# Default values for Fybrik. # This is a YAML-formatted file. # Declare variables to be passed into your templates. # Overrides names nameOverride: "" fullnameOverride: "" # If Fybrik should not create cluster scope resources, set it to false. # Note that these resources are still required for a valid # deployment. Only set this to false if you deployed cluster # scoped resources using a different method. clusterScoped: true # The namespace where Fybrik deploys data path components (modules) modulesNamespace: # The Fybrik namespace name, if not defined, default "fybrik-blueprints" is used name: "" # if it is true, Fybrik, during its deployment, creates this namespace and removes it when Fybrik is uninstalled. # Otherwise, it is a user responsibility to create this namespace, before Fybrik deployment. managedByFybrik: true # Define a specific namespace, if Fybrik should watch for FybrikApplication from a specific namespace only, # or when we work with "clusterScope:false" # The namespace must already exist applicationNamespace: "" # Taxonomy file for taxonomy ConfigMap taxonomyOverride: "" # Global configuration applies to multiple components installed by this chart global: # Default hub for Fybrik images. hub: ghcr.io/fybrik # Default tag for Fybrik images. # If no value is set, the chart's appVersion will be used. tag: "" # Default image pull policy for Fybrik images # Default behavior: Always. # ref: https://kubernetes.io/docs/concepts/containers/images/#updating-images imagePullPolicy: "Always" # Reference to one or more secrets to be used when pulling images. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ imagePullSecrets: [] # Human readable logs prettyLogging: false # zerolog verbosity level # ref: https://github.com/rs/zerolog#leveled-logging loggingVerbosity: -1 # Pod Security Context. This is the default setting for all pods, and can be # overwritten by a specific podSecurityContext settings. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context podSecurityContext: runAsNonRoot: true # Ignored on openshift. It can be set in a specific podSecurityContext settings. runAsUser: 10001 # Ignored on openshift. It can be set in a specific podSecurityContext settings. seccompProfile: type: RuntimeDefault # Container Security Context. This is the default setting for all containers, and can be # overwritten by a specific containerSecurityContext settings. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 containerSecurityContext: readOnlyRootFilesystem: true privileged: false allowPrivilegeEscalation: false capabilities: drop: - ALL # Settings for readinessProbe. This is the default setting for all containers, and can be # overwritten by a specific readinessProbe settings. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ readinessProbe: failureThreshold: 3 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 initialDelaySeconds: 20 # Settings for livenessProbe. This is the default setting for all containers, and can be # overwritten by a specific livenessProbe settings. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ livenessProbe: failureThreshold: 3 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 initialDelaySeconds: 20 # Cluster metadata values cluster: # Set to the name of the cluster. name: thegreendragon # Set to cluster zone. zone: hobbiton # Set to cluster region. region: theshire # Set to the cluster Vault auth method path. vaultAuthPath: kubernetes # Configuration when deploying to a coordinator cluster. coordinator: # Set to false to disable coordinator components in manager. enabled: true # Configures the catalog system name to be used by the coordinator manager. # Accepted values are "katalog", "openmetadata", "egeria" or any meaningful name if a third party connector is used. catalog: "openmetadata" # Overrides the catalog connector URL. # Defaults to `http://-connector:8080`. # For tls connection use: "https://-connector:8443" catalogConnectorURL: "" # Configures the policy manager system name to be used by the coordinator manager. # Accepted values are "opa" or any meaningful name if a third party connector is used. policyManager: "opa" # Overrides the policy manager connector URL. # Defaults to `http://-connector:8080`. # For tls connection use: "https://-connector:8443" policyManagerConnectorURL: "" # Configure the vault instance to be used by the coordinator manager vault: # WARNING: it's an advanced feature, set it to "false" if all your modules and connectors do not require getting # credentials from Fybrik. # If it is "false", you can remove all other entries below. enabled: true # Set to the Vault address. address: "http://vault.{{ .Release.Namespace }}:8200" # Login method to Vault login: # Token authentication token: "root" # Configures the Razee instance to be used by the coordinator manager in a multicluster setup razee: # Overrides the multicluster group that should be used. # Using Razee one can bundle clusters in a group. The controller is then limited to all # the clusters registered in this group. multiclusterGroup: "" # URL for Razee local deployment url: "" # Usernane for Razee local deployment user: "" # Password for Razee local deployment password: "" # Razee deployment with oauth API key authentication requires the apiKey parameter apiKey: "" # Razee deployment with IBM Cloud Satellite Config requires the iamKey parameter iamKey: "" # Configuration when deploying the manager to a worker cluster. # Note that a coordinator can also act as a worker. worker: # Set to false to disable worker components in manager. enabled: true # Manager component manager: # Set to true to deploy the manager