### Global configurations section ### --------------------------------------------- ## Please, note that this will override the parameters, including sub-charts, ## configured to use the global value over local values global: cloudbees: imageRegistry: imageTag: ## Enable `imagePullSecrets` if you are using a private registry. ## Secrets must be manually created or already exist in the namespace. ## `imagePullSecrets: ` imagePullSecrets: ### -------------------------------------------- ### Common images configurations section ### --------------------------------------------- images: ## Image registry to pull CloudBees CD/RO images from. ## Example: registry: "123456789012.dkr.ecr.us-east-1.amazonaws.com" registry: "docker.io/cloudbees" ## CloudBees CD/RO flow-server image tag to pull. tag: "2025.03.0.178767_3.2.154_20250318" ## The image pull policy to use. pullPolicy: IfNotPresent ## Enable `imagePullSecrets` if you are using a private registry. ## Secrets must be manually created or already exist in the namespace. ## `imagePullSecrets: ` imagePullSecrets: ## (OPTIONAL) Create an array of `imagePullSecrets` containing private registry credentials. ## when you have one or more secrets to use when pulling images. ## NOTE: Only one instance of `imagePullSecrets:` can be present. ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ # imagePullSecrets: # - name: "docker-registry" ## The name of the CloudBees CD/RO flow-server. ## Usually, a fully-qualified domain name, where the server ## is available for all agents (resources) and other components. ## By default, it is the internal cluster hostname for the K8S flow-server ## service. ## By default, the CloudBees CD/RO flow-server is not fully ## accessible to components outside the Kubernetes cluster. However, ## CloudBees CD/RO agents can also be installed in different namespaces ## and configured to communicate with the flow-server service across namespaces ## using their DNS name. For more information on connecting to agents in ## different namespaces, refer to: ## https://docs.cloudbees.com/docs/cloudbees-cd/latest/install-k8s/installation#_install_cloudbees_cdro_agents_in_different_namespaces serverName: flow-server ### -------------------------------------------- ### Ingress configuration section ### --------------------------------------------- ingress: ## Flag that dictates the ingress workload and its accompanying services are installed. enabled: true host: ## CloudBees CD/RO flow-web ingress annotations. ## Nginx is used, but any ingress that supports ## sticky sessions will suffice. annotations: nginx.ingress.kubernetes.io/affinity: "cookie" nginx.ingress.kubernetes.io/affinity-mode: "persistent" nginx.ingress.kubernetes.io/session-cookie-name: "route" nginx.ingress.kubernetes.io/session-cookie-hash: "sha1" nginx.ingress.kubernetes.io/proxy-body-size: "10G" nginx.ingress.kubernetes.io/secure-backends: "false" nginx.ingress.kubernetes.io/proxy-read-timeout: "4000" nginx.ingress.kubernetes.io/proxy-stream-timeout: "4000" ## If you are using EKS with ALB, enable the follow annotations: # alb.ingress.kubernetes.io/scheme: internet-facing # alb.ingress.kubernetes.io/certificate-arn: "" ## Set to the same value as `ingress-nginx.controller.ingressClassResource.name` if enabled. class: flow-ingress ## If using EKS and need to deploy ALB load balancer with alb controller enabled, set to `alb`. # class: alb ## Certificate for CloudBees flow-web ingress. ## You can also set using `helm install --set-file`. # ingress.certificate.key=path/to/key` `--set-file # ingress.certificate.crt=path/to/certificate` ## Example structure to configure an ingress certificate for TLS. certificate: existingSecret: key: crt: ## Create an OpenShift route rather than a generic ingress. route: false ## Enables platform-specific settings. ## Platform-specific values are: `eks`, `aws`, `gke`, `aks`, `openshift` ## NOTE: `openshift` maps to OpenShift 4.x. platform: standard ### -------------------------------------------- ### Flow server configuration section ### --------------------------------------------- server: ## Flag that dictates the cbflow-server workload and its accompanying services are installed. enabled: true ## The `imageRepository` in the `images.registry` to pull component image from. imageRepository: cbflow-server ## Number of replicas of this component to create. replicas: 1 ## `expose: true` allows cbflow-server service ingress ports `8443` and `61613` ## to be accessed from outside the cluster. expose: true ## The default loglevel for cbflow-server. logLevel: DEBUG zk: host: zookeeper port: 2181 ## Interpreted as if passed to the CloudBees ecconfigure utility within the container. ecconfigure: "--serverInitMemoryMB=4096 --serverMaxMemoryMB=4096" ## Specify the resources to request for this component. resources: limits: cpu: 4 memory: 6Gi requests: cpu: 2 memory: 6Gi nodeSelector: {} tolerations: [] affinity: {} ## Kubernetes Liveness Probes: livenessProbe: initialDelaySeconds: 90 periodSeconds: 60 failureThreshold: 10 timeoutSeconds: 10 ## Kubernetes Readiness Probes: readinessProbe: initialDelaySeconds: 60 periodSeconds: 10 failureThreshold: 10 timeoutSeconds: 10 ## Specify additional volumes to mount in the cbflow-server container. additionalVolumes: [] ## Specify where your additional volumes are mounted in the cbflow-server container. additionalVolumeMounts: [] ## Specify additional containers to mount for cbflow-server. additionalContainers: # - name: container-name # image: image-version # command: # - "/container-command" ## Specify any additional environment variables to set for cbflow-server. extraEnvs: [] # extraEnvs: # - name: FOO # value: "BAR" # - name: FOO # valueFrom: # secretKeyRef: # key: FOO # name: secret-resource ## Enable or disable sending telemetry data to CloudBees. ## NOTE: This option only works for the initial installation of the cbflow-server. ## If your server is already initialized, you can configure this setting in the *Server Setting*. telemetryData: enabled: true ## Requires `server.expose.enable: true` and ports `8443` and `61613` to be