries them out of version control.
  # -- Additional secret files mounted to `/app/conf` (for example `key.json`).
  secretFiles: {}
#    key.json: |
#      {}
  ## Sensitive environment variables that will be rendered as a new Secret object
  ## This can be useful for auth tokens, etc.
  # -- Configuration for `pipOperator.extraEnvSecrets`.
  extraEnvSecrets: { }
  # -- When set, the secret environment variables are ignored
  existingEnvSecret: ""
  # NOTE(review): put data-source passwords and tokens in extraEnvSecrets or
  # existingEnvSecret, not in extraEnv; extraEnv values are presumably written
  # into the pod spec as plain text (confirm against the templates).
  # -- Environment variables to pass to the pip-operator
  extraEnv: {
   #           APP_VDB_LAZY_INVALIDATE:true     - If set to true (Default), cached data will be available during cache refresh,
   #                                               if set to false, data is not available during cache refresh.
   #           MV_STATUS_LOGGING_FREQUENCY: 60  - Determines whether Mat View status is retrieved and logged,
   #                                               and specifies the logging frequency (default is 60 minutes)
  }
  #  KEY: "VALUE"
  # -- PlainID pip-operator log format: Either `text` or `json`
  logFormat: text
  # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`)
  logLevel: info
  # -- Value for `pipOperator.terminationGracePeriodSeconds`.
  terminationGracePeriodSeconds: 15
  # NOTE(review): these messages leave the cluster. This page does not describe
  # what they contain, so check that before choosing a level more verbose than
  # `error`. When disabling, write the value quoted ("off"): YAML 1.1 parsers read
  # a bare off as the boolean false.
  # -- Set the message level. (One of: `debug`, `info`, `warn`, `error`, `off`)
  # The messagesLevel parameter defines which message types, if any, are sent to the PlainID Platform for troubleshooting.
  # -- To disable messages, set to `off`
  messagesLevel: error
  # NOTE(review): what `debug.enabled` turns on is not described here. 5005 is the
  # port conventionally used for JVM remote debugging (JDWP); if that is what it
  # opens, anyone who can reach the port can run code inside the PIP-Operator JVM.
  # Keep it disabled outside troubleshooting sessions and never expose the port
  # beyond the pod network.
  # -- Configuration for `pipOperator.debug`.
  debug:
    # -- Enable `pipOperator.debug`.
    enabled: false
    # -- Value for `pipOperator.debug.port`.
    port: 5005
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  # -- Configuration for `pipOperator.lifecycle`.
  lifecycle: { }
  #  preStop:
  #    exec:
  #      command: ["/bin/sh", "-c", "sleep 10"]
  ## Configure extra options for probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  # -- livenessProbe configuration for `pipOperator`.
  livenessProbe:
    # -- Enable `pipOperator.livenessProbe`.
    enabled: true
    # -- Value for `pipOperator.livenessProbe.initialDelaySeconds`.
    initialDelaySeconds: "300"
    # -- Value for `pipOperator.livenessProbe.periodSeconds`.
    periodSeconds: "15"
    # -- Value for `pipOperator.livenessProbe.timeoutSeconds`.
    timeoutSeconds: "8"
    # -- Value for `pipOperator.livenessProbe.failureThreshold`.
    failureThreshold: "12"
    # -- Value for `pipOperator.livenessProbe.successThreshold`.
    successThreshold: "1"
  # -- readinessProbe configuration for `pipOperator`.
  readinessProbe:
    # -- Enable `pipOperator.readinessProbe`.
    enabled: true
    # -- Value for `pipOperator.readinessProbe.initialDelaySeconds`.
    initialDelaySeconds: "30"
    # -- Value for `pipOperator.readinessProbe.periodSeconds`.
    periodSeconds: "4"
    # -- Value for `pipOperator.readinessProbe.timeoutSeconds`.
    timeoutSeconds: "3"
    # -- Value for `pipOperator.readinessProbe.failureThreshold`.
    failureThreshold: "5"
    # -- Value for `pipOperator.readinessProbe.successThreshold`.
    successThreshold: "1"
  # -- startupProbe configuration for `pipOperator`.
  startupProbe:
    # -- Enable `pipOperator.startupProbe`.
    enabled: false
    # -- Value for `pipOperator.startupProbe.initialDelaySeconds`.
    initialDelaySeconds: "40"
    # -- Value for `pipOperator.startupProbe.periodSeconds`.
    periodSeconds: "5"
    # -- Value for `pipOperator.startupProbe.timeoutSeconds`.
    timeoutSeconds: "2"
    # -- Value for `pipOperator.startupProbe.failureThreshold`.
    failureThreshold: "300"
    # -- Value for `pipOperator.startupProbe.successThreshold`.
    successThreshold: "1"
  # NOTE(review): besides the HTTP and management ports, this Service lists two
  # data-access ports, jdbc (31350) and postgres (31351). With type ClusterIP they
  # are reachable only from inside the cluster. Changing the type to NodePort or
  # LoadBalancer would presumably publish every port listed here (confirm against
  # the Service template), so pair such a change with network restrictions and
  # check how clients authenticate on the jdbc and postgres ports.
  # -- Configuration for `pipOperator.service`.
  service:
    # -- Value for `pipOperator.service.type`.
    type: ClusterIP
    # -- Value for `pipOperator.service.name`.
    name: http
    # -- Value for `pipOperator.service.port`.
    port: 8080
    # -- Annotations for `pipOperator.service`.
    annotations: {}
    # -- Value for `pipOperator.service.management`.
    management:
      # -- Value for `pipOperator.service.management.name`.
      name: http-management
      # -- Value for `pipOperator.service.management.port`.
      port: 8089
    # -- Value for `pipOperator.service.jdbc`.
    jdbc:
      # -- Value for `pipOperator.service.jdbc.name`.
      name: tcp-jdbc
      # -- Value for `pipOperator.service.jdbc.port`.
      port: 31350
    # -- Value for `pipOperator.service.postgres`.
    postgres:
      # -- Value for `pipOperator.service.postgres.name`.
      name: tcp-postgres
      # -- Value for `pipOperator.service.postgres.port`.
      port: 31351
  # -- Configuration for `pipOperator.metrics`.
  metrics:
    # -- Enable `pipOperator.metrics`.
    enabled: false
    # -- Value for `pipOperator.metrics.port`.
    port: 8089
    # -- Value for `pipOperator.metrics.serviceMonitor`.
    serviceMonitor:
      # -- When set true then use a ServiceMonitor to configure scraping
      enabled: false
      # -- Value for `pipOperator.metrics.serviceMonitor.path`.
      path: /actuator/prometheus
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    # -- Annotations for `pipOperator.metrics`.
    annotations: {}
  #    prometheus.io/port: '9090'
  #    prometheus.io/scrape: 'true'
  #    prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # -- Init containers to add to the deployment pod spec.
  initContainers: []
  #    - name: wait-for
  #      image: busybox:1.36
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          until nc -z plainid-paa-redis-master 6379; do sleep 2; done
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  # -- Configuration for `pipOperator.podDisruptionBudget`.
  podDisruptionBudget:
    # -- Labels to be added
    labels: {}
    # -- Annotations to be added
    annotations: {}

    # -- Deploy a Poddisruptionbudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  # -- Value for `pipOperator.forceRedeploy`.
  forceRedeploy: false
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  # -- Configuration for `pipOperator.affinity`.
  affinity: {}
#    podAntiAffinity:
#      preferredDuringSchedulingIgnoredDuringExecution:
#        - weight: 1
#          podAffinityTerm:
#            labelSelector:
#              matchExpressions:
#                - key: app.kubernetes.io/component
#                  operator: In
#                  values:
#                    - pip-operator
#            topologyKey: kubernetes.io/hostname
  # -- Configuration for `pipOperator.nodeSelector`.
  nodeSelector: {}
  # -- JVM options are configuration parameters and settings that are used to control the behavior of the Java Virtual Machine (JVM). The JVM is the underlying engine that executes Java bytecode, and these options allow you to fine-tune various aspects of its performance, behavior, and debugging capabilities.
  jvmOpts: "-Xms2g -Xmx2g"
  # Example
  # In a container with a memory limit, a container-aware JVM applies the percentages below to that limit rather than to the node's RAM.
  # -- `-XX:InitialRAMPercentage=70.0`: This option sets the initial size of the heap as a percentage of the total RAM available to the system. In this case, it is set to 70%, meaning that the heap will be initialized to occupy 70% of the available RAM.
  # -- `-XX:MaxRAMPercentage=70.0`: This option sets the maximum heap size as a percentage of the total RAM available to the system. Again, it is set to 70%, meaning that the maximum heap size will be limited to 70% of the available RAM. The JVM will not allocate more heap space than this, even if there is more free memory available on the system.
  # -- `-XX:+ExitOnOutOfMemoryError`: This option tells the JVM to exit immediately if it encounters an out-of-memory error (`OutOfMemoryError`). By default, the JVM may simply throw an `OutOfMemoryError` and continue to run, but with this option enabled, it will shut down. This can be useful in environments where automatic recovery is set up, and you want the system to restart the JVM if it runs out of memory.
  #jvmOpts: "-XX:InitialRAMPercentage=70.0 -XX:MaxRAMPercentage=70.0 -XX:+ExitOnOutOfMemoryError"
  # -- Extra volumes to be bound to pip-operator pods
  extraVolumes: []
  # - name: tmp
  #   emptyDir: {}
  # -- Extra volume mounts to mount to pip-operator pods
  extraVolumeMounts: []
  # - name: tmp
  #   mountPath: /tmp