component or false to skip its deployment. # Defaults to true if `coordinator.enabled` or `worker.enabled` is true. enabled: true # Override data path limits in manager dataPathMaxSize: "2" # Image name or a hub/image[:tag] image: "manager" # Overrides global.imagePullPolicy imagePullPolicy: "Always" # Set to true to enable socat in the manager pod to forward # traffic from a localhost registry. Used only for development. socat: false # Overrides arguments to be passed to manager container overrideArgs: # Set to the time interval to check the status of the resources # deployed by the manager. The interval is specified in milliseconds. # Default value is 2000 milliseconds. resourcePollingInterval: 2000 # Allows increasing burst used for discovery, this is useful in clusters with many registered resources # Fybrik manager uses it during modules helm operations # value is int discoveryBurst: "" # Allows increasing qps used for discovery, this is useful in clusters with many registered resources # Fybrik manager uses it during modules helm operations # value is float32 discoveryQPS: "" tls: # Relavent if the connection between the manager and one of the connectors # uses tls. # MinVersion contains the minimum TLS version that is acceptable. # If not provided, the system default value is used. # Possible values are TLS-1.0, TLS-1.1, TLS-1.2 and TLS-1.3. minVersion: TLS-1.3 certs: # Name of kubernetes secret that holds the manager certificate and # private key. # The secret should be of `kubernetes.io/tls` type. # certSecretName: "test-tls-manager-certs" certSecretName: "" # Name of kubernetes secret that holds the certificate authority (CA) certificates # which are used by the manager to validate the connection to the connectors. # The CA certificates key in the secret should have `.crt` suffix. # The provided certificates replaces the certificates in the system CA certificate store. # If the secret is not provided then the CA certificates are taken from the system # CA certificate store, for example `/etc/ssl/certs/`. # cacertSecretName: "test-tls-ca-certs" cacertSecretName: "" # Extra environment variables to be set for manager container extraEnvs: # - name: env_name # value: env_value replicaCount: 1 serviceAccount: # Specifies whether a service account should be created create: true # Annotations to add to the service account annotations: {} # The name of the service account to use name: manager podAnnotations: {} # To enable Istio automatic sidecar injection add: # sidecar.istio.io/inject: "true" # Pod Security Context. If set, the fields of podSecurityContext override # the equivalent fields of .Values.global.podSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context podSecurityContext: {} # Container Security Context. If set, the fields of containerSecurityContext override # the equivalent fields of .Values.global.containerSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 containerSecurityContext: {} readinessProbe: {} livenessProbe: {} resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi # Set the size limit of the data directory. dataDirSizeLimit: 200Mi nodeSelector: {} tolerations: [] affinity: {} prometheus: false # CSP solver for data plane optimization solver: # image of the container with solver binary and libs # when specified, the solver will be deployed in the manager pod image: "ghcr.io/fybrik/optimizer:0.0.1" # Set to true to enable the use of the solver by Fybrik enabled: false # Set the size limit of the directory which holds the solver image. dirSizeLimit: 200Mi # Specify a persistent volume claim, to be mounted by the manager, that can contain # helm charts that can be referenced by a FybrikModule. Manager will check if a chart # is available on volume first, then try to pull from a Docker registry if it does not exist. # To populate the volume, create a 'charts' directory at the root of the mount, # and place helm charts within the charts directory. chartsPersistentVolumeClaim: "" # OPA server component opaServer: # Set to true to deploy OPA service or false to skip its deployment. # Defaults to true if the opa connector is enabled. enabled: auto # Image name or a hub/image[:tag] image: "openpolicyagent/opa:0.36.0" # Overrides global.imagePullPolicy imagePullPolicy: "Always" args: - "run" - "--server" - "--log-level=debug" - "--set=decision_logs.console=true" # for tls support add: # more information can be found in https://www.openpolicyagent.org/docs/latest/security/ # - "--tls-cert-file=/data/tls-cert/tls.crt" # - "--tls-private-key-file=/data/tls-cert/tls.key" # - "--authentication=tls" # - "--tls-ca-cert-file=/data/tls-cacert/ca.crt" # - "--addr=https://0.0.0.0:8443" tls: # Specifies whether the opa-server communication should use tls. # For more information please refer to https://www.openpolicyagent.org/docs/latest/security/ use_tls: false certs: # Name of kubernetes tls secret that holds the opa server certificate and # private key. # The secret should be of `kubernetes.io/tls` type such that the certificates # in tls.crt and tls.key are passed as parameters to opa server at startup # via the command line flags `--tls-cert-file=`and `--tls-private-key-file` respectively. # Relavent if tls is used. # certSecretName: "test-tls-opa-server-certs" certSecretName: "" # Name of kubernetes secret that holds the certificate authority (CA) certificates # which are used by opa-server to validate the connection to the clients # if mtls is enabled. # The CA certificates key in the secret should have `.crt` suffix. # The certificates are passed as parameters to opa server at startup via # the command line flags `--tls-ca-cert-file`. # The provided certificates replaces the certificates in the system CA certificate store. # If the secret is not provided then the CA certificates are taken from the system # CA certificate store, for example `/etc/ssl/certs/`. # cacertSecretName: "test-tls-ca-certs" cacertSecretName: "" kubemgmt: image: openpolicyagent/kube-mgmt:0.11 # Used if autoscaling is not enabled replicaCount: 1 # Set the size limit of the data directory. dataDirSizeLimit: 200Mi serviceAccount: # Specifies whether a service account should be created create: true # Annotations to add to the service account annotations: {} # The name of the service account to use name: opa podAnnotations: {} # Pod Security Context. If set, the fields of podSecurityContext override # the equivalent fields of .Values.global.podSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context podSecurityContext: {} # Container Security Context. If set, the fields of containerSecurityContext override # the equivalent fields of .Values.global.containerSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 containerSecurityContext: {} # In OPA server, readiness is defined by HTTPS request when using TLS # which means that certificates verification is required # between kubelet (the client) and OPA server. # Avoid configurating kubelet by setting enabled to false. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ enableReadinessProbe: true # In OPA server, liveness is defined by HTTPS request when using TLS # which means that certificates verification is required # between kubelet (the client) and OPA server. # Avoid configurating kubelet by setting enabled to false. # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ enableLivenessProbe: true readinessProbe: {} livenessProbe: {} service: type: ClusterIP # For tls connection use port 8443 port: 8181 resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi autoscaling: enabled: false minReplicas: 1 maxReplicas: 100 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: # targetMemoryUtilizationPercentage: 80 nodeSelector: {} tolerations: [] affinity: {} # Bootstrap policies to load upon startup # Define policies in the form of: # : |- # # For example, to mask the entire input body in the decision logs: # bootstrapPolicies: # log: |- # package system.log # mask["/input"] # Bootstrap policies to load upon startup bootstrapPolicies: {} # Katalog connector component katalogConnector: # Set to true to deploy the katalog connector or false to skip its deployment. # Defaults to true if `coordinator.catalog` is set to "katalog" enabled: auto # Image name or a hub/image[:tag] image: "katalog-connector" # Overrides global.imagePullPolicy imagePullPolicy: "Always" # Used if autoscaling is not enabled replicaCount: 1 serviceAccount: # Specifies whether a service account should be created create: true # Annotations to add to the service account annotations: {} # The name of the service account to use name: katalog-connector tls: # MinVersion contains the minimum TLS version that is acceptable. # If not provided, the system default value is used. # Possible values are TLS-1.0, TLS-1.1, TLS-1.2 and TLS-1.3. minVersion: TLS-1.3 # Specifies whether the katalog connector communication should use tls. use_tls: false # Specifies whether the katalog connector communication should use mutual tls. use_mtls: false certs: # Name of kubernetes tls secret that holds the katalog-connector certificate # and private key. # The secret should be of `kubernetes.io/tls` type. # Relavent if tls is used. # certSecretName: "test-tls-katalog-connector-certs" certSecretName: "" # Name of kubernetes secret that holds the certificate authority (CA) certificates # which are used by katalog-connector to validate the connection to the manager # if mtls is enabled. # The CA certificates key in the secret should have `.crt` suffix. # The provided certificates replaces the certificates in the system CA certificate store. # If the secret is not provided then the CA certificates are taken from the system # CA certificate store, for example `/etc/ssl/certs/`. # cacertSecretName: "test-tls-ca-certs" cacertSecretName: "" podAnnotations: {} # Pod Security Context. If set, the fields of podSecurityContext override # the equivalent fields of .Values.global.podSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context podSecurityContext: {} # Container Security Context. If set, the fields of containerSecurityContext override # the equivalent fields of .Values.global.containerSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 containerSecurityContext: {} readinessProbe: {} livenessProbe: {} service: type: ClusterIP # For tls connection use port 8443 port: 8080 # Set the size limit of the data directory. dataDirSizeLimit: 200Mi resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi autoscaling: enabled: false minReplicas: 1 maxReplicas: 100 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: # targetMemoryUtilizationPercentage: 80 nodeSelector: {} tolerations: [] affinity: {} # OpenMetadata connector component openmetadataConnector: # Set to true to deploy the openmetadata connector or false to skip its deployment. # Defaults to true if `coordinator.catalog` is set to "openmetadata" enabled: auto # Image name or a hub/image[:tag] image: "ghcr.io/fybrik/openmetadata-connector:0.3.0" # Overrides global.imagePullPolicy imagePullPolicy: "Always" # Used if autoscaling is not enabled replicaCount: 1 serviceAccount: # Specifies whether a service account should be created create: true # Annotations to add to the service account annotations: {} # The name of the service account to use