open and externally exposed. ## Creates extra Kubernetes service with type LoadBalancer. externalService: enabled: false ## server LoadBalancer service annotations for ## creating internal LoadBalancer on GCP or AWS. annotations: # networking.gke.io/load-balancer-type: "Internal" # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0" ## Enable or disable creating init container for volume permissions for cbflow-server. volumesPermissionsInitContainer: enabled: true ## Horizontal Pod Autoscaling configuration for cbflow-server. ## This is only supported when `clusteredMode:true`. autoscaling: enabled: false minReplicas: 1 maxReplicas: 3 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: 80 templates: [] ## Specify custom or additional autoscaling metrics. ## Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics # - type: Pods # pods: # metric: # name: server_process_requests_total # target: # type: AverageValue # averageValue: 10000m ## Custom labels for CD/RO flow-server pods customLabels: {} jobInit: annotations: "helm.sh/hook": "post-install,post-upgrade" "helm.sh/hook-weight": "1" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation nodeSelector: {} tolerations: [] affinity: {} ## Specify the resources to request for this component. resources: limits: cpu: 4 memory: 6Gi requests: cpu: 2 memory: 6Gi ## Kubernetes Liveness Probes: livenessProbe: initialDelaySeconds: 60 periodSeconds: 60 timeoutSeconds: 10 ## Custom labels for CD/RO job-init pods customLabels: {} ### -------------------------------------------- ### Flow web server configuration section ### --------------------------------------------- web: ## Flag that dictates the cbflow-web workload and its accompanying services are installed. enabled: true ## The `imageRepository` in the `images.registry` to pull component image from. imageRepository: cbflow-web ## Number of replicas of this component to create. replicas: 1 service: type: ClusterIP ## Interpreted as if passed to the CloudBees ecconfigure utility within the container. ecconfigure: "" ## Specify the resources to request for this component. resources: limits: cpu: 1 memory: 512Mi requests: cpu: 0.25 memory: 256Mi nodeSelector: {} tolerations: [] affinity: {} ## Additional environment variables to set for cbflow-web. extraEnvs: [] # extraEnvs: # - name: FOO # value: "BAR" # - name: FOO # valueFrom: # secretKeyRef: # key: FOO # name: secret-resource ## Enable shared plugin volume mount (PVC) on flow-web pods. ## Mounts empty dir instead if `sharedPluginsEnabled` is false. sharedPluginsEnabled: true ## Specify additional volumes to mount in the cbflow-web container. additionalVolumes: [] ## Specify where your additional volumes are mounted in the cbflow-web container. additionalVolumeMounts: [] ## Specify additional containers to mount for cbflow-web. additionalContainers: # - name: container-name # image: image-version # command: # - "/container-command" ## Kubernetes Liveness Probes: livenessProbe: initialDelaySeconds: 10 periodSeconds: 60 timeoutSeconds: 10 failureThreshold: 3 ## Kubernetes Readiness Probes: readinessProbe: initialDelaySeconds: 10 periodSeconds: 5 timeoutSeconds: 10 failureThreshold: 3 ## Horizontal Pod Autoscaling configuration for cbflow-web. ## This is only supported when `clusteredMode: true`. autoscaling: enabled: false minReplicas: 1 maxReplicas: 3 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: 80 templates: [] ## Specify custom or additional autoscaling metrics. ## Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics # - type: Pods # pods: # metric: # name: server_process_requests_total # target: # type: AverageValue # averageValue: 10000m ## Custom labels for CD/RO web pods customLabels: {} ### -------------------------------------------- ### Flow repository configuration section ### --------------------------------------------- repository: ## Flag that dictates the cbflow-repository workload and its accompanying services are installed. enabled: true ## The `imageRepository` in the `images.registry` to pull component image from. imageRepository: cbflow-repository ## Number of replicas of this component to create. replicas: 1 ## `expose: true` allows cbflow-repository service ingress port `8200` ## to be accessed from outside the cluster. expose: true ## The zone (must exist in the flow-server instance) assigned ## to the repository instance created in the flow-server to represent this ## repository instance. zoneName: ## The endpoint for the cbflow-repository service. ## ## If `cbflow-server.enabled:true` this setting is OPTIONAL, and ## the service name is automatically determined based on `.serverName` value. ## ## If `cbflow-server.enabled:false` and the cbflow-repository should be connected to ## a cbflow-server outside of this deployment, `serviceEndpoint` is *REQUIRED.* ## ## Usual helm templates may be used for `serviceEndpoint`. serviceEndpoint: ## The default loglevel for cbflow-repository. logLevel: DEBUG ## Interpreted as if passed to the CloudBees ecconfigure utility within the container. ecconfigure: "--repositoryInitMemoryMB=512 --repositoryMaxMemoryMB=1024" ## Specify the resources to request for this component. resources: requests: cpu: 0.25 memory: 1024Mi limits: cpu: 0.25 memory: 2048Mi nodeSelector: {} tolerations: [] affinity: {} ## Additional environment variables to set for cbflow-repository. extraEnvs: [] # extraEnvs: # - name: FOO # value: "BAR" # - name: FOO # valueFrom: # secretKeyRef: # key: FOO # name: secret-resource ## Requires `repository.expose.enable: true` and port `8200` to be open and externally exposed. ## Creates extra Kubernetes service with type LoadBalancer. externalService: enabled: false ## repository LoadBalancer service annotations for ## creating internal LoadBalancer on GCP or AWS. annotations: # networking.gke.io/load-balancer-type: "Internal" # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0" ## Enable or disable creating init container for volume permissions for cbflow-repository. volumesPermissionsInitContainer: enabled: true ## Specify additional volumes to mount in the cbflow-repository