# -- Value for `runtime`.
runtime:
  # -- Value for `runtime.name`.
  name: runtime
  # -- Value for `runtime.replicaCount`.
  replicaCount: "1"
  # -- Additional config files mounted to `/app/conf` (for example `config-hybrid.json`).
  plainIDConfig: {}
  #  config-hybrid.json: |
  #    {}
  # -- Configuration for `runtime.image`.
  image:
    # -- Value for `runtime.image.repository`.
    repository: plainid/theruntime
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    # -- Value for `runtime.image.pullPolicy`.
    pullPolicy: Always
    # -- Value for `runtime.image.tag`.
    tag: "5.2624.5"
  # -- If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  # -- Configuration for `runtime.serviceAccount`.
  serviceAccount:
    # -- Annotations for `runtime.serviceAccount`.
    annotations: {}
  # -- Specify resources on the PlainID Runtime container.
  resources: {}
  # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  #  requests:
  #    memory: "500Mi"
  #    cpu: "50m"
  #  limits:
  #    memory: "1000Mi"
  #    cpu: "2000m"
  # -- Override runtime start command
  command: []
  #    - /bin/sh
  #    - -ec
  #    - |
  #      keytool -import -alias redis-cert -file /app/conf/cert.pem -storepass changeit -keystore /usr/lib/jvm/default-jvm/lib/security/cacerts -noprompt && \
  #      java ${JVM_OPTS} --add-exports java.base/sun.security.util=ALL-UNNAMED -Dconf.file=${RUNTIME_CONFIG_PATH} -Dconf.format=json -Dlog4j.configurationFile=${RUNTIME_LOG4J_PATH} -Djava.net.preferIPv4Stack=true -jar theruntime.jar
  # NOTE: horizontal autoscaling based on memory utilization for this service is discouraged.
  # Please refer to https://docs.plainid.io
  # -- Configuration for `runtime.autoscaling`.
  autoscaling:
    # -- Enable `runtime.autoscaling`.
    enabled: false
    # -- Value for `runtime.autoscaling.minReplicas`.
    minReplicas: 3
    # -- Value for `runtime.autoscaling.maxReplicas`.
    maxReplicas: 6
    # -- Value for `runtime.autoscaling.targetCPUUtilizationPercentage`.
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
    # -- Annotations for `runtime.autoscaling`.
    annotations: {}
    # -- Value for `runtime.autoscaling.behavior`.
    behavior: {}
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 2
      #     periodSeconds: 60
  # -- Value for `runtime.autoscalingTemplate`.
  autoscalingTemplate: []
    # Custom or additional autoscaling metrics
    # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
    # - type: Pods
    #   pods:
    #     metric:
    #       name: nginx_ingress_controller_nginx_process_requests_total
    #     target:
    #       type: AverageValue
    #       averageValue: 10000m
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  # -- Configuration for `runtime.verticalPodAutoscaler`.
  verticalPodAutoscaler:
    # -- Enable `runtime.verticalPodAutoscaler`.
    enabled: false
    # -- Defaults to chart name
    containerName: ""
    # -- List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: [ ]

    # -- Define the max allowed resources for the pod
    maxAllowed: { }
    # cpu: 200m
    # memory: 100Mi
    # -- Define the min allowed resources for the pod
    minAllowed: { }
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # -- are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: { }
    # updateMode: "Auto"
  # -- Configuration for `runtime.strategy`.
  strategy:
    # -- Value for `runtime.strategy.rollingUpdate`.
    rollingUpdate:
      # -- Value for `runtime.strategy.rollingUpdate.maxSurge`.
      maxSurge: 30%
      # -- Value for `runtime.strategy.rollingUpdate.maxUnavailable`.
      maxUnavailable: 30%
  # -- Labels to add to the pod container metadata
  podLabels: { }
  #  key: value
  # -- Annotations for `runtime`.
  annotations: {}
  # -- Configuration for `runtime.podAnnotations`.
  podAnnotations: {}
  ## Sensitive environment variables that will be rendered as a new Secret object.
  ## This can be useful for auth tokens, etc.
  ## Values entered here are still stored in plain text in the values file, so
  ## keep that file out of version control, or use `existingEnvSecret` instead
  ## (presumably the name of a pre-created Secret; confirm in the chart templates).
  # -- Configuration for `runtime.extraEnvSecrets`.
  extraEnvSecrets: { }
  # -- When it's set, the secret environment variables are ignored
  existingEnvSecret: ""
  # -- Environment variables to pass to the runtime
  extraEnv: {
    # NOTE: this is a flow mapping. When enabling more than one entry below,
    # separate the entries with commas and keep a space after each colon,
    # or replace the braces with block-style `KEY: "VALUE"` lines.

    # Add support to UUID asset attribute. For hybrid user to change in production
    #RUNTIME_SUPPORT_UUID_ASSET_ATTRIBUTE : "true"

    # Add support to UUID identity attribute. For hybrid user to change in production
    #RUNTIME_SUPPORT_UUID_IDENTITY_ATTRIBUTE : "true"

    # Refresh JWKS time. For hybrid user to change in production
    # REFRESH_JWKS : "3600000"

    # to enable including ip from header in scope cache calculation
    #RUNTIME_INCLUDE_IP_HEADER_IN_SCOPE_CACHE_KEY: "true"

    # to enable including current time in scope cache calculation
    #RUNTIME_INCLUDE_REQUEST_TIME_IN_SCOPE_CACHE_KEY: "true"

    # to ignore nested queries in entity template
    #RUNTIME_OVERRIDE_ENTITY_NESTED_QUERIES: "[]"

    # to ignore nested queries in asset template
    #RUNTIME_OVERRIDE_ASSET_NESTED_QUERIES: "[]"

    # to determine default to skipUnneededOrUnavailableIdentitySources request flag
    #RUNTIME_DEFAULT_SKIP_UNNEEDED_OR_UNAVAILABLE_IDENTITY_SOURCES: "true"


    # to configure asset provider jdbc pool parameters
    # ASSET_EXTERNAL_PROVIDER_HAS_QUERY_TIMEOUT: "true"
    # ASSET_EXTERNAL_PROVIDER_VALIDATION_QUERY: "select 1"
    # ASSET_EXTERNAL_PROVIDER_MAX_POOL_SIZE: "20"
    # ASSET_EXTERNAL_PROVIDER_MIN_POOL_SIZE: "5"
    # ASSET_EXTERNAL_PROVIDER_INITIAL_POOL_SIZE: "5"
    # ASSET_EXTERNAL_PROVIDER_CHECKOUT_TIMEOUT: "10000"
    # ASSET_EXTERNAL_PROVIDER_QUERY_TIMOUT_IN_SEC: "25"
    # ASSET_EXTERNAL_PROVIDER_ACQUIRE_RETRY_ATTEMPTS: "1"
    # ASSET_EXTERNAL_PROVIDER_ACQUIRE_RETRY_DELAY: "1"
    # ASSET_EXTERNAL_PROVIDER_ACQUIRE_INCREMENT: "1"
    # ASSET_EXTERNAL_PROVIDER_MAX_STATEMENTS: "20"
    # ASSET_EXTERNAL_PROVIDER_MAX_IDLE_TIME: "60"
    # ASSET_EXTERNAL_PROVIDER_IDLE_CONNECTION_TEST_PERIOD: "60"
    # ASSET_EXTERNAL_PROVIDER_TEST_CONNECTION_ON_CHECKIN: "true"
    # ASSET_EXTERNAL_PROVIDER_TEST_CONNECTION_ON_CHECKOUT: "false"

