Sample values.yaml File


As a best practice, we recommend using the file values-custom.yaml for setting the relevant parameter values.

Additional parameters and configuration can be copied from the values.yaml below into values-custom.yaml as needed.

# Default values for plainid-paa.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Client settings
# These settings can be found under the tenant settings section on the management UI.
# NOTE(review): agentSecretKey is a credential. Keep the real value out of version control
# (this applies to values-custom.yaml too) and supply it at deploy time from a secret store
# or a protected values file.
tenantId: "ENTER_TENANT_ID" # Tenant Id (can be found under the Hybrid Agent Keys tab)
agentSecretKey: "ENTER_AGENT_SECRET_KEY" # Agent Secret key (can be found under the Hybrid Agent Keys tab)
paaId: "ENTER_PAA_ID" #  Policy Authorization Agent Id (can be found under the Policy Authorization Agents tab)

# PlainID hybrid URL.
# Possible values (XXXXX): us1,eu1,ca1
# For example: remoteApi: "wss://remote.us1.plainid.io/wstunnel"
# NOTE(review): keep a TLS scheme (wss:// or https://) here; presumably the agent authenticates
# to PlainID over this tunnel - confirm.
remoteApi: "wss://remote.XXXXX.plainid.io/wstunnel"

# To use HTTPS tunneling instead of WebSockets, set remoteApi as follows
# (use plain ASCII double quotes; typographic quotes would become part of the value):
# remoteApi: "https://remote.us1.plainid.io/httptunnel"

## Reference to one or more secrets to be used when pulling images
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
## Empty by default; each entry is a mapping with a `name` key, as in the commented example.
imagePullSecrets: []
# - name: "image-pull-secret"

# NOTE(review): presumably the usual Helm name overrides; both are left commented out here.
#nameOverride: "plainid-paa"
#fullnameOverride: "plainid-paa"

# -- Override the Kubernetes version, which is used to evaluate certain manifests
kubeVersionOverride: ""

## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
  # NOTE(review): presumably maps to the Kubernetes automountServiceAccountToken field - confirm
  # against the chart templates. The value is the quoted string "true", not a boolean; check what
  # the templates expect before changing its type.
  # If the workloads do not call the Kubernetes API, consider turning the mount off so that a
  # compromised container does not obtain an API credential.
  automountServiceAccountToken: "true"

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Pod-level security context. Empty in this file; the commented line is an example.
podSecurityContext: {}
# fsGroup: 2000

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# Container-level security context. Empty in this file, so none of the restrictions below are
# set by these defaults. The commented keys form a restrictive baseline: drop all Linux
# capabilities, mount the root filesystem read-only, and run as a non-root user.
# NOTE(review): consider setting them in values-custom.yaml after confirming the images start
# correctly with a read-only root filesystem and the chosen UID.
# To use the example, replace the empty mapping with these keys.
securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# Pod tolerations; none by default.
tolerations: []

global:
  # -- Additional labels to add to all resources
  # Empty by default; the commented line below is an example label.
  additionalLabels: {}
  # app: plainid-paa

# Settings for the PlainID agent component.
agent:
  # NOTE(review): presumably overrides the generated full name of the agent resources - confirm.
  fullnameOverride: agent-client
  enabled: true
  name: agent
  replicaCount: 1
  image:
    repository: plainid/agent
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: Always
    tag: "5.2514.1"
  # If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  serviceAccount:
    annotations: {}
  # agent.resources -- Specify resources on the PlainID Agent container.
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  # Empty in this file, i.e. no requests or limits are set here; the commented values are an example.
  resources: {}
  #  requests:
  #    memory: "2000Mi"
  #    cpu: "50m"
  #  limits:
  #    memory: "4000Mi"
  #    cpu: "2000m"
  # Override agent start command
  # The commented example imports /app/conf/cert.pem into the JVM trust store (alias redis-cert)
  # and then launches the agent. A certificate imported this way is trusted for every TLS
  # connection that uses the JVM default trust store, so only mount a cert.pem you control.
  # `changeit` is the stock password of the JDK cacerts keystore, not a deployment secret.
  command: []
  #    - /bin/sh
  #    - -ec
  #    - |
  #      keytool -import -alias redis-cert -file /app/conf/cert.pem -storepass changeit -keystore /usr/lib/jvm/default-jvm/lib/security/cacerts -noprompt && \
  #      /app/launch.sh "${JVM_OPTS}  -Djava.net.preferIPv4Stack=true" -jar "$JAR_NAME"
  # Allows you to add any config files to /app/conf
  # such as config.json
  # Each key is a file name and each value is the file content, as in the commented example.
  plainIDConfig: {}
  #  config.json: |
  #    {}
  # Horizontal autoscaling settings for the agent; disabled by default.
  autoscaling:
    enabled: false
    minReplicas: 3
    maxReplicas: 6
    targetCPUUtilizationPercentage: 80
    targetMemoryUtilizationPercentage: 80
    annotations: { }
    # Example scaling behavior; to use it, replace the empty mapping with these keys.
    behavior: { }
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 2
      #     periodSeconds: 60
  autoscalingTemplate: []
    # Custom or additional autoscaling metrics
    # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
    # To use the example, replace the empty list with these entries.
    # - type: Pods
    #   pods:
    #     metric:
    #       name: nginx_ingress_controller_nginx_process_requests_total
    #     target:
    #       type: AverageValue
    #       averageValue: 10000m
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  verticalPodAutoscaler:
    enabled: false
    # Defaults to chart name
    containerName: ""
    # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: []