container. additionalVolumes: [] ## Specify where your additional volumes are mounted in the cbflow-repository container. additionalVolumeMounts: [] ## Specify additional containers to mount for cbflow-repository. additionalContainers: # - name: container-name # image: image-version # command: # - "/container-command" ## Kubernetes Liveness Probes: livenessProbe: initialDelaySeconds: 120 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 3 ## Kubernetes Readiness Probes: readinessProbe: initialDelaySeconds: 120 periodSeconds: 5 timeoutSeconds: 5 failureThreshold: 3 ## Horizontal Pod Autoscaling configuration for cbflow-repository. ## This is only supported when `clusteredMode: true`. autoscaling: enabled: false minReplicas: 1 maxReplicas: 3 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: 80 templates: [] ## Specify custom or additional autoscaling metrics. ## Ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics # - type: Pods # pods: # metric: # name: server_process_requests_total # target: # type: AverageValue # averageValue: 10000m ## Custom labels for CD/RO repository pods customLabels: {} ### -------------------------------------------- ### Analytics server configuration section ### --------------------------------------------- analytics: ## Flag that dictates the cbflow-analytics workload and its accompanying services are installed. enabled: true ## The `imageRepository` in the `images.registry` to pull component image from. imageRepository: cbflow-analytics ## Number of replicas of this component to create. replicas: 1 ## `expose: true` allows cbflow-analytics service ingress port `9201` ## to be accessed from outside the cluster. expose: true ## The service endpoint configured on the remote CloudBees CD/RO server. ## It is assumed the remote CloudBees CD/RO server is located in the same ## Kubernetes cluster. serviceEndpoint: "flow-analytics.{{ .Release.Namespace }}" ## The name of the Analytic's cluster. clusterName: ## The number of primary shards that an index should have. numberOfShards: ## Analytics server credentials ## Specify either: ## * The secret where the report user password and the admin user ## password will be stored (Recommended for production). ## or ## * The reportUserPassword and adminPassword values. ## ## When using the secret: ## * Store the `reportUser` password under the `CBF_ANALYTICS_PASSWORD` key. ## * Store the `adminPassword` under the `CBF_ANALYTICS_ADMIN_PASSWORD` key. ## ## ## IMPORTANT: If the `adminPassword` is left empty, *no admin user is created*, ## and administrative access is *not* granted to any user. credentials: existingSecret: adminPassword: ## If `reportUserPassword` is an empty string, a random 20 characters password is generated. reportUserPassword: ## The heap size in MB for server service. heapSize: 1024 ## Specify the resources to request for this component. resources: limits: cpu: 1 memory: 2Gi requests: cpu: 0.1 memory: 1536Mi nodeSelector: {} tolerations: [] affinity: {} ## Adds an OpenShift node tuning label to analytics pods, which adjusts ## the required value of 'vm.max_map_count'. ## For more information, refer to: ## https://developers.redhat.com/blog/2019/11/12/using-the-red-hat-openshift-tuned-operator-for-elasticsearch/ openshiftNodeTuning: false ## Additional environment variables to set for cbflow-analytics. extraEnvs: [] # extraEnvs: # - name: FOO # value: "BAR" # - name: FOO # valueFrom: # secretKeyRef: # key: FOO # name: secret-resource ## Kubernetes Liveness Probes: livenessProbe: initialDelaySeconds: 60 periodSeconds: 20 failureThreshold: 3 timeoutSeconds: 10 ## Kubernetes Readiness Probes: readinessProbe: initialDelaySeconds: 60 periodSeconds: 5 failureThreshold: 3 timeoutSeconds: 10 ## Enable or disable a *privileged* `sysctlInitContainer` if ## the sysctl `vm.max_map_count setting` is set by another method. sysctlInitContainer: enabled: true ## The `sysctlInitContainer.imageRepository` sysctlInitContainer image repository. imageRepository: busybox ## The `sysctlInitContainer.imageTag` sysctlInitContainer image tag . imageTag: stable ## Enable or disable creating an init container for cbflow-analytics volume permissions. volumesPermissionsInitContainer: enabled: true ## Enable or disable registering the analytics server on CD/RO using `setAnalyticsServerConfiguration`. ## Set `analytics.autoRegister: false` to prevent the analytics server configuration from being created or updated. ## If the analytics server configuration already exists in your deployment, setting this value to `false` has no effect. autoRegister: true ## Enable or disable creating a backup of cbflow-analytics data. backup: ## NOTE: If you change `analytics.backup.enabled` for an existing installation, ## you must delete the statefulset for the installation prior to upgrading. ## To do so, you can use `kubectl delete statefulset flow-analytics`. enabled: false schedule_cron: "0 */12 * * *" retentionDays: 15 location: "/os-backups" ## The `imageRepository` in the `images.registry` to pull component image from. imageRepository: cbflow-tools cleanupImageRepository: "python" cleanupImageTag: "3.7.7" restoreSnapshot: false restoreSnapshotName: externalRepo: ## Enable if you are backing up in Amazon S3 or GCS. enabled: false ## Type can be Amazon S3 or GCS. type: s3 # Name of bucket in Amazon S3 or GCS bucketName: # base path for backups in Bucket basePath: "os-backups" ## Use GKE Workload Identity with Kubernetes service account to impersonate a Google Cloud ## Use The AWS IAM roles for service accounts to impersonate access to a S3 ## Enable serviceAccountsIdentity or provide IAM or GCS credentials below serviceAccountsIdentity: false ## For `existingSecret`, either: ## * Specify where the AWS or GCS credentials are stored. ## or ## * Provide the secret in the values file. ## ## For AWS S3: ## Create a secret for AWS S3 with permission to read/write ## to the bucket policy with keys `AWS_ACCESS_KEY` and `AWS_SECRET_KEY`. ## Example: ## `kubectl create secret generic s3awssecret --from-literal=AWS_ACCESS_KEY="XXXXX" --from-literal=AWS_SECRET_KEY="XXXXX"` ## ## For