name: openmetadata-connector tls: # MinVersion contains the minimum TLS version that is acceptable. # If not provided, the system default value is used. # Possible values are TLS-1.0, TLS-1.1, TLS-1.2 and TLS-1.3. minVersion: TLS-1.3 # Specifies whether the openmetadata connector communication should use tls. use_tls: false # Specifies whether the openmetadata connector communication should use mutual tls. use_mtls: false certs: # Name of kubernetes tls secret that holds the openmetadata-connector certificate # and private key. # The secret should be of `kubernetes.io/tls` type. # Relevant if tls is used. # certSecretName: "test-tls-openmetadata-connector-certs" certSecretName: "" # Name of kubernetes secret that holds the certificate authority (CA) certificates # which are used by openmetadata-connector to validate the connection to the manager # if mtls is enabled. # The CA certificates key in the secret should have `.crt` suffix. # The provided certificates replaces the certificates in the system CA certificate store. # If the secret is not provided then the CA certificates are taken from the system # CA certificate store, for example `/etc/ssl/certs/`. # cacertSecretName: "test-tls-ca-certs" cacertSecretName: "" podAnnotations: {} # Pod Security Context. If set, the fields of podSecurityContext override # the equivalent fields of .Values.global.podSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context podSecurityContext: {} # Container Security Context. If set, the fields of containerSecurityContext override # the equivalent fields of .Values.global.containerSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 containerSecurityContext: {} readinessProbe: {} livenessProbe: {} service: type: ClusterIP # For tls connection use port 8443 port: 8080 # Set the size limit of the data directory. dataDirSizeLimit: 200Mi resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi autoscaling: enabled: false minReplicas: 1 maxReplicas: 100 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: # targetMemoryUtilizationPercentage: 80 dirSizeLimit: 200Mi openmetadata_endpoint: "http://openmetadata.open-metadata:8585/api" openmetadata_sleep_interval: 100 openmetadata_num_retries: 1000 vault: role: "fybrik" jwt_file_path: "/var/run/secrets/kubernetes.io/serviceaccount/token" nodeSelector: {} tolerations: [] affinity: {} # V2 OPA connector component opaConnector: # Set to true to deploy the opa connector or false to skip its deployment. # Defaults to true if `coordinator.policyManager` is set to "opa" enabled: auto # Overrides the URL of the OPA server # Defaults to the address of the deployed OPA server # If the OPA server is configured with TLS then use https://opa:8443 serverURL: # Image name or a hub/image[:tag] image: "opa-connector" # Overrides `.global.imagePullPolicy` imagePullPolicy: "Always" # Used if autoscaling is not enabled replicaCount: 1 serviceAccount: # Specifies whether a service account should be created create: true # Annotations to add to the service account annotations: {} # The name of the service account to use name: opa-connector tls: # MinVersion contains the minimum TLS version that is acceptable. # If not provided, the system default value is used. # Possible values are TLS-1.0, TLS-1.1, TLS-1.2 and TLS-1.3. minVersion: TLS-1.3 # Specifies whether the opa connector communication should use tls. use_tls: false # Specifies whether the opa connector communication should use mutual tls. use_mtls: false # Relevant if the connection between the manager and the connectors # uses tls. certs: # Name of kubernetes tls secret that holds opa-connector certificate # and private key. # The secret should be of `kubernetes.io/tls` type. # Relavent if tls is used. # certSecretName: "test-tls-opa-connector-certs" certSecretName: "" # Name of kubernetes secret that holds the certificate authority (CA) certificates # which are used by opa-connector to validate the connection to the manager if # mtls is enabled. # The CA certificates key in the secret should have `.crt` suffix. # The provided certificates replaces the certificates in the system CA certificate store. # If the secret is not provided then the CA certificates are taken from the system # CA certificate store, for example `/etc/ssl/certs/`. # cacertSecretName: "test-tls-ca-certs" cacertSecretName: "" podAnnotations: {} # Pod Security Context. If set, the fields of podSecurityContext override # the equivalent fields of .Values.global.podSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context podSecurityContext: {} # Container Security Context. If set, the fields of containerSecurityContext override # the equivalent fields of .Values.global.containerSecurityContext. # ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 containerSecurityContext: {} readinessProbe: {} livenessProbe: {} service: type: ClusterIP # For tls connection use port 8443 port: 8080 # Set the size limit of the data directory. dataDirSizeLimit: 200Mi resources: {} # We usually recommend not to specify default resources and to leave this as a conscious # choice for the user. This also increases chances charts run on environments with little # resources, such as Minikube. If you do want to specify resources, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'resources:'. # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 100m # memory: 128Mi autoscaling: enabled: false minReplicas: 1 maxReplicas: 100 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: # targetMemoryUtilizationPercentage: 80 nodeSelector: {} tolerations: [] affinity: {} # S3 mock service installed in fybrik namespace s3mock: enabled: false