    # Define the max allowed resources for the pod
    maxAllowed: {}
    # cpu: 200m
    # memory: 100Mi
    # Define the min allowed resources for the pod
    minAllowed: {}
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: {}
    # updateMode: "Auto"
  strategy: # For deployment
    rollingUpdate:
      maxSurge: 30%
      maxUnavailable: 30%
  # -- Labels to add to the pod container metadata
  podLabels: {}
  #  key: value
  annotations: {}
  podAnnotations: {}
  ## Sensitive environment variables that will be rendered as a new Secret object
  ## This can be useful for auth tokens, etc
  ## NOTE(review): values entered here sit in plain text in the values file; keep that file out of
  ## version control, or reference an existing Secret through existingEnvSecret instead.
  extraEnvSecrets: {}
  # When it's set, the secret environment variables above (extraEnvSecrets) are ignored
  # NOTE(review): presumably the name of an existing Secret to use instead - confirm.
  existingEnvSecret: ""
  # -- Environment variables to pass to the agent
  # NOTE(review): presumably rendered as plain environment variables; do not put credentials here.
  extraEnv: {}
  #  KEY: "VALUE"
  # -- PlainID agent log format: Either `text` or `json`
  logFormat: text
  # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`)
  logLevel: info
  # -- Set the message level. (One of: `debug`, `info`, `warn`, `error`, `off`)
  # The messagesLevel parameter defines which message types, if any, are sent to the PlainID Platform for troubleshooting.
  # To disable messages, set to `off`
  # NOTE(review): these messages leave the cluster; review what lower levels include before
  # going below `error`.
  messagesLevel: error
  terminationGracePeriodSeconds: 25
  # NOTE(review): presumably enables a JVM remote-debug (JDWP) listener on `port` - confirm against
  # the chart templates. JDWP has no authentication and a connected client can run code inside
  # the JVM, so keep this disabled outside short troubleshooting sessions and never expose the
  # port beyond the pod.
  debug:
    enabled: false
    port: 5005
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  # preStop hook: sends SIGTERM to the processes matched by `pgrep -f redisync`, then sleeps 20
  # seconds. The sleep has to stay below terminationGracePeriodSeconds (25 for the agent).
  # The hook needs /bin/bash and pgrep inside the agent image.
  lifecycle:
    preStop:
      exec:
        command: [ "/bin/bash", "-c", "kill -SIGTERM `pgrep -f redisync` && sleep 20" ]
  ## Configure extra options for probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  # NOTE(review): the numeric probe settings are quoted strings; presumably the templates render
  # them unquoted - confirm before changing the type.
  livenessProbe:
    enabled: true
    initialDelaySeconds: "300"
    periodSeconds: "15"
    timeoutSeconds: "8"
    failureThreshold: "12"
    successThreshold: "1"
  readinessProbe:
    enabled: true
    initialDelaySeconds: "30"
    periodSeconds: "4"
    timeoutSeconds: "3"
    failureThreshold: "5"
    successThreshold: "1"
  # The startup probe is disabled by default.
  startupProbe:
    enabled: false
    initialDelaySeconds: "90"
    periodSeconds: "5"
    timeoutSeconds: "2"
    failureThreshold: "300"
    successThreshold: "1"
  # Service for the agent. ClusterIP keeps it reachable only from inside the cluster.
  service:
    type: ClusterIP
    port: 8080
    # Left empty (parses as null). NOTE(review): presumably only used when type is NodePort - confirm.
    nodePort:
    name: http
    annotations: {}
    # Management port; metrics.port below uses the same number (8081).
    management:
      name: http-management
      port: 8081
  metrics:
    enabled: false
    port: 8081
    serviceMonitor:
      # When set true then use a ServiceMonitor to configure scraping
      enabled: false
      path: /actuator/prometheus
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    # Example annotations for annotation-based Prometheus scraping.
    # NOTE(review): the example port is 9090 while metrics.port is 8081 - use the port the
    # metrics endpoint actually listens on.
    annotations: {}
    #  prometheus.io/port: '9090'
    #  prometheus.io/scrape: 'true'
    #  prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # If the value is a string then it is evaluated as a template.
  # Left empty here (parses as null). The commented example waits for
  # plainid-paa-redis-master:6379 and runs as a non-root user with a read-only root filesystem.
  initContainers:
  #    - name: wait-for
  #      image: plainid/wait-for:0.0.9
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          /wait-for plainid-paa-redis-master:6379 --timeout=600
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    # -- Labels to be added
    labels: {}
    # -- Annotations to be added
    annotations: {}

    # -- Deploy a PodDisruptionBudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  forceRedeploy: false
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  # Empty by default. The commented example is a required pod anti-affinity on the hostname
  # topology key for pods labelled app.kubernetes.io/component=agent.
  affinity: {}
  #    podAntiAffinity:
  #      requiredDuringSchedulingIgnoredDuringExecution:
  #        - labelSelector:
  #            matchExpressions:
  #              - key: app.kubernetes.io/component
  #                operator: In
  #                values:
  #                  - agent
  #          topologyKey: "kubernetes.io/hostname"
  nodeSelector: {}
  # JVM options are settings that control the behavior of the Java Virtual Machine (JVM) running
  # the agent: performance, memory and debugging. The default fixes the heap at 2000 MB
  # (-Xms is the initial heap size, -Xmx the maximum heap size).
  jvmOpts: "-Xms2000m -Xmx2000m"
  # Example: percentage-based heap sizing instead of fixed sizes
  # -- `-XX:InitialRAMPercentage=70.0`: sets the initial heap size as a percentage of the memory
  #    available to the JVM (in a container this is normally the container memory limit).
  #    In this example it is 70%.
  # -- `-XX:MaxRAMPercentage=70.0`: sets the maximum heap size as a percentage of that memory,
  #    again 70% in this example. The JVM will not grow the heap beyond this, even if more
  #    memory is free.
  # -- `-XX:+ExitOnOutOfMemoryError`: makes the JVM exit as soon as it hits an `OutOfMemoryError`.
  #    By default the JVM may throw the error and keep running; with this option it shuts down,
  #    which is useful where automatic recovery restarts the process.
  #jvmOpts: "-XX:InitialRAMPercentage=70.0 -XX:MaxRAMPercentage=70.0 -XX:+ExitOnOutOfMemoryError"
  numberOfConnections: "1"
  redisync:
    # JVM options for redisync; the flags have the same meaning as for agent.jvmOpts above.
    # The default fixes the heap at 1500 MB.
    jvmOpts: "-Xms1500m -Xmx1500m"
    # Example: percentage-based heap sizing (70% initial and maximum heap, exit on OutOfMemoryError)
    #jvmOpts: "-XX:InitialRAMPercentage=70.0 -XX:MaxRAMPercentage=70.0 -XX:+ExitOnOutOfMemoryError"
    enabled: true

# Settings for the PlainID PIP Operator component.
pipOperator:
  enabled: true
  name: pip-operator
  replicaCount: "1"
  image:
    repository: plainid/pip-operator
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: Always
    tag: "5.2514.1"
  # If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  serviceAccount:
    annotations: {}
  # pipOperator.resources -- Specify resources on the PlainID Pip Operator container.
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  # Empty in this file, i.e. no requests or limits are set here; the commented values are an example.
  resources: {}
  #  requests:
  #    memory: "2000Mi"
  #    cpu: "50m"
  #  limits:
  #    memory: "4000Mi"
  #    cpu: "2000m"
  # Override PIP-Operator start command in case you need to use external DB drivers (e.g. MySQL, MS SQL, Oracle, etc.)
  # Uncomment the following section and add the curl commands to retrieve/download the relevant libraries
  # Please note - the folder for the libraries must be under /app/lib
  # NOTE(review): the example downloads a JAR on every container start and loads it through
  # -Dloader.path=/app/lib/ with no integrity check, so whatever the URL serves runs inside the
  # PIP Operator. Fetch drivers from an artifact repository you control and verify a pinned
  # checksum before the java command, or bake the driver into a derived image.
  # The keytool line imports /app/conf/cert.pem into the JVM trust store; only mount a cert.pem
  # you control. `changeit` is the stock password of the JDK cacerts keystore.
  command: []
  #    - /bin/sh
  #    - -ec
  #    - |
  #      curl -o /app/lib/sample.jar https://www.example.com/sample.jar && \
  #      keytool -import -alias redis-cert -file /app/conf/cert.pem -storepass changeit -keystore /usr/lib/jvm/default-jvm/lib/security/cacerts -noprompt && \
  #      java ${JVM_OPTS} -cp $JAR_NAME -Dorg.apache.cxf.transport.http.forceVersion=1.1 -Djava.net.preferIPv4Stack=true -Dloader.path=/app/lib/ -Dloader.main=com.plainid.pipoperator.Starter org.springframework.boot.loader.launch.PropertiesLauncher
  # NOTE: horizontal autoscaling based on memory utilization for this service is discouraged.
  # Please refer to https://docs.plainid.io
  # Horizontal autoscaling is disabled by default; the memory target is left commented out.
  autoscaling:
    enabled: false
    minReplicas: 3
    maxReplicas: 6
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
    annotations: { }
    # Example scaling behavior; to use it, replace the empty mapping with these keys.
    behavior: { }
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 2
      #     periodSeconds: 60
  autoscalingTemplate: []
    # Custom or additional autoscaling metrics
    # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
    # To use the example, replace the empty list with these entries.
    # - type: Pods
    #   pods:
    #     metric:
    #       name: nginx_ingress_controller_nginx_process_requests_total
    #     target:
    #       type: AverageValue
    #       averageValue: 10000m
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  verticalPodAutoscaler:
    enabled: false
    # Defaults to chart name
    containerName: ""
    # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: [ ]