    # to configure entity provider jdbc pool parameters
    # ENTITY_EXTERNAL_PROVIDER_HAS_QUERY_TIMEOUT: "true"
    # ENTITY_EXTERNAL_PROVIDER_VALIDATION_QUERY: "select 1"
    # ENTITY_EXTERNAL_PROVIDER_MAX_POOL_SIZE: "20"
    # ENTITY_EXTERNAL_PROVIDER_MIN_POOL_SIZE: "5"
    # ENTITY_EXTERNAL_PROVIDER_INITIAL_POOL_SIZE: "5"
    # ENTITY_EXTERNAL_PROVIDER_CHECKOUT_TIMEOUT: "10000"
    # ENTITY_EXTERNAL_PROVIDER_QUERY_TIMOUT_IN_SEC: "25"
    # ENTITY_EXTERNAL_PROVIDER_ACQUIRE_RETRY_ATTEMPTS: "1"
    # ENTITY_EXTERNAL_PROVIDER_ACQUIRE_RETRY_DELAY: "1"
    # ENTITY_EXTERNAL_PROVIDER_ACQUIRE_INCREMENT: "1"
    # ENTITY_EXTERNAL_PROVIDER_MAX_STATEMENTS: "20"
    # ENTITY_EXTERNAL_PROVIDER_MAX_IDLE_TIME: "60"
    # ENTITY_EXTERNAL_PROVIDER_IDLE_CONNECTION_TEST_PERIOD: "60"
    # ENTITY_EXTERNAL_PROVIDER_TEST_CONNECTION_ON_CHECKIN: "true"
    # ENTITY_EXTERNAL_PROVIDER_TEST_CONNECTION_ON_CHECKOUT: "false"

    # to configure refresh interval parameters
    # REFRESH_ASSET_TEMPLATES: "60000"
    # REFRESH_IDENTITY_TEMPLATES: "60000"
    # REFRESH_POLICIES: "600000"
    # REFRESH_API_MAPPERS: "60000"
    # REFRESH_DATA_MAPPERS: "60000"
    # REFRESH_SCOPE_JWKS_URLS: "60000"
    # RUNTIME_REFRESH_SNAPSHOT: "30000"



  }
  #  KEY: "VALUE"
  # -- PlainID runtime log format: support text only
  logFormat: text
  # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`)
  logLevel: info
  # -- Value for `runtime.terminationGracePeriodSeconds`.
  terminationGracePeriodSeconds: 15
  ## NOTE(review): 5005 is the conventional JVM remote-debug (JDWP) port, so this
  ## presumably opens a debugger listener on the runtime; confirm in the chart templates.
  ## A reachable debug listener gives control over the JVM, so keep this disabled
  ## outside of troubleshooting and do not expose the port through a Service or Ingress.
  # -- Configuration for `runtime.debug`.
  debug:
    # -- Enable `runtime.debug`.
    enabled: false
    # -- Value for `runtime.debug.port`.
    port: 5005
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  # -- Configuration for `runtime.lifecycle`.
  lifecycle: {}
  #  preStop:
  #    exec:
  #      command: ["/bin/sh", "-c", "sleep 10"]
  ## Configure extra options for probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  # -- livenessProbe configuration for `runtime`.
  livenessProbe:
    # -- Enable `runtime.livenessProbe`.
    enabled: true
    # -- Value for `runtime.livenessProbe.initialDelaySeconds`.
    initialDelaySeconds: "300"
    # -- Value for `runtime.livenessProbe.periodSeconds`.
    periodSeconds: "15"
    # -- Value for `runtime.livenessProbe.timeoutSeconds`.
    timeoutSeconds: "8"
    # -- Value for `runtime.livenessProbe.failureThreshold`.
    failureThreshold: "12"
    # -- Value for `runtime.livenessProbe.successThreshold`.
    successThreshold: "1"
  # -- readinessProbe configuration for `runtime`.
  readinessProbe:
    # -- Enable `runtime.readinessProbe`.
    enabled: true
    # -- Value for `runtime.readinessProbe.initialDelaySeconds`.
    initialDelaySeconds: "20"
    # -- Value for `runtime.readinessProbe.periodSeconds`.
    periodSeconds: "4"
    # -- Value for `runtime.readinessProbe.timeoutSeconds`.
    timeoutSeconds: "3"
    # -- Value for `runtime.readinessProbe.failureThreshold`.
    failureThreshold: "5"
    # -- Value for `runtime.readinessProbe.successThreshold`.
    successThreshold: "1"
  # -- startupProbe configuration for `runtime`.
  startupProbe:
    # -- Enable `runtime.startupProbe`.
    enabled: false
    # -- Value for `runtime.startupProbe.initialDelaySeconds`.
    initialDelaySeconds: "30"
    # -- Value for `runtime.startupProbe.periodSeconds`.
    periodSeconds: "5"
    # -- Value for `runtime.startupProbe.timeoutSeconds`.
    timeoutSeconds: "2"
    # -- Value for `runtime.startupProbe.failureThreshold`.
    failureThreshold: "300"
    # -- Value for `runtime.startupProbe.successThreshold`.
    successThreshold: "1"
  # -- Configuration for `runtime.service`.
  service:
    # -- Value for `runtime.service.type`.
    type: ClusterIP
    # -- Value for `runtime.service.port`.
    port: 80
    # -- Value for `runtime.service.nodePort`.
    nodePort:
    # -- Annotations for `runtime.service`.
    annotations: {}
  # -- Configuration for `runtime.metrics`.
  metrics:
    # -- Enable `runtime.metrics`.
    enabled: false
    # -- Value for `runtime.metrics.port`.
    port: 8081
    # -- Value for `runtime.metrics.serviceMonitor`.
    serviceMonitor:
      # -- When set true then use a ServiceMonitor to configure scraping
      enabled: false
      # -- Value for `runtime.metrics.serviceMonitor.path`.
      path: /prometheus/metrics
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    # -- Annotations for `runtime.metrics`.
    annotations: { }
  #    prometheus.io/port: '8081'
  #    prometheus.io/scrape: 'true'
  #    prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # -- Init containers to add to the deployment pod spec.
  initContainers: []
  #    - name: wait-for
  #      image: busybox:1.36
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          until nc -z plainid-paa-redis-master 6379; do sleep 2; done
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ## When enabling the ingress, also fill in `tls` below: with the default empty
  ## list no certificate is configured here, so whether traffic to the runtime is
  ## encrypted depends on the ingress controller's own defaults.
  # -- Configuration for `runtime.ingress`.
  ingress:
    # -- Enable `runtime.ingress`.
    enabled: false
    #  ingressClassName: nginx
    # -- Annotations for `runtime.ingress`.
    annotations: { }
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    # -- Value for `runtime.ingress.hosts`.
    hosts:
      - host: chart-example.local
        # -- Value for `runtime.ingress.hosts.paths`.
        paths: ["/"]
    # -- Value for `runtime.ingress.tls`.
    tls: [ ]
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  # -- Configuration for `runtime.podDisruptionBudget`.
  podDisruptionBudget:
    # -- Labels to be added
    labels: {}
    # -- Annotations to be added
    annotations: {}

    # -- Deploy a Poddisruptionbudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  # -- Value for `runtime.forceRedeploy`.
  forceRedeploy: false
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  # -- Configuration for `runtime.affinity`.
  affinity: {}
  # -- Configuration for `runtime.nodeSelector`.
  nodeSelector: {}
  # -- JVM options are configuration parameters and settings that are used to control the behavior of the Java Virtual Machine (JVM). The JVM is the underlying engine that executes Java bytecode, and these options allow you to fine-tune various aspects of its performance, behavior, and debugging capabilities.
  jvmOpts: "-Xms2g -Xmx2g"
  # Example
  # -- `-XX:InitialRAMPercentage=70.0`: This option sets the initial size of the heap as a percentage of the total RAM available to the system. In this case, it is set to 70%, meaning that the heap will be initialized to occupy 70% of the system's available RAM.
  # -- `-XX:MaxRAMPercentage=70.0`: This option sets the maximum heap size as a percentage of the total RAM available to the system. Again, it is set to 70%, meaning that the maximum heap size will be limited to 70% of the available RAM. The JVM will not allocate more heap space than this, even if there is more free memory available on the system.
  # -- `-XX:+ExitOnOutOfMemoryError`: This option tells the JVM to exit immediately if it encounters an out-of-memory error (`OutOfMemoryError`). By default, the JVM may simply throw an `OutOfMemoryError` and continue to run, but with this option enabled, it will shut down. This can be useful in environments where automatic recovery is set up, and you want the system to restart the JVM if it runs out of memory.
  #jvmOpts: "-XX:InitialRAMPercentage=70.0 -XX:MaxRAMPercentage=70.0 -XX:+ExitOnOutOfMemoryError"
  ## Only UDP is listed as supported below, so audit records leave the pod
  ## unencrypted and without delivery guarantees. Point `host` at a collector on a
  ## trusted network path (for example an in-cluster relay that forwards over TLS).
  # -- Audit runtime calls to syslog.
  syslog:
    # -- Enable `runtime.syslog`.
    enabled: false
    # -- Value for `runtime.syslog.host`.
    host: ""
    # -- Value for `runtime.syslog.port`.
    port: ""
    # Supported protocols: UDP
    # -- Value for `runtime.syslog.protocol`.
    protocol: "UDP"
  # ref: https://en.wikipedia.org/wiki/Syslog
  # ref: https://docs.plainid.io/v1/docs/en/authorization-audit-configuration
  ## NOTE(review): disabled by default. What "SSL enforcement" covers (the inbound
  ## listener, outbound connections, or both) is not stated here; confirm in the
  ## chart documentation before relying on it for transport encryption.
  # -- Enable SSL enforcement for runtime (PDP) java process
  ssl:
    # @schema
    # anyOf:
    #   - type: boolean
    #   - type: string
    # @schema
    # -- Enable `runtime.ssl`.
    enabled: false
  # -- Extra volumes to be bound to runtime (PDP) pods
  extraVolumes: []
  # -- Extra volumes to mount to runtime (PDP) pods
  extraVolumeMounts: []