GCS: ## Create a secret for GCS with permission to read/write ## to the bucket policy using `KEY GCS_SA_KEY` referencing ## the file with the service account key. ## Example: ## `kubectl create secret generic gcssasecret --from-file=GCS_SA_KEY=/tmp/gke-credentials.json` existingSecret: secret: ## Provide *only* if type is AWS S3. awsAccessKey: awsSecretKey: ## Provide *only* if type is GCS. gcsSaKey: ## Region of the AWS S3 or GCS bucket. Example: us-east-1 region: ## Custom Pip config file configuration to install pip packages using private PyPi repo pipConfig: {} ## pip.conf: | ## [global] ## index-url = http:// ## trusted-host = ## Requires `analytics.expose.enable: true` and port `9201` to be open and externally exposed. ## Creates extra Kubernetes service with type LoadBalancer. externalService: enabled: false ## cbflow-analytics LoadBalancer service annotations for ## creating internal LoadBalancer on GCP or AWS. annotations: # networking.gke.io/load-balancer-type: "Internal" # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0" ## For `analytics.certificates`, you must provide either: ## * The certificates for ca, sign, node, admin, ## and bundle in the fields below. ## or ## * A `analytics.certificates.existingSecret` that references ## where the ca, sign, node, admin, and bundle are stored. ## IMPORTANT: ## If you have cbflow-analytics replicas, you must define one of ## the following supported certificate options: ## * Define certificates.bundle. ## * Define certificates.ca.crt and certificates.ca.key. ## * Define certificates.ca.crt and certificates.sign.crt, and certificates.sign.key. ## * Define certificates.ca.crt, certificates.sign.crt, certificates.node.crt, certificates.node.key, ## certificates.admin.crt, and certificates.admin.key. ## For more information, refer to: ## https://docs.cloudbees.com/docs/cloudbees-cd/latest/install-k8s/installation#_configure_cloudbees_analytics_server_certificates ## cbflow-analytics supported certificates: certificates: ca: crt: key: sign: crt: key: node: crt: key: admin: crt: key: dname: bundle: ## For `analytics.certificates.existingSecret`: ## Specify the secret where the certificates ca, sign, node, ## admin, and bundle are stored (recommended for production). existingSecret: ## When using the existingSecret use the following keys: ## Store the 'ca.crt' value under CBF_ANALYTICS_CA_CRT key. ## Store the 'ca.key' value under CBF_ANALYTICS_CA_KEY key. ## Store the 'sign.crt' value under CBF_ANALYTICS_SIGN_CRT key. ## Store the 'sign.key' value under CBF_ANALYTICS_SIGN_KEY key. ## Store the 'node.crt' value under CBF_ANALYTICS_NODE_CRT key. ## Store the 'node.key' value under CBF_ANALYTICS_NODE_KEY key. ## Store the 'admin.crt' value under CBF_ANALYTICS_ADMIN_CRT key. ## Store the 'admin.key' value under CBF_ANALYTICS_ADMIN_KEY key. ## Store the 'bundle' value under CBF_ANALYTICS_CRT_BUNDLE key. ## NOTE: Do not store your 'admin.dnname' in any secret. Instead, pass it as a value. ## Reindexing settings reindex: remote: ## Specifies the hosts that can be reindexed from remotely. Consists of a comma-delimited ## list of host:port entries. The default value is '127.0.0.1:*,[::1]:*,localhost:*'. ## But a value is specified here to allow re-indexing of data from an outdated ## Analytics server. allowlist: "flow-devopsinsight.*:*" ## Specify additional containers. additionalContainers: null # additionalContainers: # - name: container-name # image: image-version # command: # - "/container-command" ## Custom labels for CD/RO analytics pods customLabels: {} ### -------------------------------------------- ### (LEGACY) Flow DevOps Insight (DOIS/dois) configuration section ### --------------------------------------------- dois: ## Flag that dictates the cbflow-dois workload and its accompanying services are installed. enabled: true ## The `imageRepository` in the `images.registry` to pull component image from. imageRepository: cbflow-dois ## Number replicas of Elasticsearch nodes to create. replicas: 1 ## `expose: true` allows cbflow-dois service ingress ports `9200` ## to be accessed from outside the cluster. expose: true ## The DOIS service endpoint configured on the remote CloudBees CD/RO server. ## It is assumed the remote CloudBees CD/RO server is located in the same ## Kubernetes cluster. serviceEndpoint: "flow-devopsinsight.{{ .Release.Namespace }}" ## The name of the Elasticsearch cluster. esClusterName: ## Minimum number of master-eligible nodes that must be visible in order to ## form an Elasticsearch cluster. esMinMasterNodes: 1 ## The number of primary shards that an index should have. esNumberOfShards: ## DOIS credentials ## Specify either: ## * The secret where the report user password and the admin user ## password will be stored (Recommended for production). ## or ## * The reportUserPassword and adminPassword values. ## ## When using the secret: ## * Store the `reportUser` password under the `CBF_DOIS_PASSWORD` key. ## * Store the `adminPassword` under the `CBF_DOIS_ADMIN_PASSWORD` key. ## ## ## IMPORTANT: If the `adminPassword` is left empty, *no admin user is created*, ## and administrative access is *not* granted to any user. credentials: existingSecret: adminPassword: ## If `reportUserPassword` is an empty string, a random 20 characters password is generated. reportUserPassword: ## The heap size in MB for Elasticsearch and Logstash services. esRam: 1024 ## Specify the resources to request for this component. resources: limits: cpu: 1 memory: 3Gi requests: cpu: 0.1 memory: 2Gi nodeSelector: {} tolerations: [] affinity: {} ## Adds an OpenShift node tuning label to DOIS pods that ## configures the 'vm.max_map_count' value required to run Elasticsearch. ## For more information, refer to: ## https://developers.redhat.com/blog/2019/11/12/using-the-red-hat-openshift-tuned-operator-for-elasticsearch/ openshiftNodeTuning: false ## Additional environment variables to set for cbflow-dois. extraEnvs: [] # extraEnvs: # - name: FOO # value: "BAR" # - name: FOO # valueFrom: # secretKeyRef: # key: FOO # name: secret-resource ## DOIS Readiness probe variables: healthProbeReadinessPeriodSeconds: 5 healthProbeReadinessFailureThreshold: 3 healthProbeReadinessInitialDelaySeconds: 60 ## DOIS Liveness probe variables: healthProbeLivenessPeriodSeconds: 20 healthProbeLivenessFailureThreshold: 3 healthProbeLivenessInitialDelaySeconds: 60 ## Enable or disable a *privileged* `sysctlInitContainer` if ## the sysctl `vm.max_map_count setting` is set by another method. sysctlInitContainer: enabled: true ## The `sysctlInitContainer.imageRepository` sysctlInitContainer image repository. imageRepository: busybox ## The `sysctlInitContainer.imageTag` sysctlInitContainer image tag . imageTag: stable ## Enable or disable creating an init container for cbflow-dois volume permissions. volumesPermissionsInitContainer: enabled: true ## Enable or disable creating a backup of cbflow-dois data. backup: ## NOTE: If you change `dois.backup.enabled` for an existing installation, ## you must delete the statefulset for the installation prior to upgrading. ## To do so, you can use `kubectl delete statefulset flow-devopsinsight`. enabled: false schedule_cron: "0 */12 * * *" retentionDays: 15 location: "/es-backups" ## The `imageRepository` in the `images.registry` to pull component image from. imageRepository: cbflow-tools restoreSnapshot: false restoreSnapshotName: externalRepo: ## Enable if you are backing up in Amazon S3 or GCS. enabled: false ## Type can be Amazon S3 or GCS. type: s3 # Name of bucket in Amazon S3 or GCS bucketName: ## Use GKE Workload Identity with Kubernetes service account to impersonate a Google Cloud ## Use The AWS IAM roles for service accounts to impersonate access to a S3 ## Enable serviceAccountsIdentity or provide IAM or GCS credentials below serviceAccountsIdentity: false ## For `existingSecret`, either: ## * Specify where the AWS or GCS credentials are stored. ## or ## * Provide the secret in the values file. ## ## For AWS S3: ## Create a secret for AWS S3 with permission to read/write ## to the bucket policy with keys `AWS_ACCESS_KEY` and `AWS_SECRET_KEY`. ## Example: ## `kubectl create secret generic s3awssecret --from-literal=AWS_ACCESS_KEY="XXXXX" --from-literal=AWS_SECRET_KEY="XXXXX"` ## ## For GCS: ## Create a secret for GCS with permission to read/write ## to the bucket policy using `KEY GCS_SA_KEY` referencing ## the file with the service account key. ## Example: ## `kubectl create secret generic gcssasecret --from-file=GCS_SA_KEY=/tmp/gke-credentials.json` existingSecret: secret: ## Provide *only* if type is AWS S3. awsAccessKey: awsSecretKey: ## Provide *only* if type is GCS. gcsSaKey: ## Region of the AWS S3 or GCS bucket. Example: us-east-1 region: ## Custom Pip config file configuration to install pip packages using private PyPi repo pipConfig: {} ## pip.conf: | ## [global] ## index-url = http:// ## trusted-host = ## Requires `dois.expose.enable: true` and ports `9200` to be open and externally exposed. ## Creates extra Kubernetes service with type LoadBalancer. externalService: enabled: false ## cbflow-dois LoadBalancer service annotations for ## creating internal LoadBalancer on GCP or AWS. annotations: # networking.gke.io/load-balancer-type: "Internal" # service.beta.kubernetes.io/aws-load-balancer-internal: "0.0.0.0/0" ## For `dois.certificates`, you must provide either: ## * The certificates for ca, sign, node, admin, ## and bundle in the fields below. ## or ## * A `dois.certificates.existingSecret` that references ## where the ca, sign, node, admin, and bundle are stored. ## IMPORTANT: ## If you have cbflow-dois replicas, you must define one of ## the following supported certificate options: ## * Define certificates.bundle. ## * Define certificates.ca.crt and certificates.ca.key. ## * Define certificates.ca.crt and certificates.sign.crt, and certificates.sign.key. ## * Define certificates.ca.crt, certificates.sign.crt, certificates.node.crt, certificates.node.key, ## certificates.admin.crt, and certificates.admin.key. ## For more information, refer to: ## https://docs.cloudbees.com/docs/cloudbees-cd/latest/install-k8s/installation#_configure_cloudbees_analytics_server_certificates ## cbflow-dois supported certificates: certificates: ca: crt: key: sign: crt: key: node: crt: key: admin: crt: key: dname: bundle: ## For `dois.certificates.existingSecret`: ## Specify the secret where the certificates ca, sign, node, ## admin, and bundle are stored (recommended for production). existingSecret: ## When using the existingSecret use the following keys: ## Store the 'ca.crt' value under CBF_DOIS_CA_CRT key. ## Store the 'ca.key' value under CBF_DOIS_CA_KEY key. ## Store the 'sign.crt' value under CBF_DOIS_SIGN_CRT key. ## Store the 'sign.key' value under CBF_DOIS_SIGN_KEY key. ## Store the 'node.crt' value under CBF_DOIS_NODE_CRT key. ## Store the 'node.key' value under CBF_DOIS_NODE_KEY key. ## Store the 'admin.crt' value under CBF_DOIS_ADMIN_CRT key. ## Store the 'admin.key' value under CBF_DOIS_ADMIN_KEY key. ## Store the 'bundle' value under CBF_DOIS_CRT_BUNDLE key. ## NOTE: Do not store your 'admin.dnname' in any secret. Instead, pass it as a value. ## Specify additional containers. additionalContainers: null # additionalContainers: # - name: container-name # image: image-version # command: # - "/container-command" ## Custom labels for CD/RO dois pods customLabels: {} ### -------------------------------------------- ### Flow bound agent configuration section ### --------------------------------------------- ## This is an internal component that serves the cbflow-web and the cbflow-repository ## connections to the cbflow-server. It is automatically enabled or disabled if ## deployment of cbflow-web and cbflow-repository are enabled. boundAgent: ## Number of replicas of this component to create. replicas: 1 ## The default loglevel for cbflow-agent. logLevel: DEBUG flowCredentials: ## Enable `serverSecretReference` to re-use flow-server secrets in the agent charts. serverSecretReference: true releaseNamePrefix: cb-flow-bound-agent resourceName: local resourcePools: default service: publicHostName: cb-flow-bound-agent name: cb-flow-bound-agent ## Interpreted as if passed