    # Define the max allowed resources for the pod
    maxAllowed: { }
    # cpu: 200m
    # memory: 100Mi
    # Define the min allowed resources for the pod
    minAllowed: { }
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: { }
    # updateMode: "Auto"
  strategy:
    rollingUpdate:
      maxSurge: 30%
      maxUnavailable: 30%
  # -- Labels to add to the pod container metadata
  podLabels: { }
  #  key: value
  annotations: {}
  podAnnotations: {}
  # Allows you to add any config files to /app/conf
  # such as auth-config.xml that is required to configure OAuth connections to REST based data sources (e.g. Azure AD, SCIM, REST, etc.)
  # Each key is a file name and each value is the file content, as in the commented example.
  # NOTE(review): the sample below sets hashAlgorithm to MD5 for the passwords in
  # users.properties. MD5 is not suitable for protecting passwords; pick a stronger digest if the
  # login module accepts one, or keep credentials out of property files.
  # unauthenticatedIdentity gives requests that carry no credentials the identity `nobody`;
  # make sure that identity holds no roles you would not grant to an anonymous caller.
  plainIDConfig: {}
  #  auth-config.xml: |
  #    <?xml version='1.0'?>
  #    <policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  #             xsi:schemaLocation="urn:jboss:security-config:5.0"
  #             xmlns="urn:jboss:security-config:5.0"
  #             xmlns:jbxb="urn:jboss:security-config:5.0">
  #
  #        <application-policy name = "teiid-security-file">
  #           <authentication>
  #              <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
  #                  <!-- https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/5/html/security_guide/ch12#Using_JBoss_Login_Modules-Password_Hashing -->
  #                  <module-option name="usersProperties">users.properties</module-option>
  #                  <module-option name="rolesProperties">roles.properties</module-option>
  #                  <module-option name="unauthenticatedIdentity">nobody</module-option>
  #                  <module-option name="hashAlgorithm">MD5</module-option>
  #                  <module-option name="hashEncoding">base64</module-option>
  #              </login-module>
  #           </authentication>
  #        </application-policy>
  #    </policy>
  # Allows you to add any secret files to /app/conf
  # such as key.json etc..
  # NOTE(review): file contents entered here sit in plain text in the values file; keep that file
  # out of version control.
  secretFiles: {}
  #  key.json: |
  #    {}
  ## Sensitive environment variables that will be rendered as a new Secret object
  ## This can be useful for auth tokens, etc
  ## NOTE(review): values entered here sit in plain text in the values file; keep that file out of
  ## version control, or reference an existing Secret through existingEnvSecret instead.
  extraEnvSecrets: { }
  # When it's set, the secret environment variables above (extraEnvSecrets) are ignored
  # NOTE(review): presumably the name of an existing Secret to use instead - confirm.
  existingEnvSecret: ""
  # -- Environment variables to pass to the pip-operator
  # This is a YAML flow mapping: entries placed between the braces are `KEY: "VALUE"` pairs
  # separated by commas. The lines inside the braces describe two supported variables.
  extraEnv: {
    # APP_VDB_LAZY_INVALIDATE:true     - If set to true (Default), cached data will be available during cache refresh,
    #                                    if set to false, data is not available during cache refresh.
    # MV_STATUS_LOGGING_FREQUENCY: 60  - Determines whether Mat View status is retrieved and logged,
    #                                    and specifies the logging frequency (default is 60 minutes)
  }
  #  KEY: "VALUE"
  # -- PlainID pip-operator log format: Either `text` or `json`
  logFormat: text
  # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`)
  logLevel: info
  terminationGracePeriodSeconds: 15
  # -- Set the message level. (One of: `debug`, `info`, `warn`, `error`, `off`)
  # The messagesLevel parameter defines which message types, if any, are sent to the PlainID Platform for troubleshooting.
  # To disable messages, set to `off`
  # NOTE(review): these messages leave the cluster; review what lower levels include before
  # going below `error`.
  messagesLevel: error
  # NOTE(review): presumably enables a JVM remote-debug (JDWP) listener on `port` - confirm against
  # the chart templates. JDWP has no authentication and a connected client can run code inside
  # the JVM, so keep this disabled outside short troubleshooting sessions and never expose the
  # port beyond the pod.
  debug:
    enabled: false
    port: 5005
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  # No lifecycle hooks by default; the commented example is a preStop hook that sleeps 10 seconds.
  lifecycle: { }
  #  preStop:
  #    exec:
  #      command: ["/bin/sh", "-c", "sleep 10"]
  ## Configure extra options for probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  # NOTE(review): the numeric probe settings are quoted strings; presumably the templates render
  # them unquoted - confirm before changing the type.
  livenessProbe:
    enabled: true
    initialDelaySeconds: "300"
    periodSeconds: "15"
    timeoutSeconds: "8"
    failureThreshold: "12"
    successThreshold: "1"
  readinessProbe:
    enabled: true
    initialDelaySeconds: "30"
    periodSeconds: "4"
    timeoutSeconds: "3"
    failureThreshold: "5"
    successThreshold: "1"
  # The startup probe is disabled by default.
  startupProbe:
    enabled: false
    initialDelaySeconds: "40"
    periodSeconds: "5"
    timeoutSeconds: "2"
    failureThreshold: "300"
    successThreshold: "1"
  # Service for the PIP Operator. ClusterIP keeps it reachable only from inside the cluster.
  service:
    type: ClusterIP
    name: http
    port: 8080
    annotations: {}
    # Management port; metrics.port below uses the same number (8089).
    management:
      name: http-management
      port: 8089
    # NOTE(review): the jdbc and postgres ports presumably expose data-access endpoints of the
    # PIP Operator - confirm how clients authenticate, and consider a NetworkPolicy that limits
    # them to the workloads that need them.
    jdbc:
      name: tcp-jdbc
      port: 31350
    postgres:
      name: tcp-postgres
      port: 31351
  metrics:
    enabled: false
    port: 8089
    serviceMonitor:
      # When set true then use a ServiceMonitor to configure scraping
      enabled: false
      path: /actuator/prometheus
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    # Example annotations for annotation-based Prometheus scraping.
    # NOTE(review): the example port is 9090 while metrics.port is 8089 - use the port the
    # metrics endpoint actually listens on.
    annotations: {}
    #  prometheus.io/port: '9090'
    #  prometheus.io/scrape: 'true'
    #  prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # If the value is a string then it is evaluated as a template.
  # Left empty here (parses as null). The commented example waits for
  # plainid-paa-redis-master:6379 and runs as a non-root user with a read-only root filesystem.
  initContainers:
  #    - name: wait-for
  #      image: plainid/wait-for:0.0.9
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          /wait-for plainid-paa-redis-master:6379 --timeout=600
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    # -- Labels to be added
    labels: {}
    # -- Annotations to be added
    annotations: {}

    # -- Deploy a PodDisruptionBudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  forceRedeploy: false
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  # Empty by default. The commented example is a preferred (weight 1) pod anti-affinity on the
  # hostname topology key for pods labelled app.kubernetes.io/component=pip-operator.
  affinity: {}
  #    podAntiAffinity:
  #      preferredDuringSchedulingIgnoredDuringExecution:
  #        - weight: 1
  #          podAffinityTerm:
  #            labelSelector:
  #              matchExpressions:
  #                - key: app.kubernetes.io/component
  #                  operator: In
  #                  values:
  #                    - pip-operator
  #            topologyKey: kubernetes.io/hostname
  nodeSelector: {}
  # JVM options are settings that control the behavior of the Java Virtual Machine (JVM) running
  # the PIP Operator: performance, memory and debugging. The default fixes the heap at 2 GB
  # (-Xms is the initial heap size, -Xmx the maximum heap size).
  jvmOpts: "-Xms2g -Xmx2g"
  # Example: percentage-based heap sizing instead of fixed sizes
  # -- `-XX:InitialRAMPercentage=70.0`: sets the initial heap size as a percentage of the memory
  #    available to the JVM (in a container this is normally the container memory limit).
  #    In this example it is 70%.
  # -- `-XX:MaxRAMPercentage=70.0`: sets the maximum heap size as a percentage of that memory,
  #    again 70% in this example. The JVM will not grow the heap beyond this, even if more
  #    memory is free.
  # -- `-XX:+ExitOnOutOfMemoryError`: makes the JVM exit as soon as it hits an `OutOfMemoryError`.
  #    By default the JVM may throw the error and keep running; with this option it shuts down,
  #    which is useful where automatic recovery restarts the process.
  #jvmOpts: "-XX:InitialRAMPercentage=70.0 -XX:MaxRAMPercentage=70.0 -XX:+ExitOnOutOfMemoryError"

# Settings for the PlainID runtime component.
runtime:
  name: runtime
  replicaCount: "1"
  # Allows you to add any config files to /app/conf
  # such as config-hybrid.json
  # Each key is a file name and each value is the file content, as in the commented example.
  plainIDConfig: {}
  #  config-hybrid.json: |
  #    {}
  image:
    repository: plainid/theruntime
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: Always
    tag: "5.2514.3"
  # If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  serviceAccount:
    annotations: {}
  # runtime.resources -- Specify resources on the PlainID Runtime container.
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  # Empty in this file, i.e. no requests or limits are set here; the commented values are an example.
  resources: {}
  #  requests:
  #    memory: "500Mi"
  #    cpu: "50m"
  #  limits:
  #    memory: "1000Mi"
  #    cpu: "2000m"
  # Override runtime start command
  # The commented example imports /app/conf/cert.pem into the JVM trust store (alias redis-cert)
  # and then starts theruntime.jar. A certificate imported this way is trusted for every TLS
  # connection that uses the JVM default trust store, so only mount a cert.pem you control.
  # `changeit` is the stock password of the JDK cacerts keystore, not a deployment secret.
  command: []
  #    - /bin/sh
  #    - -ec
  #    - |
  #      keytool -import -alias redis-cert -file /app/conf/cert.pem -storepass changeit -keystore /usr/lib/jvm/default-jvm/lib/security/cacerts -noprompt && \
  #      java ${JVM_OPTS} --add-exports java.base/sun.security.util=ALL-UNNAMED -Dconf.file=${RUNTIME_CONFIG_PATH} -Dconf.format=json -Dlog4j.configurationFile=${RUNTIME_LOG4J_PATH} -Djava.net.preferIPv4Stack=true -jar theruntime.jar
  # NOTE: horizontal autoscaling based on memory utilization for this service is discouraged.
  # Please refer to https://docs.plainid.io
  # Horizontal autoscaling is disabled by default; the memory target is left commented out.
  autoscaling:
    enabled: false
    minReplicas: 3
    maxReplicas: 6
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80
    annotations: {}
    # Example scaling behavior; to use it, replace the empty mapping with these keys.
    behavior: {}
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
      #   policies:
      #   - type: Pods
      #     value: 2
      #     periodSeconds: 60
  autoscalingTemplate: []
    # Custom or additional autoscaling metrics
    # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
    # To use the example, replace the empty list with these entries.
    # - type: Pods
    #   pods:
    #     metric:
    #       name: nginx_ingress_controller_nginx_process_requests_total
    #     target:
    #       type: AverageValue
    #       averageValue: 10000m
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  verticalPodAutoscaler:
    enabled: false
    # Defaults to chart name
    containerName: ""
    # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: [ ]

    # Define the max allowed resources for the pod
    maxAllowed: { }
    # cpu: 200m
    # memory: 100Mi
    # Define the min allowed resources for the pod
    minAllowed: { }
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: { }
    # updateMode: "Auto"
  strategy:
    rollingUpdate:
      maxSurge: 30%
      maxUnavailable: 30%
  # -- Labels to add to the pod container metadata
  podLabels: { }
  #  key: value
  annotations: {}
  podAnnotations: {}
  ## Sensitive environment variables that will be rendered as a new Secret object
  ## This can be useful for auth tokens, etc
  ## NOTE(review): values entered here sit in plain text in the values file; keep that file out of
  ## version control, or reference an existing Secret through existingEnvSecret instead.
  extraEnvSecrets: { }
  # When it's set, the secret environment variables above (extraEnvSecrets) are ignored
  # NOTE(review): presumably the name of an existing Secret to use instead - confirm.
  existingEnvSecret: ""
  # -- Environment variables to pass to the runtime
  # This is a YAML flow mapping: when uncommenting entries, write each one as `KEY: "VALUE"`
  # (with a space after the colon) and separate multiple entries with commas.
  extraEnv: {
    # Add support to UUID asset attribute. For hybrid user to change in production
    # RUNTIME_SUPPORT_UUID_ASSET_ATTRIBUTE: "true"

    # Add support to UUID identity attribute. For hybrid user to change in production
    # RUNTIME_SUPPORT_UUID_IDENTITY_ATTRIBUTE: "true"

    # Refresh JWKS time. For hybrid user to change in production
    # REFRESH_JWKS: "3600000"

    # to enable including ip from header in scope cache calculation
    # NOTE(review): an IP taken from a request header is client-supplied unless a trusted proxy
    # sets it; confirm which header is used before relying on it in the cache key.
    # RUNTIME_INCLUDE_IP_HEADER_IN_SCOPE_CACHE_KEY: "true"

    # to enable including current time in scope cache calculation
    # RUNTIME_INCLUDE_REQUEST_TIME_IN_SCOPE_CACHE_KEY: "true"

    # to ignore nested queries in entity template
    # RUNTIME_OVERRIDE_ENTITY_NESTED_QUERIES: "[]"

    # to ignore nested queries in asset template
    # RUNTIME_OVERRIDE_ASSET_NESTED_QUERIES: "[]"

    # to determine default to skipUnneededOrUnavailableIdentitySources request flag
    # RUNTIME_DEFAULT_SKIP_UNNEEDED_OR_UNAVAILABLE_IDENTITY_SOURCES: "true"


    # to configure asset provider jdbc pool parameters
    # ASSET_EXTERNAL_PROVIDER_HAS_QUERY_TIMEOUT: "true"
    # ASSET_EXTERNAL_PROVIDER_VALIDATION_QUERY: "select 1"
    # ASSET_EXTERNAL_PROVIDER_MAX_POOL_SIZE: "20"
    # ASSET_EXTERNAL_PROVIDER_MIN_POOL_SIZE: "5"
    # ASSET_EXTERNAL_PROVIDER_INITIAL_POOL_SIZE: "5"
    # ASSET_EXTERNAL_PROVIDER_CHECKOUT_TIMEOUT: "10000"
    # ASSET_EXTERNAL_PROVIDER_QUERY_TIMOUT_IN_SEC: "25"
    # ASSET_EXTERNAL_PROVIDER_ACQUIRE_RETRY_ATTEMPTS: "1"
    # ASSET_EXTERNAL_PROVIDER_ACQUIRE_RETRY_DELAY: "1"
    # ASSET_EXTERNAL_PROVIDER_ACQUIRE_INCREMENT: "1"
    # ASSET_EXTERNAL_PROVIDER_MAX_STATEMENTS: "20"
    # ASSET_EXTERNAL_PROVIDER_MAX_IDLE_TIME: "60"
    # ASSET_EXTERNAL_PROVIDER_IDLE_CONNECTION_TEST_PERIOD: "60"
    # ASSET_EXTERNAL_PROVIDER_TEST_CONNECTION_ON_CHECKIN: "true"
    # ASSET_EXTERNAL_PROVIDER_TEST_CONNECTION_ON_CHECKOUT: "false"

    # to configure entity provider jdbc pool parameters
    # ENTITY_EXTERNAL_PROVIDER_HAS_QUERY_TIMEOUT: "true"
    # ENTITY_EXTERNAL_PROVIDER_VALIDATION_QUERY: "select 1"
    # ENTITY_EXTERNAL_PROVIDER_MAX_POOL_SIZE: "20"
    # ENTITY_EXTERNAL_PROVIDER_MIN_POOL_SIZE: "5"
    # ENTITY_EXTERNAL_PROVIDER_INITIAL_POOL_SIZE: "5"
    # ENTITY_EXTERNAL_PROVIDER_CHECKOUT_TIMEOUT: "10000"
    # ENTITY_EXTERNAL_PROVIDER_QUERY_TIMOUT_IN_SEC: "25"
    # ENTITY_EXTERNAL_PROVIDER_ACQUIRE_RETRY_ATTEMPTS: "1"
    # ENTITY_EXTERNAL_PROVIDER_ACQUIRE_RETRY_DELAY: "1"
    # ENTITY_EXTERNAL_PROVIDER_ACQUIRE_INCREMENT: "1"
    # ENTITY_EXTERNAL_PROVIDER_MAX_STATEMENTS: "20"
    # ENTITY_EXTERNAL_PROVIDER_MAX_IDLE_TIME: "60"
    # ENTITY_EXTERNAL_PROVIDER_IDLE_CONNECTION_TEST_PERIOD: "60"
    # ENTITY_EXTERNAL_PROVIDER_TEST_CONNECTION_ON_CHECKIN: "true"
    # ENTITY_EXTERNAL_PROVIDER_TEST_CONNECTION_ON_CHECKOUT: "false"

    # to configure refresh interval parameters
    # REFRESH_ASSET_TEMPLATES: "60000"
    # REFRESH_IDENTITY_TEMPLATES: "60000"
    # REFRESH_POLICIES: "600000"
    # REFRESH_API_MAPPERS: "60000"
    # REFRESH_DATA_MAPPERS: "60000"
    # REFRESH_SCOPE_JWKS_URLS: "60000"
    # RUNTIME_REFRESH_SNAPSHOT: "30000"



  }
  #  KEY: "VALUE"
  # -- PlainID runtime log format: supports `text` only
  logFormat: text
  # -- Set the logging level. (One of: `debug`, `info`, `warn`, `error`)
  logLevel: info
  terminationGracePeriodSeconds: 15
  # NOTE(review): presumably enables a JVM remote-debug (JDWP) listener on `port` - confirm against
  # the chart templates. JDWP has no authentication and a connected client can run code inside
  # the JVM, so keep this disabled outside short troubleshooting sessions and never expose the
  # port beyond the pod.
  debug:
    enabled: false
    port: 5005
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  # No lifecycle hooks by default; the commented example is a preStop hook that sleeps 10 seconds.
  lifecycle: {}
  #  preStop:
  #    exec:
  #      command: ["/bin/sh", "-c", "sleep 10"]
  ## Configure extra options for probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  # NOTE(review): the numeric probe settings are quoted strings; presumably the templates render
  # them unquoted - confirm before changing the type.
  livenessProbe:
    enabled: true
    initialDelaySeconds: "300"
    periodSeconds: "15"
    timeoutSeconds: "8"
    failureThreshold: "12"
    successThreshold: "1"
  readinessProbe:
    enabled: true
    initialDelaySeconds: "20"
    periodSeconds: "4"
    timeoutSeconds: "3"
    failureThreshold: "5"
    successThreshold: "1"
  # The startup probe is disabled by default.
  startupProbe:
    enabled: false
    initialDelaySeconds: "30"
    periodSeconds: "5"
    timeoutSeconds: "2"
    failureThreshold: "300"
    successThreshold: "1"
  # Service for the runtime. ClusterIP keeps it reachable only from inside the cluster.
  service:
    type: ClusterIP
    port: 80
    # Left empty (parses as null). NOTE(review): presumably only used when type is NodePort - confirm.
    nodePort:
    annotations: {}
  metrics:
    enabled: false
    port: 8081
    serviceMonitor:
      # When set true then use a ServiceMonitor to configure scraping
      enabled: false
      path: /prometheus/metrics
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    # Example annotations for annotation-based Prometheus scraping.
    # NOTE(review): the example path is /actuator/prometheus while serviceMonitor.path above is
    # /prometheus/metrics - confirm which path the runtime serves.
    annotations: { }
    #  prometheus.io/port: '8081'
    #  prometheus.io/scrape: 'true'
    #  prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # If the value is a string then it is evaluated as a template.
  initContainers:
  #    - name: wait-for
  #      image: plainid/wait-for:0.0.9
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          /wait-for plainid-paa-redis-master:6379 --timeout=600
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ## The ingress is disabled by default and `tls` is an empty list.
  ## NOTE(review): enabling it without filling in `tls` presumably publishes the
  ## endpoint over plain HTTP - confirm in the templates. Authorization requests
  ## and decisions would then cross the network unencrypted, so set `tls`
  ## (secretName + hosts) together with `enabled: true`.
  ingress:
    enabled: false
    #  ingressClassName: nginx
    annotations: { }
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      # Placeholder host name; replace it before enabling the ingress.
      - host: chart-example.local
        paths: ["/"]
    tls: [ ]
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  podDisruptionBudget:
    # -- Labels to be added
    labels: {}
    # -- Annotations to be added
    annotations: {}

    # -- Deploy a Poddisruptionbudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  forceRedeploy: false
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  affinity: {}
  nodeSelector: {}
  # JVM options are configuration parameters and settings that are used to control the behavior of the Java Virtual Machine (JVM). The JVM is the underlying engine that executes Java bytecode, and these options allow you to fine-tune various aspects of its performance, behavior, and debugging capabilities.
  jvmOpts: "-Xms2g -Xmx2g"
  # Example
  # -- `-XX:InitialRAMPercentage=70.0`: This option sets the initial size of the heap as a percentage of the total RAM available to the system. In this case, it is set to 70%, meaning that the heap will be initialized to occupy 70% of the system's available RAM.
  # -- `-XX:MaxRAMPercentage=70.0`: This option sets the maximum heap size as a percentage of the total RAM available to the system. Again, it is set to 70%, meaning that the maximum heap size will be limited to 70% of the available RAM. The JVM will not allocate more heap space than this, even if there is more free memory available on the system.
  # -- `-XX:+ExitOnOutOfMemoryError`: This option tells the JVM to exit immediately if it encounters an out-of-memory error (`OutOfMemoryError`). By default, the JVM may simply throw an `OutOfMemoryError` and continue to run, but with this option enabled, it will shut down. This can be useful in environments where automatic recovery is set up, and you want the system to restart the JVM if it runs out of memory.
  #jvmOpts: "-XX:InitialRAMPercentage=70.0 -XX:MaxRAMPercentage=70.0 -XX:+ExitOnOutOfMemoryError"
  # Audit runtime calls to syslog
  # ref: https://en.wikipedia.org/wiki/Syslog
  # ref: https://docs.plainid.io/v1/docs/en/authorization-audit-configuration
  # Only UDP is listed as supported below. Syslog over UDP is sent in clear text,
  # is not authenticated and has no delivery guarantee, so audit records can be
  # read, forged or silently lost on the way to the collector. Keep the collector
  # on a trusted network segment, or send to a local forwarder that relays the
  # records over TLS.
  syslog:
    enabled: false
    # Collector address and port; both are empty until audit forwarding is configured.
    host: ""
    port: ""
    # Supported protocols: UDP
    protocol: "UDP"

# Redis parameters
# Connection settings for a Redis server that is not deployed by this chart.
externalRedis:
  # -- External Redis server host
  host: ""
  # -- External Redis user
  # Optional - only if used with Redis ACL
  username: ""
  # -- External Redis password
  # A password set here is stored in the values file and in the Helm release
  # data; prefer `existingSecret` below so the credential lives only in a
  # Kubernetes Secret.
  password: ""
  # -- External Redis server port
  port: 6379
  # -- The name of an existing secret with Redis credentials (must contain key `redis-password`).
  # When it's set, the `externalRedis.password` parameter is ignored
  existingSecret: ""
  # NOTE(review): presumably switches the Redis connection to TLS - confirm in the
  # chart templates. With `false` the password and the cached data travel
  # unencrypted, so set it to `true` whenever Redis is reached over a network
  # that is not fully under your control.
  tls: false

# This key configures Redis-HA subchart and when enabled (redis-ha.enabled=true)
# the custom redis deployment is omitted
# Check the redis-ha chart for more properties
redis-ha:
  # -- Enables the Redis HA subchart
  enabled: false
  # Password authentication is switched on; the password itself is `redisPassword` below.
  auth: true
  image:
    repository: docker.io/redis
    tag: 7.4.2-alpine
  # "abcd1234" is a sample value published with this documentation, so it gives
  # no protection if it reaches a real deployment. Override it in
  # values-custom.yaml before enabling redis-ha.
  # NOTE(review): the redis-ha chart may also accept a reference to an existing
  # Secret instead of an inline password - check that chart's documentation.
  redisPassword: "abcd1234"
  replicas: 3
  persistentVolume:
    # -- Configures persistency on Redis nodes
    enabled: false
  hardAntiAffinity: false
  haproxy:
    # -- Enabled HAProxy LoadBalancing/Proxy
    enabled: true
    replicas: 2
    hardAntiAffinity: false
    image:
      tag: 2.6.21-alpine
    # Prevent sockets closing
    # Ref: https://www.papertrail.com/solution/tips/haproxy-logging-how-to-tune-timeouts-for-performance/
    # NOTE(review): 0 presumably means "no timeout", so idle connections are kept
    # open indefinitely; limit who can reach the proxy (e.g. NetworkPolicy) so
    # that idle clients cannot exhaust its connection slots.
    timeout:
      server: 0
      client: 0
  configmapTest:
    image:
      repository: koalaman/shellcheck
      tag: v0.10.0
  exporter:
    image: oliver006/redis_exporter
    tag: v1.61.0
  sysctlImage:
    tag: 1-musl
  redis:
    # Empty list: no Redis commands are disabled. The commented entries below
    # show destructive commands that can be listed here.
    disableCommands: []
  #    - FLUSHDB
  #    - FLUSHALL

# Bundled Redis subchart (enabled by default, single standalone instance).
redis:
  # -- Enables the Redis subchart
  enabled: true
  architecture: standalone
  auth:
    # "abcd1234" is a sample value published with this documentation, so it gives
    # no protection if it reaches a real deployment. Override it in
    # values-custom.yaml. The same value is repeated in master.args below
    # (--requirepass / --masterauth); all three must be changed together.
    password: "abcd1234"
  # Below configurations are for using official docker of redis
  # If you want to use the bitnami flavour of redis, you can comment out below configurations
  image:
    repository: redis
    tag: 7.4.2-alpine
  master:
    # Both probes run `redis-cli ping` inside the container.
    customLivenessProbe:
      initialDelaySeconds: 20
      periodSeconds: 4
      timeoutSeconds: 3
      successThreshold: 1
      failureThreshold: 5
      exec:
        command:
          - redis-cli
          - ping
    customReadinessProbe:
      initialDelaySeconds: 10
      periodSeconds: 4
      timeoutSeconds: 3
      successThreshold: 1
      failureThreshold: 3
      exec:
        command:
          - redis-cli
          - ping
    command:
      - redis-server
    # The password is passed on the redis-server command line here. Container
    # args are part of the pod spec, so anyone allowed to read pods or the
    # workload object in the namespace can read the password, and it is also
    # visible in the container's process list. Keep RBAC read access to this
    # namespace narrow, and keep the value in sync with auth.password above.
    args:
      - "--maxmemory-policy volatile-lru"
      - "--maxmemory 2000mb"
      - "--save 60 1"
      - "--loglevel warning"
      - "--port 6379"
      - "--notify-keyspace-events KA"
      - "--requirepass abcd1234"
      - "--masterauth abcd1234"
    # Empty list: no Redis commands are disabled. The commented entries below
    # show destructive commands that can be listed here.
    disableCommands: []
  #    - FLUSHDB
  #    - FLUSHALL
  metrics:
    image:
      tag: 1.62.0-debian-12-r3
  sentinel:
    image:
      tag: 7.4.2-debian-12-r2
  volumePermissions:
    image:
      tag: 12-debian-12-r27

secretsMgmt:
  enabled: false
  image:
    repository: plainid/secrets-mgmt
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: Always
    tag: "5.2514.0"
  name: secrets-mgmt
  forceRedeploy: false
  terminationGracePeriodSeconds: 15
  replicaCount: 1
  # If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  serviceAccount:
    annotations: {}
  # -- Labels to add to the pod container metadata
  podLabels: {}
  #  key: value
  annotations: {}
  podAnnotations: {}
  autoscaling:
    enabled: false
    minReplicas: 3
    maxReplicas: 6
    targetCPUUtilizationPercentage: 2000
    targetMemoryUtilizationPercentage: 160
    annotations: {}
    behavior: {}
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #  policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
      #   policies:
    #   - type: Pods
    #     value: 2
    #     periodSeconds: 60
  autoscalingTemplate: []
  # Custom or additional autoscaling metrics
  # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
  # - type: Pods
  #   pods:
  #     metric:
  #       name: nginx_ingress_controller_nginx_process_requests_total
  #     target:
  #       type: AverageValue
  #       averageValue: 10000m
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  verticalPodAutoscaler:
    enabled: false
    # Defaults to chart name
    containerName: ""
    # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: [ ]

    # Define the max allowed resources for the pod
    maxAllowed: { }
    # cpu: 200m
    # memory: 100Mi
    # Define the min allowed resources for the pod
    minAllowed: { }
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: { }
    # updateMode: "Auto"
  strategy: # For deployment
    rollingUpdate:
      maxSurge: 30%
      maxUnavailable: 30%
  podDisruptionBudget:
    # -- Labels to be added
    labels: { }
    # -- Annotations to be added
    annotations: { }

    # -- Deploy a Poddisruptionbudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 60
    periodSeconds: 7
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 6
    httpGet:
      path: /health/liveness
      port: 8081
  readinessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 3
    timeoutSeconds: 2
    successThreshold: 1
    failureThreshold: 3
    httpGet:
      path: /health/readiness
      port: 8081
  startupProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 5
    timeoutSeconds: 3
    successThreshold: 1
    failureThreshold: 180
    httpGet:
      path: /health/liveness
      port: 8081
  service:
    enabled: true
    type: ClusterIP
    name: http
    port: 8080
    nodePort:
    annotations: {}
    management:
      name: http-management
      port: 8081
  debug:
    enabled: false
    port: 5005
  ## Sensitive environment variables that will be rendered as a new Secret object.
  ## This can be useful for auth tokens, etc.
  ## Values entered here are still stored in the values file and in the Helm
  ## release data; use existingEnvSecret below to keep them out of both.
  extraEnvSecrets: {}
  # Allows you to add any secret files to /app/conf
  # such as key.json etc..
  # -- Environment variables to pass to the agent
  # NOTE(review): presumably rendered as plain environment variables in the pod
  # spec - confirm in the templates, and keep credentials out of this map.
  extraEnv: {}
  # When it is set, the secret environment variables above are ignored.
  # NOTE(review): presumably the name of an existing Secret that holds them - confirm.
  existingEnvSecret: ""
  resources: {}
#    requests:
#      memory: "100Mi"
#      cpu: "10m"
#    limits:
#      memory: "2000Mi"
#      cpu: "2000m"
  command: []
  plainIDConfigFileBasePath: "/app/config"
  # Allows you to add any config files to /app/config
  # Each key under plainIDConfig is a file name; config.yaml below is the
  # secrets-mgmt service configuration. ${NAME} / ${NAME:default} placeholders
  # are presumably resolved from environment variables at start-up - confirm.
  plainIDConfig:
    config.yaml:
      server:
        port: 8080
        # Which IP is allowed to make requests to secrets-mgmt
        # NOTE(review): the key name suggests a listen address rather than a client
        # allow-list - confirm. 0.0.0.0 would listen on every interface of the pod,
        # so restrict who can call secrets-mgmt with a NetworkPolicy and keep the
        # Service internal (service.type is ClusterIP by default).
        bindIp: 0.0.0.0
        name: secrets-mgmt
      management:
        port: ${MANAGEMENT_PORT}
      log:
        # NOTE(review): this service resolves secrets; check what debug/trace write
        # to the log before raising the level outside a test environment.
        level: "info" #debug,trace
        format: "json"
        logTo: "console" # rolling, file
      rabbitmq:
        enabled: false
      gin:
        mode: release  # debug, release
      infra:
        registry:
          warpUrl: ${AGENT_URL:} #"http://plainid-paa-agent:8080"
          k8service: ${SECRETS_MGMT_ADDRESS:} #"http://secrets-mgmt:"${server.port}
          updateInterval: 60
          firstTimeInterval: 3
        management:
          port: ${MANAGEMENT_PORT}
      # Secret Store configuration
      secretStore:
        # Default store: secrets read from a file under the config directory.
        # Base64 is an encoding, not encryption: whoever can read the file at
        # details.path can recover the secret, so provide the file from a
        # Kubernetes Secret and keep its permissions restrictive.
        - id: fileSecret
          type: File
          isDefault: true
          decoder: Base64
          details:
            path: /app/config/filename.txt
#        # Examples below for HashiCorp Vault and Environment Variables based Secret Stores
#        # NOTE(review): fileSecret above and the vault example both set
#        # isDefault: true; presumably only one store should be the default - confirm.
#        - id: vault
#          type: Vault
#          isDefault: true
#          decoder: None # Base64, None
#          details:
#            PathPrefix: prefix
#            defaultPath: vault_
#            # NOTE(review): skipVerify: true presumably turns off TLS certificate
#            # verification for the Vault connection - confirm. Use false and trust
#            # the Vault CA outside of lab setups; otherwise the identity of the
#            # server handing out secrets is never checked.
#            skipVerify: true
#            url: vault
#            timeout: 3s
#            enginePath: custom
#          # Authentication method should use either a Token or Kubernetes authentication method with vault
#          # The two auth blocks below are alternatives: uncomment only one. Two
#          # auth keys in the same mapping are duplicate keys, and most parsers
#          # silently keep the last one.
#          # An inline tokenValue is stored wherever this values file is stored;
#          # prefer tokenFileName or the Kubernetes method.
#          auth:
#            method: Token # Token, Kubernetes
#            tokenValue: token
#            tokenFileName: ${VAULT_TOKEN} # instead of token value
#          auth:
#            method: Kubernetes
#            path: /var/run/secrets/kubernetes.io/serviceaccount/token
#            role: secrets-mgmt
#        - id: ENV_VAR_SECRET
#          type: Environment
#          isDefault: false
#          decoder: Base64
#          details:
#            name: ENV_VAR_SECRET
  metrics:
    enabled: false
    port: 8081
    serviceMonitor:
      # When set true then use a ServiceMonitor to configure scraping
      enabled: false
      path: /health/metrics
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    annotations: {}
  #    prometheus.io/port: '9090'
  #    prometheus.io/scrape: 'true'
  #    prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # If the value is a string then it is evaluated as a template.
  initContainers:
  #    - name: wait-for
  #      image: plainid/wait-for:0.0.9
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          /wait-for plainid-paa-redis-master:6379 --timeout=600
  nodeSelector: {}
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  affinity: {}
  #    podAntiAffinity:
  #      requiredDuringSchedulingIgnoredDuringExecution:
  #        - labelSelector:
  #            matchExpressions:
  #              - key: app.kubernetes.io/component
  #                operator: In
  #                values:
  #                  - secrets-mgmt
  #          topologyKey: "kubernetes.io/hostname"
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  lifecycle: {}
  #  preStop:
  #    exec:
  #      command: ["/bin/sh", "-c", "sleep 10"]

idpWebhook:
  enabled: false
  image:
    repository: plainid/idp-webhook
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: Always
    tag: "5.2514.0"
  name: idp-webhook
  forceRedeploy: false
  terminationGracePeriodSeconds: 15
  replicaCount: 1
  # If serviceAccount.create is false, these values are used for existing external service account
  serviceAccountName: ""
  serviceAccount:
    annotations: {}
  # -- Labels to add to the pod container metadata
  podLabels: {}
  #  key: value
  annotations: {}
  podAnnotations: {}
  autoscaling:
    enabled: false
    minReplicas: 3
    maxReplicas: 6
    targetCPUUtilizationPercentage: 2000
    targetMemoryUtilizationPercentage: 160
    annotations: {}
    behavior: {}
      # scaleDown:
      #   stabilizationWindowSeconds: 300
      #  policies:
      #   - type: Pods
      #     value: 1
      #     periodSeconds: 180
      # scaleUp:
      #   stabilizationWindowSeconds: 300
    #   policies:
    #   - type: Pods
    #     value: 2
    #     periodSeconds: 60
  autoscalingTemplate: []
  # Custom or additional autoscaling metrics
  # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
  # - type: Pods
  #   pods:
  #     metric:
  #       name: nginx_ingress_controller_nginx_process_requests_total
  #     target:
  #       type: AverageValue
  #       averageValue: 10000m
  ## Configure PodDisruptionBudget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  #
  # Enable vertical pod autoscaler support
  # ref: https://github.com/kubernetes/autoscaler/blob/master/vertical-pod-autoscaler/FAQ.md
  verticalPodAutoscaler:
    enabled: false
    # Defaults to chart name
    containerName: ""
    # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
    controlledResources: [ ]

    # Define the max allowed resources for the pod
    maxAllowed: { }
    # cpu: 200m
    # memory: 100Mi
    # Define the min allowed resources for the pod
    minAllowed: { }
    # cpu: 200m
    # memory: 100Mi

    # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates
    # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
    updatePolicy: { }
    # updateMode: "Auto"
  strategy: # For deployment
    rollingUpdate:
      maxSurge: 30%
      maxUnavailable: 30%
  podDisruptionBudget:
    # -- Labels to be added
    labels: { }
    # -- Annotations to be added
    annotations: { }

    # -- Deploy a Poddisruptionbudget
    enabled: false
    # minAvailable: 1
    # maxUnavailable: 0
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 60
    periodSeconds: 7
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 6
    httpGet:
      path: /health/liveness
  readinessProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 3
    timeoutSeconds: 2
    successThreshold: 1
    failureThreshold: 3
    httpGet:
      path: /health/readiness
  startupProbe:
    enabled: true
    initialDelaySeconds: 20
    periodSeconds: 2
    timeoutSeconds: 2
    successThreshold: 1
    failureThreshold: 240
    httpGet:
      path: /health/liveness
  service:
    enabled: true
    type: ClusterIP
    name: http
    port: 8080
    nodePort:
    annotations: {}
    management:
      name: http-management
      port: 9090
  debug:
    enabled: false
    port: 5005
  ## Sensitive environment variables that will be rendered as a new Secret object.
  ## This can be useful for auth tokens, etc.
  ## The commented config.yaml example further down reads ${IDP_HOOK_AUTH_SECRET}
  ## and the *_CLIENT_SECRET variables; supply them here or through
  ## existingEnvSecret, not through extraEnv.
  extraEnvSecrets: {}
  # Allows you to add any secret files to /app/conf
  # such as key.json etc..
  # -- Environment variables to pass to the agent
  # NOTE(review): presumably rendered as plain environment variables in the pod
  # spec - confirm in the templates, and keep credentials out of this map.
  extraEnv: {}
  # When it is set, the secret environment variables above are ignored.
  # NOTE(review): presumably the name of an existing Secret that holds them - confirm.
  existingEnvSecret: ""
  resources: {}
  #    requests:
  #      memory: "100Mi"
  #      cpu: "10m"
  #    limits:
  #      memory: "2000Mi"
  #      cpu: "2000m"
  command: []
  plainIDConfigFileBasePath: "/app/config"
  # Allows you to add any config files to /app/config
  plainIDConfig: {}
  # Uncomment the following config.yaml section to enable and configure the IDP Web-Hook (Token Enrichment) functionality
  # When uncommenting, change `plainIDConfig: {}` above to `plainIDConfig:` so
  # that config.yaml becomes its child key.
#    config.yaml:
#      server:
#        name: idp-webhook
#        auth:
#          # NOTE(review): marked optional; without it the webhook endpoint
#          # presumably accepts calls without authentication - confirm. Set it
#          # whenever the endpoint is reachable from outside the namespace, for
#          # example through the ingress defined for this component.
#          secret: ${IDP_HOOK_AUTH_SECRET} # This secret will be used to allow the IDP to authenticate with the IDP Webhook endpoint (Optional)
#
#      http:
#        port: ${IDP_HOOK_HTTP_PORT:8080}
#
#      management:
#        port: ${MANAGEMENT_PORT:9090}
#        # if management endpoint path needs to be changed from the default /health:
#        # prefix: ${MANAGEMENT_PREFIX:/probes}
#
#      log:
#        # NOTE(review): the example falls back to debug when IDP_HOOK_LOG_LEVEL is
#        # unset. Token-enrichment logs at debug/trace may contain identity claims;
#        # check what is logged and use info in production.
#        level: ${IDP_HOOK_LOG_LEVEL:debug} # possible values: trace, debug, info, warn, warning, error, fatal, panic
#        format: ${IDP_HOOK_LOG_FORMAT:json} # possible values: json, text
#        logTo: ${IDP_HOOK_LOG_TO:console} # possible values: console, file, rolling
#        # filePath: ${IDP_HOOK_LOG_FILE_PATH:logs/webhook.log} # only relevant if logTo is file or rolling
#        # if logTo is rolling - use the following optional parameters to configure the rolling file appender
#        # maxSize: 2
#        # maxAge: 1
#        # maxBackups: 5
#        # compress: true
#        # localTime: false
#
#      runtime:
#        host: ${RUNTIME_ADDRESS:https://demo.plainid.cloud}
#        uri: /api/runtime/token/v3
#        timeout: 3s
#        # pattern for tenant-specific PDP Runtime URLs; {{tenant}} is a constant, where the tenant key from the request-host will be set
#        # The sample pattern uses http://; use https:// if this traffic leaves the cluster.
#        # tenantPattern: "http://{{tenant}}-runtime.runtime"
#
#      # The clientid defaults below are sample values; replace them with the IDs
#      # of your own scopes. clientsecret has no default, so the variable must be
#      # set - provide it from a Secret (extraEnvSecrets / existingEnvSecret).
#      apps:
#        Bank Portal:
#          clientid: ${BANK_PORTAL_SCOPE_CLIENT_ID:PPWZYCOMXGNTHMGO8CIT}
#          clientsecret: ${BANK_PORTAL_SCOPE_CLIENT_SECRET}
#          entitytype: User
#          tokentype: identity # possible values: identity, access
#          includeIdentity: true
#          userid: $.identity.claims.sub
#          claims:
#            plainid: $.response[*].access[?(@.resourceType == "assetExternal")].path
#            FirstName_identity: $.identity.attributes.first_name
#
#        Loan Approval:
#          clientid: ${LOAN_APPROVAL_SCOPE_CLIENT_ID:PXY8GCMDLPKSNAFDAA7A}
#          clientsecret: ${LOAN_APPROVAL_SCOPE_CLIENT_SECRET}
#          entitytype: Main
#          tokentype: identity # possible values: identity, access
#          userid: $.identity.claims.sub
#          claims:
#            plainid: $.response[*].access[?(@.resourceType == "portal-permissions")].path
#            FirstName_identity: $.identity.attributes.name
  metrics:
    enabled: false
    serviceMonitor:
      # When set true then use a ServiceMonitor to configure scraping
      enabled: false
      path: /health/metrics
      # Set the namespace the ServiceMonitor should be deployed
      # namespace: monitoring
      # Set how frequently Prometheus should scrape
      # interval: 30s
      # Set labels for the ServiceMonitor, use this to define your scrape label for Prometheus Operator
      # labels: {}
      # Set timeout for scrape
      # timeout: 10s
    annotations: {}
  #    prometheus.io/port: '9090'
  #    prometheus.io/scrape: 'true'
  #    prometheus.io/path: '/actuator/prometheus'
  # Init containers to add to deployment's pod spec. At least one plugin provider image is required.
  # If the value is a string then it is evaluated as a template.
  initContainers:
  #    - name: wait-for
  #      image: plainid/wait-for:0.0.9
  #      securityContext:
  #        runAsNonRoot: true
  #        runAsUser: 1000
  #        readOnlyRootFilesystem: true
  #      command:
  #        - /bin/sh
  #        - -c
  #        - |
  #          /wait-for plainid-paa-redis-master:6379 --timeout=600
  nodeSelector: {}
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  affinity: {}
  #    podAntiAffinity:
  #      requiredDuringSchedulingIgnoredDuringExecution:
  #        - labelSelector:
  #            matchExpressions:
  #              - key: app.kubernetes.io/component
  #                operator: In
  #                values:
  #                  - idp-webhook
  #          topologyKey: "kubernetes.io/hostname"
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  lifecycle: {}
  #  preStop:
  #    exec:
  #      command: ["/bin/sh", "-c", "sleep 10"]
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ## Ingress for the IDP webhook; disabled by default, with an empty `tls` list.
  ## NOTE(review): enabling it without `tls` presumably publishes the webhook over
  ## plain HTTP - confirm in the templates. The identity provider sends identity
  ## data and the webhook auth secret to this endpoint, so configure `tls`
  ## (secretName + hosts) together with `enabled: true`.
  ingress:
    enabled: false
    #  ingressClassName: nginx
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      # Placeholder host name; replace it before enabling the ingress.
      - host: chart-example.local
        paths: ["/"]
    tls: [ ]
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local

## extraManifests Array of extra objects to deploy with the release (evaluated as a template)
## Objects listed here are installed with the same privileges as the rest of the
## release, so review changes to this list as carefully as changes to the chart.
extraManifests: []

# NOTE(review): presumably turns off the chart's built-in checks of the supplied
# values - confirm in the templates. Leave it false so that a misconfiguration
# fails at install time rather than at runtime.
skipChartValidations: false