# -- Redis parameters
externalRedis:
  # -- External Redis server host
  host: ""
  # -- External Redis user
  # -- Optional - only if used with Redis ACL
  username: ""
  ## Prefer `existingSecret` below over an inline password: a value set here is
  ## stored in plain text in the values file.
  # -- External Redis password
  password: ""
  # -- External Redis server port
  port: 6379
  # -- The name of an existing secret with Redis credentials (must contain key `redis-password`).
  # -- When it's set, the `externalRedis.password` parameter is ignored
  existingSecret: ""
  # -- Name of the key inside the secret containing the password
  existingSecretKeyName: "redis-password"
  ## With `tls: false` the connection to Redis, including the password sent at
  ## authentication, presumably travels unencrypted; enable it when the Redis
  ## server is reached over a network you do not fully control.
  # -- Value for `externalRedis.tls`.
  tls: false

# This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true)
# the custom redis deployment is omitted
# -- Check the redis-ha chart for more properties
redis-ha:
  # -- Enables the Redis HA subchart
  enabled: false
  # -- Value for `redis-ha.auth`.
  auth: true
  # -- Configuration for `redis-ha.image`.
  image:
    # -- Value for `redis-ha.image.repository`.
    repository: docker.io/redis
    # -- Value for `redis-ha.image.tag`.
    tag: 8.0.2-alpine
  ## "abcd1234" is a published sample value. Replace it with a unique, randomly
  ## generated password before enabling this subchart, and supply it from a
  ## Secret or an untracked values file rather than committing it
  ## (check the redis-ha chart for its existing-secret option).
  # -- Value for `redis-ha.redisPassword`.
  redisPassword: "abcd1234"
  # -- Value for `redis-ha.replicas`.
  replicas: 3
  # -- Value for `redis-ha.persistentVolume`.
  persistentVolume:
    # -- Configures persistency on Redis nodes
    enabled: false
  # -- Value for `redis-ha.hardAntiAffinity`.
  hardAntiAffinity: false
  # -- Value for `redis-ha.haproxy`.
  haproxy:
    # -- Enabled HAProxy LoadBalancing/Proxy
    enabled: true
    # -- Value for `redis-ha.haproxy.replicas`.
    replicas: 2
    # -- Value for `redis-ha.haproxy.hardAntiAffinity`.
    hardAntiAffinity: false
    # -- Configuration for `redis-ha.haproxy.image`.
    image:
      # -- Value for `redis-ha.haproxy.image.tag`.
      tag: 2.6.21-alpine
    # Prevent sockets closing
    # Ref: https://www.papertrail.com/solution/tips/haproxy-logging-how-to-tune-timeouts-for-performance/
    # -- Value for `redis-ha.haproxy.timeout`.
    timeout:
      # -- Value for `redis-ha.haproxy.timeout.server`.
      server: "0"
      # -- Value for `redis-ha.haproxy.timeout.client`.
      client: "0"
  # -- Value for `redis-ha.configmapTest`.
  configmapTest:
    # -- Configuration for `redis-ha.configmapTest.image`.
    image:
      # -- Value for `redis-ha.configmapTest.image.repository`.
      repository: koalaman/shellcheck
      # -- Value for `redis-ha.configmapTest.image.tag`.
      tag: v0.10.0
  # -- Value for `redis-ha.exporter`.
  exporter:
    # -- Configuration for `redis-ha.exporter.image`.
    image: oliver006/redis_exporter
    # -- Value for `redis-ha.exporter.tag`.
    tag: v1.61.0
  # -- Value for `redis-ha.sysctlImage`.
  sysctlImage:
    # -- Value for `redis-ha.sysctlImage.tag`.
    tag: 1-musl
  # -- Value for `redis-ha.redis`.
  redis:
    # -- Value for `redis-ha.redis.disableCommands`.
    disableCommands: []
  #    - FLUSHDB
  #    - FLUSHALL

# -- Value for `redis`.
redis:
  # -- Enables the Redis subchart
  enabled: true
  # -- Value for `redis.architecture`.
  architecture: standalone
  # -- Value for `redis.auth`.
  auth:
    ## This subchart is enabled by default, so an install that keeps the defaults
    ## runs Redis with the published sample password "abcd1234". Override it in
    ## values-custom.yaml with a unique, randomly generated value kept out of
    ## version control. If the subchart is the Bitnami Redis chart, its
    ## `auth.existingSecret` option lets the password come from a pre-created
    ## Secret instead (confirm for the chart version in use).
    # -- Value for `redis.auth.password`.
    password: "abcd1234"
  # Below configurations are for using official docker of redis
  # -- If you want to use the bitnami flavour of redis, you can comment out below configurations
  image:
    # -- Value for `redis.image.repository`.
    repository: redis
    # -- Value for `redis.image.tag`.
    tag: 8.0.2-alpine
  # -- Value for `redis.master`.
  master:
    # -- Value for `redis.master.customLivenessProbe`.
    customLivenessProbe:
      # -- Value for `redis.master.customLivenessProbe.initialDelaySeconds`.
      initialDelaySeconds: 20
      # -- Value for `redis.master.customLivenessProbe.periodSeconds`.
      periodSeconds: 4
      # -- Value for `redis.master.customLivenessProbe.timeoutSeconds`.
      timeoutSeconds: 3
      # -- Value for `redis.master.customLivenessProbe.successThreshold`.
      successThreshold: 1
      # -- Value for `redis.master.customLivenessProbe.failureThreshold`.
      failureThreshold: 5
      # -- Value for `redis.master.customLivenessProbe.exec`.
      exec:
        # -- Configuration for `redis.master.customLivenessProbe.exec.command`.
        command:
          - redis-cli
          - ping
    # -- Value for `redis.master.customReadinessProbe`.
    customReadinessProbe:
      # -- Value for `redis.master.customReadinessProbe.initialDelaySeconds`.
      initialDelaySeconds: 10
      # -- Value for `redis.master.customReadinessProbe.periodSeconds`.
      periodSeconds: 4
      # -- Value for `redis.master.customReadinessProbe.timeoutSeconds`.
      timeoutSeconds: 3
      # -- Value for `redis.master.customReadinessProbe.successThreshold`.
      successThreshold: 1
      # -- Value for `redis.master.customReadinessProbe.failureThreshold`.
      failureThreshold: 3
      # -- Value for `redis.master.customReadinessProbe.exec`.
      exec:
        # -- Configuration for `redis.master.customReadinessProbe.exec.command`.
        command:
          - redis-cli
          - ping
    # -- Configuration for `redis.master.command`.
    command:
      - /bin/sh
      - -c
    ## The password reaches redis-server through the `--requirepass` and
    ## `--masterauth` arguments expanded from $REDIS_PASSWORD, so it appears in
    ## the process argument list inside the container.
    # -- Value for `redis.master.args`.
    args:
      - |
        redis-server \
          --maxmemory-policy volatile-lru \
          --maxmemory 2000mb \
          --save 60 1 \
          --loglevel warning \
          --port 6379 \
          --notify-keyspace-events KA \
          --requirepass "$REDIS_PASSWORD" \
          --masterauth "$REDIS_PASSWORD"
    # -- Value for `redis.master.disableCommands`.
    disableCommands: []
  #    - FLUSHDB
  #    - FLUSHALL
  # -- Configuration for `redis.metrics`.
  metrics:
    # -- Configuration for `redis.metrics.image`.
    image:
      # -- Value for `redis.metrics.image.tag`.
      tag: 1.62.0-debian-12-r3
  # -- Value for `redis.sentinel`.
  sentinel:
    # -- Configuration for `redis.sentinel.image`.
    image:
      # -- Value for `redis.sentinel.image.tag`.
      tag: 8.0.2-debian-12-r2
  # -- Value for `redis.volumePermissions`.
  volumePermissions:
    # -- Configuration for `redis.volumePermissions.image`.
    image:
      # -- Value for `redis.volumePermissions.image.tag`.
      tag: 12-debian-12-r27

# -- Value for `secretsMgmt`.
secretsMgmt:
  # -- Enable `secretsMgmt`.
  enabled: false
  # -- Configuration for `secretsMgmt.image`.
  image:
    # -- Value for `secretsMgmt.image.repository`.
    repository: plainid/secrets-mgmt
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    # -- Value for `secretsMgmt.image.pullPolicy`.
    pullPolicy: Always
    # -- Value for `secretsMgmt.image.tag`.
    tag: "5.2624.2"
  # -- Value for `secretsMgmt.name`.
  name: secrets-mgmt
  # -- Value for `secretsMgmt.forceRedeploy`.
  forceRedeploy: false
  # -- Value for `secretsMgmt.terminationGracePeriodSeconds`.
  terminationGracePeriodSeconds: 15
  # -- Value for `secretsMgmt.replicaCount`.
  replicaCount: 1
  # -- If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  # -- Configuration for `secretsMgmt.serviceAccount`.
  serviceAccount:
    # -- Annotations for `secretsMgmt.serviceAccount`.
    annotations: {}
  # -- Labels to add to the pod container metadata
  podLabels: {}
  #  key: value
  # -- Annotations for `secretsMgmt`.
  annotations: {}
  # -- Configuration for `secretsMgmt.podAnnotations`.
  podAnnotations: {}
  # -- Configuration for `secretsMgmt.autoscaling`.
  autoscaling:
    # -- Enable `secretsMgmt.autoscaling`.
    enabled: false
    # -- Value for `secretsMgmt.autoscaling.minReplicas`.
    minReplicas: 3
    # -- Value for `secretsMgmt.autoscaling.maxReplicas`.
    maxReplicas: 6
    # -- Value for `secretsMgmt.autoscaling.targetCPUUtilizationPercentage`.
    targetCPUUtilizationPercentage: 2000
    # -- Value for `secretsMgmt.autoscaling.targetMemoryUtilizationPercentage`.
    targetMemoryUtilizationPercentage: 160
    # -- Annotations for `secretsMgmt.autoscaling`.
    annotations: {}
    # -- Value for `secretsMgmt.autoscaling.behavior`.
    behavior: {}
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 2
      #     periodSeconds: 60
  # -- Value for `secretsMgmt.autoscalingTemplate`.
  autoscalingTemplate: []
  # Custom or additional autoscaling metrics
  # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
  # - type: Pods
  #   pods:
  #     metric:
  #       name: nginx_ingress_controller_nginx_process_requests_total
  #     target:
  #       type: AverageValue
  #       averageValue: 10000m
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  # -- Configuration for `secretsMgmt.verticalPodAutoscaler`.
  verticalPodAutoscaler:
    # -- Enable `secretsMgmt.verticalPodAutoscaler`.
    enabled: false
    # -- Defaults to chart name
    containerName: ""
    # -- List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: [ ]

    # -- Define the max allowed resources for the pod
    maxAllowed: { }
    # cpu: 200m
    # memory: 100Mi
    # -- Define the min allowed resources for the pod
    minAllowed: { }
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # -- are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: { }
    # updateMode: "Auto"
  # -- For deployment
  strategy:
    # -- Value for `secretsMgmt.strategy.rollingUpdate`.
    rollingUpdate:
      # -- Value for `secretsMgmt.strategy.rollingUpdate.maxSurge`.
      maxSurge: 30%
      # -- Value for `secretsMgmt.strategy.rollingUpdate.maxUnavailable`.
      maxUnavailable: 30%
  # -- Configuration for `secretsMgmt.podDisruptionBudget`.
  podDisruptionBudget:
    # -- Labels to be added
    labels: { }
    # -- Annotations to be added
    annotations: { }

    # -- Deploy a Poddisruptionbudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  # -- livenessProbe configuration for `secretsMgmt`.
  livenessProbe:
    # -- Enable `secretsMgmt.livenessProbe`.
    enabled: true
    # -- Value for `secretsMgmt.livenessProbe.initialDelaySeconds`.
    initialDelaySeconds: 60
    # -- Value for `secretsMgmt.livenessProbe.periodSeconds`.
    periodSeconds: 7
    # -- Value for `secretsMgmt.livenessProbe.timeoutSeconds`.
    timeoutSeconds: 5
    # -- Value for `secretsMgmt.livenessProbe.successThreshold`.
    successThreshold: 1
    # -- Value for `secretsMgmt.livenessProbe.failureThreshold`.
    failureThreshold: 6
    # -- Value for `secretsMgmt.livenessProbe.httpGet`.
    httpGet:
      # -- Value for `secretsMgmt.livenessProbe.httpGet.path`.
      path: /health/liveness
      # -- Value for `secretsMgmt.livenessProbe.httpGet.port`.
      port: 8081
  # -- readinessProbe configuration for `secretsMgmt`.
  readinessProbe:
    # -- Enable `secretsMgmt.readinessProbe`.
    enabled: true
    # -- Value for `secretsMgmt.readinessProbe.initialDelaySeconds`.
    initialDelaySeconds: 20
    # -- Value for `secretsMgmt.readinessProbe.periodSeconds`.
    periodSeconds: 3
    # -- Value for `secretsMgmt.readinessProbe.timeoutSeconds`.
    timeoutSeconds: 2
    # -- Value for `secretsMgmt.readinessProbe.successThreshold`.
    successThreshold: 1
    # -- Value for `secretsMgmt.readinessProbe.failureThreshold`.
    failureThreshold: 3
    # -- Value for `secretsMgmt.readinessProbe.httpGet`.
    httpGet:
      # -- Value for `secretsMgmt.readinessProbe.httpGet.path`.
      path: /health/readiness
      # -- Value for `secretsMgmt.readinessProbe.httpGet.port`.
      port: 8081
  # -- startupProbe configuration for `secretsMgmt`.
  startupProbe:
    # -- Enable `secretsMgmt.startupProbe`.
    enabled: true
    # -- Value for `secretsMgmt.startupProbe.initialDelaySeconds`.
    initialDelaySeconds: 20
    # -- Value for `secretsMgmt.startupProbe.periodSeconds`.
    periodSeconds: 5
    # -- Value for `secretsMgmt.startupProbe.timeoutSeconds`.
    timeoutSeconds: 3
    # -- Value for `secretsMgmt.startupProbe.successThreshold`.
    successThreshold: 1
    # -- Value for `secretsMgmt.startupProbe.failureThreshold`.
    failureThreshold: 180
    # -- Value for `secretsMgmt.startupProbe.httpGet`.
    httpGet:
      # -- Value for `secretsMgmt.startupProbe.httpGet.path`.
      path: /health/liveness
      # -- Value for `secretsMgmt.startupProbe.httpGet.port`.
      port: 8081
  # -- Configuration for `secretsMgmt.service`.
  service:
    # -- Enable `secretsMgmt.service`.
    enabled: true
    # -- Value for `secretsMgmt.service.type`.
    type: ClusterIP
    # -- Value for `secretsMgmt.service.name`.
    name: http
    # -- Value for `secretsMgmt.service.port`.
    port: 8080
    # -- Value for `secretsMgmt.service.nodePort`.
    nodePort:
    # -- Annotations for `secretsMgmt.service`.
    annotations: {}
    # -- Value for `secretsMgmt.service.management`.
    management:
      # -- Value for `secretsMgmt.service.management.name`.
      name: http-management
      # -- Value for `secretsMgmt.service.management.port`.
      port: 8081
  # -- Configuration for `secretsMgmt.debug`.
  debug:
    # -- Enable `secretsMgmt.debug`.
    enabled: false
    # -- Value for `secretsMgmt.debug.port`.
    port: 5005
  ## Enable Redis integration to use cloud secret stores
  ## The redis configuration will be inherited from the global Redis configuration
  # -- Value for `secretsMgmt.redisIntegration`.
  redisIntegration:
    # -- Enable `secretsMgmt.redisIntegration`.
    enabled: false
  ## Sensitive environment variables that will be rendered as a new Secret object.
  ## This can be useful for auth tokens, etc.
  ## Values entered here are still stored in plain text in the values file, so
  ## keep that file out of version control, or use `existingEnvSecret` instead
  ## (presumably the name of a pre-created Secret; confirm in the chart templates).
  # -- Configuration for `secretsMgmt.extraEnvSecrets`.
  extraEnvSecrets: {}
  # Allows you to add any secret files to /app/conf
  # such as key.json etc..
  # -- Environment variables to pass to the agent
  extraEnv: {}
  # -- When it's set, the secret environment variables are ignored
  existingEnvSecret: ""
  # -- Resource requests and limits for `secretsMgmt`.
  resources: {}
#    requests:
#      memory: "100Mi"
#      cpu: "10m"
#    limits:
#      memory: "2000Mi"
#      cpu: "2000m"
  # -- Configuration for `secretsMgmt.command`.
  command: []
  # -- Value for `secretsMgmt.plainIDConfigFileBasePath`.
  plainIDConfigFileBasePath: "/app/config"
  # @schema
  # type: object
  # additionalProperties: true
  # @schema
  # -- Allows you to add any config files to /app/config
  plainIDConfig:
    # -- Value for `secretsMgmt.plainIDConfig.config.yaml`.
    config.yaml:
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.app`.
      app:
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.app.isCloud`.
        isCloud: ${CLOUD_INTEGRATION}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.app.paaId`.
        paaId: ${PAA_ID}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.app.tenantId`.
        tenantId: ${TENANT_ID}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.app.secretStoreLRUSize`.
        secretStoreLRUSize: ${SECRET_STORE_LRU_SIZE:10000}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.app.secretRecursionLimit`.
        secretRecursionLimit: ${SECRET_RECURSION_LIMIT:3}
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.server`.
      server:
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.server.port`.
        port: 8080
        ## NOTE(review): going by the key name this looks like the listen address
        ## rather than a client allow-list; confirm. 0.0.0.0 accepts connections on
        ## every pod interface, so restricting who can reach secrets-mgmt has to
        ## come from a NetworkPolicy (or equivalent) in front of the pod.
        # -- Which IP is allowed to make requests to secrets-mgmt
        bindIp: 0.0.0.0
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.server.name`.
        name: secrets-mgmt
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.management`.
      management:
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.management.port`.
        port: ${MANAGEMENT_PORT}
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.log`.
      log:
        ## NOTE(review): before raising the level on this service, confirm that
        ## debug/trace output does not include resolved secret values.
        # -- Log level; other values: debug, trace
        level: "info"
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.log.format`.
        format: "json"
        # -- Log destination; other values: rolling, file
        logTo: "console"
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.rabbitmq`.
      rabbitmq:
        # -- Enable `secretsMgmt.plainIDConfig.config.yaml.rabbitmq`.
        enabled: false
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.gin`.
      gin:
        # -- debug, release
        mode: release
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.redis`.
      redis:
        # -- Enable `secretsMgmt.plainIDConfig.config.yaml.redis`.
        enabled: ${REDIS_ENABLED}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.redis.host`.
        host: ${REDIS_HOST}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.redis.port`.
        port: ${REDIS_PORT}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.redis.username`.
        username: ${REDIS_USER}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.redis.password`.
        password: ${REDIS_PASS}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.redis.ssl`.
        ssl: ${REDIS_SSL_ENABLED}
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.infra`.
      infra:
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.infra.registry`.
        registry:
          # -- "http://plainid-paa-agent:8080"
          warpUrl: ${AGENT_URL:}
          # -- "http://secrets-mgmt:"${server.port}
          k8service: ${SECRETS_MGMT_ADDRESS:}
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.infra.registry.updateInterval`.
          updateInterval: 60
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.infra.registry.firstTimeInterval`.
          firstTimeInterval: 3
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.infra.management`.
        management:
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.infra.management.port`.
          port: ${MANAGEMENT_PORT}
      ## Placeholders of the form ${NAME:default} appear to read the environment
      ## variable NAME and fall back to the text after the colon; confirm.
      # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager`.
      secretManager:
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager.useInConfiguration`.
        useInConfiguration: ${SECRET_MANAGER_ENABLED:true}
        ## NOTE(review): with the default `true`, a failed lookup presumably yields
        ## an empty string instead of an error; confirm. An empty credential can
        ## hide a secret-store outage and may be accepted by a backend that allows
        ## blank passwords; set SECRET_MANAGER_RETURN_EMPTY_VALUE_ON_ERROR=false
        ## where failing closed is preferred.
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager.returnEmptyValueOnError`.
        returnEmptyValueOnError: ${SECRET_MANAGER_RETURN_EMPTY_VALUE_ON_ERROR:true}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager.retryTimeoutOnError`.
        retryTimeoutOnError: ${SECRET_MANAGER_RETRY_TIMEOUT_ON_ERROR:10s}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager.apiClient`.
        apiClient:
          ## The default targets localhost over plain HTTP. If SECRET_MANAGER_URL is
          ## pointed at another host, use an https:// URL so secret listings are not
          ## sent in clear text.
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager.apiClient.url`.
          url: ${SECRET_MANAGER_URL:http://localhost:${APP_PORT}/1.0/secrets/list}
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager.apiClient.timeout`.
          timeout: ${SECRET_MANAGER_TIMEOUT:30s}
        # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager.cacheManager`.
        cacheManager:
          ## NOTE(review): presumably a rotated or revoked secret can still be served
          ## from cache for up to this long; align the TTL with the rotation policy.
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretManager.cacheManager.ttl`.
          ttl: ${SECRET_MANAGER_CACHE_TTL:1h}
      # -- Secret Store configuration
      secretStore:
        - id: fileSecret
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretStore.type`.
          type: File
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretStore.isDefault`.
          isDefault: true
          ## Base64 is an encoding, not encryption: anyone who can read the file
          ## at `path` can recover the values, so restrict access to that file.
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretStore.decoder`.
          decoder: Base64
          # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretStore.details`.
          details:
            ## NOTE(review): the path is under /app/config, the same directory as
            ## `plainIDConfigFileBasePath`; presumably the file should be mounted
            ## from a Secret rather than added through `plainIDConfig`. Confirm.
            # -- Value for `secretsMgmt.plainIDConfig.config.yaml.secretStore.details.path`.
            path: /app/config/filename.txt
#        # Examples below for HashiCorp Vault and Environment Variables based Secret Stores
#        - id: vault
#          type: Vault
#          isDefault: true
#          decoder: None # Base64, None
#          details:
#            PathPrefix: prefix
#            defaultPath: vault_
#            # NOTE(review): skipVerify presumably turns off TLS certificate verification
#            # for the Vault connection (confirm); keep it false outside test setups so
#            # the Vault server's identity is checked.
#            skipVerify: true
#            url: vault
#            timeout: 3s
#            enginePath: custom
#          # Authentication method should use either a Token or Kubernetes authentication method with vault
#          # The two `auth:` blocks below are alternatives: uncomment only one. Two `auth`
#          # keys in the same mapping are a duplicate key, and most parsers silently keep
#          # the last one.
#          auth:
#            method: Token # Token, Kubernetes
#            # An inline tokenValue is stored in clear text in the values file and the
#            # rendered config; prefer tokenFileName or the Kubernetes method.
#            tokenValue: token
#            tokenFileName: ${VAULT_TOKEN} # instead of token value
#          auth:
#            method: Kubernetes
#            path: /var/run/secrets/kubernetes.io/serviceaccount/token
#            role: secrets-mgmt
#        - id: ENV_VAR_SECRET
#          type: Environment
#          isDefault: false
#          decoder: Base64
#          details:
#            name: ENV_VAR_SECRET
  # -- Configuration for `secretsMgmt.metrics`.
  metrics:
    # -- Enable `secretsMgmt.metrics`.
    enabled: false
    # -- Value for `secretsMgmt.metrics.port`.
    port: 8081
    # -- Value for `secretsMgmt.metrics.serviceMonitor`.
    serviceMonitor:
      # -- When set true then use a ServiceMonitor to configure scraping
      enabled: false
      # -- Value for `secretsMgmt.metrics.serviceMonitor.path`.
      path: /health/metrics
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    # -- Annotations for `secretsMgmt.metrics`.
    annotations: {}
  #    prometheus.io/port: '9090'
  #    prometheus.io/scrape: 'true'
  #    prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # -- Init containers to add to the deployment pod spec.
  initContainers: []
  #    - name: wait-for
  #      image: busybox:1.36
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          until nc -z plainid-paa-redis-master 6379; do sleep 2; done
  # -- Configuration for `secretsMgmt.nodeSelector`.
  nodeSelector: {}
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  # -- Configuration for `secretsMgmt.affinity`.
  affinity: {}
  #    podAntiAffinity:
  #      requiredDuringSchedulingIgnoredDuringExecution:
  #        - labelSelector:
  #            matchExpressions:
  #              - key: app.kubernetes.io/component
  #                operator: In
  #                values:
  #                  - secrets-mgmt
  #          topologyKey: "kubernetes.io/hostname"
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  # -- Configuration for `secretsMgmt.lifecycle`.
  lifecycle: {}
  #  preStop:
  #    exec:
  #      command: ["/bin/sh", "-c", "sleep 10"]
  # -- Extra volumes to be bound to secrets-mgmt pods
  extraVolumes: []
  # - name: tmp
  #   emptyDir: {}
  # -- Extra volume mounts to mount to secrets-mgmt pods
  extraVolumeMounts: []
  # - name: tmp
  #   mountPath: /tmp

# -- Value for `idpWebhook`.
idpWebhook:
  # -- Enable `idpWebhook`.
  enabled: false
  # -- Configuration for `idpWebhook.image`.
  image:
    # -- Value for `idpWebhook.image.repository`.
    repository: plainid/idp-webhook
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    # -- Value for `idpWebhook.image.pullPolicy`.
    pullPolicy: Always
    # -- Value for `idpWebhook.image.tag`.
    tag: "5.2624.2"
  # -- Value for `idpWebhook.name`.
  name: idp-webhook
  # -- Value for `idpWebhook.forceRedeploy`.
  forceRedeploy: false
  # -- Value for `idpWebhook.terminationGracePeriodSeconds`.
  terminationGracePeriodSeconds: 15
  # -- Value for `idpWebhook.replicaCount`.
  replicaCount: 1
  # -- If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  # -- Configuration for `idpWebhook.serviceAccount`.
  serviceAccount:
    # -- Annotations for `idpWebhook.serviceAccount`.
    annotations: {}
  # -- Labels to add to the pod container metadata
  podLabels: {}
  #  key: value
  # -- Annotations for `idpWebhook`.
  annotations: {}
  # -- Configuration for `idpWebhook.podAnnotations`.
  podAnnotations: {}
  # -- Configuration for `idpWebhook.autoscaling`.
  autoscaling:
    # -- Enable `idpWebhook.autoscaling`.
    enabled: false
    # -- Value for `idpWebhook.autoscaling.minReplicas`.
    minReplicas: 3
    # -- Value for `idpWebhook.autoscaling.maxReplicas`.
    maxReplicas: 6
    # -- Value for `idpWebhook.autoscaling.targetCPUUtilizationPercentage`.
    targetCPUUtilizationPercentage: 2000
    # -- Value for `idpWebhook.autoscaling.targetMemoryUtilizationPercentage`.
    targetMemoryUtilizationPercentage: 160
    # -- Annotations for `idpWebhook.autoscaling`.
    annotations: {}
    # -- Value for `idpWebhook.autoscaling.behavior`.
    behavior: {}
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #  policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 2
    #     periodSeconds: 60
  # -- Value for `idpWebhook.autoscalingTemplate`.
  autoscalingTemplate: []
  # Custom or additional autoscaling metrics
  # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
  # - type: Pods
  #   pods:
  #     metric:
  #       name: nginx_ingress_controller_nginx_process_requests_total
  #     target:
  #       type: AverageValue
  #       averageValue: 10000m
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  # -- Configuration for `idpWebhook.verticalPodAutoscaler`.
  verticalPodAutoscaler:
    # -- Enable `idpWebhook.verticalPodAutoscaler`.
    enabled: false
    # -- Defaults to chart name
    containerName: ""
    # -- List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: [ ]

    # -- Define the max allowed resources for the pod
    maxAllowed: { }
    # cpu: 200m
    # memory: 100Mi
    # -- Define the min allowed resources for the pod
    minAllowed: { }
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # -- are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: { }
    # updateMode: "Auto"
  # -- For deployment
  strategy:
    # -- Value for `idpWebhook.strategy.rollingUpdate`.
    rollingUpdate:
      # -- Value for `idpWebhook.strategy.rollingUpdate.maxSurge`.
      maxSurge: 30%
      # -- Value for `idpWebhook.strategy.rollingUpdate.maxUnavailable`.
      maxUnavailable: 30%
  # -- Configuration for `idpWebhook.podDisruptionBudget`.
  podDisruptionBudget:
    # -- Labels to be added
    labels: { }
    # -- Annotations to be added
    annotations: { }

    # -- Deploy a Poddisruptionbudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  # -- livenessProbe configuration for `idpWebhook`.
  livenessProbe:
    # -- Enable `idpWebhook.livenessProbe`.
    enabled: true
    # -- Value for `idpWebhook.livenessProbe.initialDelaySeconds`.
    initialDelaySeconds: 60
    # -- Value for `idpWebhook.livenessProbe.periodSeconds`.
    periodSeconds: 7
    # -- Value for `idpWebhook.livenessProbe.timeoutSeconds`.
    timeoutSeconds: 5
    # -- Value for `idpWebhook.livenessProbe.successThreshold`.
    successThreshold: 1
    # -- Value for `idpWebhook.livenessProbe.failureThreshold`.
    failureThreshold: 6
    # -- Value for `idpWebhook.livenessProbe.httpGet`.
    httpGet:
      # -- Value for `idpWebhook.livenessProbe.httpGet.path`.
      path: /health/liveness
  # -- readinessProbe configuration for `idpWebhook`.
  readinessProbe:
    # -- Enable `idpWebhook.readinessProbe`.
    enabled: true
    # -- Value for `idpWebhook.readinessProbe.initialDelaySeconds`.
    initialDelaySeconds: 20
    # -- Value for `idpWebhook.readinessProbe.periodSeconds`.
    periodSeconds: 3
    # -- Value for `idpWebhook.readinessProbe.timeoutSeconds`.
    timeoutSeconds: 2
    # -- Value for `idpWebhook.readinessProbe.successThreshold`.
    successThreshold: 1
    # -- Value for `idpWebhook.readinessProbe.failureThreshold`.
    failureThreshold: 3
    # -- Value for `idpWebhook.readinessProbe.httpGet`.
    httpGet:
      # -- Value for `idpWebhook.readinessProbe.httpGet.path`.
      path: /health/readiness
  # -- startupProbe configuration for `idpWebhook`.
  startupProbe:
    # -- Enable `idpWebhook.startupProbe`.
    enabled: true
    # -- Value for `idpWebhook.startupProbe.initialDelaySeconds`.
    initialDelaySeconds: 20
    # -- Value for `idpWebhook.startupProbe.periodSeconds`.
    periodSeconds: 2
    # -- Value for `idpWebhook.startupProbe.timeoutSeconds`.
    timeoutSeconds: 2
    # -- Value for `idpWebhook.startupProbe.successThreshold`.
    successThreshold: 1
    # -- Value for `idpWebhook.startupProbe.failureThreshold`.
    failureThreshold: 240
    # -- Value for `idpWebhook.startupProbe.httpGet`.
    httpGet:
      # -- Value for `idpWebhook.startupProbe.httpGet.path`.
      path: /health/liveness
  # -- Configuration for `idpWebhook.service`.
  service:
    # -- Enable `idpWebhook.service`.
    enabled: true
    # -- Value for `idpWebhook.service.type`.
    type: ClusterIP
    # -- Value for `idpWebhook.service.name`.
    name: http
    # -- Value for `idpWebhook.service.port`.
    port: 8080
    # -- Value for `idpWebhook.service.nodePort`.
    nodePort:
    # -- Annotations for `idpWebhook.service`.
    annotations: {}
    # -- Value for `idpWebhook.service.management`.
    management:
      # -- Value for `idpWebhook.service.management.name`.
      name: http-management
      # -- Value for `idpWebhook.service.management.port`.
      port: 9090
  ## NOTE(review): what the debug port exposes is not shown in this file;
  ## presumably a remote-debug listener. Keep it disabled outside
  ## troubleshooting, and if it is enabled make sure the port is not reachable
  ## through the Service or Ingress.
  # -- Configuration for `idpWebhook.debug`.
  debug:
    # -- Enable `idpWebhook.debug`.
    enabled: false
    # -- Value for `idpWebhook.debug.port`.
    port: 5005
  ## Enable Redis-backed shared services such as dynamic logger level.
  ## The redis connection configuration will be inherited from the global Redis configuration.
  # -- Value for `idpWebhook.redis`.
  redis:
    # -- Enable `idpWebhook.redis`.
    enabled: false
  ## Sensitive environment variables that will be rendered as a new Secret object.
  ## This can be useful for auth tokens, etc.
  ## NOTE(review): values entered here still sit in clear text in the values file
  ## and in the stored Helm release; to keep them out of both, use
  ## `existingEnvSecret` with a Secret managed outside the chart.
  # -- Configuration for `idpWebhook.extraEnvSecrets`.
  extraEnvSecrets: {}
  # Allows you to add any secret files to /app/conf
  # such as key.json etc..
  ## NOTE(review): `extraEnv` is presumably rendered as plain `env` entries on the
  ## container, readable by anyone who can view the pod spec; confirm against the
  ## chart templates and keep credentials out of it.
  # -- Environment variables to pass to the agent
  extraEnv: {}
  ## NOTE(review): presumably the name of a pre-created Secret; confirm.
  # -- When set, the secret environment variables (`extraEnvSecrets`) are ignored
  existingEnvSecret: ""
  # -- Resource requests and limits for `idpWebhook`.
  resources: {}
  #    requests:
  #      memory: "100Mi"
  #      cpu: "10m"
  #    limits:
  #      memory: "2000Mi"
  #      cpu: "2000m"
  # -- Configuration for `idpWebhook.command`.
  command: []
  # -- Value for `idpWebhook.plainIDConfigFileBasePath`.
  plainIDConfigFileBasePath: "/app/config"
  # -- Allows you to add any config files to /app/config
  plainIDConfig:
    # -- Value for `idpWebhook.plainIDConfig.config.yaml`.
    config.yaml:
      # -- Value for `idpWebhook.plainIDConfig.config.yaml.app`.
      app:
        # -- Value for `idpWebhook.plainIDConfig.config.yaml.app.paaId`.
        paaId: ${PAA_ID:}
        # -- Value for `idpWebhook.plainIDConfig.config.yaml.app.refreshPaaLogLevel`.
        refreshPaaLogLevel: ${IDP_WEBHOOK_REFRESH_PAA_LOG_LEVEL:10s}
      # -- Value for `idpWebhook.plainIDConfig.config.yaml.redis`.
      redis:
        # -- Enable `idpWebhook.plainIDConfig.config.yaml.redis`.
        enabled: ${REDIS_ENABLED:false}
        # -- Value for `idpWebhook.plainIDConfig.config.yaml.redis.host`.
        host: ${REDIS_HOST}
        # -- Value for `idpWebhook.plainIDConfig.config.yaml.redis.port`.
        port: ${REDIS_PORT}
        # -- Value for `idpWebhook.plainIDConfig.config.yaml.redis.username`.
        username: ${REDIS_USER}
        # -- Value for `idpWebhook.plainIDConfig.config.yaml.redis.password`.
        password: ${REDIS_PASS}
        ## NOTE(review): REDIS_SSL_ENABLED falls back to false here, so unless the
        ## global Redis configuration turns TLS on, the Redis username/password
        ## above would presumably travel unencrypted; confirm for your deployment.
        # -- Value for `idpWebhook.plainIDConfig.config.yaml.redis.ssl`.
        ssl: ${REDIS_SSL_ENABLED:false}
      # -- Value for `idpWebhook.plainIDConfig.config.yaml.infra`.
      infra:
        # -- Value for `idpWebhook.plainIDConfig.config.yaml.infra.registry`.
        registry:
          # -- "http://plainid-paa-agent:8080"
          warpUrl: ${AGENT_URL:}
          # -- "http://plainid-paa-idp-webhook:"${server.port}
          k8service: ${IDP_WEBHOOK_ADDRESS:}
  # Uncomment the following config.yaml section to enable and configure the IDP Web-Hook (Token Enrichment) functionality
  # Merge it into the `config.yaml` key above instead of adding a second one: two `config.yaml` keys under
  # `plainIDConfig` are a duplicate key, and most parsers silently keep only the last.
#    config.yaml:
#      server:
#        name: idp-webhook
#        auth:
#          # NOTE(review): marked optional; without it the endpoint presumably accepts unauthenticated callers (confirm).
#          # Set it whenever the webhook is reachable through `ingress` or from other namespaces.
#          secret: ${IDP_HOOK_AUTH_SECRET} # This secret will be used to allow the IDP to authenticate with the IDP Webhook endpoint (Optional)
#
#      http:
#        port: ${IDP_HOOK_HTTP_PORT:8080}
#
#      management:
#        port: ${MANAGEMENT_PORT:9090}
#        # if management endpoint path needs to be changed from the default /health:
#        # prefix: ${MANAGEMENT_PREFIX:/probes}
#
#      log:
#        # NOTE(review): this example defaults to debug; confirm that debug output does not include tokens or
#        # identity claims before keeping that level in production.
#        level: ${IDP_HOOK_LOG_LEVEL:debug} # possible values: trace, debug, info, warn, warning, error, fatal, panic
#        format: ${IDP_HOOK_LOG_FORMAT:json} # possible values: json, text
#        logTo: ${IDP_HOOK_LOG_TO:console} # possible values: console, file, rolling
#        # filePath: ${IDP_HOOK_LOG_FILE_PATH:logs/webhook.log} # only relevant if logTo is file or rolling
#        # if logTo is rolling - use the following optional parameters to configure the rolling file appender
#        # maxSize: 2
#        # maxAge: 1
#        # maxBackups: 5
#        # compress: true
#        # localTime: false
#
#      runtime:
#        # The default host is a sample value; set RUNTIME_ADDRESS to your own PDP Runtime address.
#        host: ${RUNTIME_ADDRESS:https://demo.plainid.cloud}
#        uri: /api/runtime/token/v3
#        timeout: 3s
#        # pattern for tenant-specific PDP Runtime URLs; {{tenant}} is a constant, where the tenant key from the request-host will be set
#        # tenantPattern: "http://{{tenant}}-runtime.runtime"
#
#      # The client ids used as defaults below are sample values; replace them with your own.
#      # Supply each clientsecret through `extraEnvSecrets` or `existingEnvSecret`, not inline in this file.
#      apps:
#        Bank Portal:
#          clientid: ${BANK_PORTAL_SCOPE_CLIENT_ID:PPWZYCOMXGNTHMGO8CIT}
#          clientsecret: ${BANK_PORTAL_SCOPE_CLIENT_SECRET}
#          entitytype: User
#          tokentype: identity # possible values: identity, access
#          includeIdentity: true
#          userid: $.identity.claims.sub
#          claims:
#            plainid: $.response[*].access[?(@.resourceType == "assetExternal")].path
#            FirstName_identity: $.identity.attributes.first_name
#
#        Loan Approval:
#          clientid: ${LOAN_APPROVAL_SCOPE_CLIENT_ID:PXY8GCMDLPKSNAFDAA7A}
#          clientsecret: ${LOAN_APPROVAL_SCOPE_CLIENT_SECRET}
#          entitytype: Main
#          tokentype: identity # possible values: identity, access
#          userid: $.identity.claims.sub
#          claims:
#            plainid: $.response[*].access[?(@.resourceType == "portal-permissions")].path
#            FirstName_identity: $.identity.attributes.name
  # -- Configuration for `idpWebhook.metrics`.
  metrics:
    # -- Enable `idpWebhook.metrics`.
    enabled: false
    # -- Value for `idpWebhook.metrics.serviceMonitor`.
    serviceMonitor:
      # -- When set true then use a ServiceMonitor to configure scraping
      enabled: false
      # -- Value for `idpWebhook.metrics.serviceMonitor.path`.
      path: /health/metrics
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    # -- Annotations for `idpWebhook.metrics`.
    annotations: {}
  #    prometheus.io/port: '9090'
  #    prometheus.io/scrape: 'true'
  #    prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # -- Init containers to add to the deployment pod spec.
  initContainers: []
  #    - name: wait-for
  #      image: busybox:1.36
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          until nc -z plainid-paa-redis-master 6379; do sleep 2; done
  # -- Configuration for `idpWebhook.nodeSelector`.
  nodeSelector: {}
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  # -- Configuration for `idpWebhook.affinity`.
  affinity: {}
  #    podAntiAffinity:
  #      requiredDuringSchedulingIgnoredDuringExecution:
  #        - labelSelector:
  #            matchExpressions:
  #              - key: app.kubernetes.io/component
  #                operator: In
  #                values:
  #                  - idp-webhook
  #          topologyKey: "kubernetes.io/hostname"
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  # -- Configuration for `idpWebhook.lifecycle`.
  lifecycle: {}
  #  preStop:
  #    exec:
  #      command: ["/bin/sh", "-c", "sleep 10"]
  # -- Extra volumes to be bound to idp-webhook pods
  extraVolumes: []
  # - name: tmp
  #   emptyDir: {}
  # -- Extra volume mounts to mount to idp-webhook pods
  extraVolumeMounts: []
  # - name: tmp
  #   mountPath: /tmp
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ## NOTE(review): `tls` is empty by default, so enabling the ingress as-is would
  ## presumably publish the webhook over plain HTTP. The webhook handles identity
  ## claims and, per the commented `server.auth.secret` setting, an optional
  ## shared secret; fill in `tls` when turning `enabled` on.
  # -- Configuration for `idpWebhook.ingress`.
  ingress:
    # -- Enable `idpWebhook.ingress`.
    enabled: false
    #  ingressClassName: nginx
    # -- Annotations for `idpWebhook.ingress`.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    # -- Value for `idpWebhook.ingress.hosts`.
    hosts:
      - host: chart-example.local
        # -- Value for `idpWebhook.ingress.hosts.paths`.
        paths: ["/"]
    # -- Value for `idpWebhook.ingress.tls`.
    tls: [ ]
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

## extraManifests: array of extra objects to deploy with the release (evaluated as a template).
## NOTE(review): entries are deployed together with the chart's own resources,
## so review additions coming from shared or inherited values files like any
## other manifest.
# -- Value for `extraManifests`.
extraManifests: []

# -- Value for `skipChartValidations`.
skipChartValidations: false