to the CloudBees ecconfigure utility within the container. ecconfigure: "--agentInitMemoryMB=256 --agentMaxMemoryMB=256" ## Specify the resources to request for this component. resources: limits: cpu: 0.25 memory: 1024Mi requests: cpu: 0.25 memory: 512Mi nodeSelector: {} tolerations: [] affinity: {} storage: volumes: agentWorkspace: ## Set `volumes.enable: true` to use Persistent Volume for the bound agent workspace. enabled: false name: flow-bound-agent-workspace accessMode: ReadWriteOnce storage: 5Gi ## To use a custom storage class, provide the `storageClass` name. storageClass: ## To use an existing PVC, set: ## * Set `storage.volumes.repositoryStorage.name` to your PVC name. ## * Set `existingClaim: true`. ## If you are using a PVC, it *must be* `ReadWriteMany` accessible. existingClaim: false ## Additional environment variables to set for cbflow-agent. extraEnvs: [] # - name: FOO # value: "BAR" # - name: FOO # valueFrom: # secretKeyRef: # key: FOO # name: secret-resource ## Enable or disable creating init container for volume permissions for cbflow-agent. volumePermissions: enabled: true ## Specify additional volumes to mount in the cbflow-agent container. additionalVolumes: [] ## Specify where your additional volumes are mounted in the cbflow-agent container. additionalVolumeMounts: [] ## Specify additional containers. additionalContainers: # - name: container-name # image: image-version # command: # - "/container-command" ### -------------------------------------------- ### Flow storage configuration section ### --------------------------------------------- storage: volumes: ## Storage configuration for plugins directory, which: ## * Is shared across all cbflow-server and cbflow-web replicas. ## * *Must be* `ReadWriteMany` accessible. ## ## To use an existing PVC, set: ## * Set `storage.volumes.serverPlugins.name` to your PVC name. ## * Set `existingClaim: true`. ## If you are using a PVC, it *must be* `ReadWriteMany` accessible. serverPlugins: name: flow-server-shared accessMode: ReadWriteMany ## To use a custom storage class, provide the storageClass name. storageClass: storage: 5Gi existingClaim: false ## To use an existing PVC, set: ## * Set `storage.volumes.repositoryStorage.name` to your PVC name. ## * Set `existingClaim: true`. ## If you are using a PVC, it *must be* `ReadWriteMany` accessible. repositoryStorage: name: flow-repo-artifacts accessMode: ReadWriteOnce storage: 20Gi ## To use a custom storage class, provide the storageClass name. storageClass: existingClaim: false doisStorage: name: elasticsearch-data accessMode: ReadWriteOnce storage: 10Gi ## To use a custom storage class, provide the storageClass name. storageClass: analyticsStorage: name: analytics-data accessMode: ReadWriteOnce storage: 10Gi ## To use a custom storage class, provide the storageClass name. storageClass: ### -------------------------------------------- ### Flow server database configuration section ### --------------------------------------------- ## Db endpoint, `database` or `schema`, principal with full privileges on ## that schema (rw access) - `dbUser` and `dbPassword`. database: ## URL of you external Db. # externalEndpoint: "my.db.somewhere.com" ## Use this option if your database resides in the same k8s cluster ## as the flow-server with the notation as .. ## If deploying into the same namespace, `.` can be omitted. # clusterEndpoint: "." ## Use this option if you have an existing credentials or will deploy the ## secret yourself. The value *must* given in the format: ## existingSecret: server-secrets.yaml::dbSecret # existingSecret: dbName: dbUser: ## If dbPassword is an empty string, a random 20 characters password is generated. dbPassword: ## Remote database port to connect to. dbPort: ## Database type for flow persistence to work with. ## Must be one of: ## * `mysql` - MYSQL ## * `mariadb` - MariaDB ## * `sqlserver` - MSSQLServer ## * `oracle` - Oracle ## * `postgresql` - PostgreSql ## For more information on supported databases, refer to ## https://docs/cloudbees/com/docs/cloudbees-common/latest/supported-platforms/cloudbees-cd-k8s#database-plat: dbType: ## External Mysql Connector URL to download during CloudBees CD/RO installation. mysqlConnector: enabled: true externalUrl: ## configure the database connection to use either built-in database authentication or IAM database authentication ## using customDatabaseUrl . ## example customDatabaseUrl:jdbc:postgresql:///?cloudSqlInstance=::&socketFactory=com.google.cloud.sql.postgres.SocketFactory&ipTypes=PRIVATE ## for more information on supported configuration, refer to ## https://docs.cloudbees.com/docs/cloudbees-cd/latest/install-k8s/k8s-platform-specific-configurations#_using_cloudbees_cdro_with_google_cloud_sql # customDatabaseUrl: ### -------------------------------------------- ### Flow server credentials configuration section ### --------------------------------------------- flowCredentials: ## Specify either: ## * The secret where the admin user password is stored using ## the 'CBF_SERVER_ADMIN_PASSWORD' key (recommended for production). ## or ## * The adminPassword. existingSecret: ## If `adminPassword` is an empty string, a random 20 characters password is generated. adminPassword: ### -------------------------------------------- ### Flow server license configuration optional section ### --------------------------------------------- ## This optional section allows you to configure licenses with flow-server during the ## first initialization only. Allows you to either create a secret from this chart or supply ## your own pre-created one. ## IMPORTANT: Pre-created secrets must have a single field named CBF_LICENSE with value ## containing the license file contents, *REQUIRED* to use with `flowLicense.existingSecret`. ## TIP: For installations or upgrades, licence automations ## can be created using the following API: ## https://docs.cloudbees.com/docs/cloudbees-cd-api/latest/flow-api/apiserver flowLicense: ## Provide your existing secret name with license data. ## For `existingSecret`, must have `CBF_LICENSE` field with value of license file contents. existingSecret: ## TIP: Your `licenseData` can be passed as an XML file path or ## passed with the `helm --set-file` option. licenseData: ### -------------------------------------------- ### Pods security context ### --------------------------------------------- ## Requires `securityContext.enabled=true` to apply `securityContext` settings for pod spec. ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: enabled: false fsGroup: 1000 runAsUser: 1000 ## Configure pod security context, which applied to pod spec. ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#podsecuritycontext-v1-core # fsGroup: 1000 # fsGroupChangePolicy: OnRootMismatch # runAsGroup: 1000 # runAsNonRoot: true # runAsUser: 1000 # seLinuxOptions: {} # seccompProfile: {} # supplementalGroups: # sysctls: ## Requires `securityContext.enabled=true` to apply `containerSecurityContext` settings for containers. containerSecurityContext: {} ## Configure container security context, which is applied to containers. ## Ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#securitycontext-v1-core # allowPrivilegeEscalation: false # capabilities: # drop: [ "ALL" ] # privileged: false # procMount: "Default" # readOnlyRootFilesystem: true # runAsGroup: 1000 # runAsNonRoot: true # runAsUser: 1000 # seLinuxOptions: {} # seccompProfile: {} volumePermissions: enabled: true ### -------------------------------------------- ### RBAC resources ### --------------------------------------------- rbac: ## Specify if RBAC resources should be created. create: false serviceAccountName: annotations: {} role: ## Rules to create RBAC resources. rules: [] ### -------------------------------------------- ### Network isolation configuration ### --------------------------------------------- networkIsolation: ## Enabled network policies for CloudBees CD/RO components. Set `networkPolicies.enabled: false` to ## implement custom network policies. ## IMPORTANT: If `networkPolicies.enabled: false`, you must provide the `additionalIngressSelector` for ## CloudBees CD/RO components. ## For more information on network policies, refer to: ## https://docs.cloudbees.com/docs/cloudbees-cd/latest/install-k8s/cdro-k8s-how-tos networkPolicies: enabled: true ## `allowFromCidr` allows you to define a CIDR allowed ## to make connections to all exposed CloudBees CD/RO endpoints. allowFromCidr: "0.0.0.0/0" ## Additional ingress selectors for network policies. ## Example: ## web: ## additionalIngressSelector: ## - namespaceSelector: ## matchLabels: ## kubernetes.io/metadata.name: kube-system web: additionalIngressSelector: [] server: additionalIngressSelector: [] zookeeper: additionalIngressSelector: [] repository: additionalIngressSelector: [] dois: additionalIngressSelector: [] analytics: additionalIngressSelector: [] ### -------------------------------------------- ### Zookeeper configuration section ### --------------------------------------------- ## CloudBees CD/RO includes a bundled ZooKeeper installation. ## If you already have an available ZooKeeper installation, or ## your security policy demands, you can disable this ZooKeeper. ## If you disable the bundled ZooKeeper, enter your ZooKeeper endpoint ## address into `workloads.server.zk.host` and `workloads.server.zk.port`. ## ## IMPORTANT: Currently, CloudBees CD/RO *can not* share a ZooKeeper ## with any other application. zookeeper: image: ## Container repository to pull ZooKeeper image from. repository: docker.io/cloudbees/cbflow-tools ## Zookeeper image tag to pull. tag: "2025.03.0.178767_3.2.154_20250318" ## Added Image repository for global values support imageRepository: cbflow-tools fullnameOverride: zookeeper replicaCount: 3 podLabels: ownerApp: "cloudbees-flow" role: "cluster-coordinator" mode: "private" ## Specify the resources to request for this component. resources: limits: cpu: "250m" memory: "1Gi" requests: memory: "512Mi" cpu: "250m" livenessProbe: initialDelaySeconds: 20 periodSeconds: 30 timeoutSeconds: 5 failureThreshold: 2 successThreshold: 1 readinessProbe: initialDelaySeconds: 10 periodSeconds: 10 timeoutSeconds: 5 failureThreshold: 6 successThreshold: 1 ### -------------------------------------------- ### Flow ingress configuration section ### --------------------------------------------- ## CloudBees CD/RO requires cbflow-server, cbflow-repository, and ## cbflow-analytics/cbflow-dois (only if installed) to be exposed as externally available services. ## Ingress requires the following ports to be exposed: ## * `8200` (cbflow-repository) ## * `8443` and `61613` (cbflow-server) ## * `9200` (cbflow-dois) ## * `9201` (cbflow-analytics) ## ## As per Kubernetes ingress specification, this is not organically supported. ## This is why flow-ingress comes bundled with CloudBees CD/RO. ## **Only use ingress-nginx for Kubernetes installations v1.22 or later.** ## IMPORTANT: If you are upgrading from K8s v1.21 or earlier ## to v1.22 or later, ensure you configure `nginx-ingress.enabled: false` ## and `ingress-nginx.enabled: true` before upgrading. ## For more information this type of upgrade, refer to: ## https://docs.cloudbees.com/docs/cloudbees-cd/latest/upgrade/overview-k8s-environment#Prereq_upgrading_from_K8s_1.21_or_less_to_1.22_or_above ingress-nginx: ## `ingress-nginx.enabled: true` installs the following ingress-nginx controller: ## https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx ## (OPTIONAL) Enable this section if you don't have an existing ingress-nginx controller installation. enabled: true controller: service: externalTrafficPolicy: Local ingressClassResource: name: flow-ingress ## `publishService` allows you to customize the external service ## ingress-nginx is bound to via DNS. publishService: enabled: true scope: enabled: true # Set the default `admissionWebhooks.port`. admissionWebhooks: port: 8445 # extraArgs: ## Additional log messages that may be useful for debugging. ## Shows diff detail about changes in the ingress-nginx configuration. # v: 2 ## Shows details about the service, Ingress rule, endpoint changes, and ## dumps the ingress-nginx configuration in JSON format. # v: 3 ## Configures NGINX in debug mode # v: 5 config: ## Ingress must support long-running requests without resetting the connection. ## By default, AWS ELB resets connections after `60` seconds of inactivity. With ## this annotation, the timeout will be increased to `4000` seconds. This is ## the maximum timeout supported by AWS ELB. proxy-stream-timeout: "4000s" ## `error-log-level` allows you to increase the detail of the error log, which ## may be useful for debugging. # error-log-level: debug tcp: 8200: "{{ .Release.Namespace }}/flow-repository:8200" 8443: "{{ .Release.Namespace }}/flow-server:8443" 61613: "{{ .Release.Namespace }}/flow-server:61613" ## Additional TCP ports to access DOIS Elasticsearch over the ingress endpoint: # 7800: "{{ .Release.Namespace }}/gateway-external-agent-flow-agents:7800" # 9200: "{{ .Release.Namespace }}/flow-devopsinsight:9200" ## Additional TCP ports to access Analytics over the ingress endpoint: # 9201: "{{ .Release.Namespace }}/flow-analytics:9201" ## Additional port to enable external agents to connect to flow-server. # 8000: "{{ .Release.Namespace }}/flow-server:8000" ### -------------------------------------------- ### Miscellaneous configuration section ### --------------------------------------------- clusteredMode: true ## Flag used to configure the cloudbees-sda chart. ## Should not be used from a standalone CloudBees CD/RO installation. sda: false mariadb: enabled: false image: tag: "10.11.2-debian-11-r19" fullnameOverride: mariadb replication: enabled: false volumePermissions: enabled: true initdbScriptsConfigMap: mariadb-initdb-scripts existingSecret: mariadb-initdb-secret ## You *must* provide the same `db.user` name as `database.dbUser`(default is "flow"). db: user: "" rootUser: ## MariaDB admin password ## If `rootuser.password` is an empty string, a random 10 characters password is generated. ## ref: https://github.com/bitnami/bitnami-docker-mariadb#setting-the-root-password-on-first-run password: "" master: nodeSelector: kubernetes.io/os: linux ## cloudbees-flow-agent chart configuration to create ## an internal gateway agent. internalGatewayAgent: enabled: false releaseNamePrefix: gateway-default-agent resourceName: gateway-default-agent ## Number of replicas of this component to create. replicas: 1 trustedAgent: false flowCredentials: ## Enable `serverSecretReference` to re-use flow-server secrets in agents chart. serverSecretReference: true ## Horizontal Pod Autoscaling configuration for internalGatewayAgent. ## IMPORTANT: This is only supported when `clusteredMode: true`. autoscaling: enabled: false minReplicas: 1 maxReplicas: 2 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: 80 gateway: ## Recognize as internal gateway agent. enabled: true ## cloudbees-flow-agent chart configurations used for creating an ## external gateway agent. externalGatewayAgent: enabled: false releaseNamePrefix: gateway-external-agent resourceName: gateway-external-agent ## Number of replicas of this component to create. replicas: 1 trustedAgent: false zoneName: external service: ## External DNS hostname external agents use to communicate ## with the external gateway agent publicHostName: ## Enabling `externalService` creates a Load Balancer Kubernetes service named `-flow-agents-external`. ## If `externalGatewayAgent.service.publicHostName` above is configured with a DNS Endpoint (DNS Entry added for LB Endpoint), an ## External Gateway Agent with the specified Agent Host Name is automatically created. ## The port can be set to ports other than 7800. The load balancer will route any requests ## to the specified port to the internal service on port 7800. externalService: enabled: false port: 7800 ## Configure gateway using external gateway agent. gateway: ## Configure gateway using this agent. enabled: true ## Name of the gateway to create. name: external ## Name of the gateway agent to pair with as gateway resource 2. pairedResourceName: gateway-default-agent flowCredentials: ## Enable `serverSecretReference` to re-use flow-server secrets in agents chart. serverSecretReference: true ## Horizontal Pod Autoscaling configuration for externalGatewayAgent. ## This is only supported when `clusteredMode: true`. autoscaling: enabled: false minReplicas: 1 maxReplicas: 2 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: 80 gitops: enabled: false repo: ## Specify either: ## Your gitToken gitToken: ## or ## * Your secret where the git access token is stored under the 'CBF_GIT_TOKEN' key (recommended for production) existingSecret: ## (OPTIONAL) CloudBees CD/RO Sidecar injector configuration ## Sidecar injectors are useful when running infrastructure (GitHub Enterprise, Nexus, etc.) using a self-signed certificate. ## They allow you to inject certificate bundles in pods running in CloudBees CD/RO, so they can trust provided certificates ## without having to build custom docker images. ## ## IMPORTANT: If you are using SDA and CI has `sidecarinjector.enabled` you can *not* enable cdsidecarinjector. ## As both refer to same chart, and this generates name conflicts. ## ## To enable sidecar-injector, label your namespace with `sidecar-injector-cd=enabled`: ## `kubectl label namespace mynamespace cdsidecarinjector=enabled` ## Use `helm inspect readme cloudbees/cloudbees-sidecar-injector` to read more on sidecar injectors. cdsidecarinjector: ## `cdsidecarinjector.enabled: true` installs sidecar injector. enabled: false caBundleName: ca-bundles injectionCaCertificates: - /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem injectionJavaKeystore: ## Alpine/Debian/Ubuntu/Gentoo etc. - /opt/cbflow/jre/lib/security/cacerts namespaceLabel: sidecar-injector annotationPrefix: com.cloudbees.sidecar-injector ## Use `batch/v1beta1` if using Kubernetes v1.22 or later. batchApiVersion: batch/v1 ## Helm tests configuration helmTests: image: cbflowtest/wget ## Custom Labels for CDRO workload pods customLabels: product: cdro ## The resourceOptions variable is used to specify additional parameters to ## configure or modify a resource for CD/RO agent installation. ## Example resourceOptions: "--stepLimit 2" resourceOptions: