# Global Configuration global: licenseKey: "" # Your zymtrace license key goes here # Reference an existing Kubernetes Secret instead of passing the license key in plaintext. # When set, licenseKey above is ignored. # Example: # licenseKeySecretName: "zymtrace-license" # licenseKeySecretKey: "license-key" # the key inside that secret that holds the value licenseKeySecretName: "" licenseKeySecretKey: "license-key" # key name inside the secret — change if your secret uses a different name namePrefix: "zymtrace" imageRegistry: "docker.io" # Default registry appImageRegistry: "ghcr.io/zystem-io" # Specific registry for zymtrace backend services images, e.g docker.io/zystemio registry: requirePullSecret: false # Control if image pull secrets should be used. If this is false, we default to the pub images. username: "" # Required: provide via --set password: "" # Required: provide via --set imagePullPolicy: IfNotPresent dataRetentionDays: 30 # Default retention period in days. 0 = forever. migrateServicesToHeadless: true # Auto-detects and migrates services from ClusterIP to headless. Set to false to disable. skipCapabilityCheck: false # Set to true to skip API capability checks (useful for helm template operations) skipDBMigrations: false # Set to true to skip running database migrations during install/upgrade (useful for quick rollbacks or when migrations are not needed) skipPostgresMigration: false # Set to true to skip PostgreSQL migrations specifically (sets SKIP_PSQL_MIGRATE=true) skipClickHouseMigration: false # Set to true to skip ClickHouse migrations specifically (sets SKIP_CH_MIGRATE=true) # AI Assistant Configuration # Supports multiple AI providers: Anthropic Claude, Google Gemini, and OpenAI ChatGPT aiAssistant: enabled: false # Set to true to enable AI Assistant features # Anthropic Claude Configuration # Get your API key from: https://console.anthropic.com/ anthropic: apiKey: "" # Your Anthropic API key (sets WEB__ASSISTANT__API_KEYS__ANTHROPIC) apiKeySecretName: "" # takes precedence over apiKey apiKeySecretKey: "anthropic-api-key" # Google Gemini Configuration # Get your API key from: https://aistudio.google.com/apikey gemini: apiKey: "" # Your Google Gemini API key (sets WEB__ASSISTANT__API_KEYS__GEMINI) apiKeySecretName: "" # takes precedence over apiKey apiKeySecretKey: "gemini-api-key" # OpenAI Configuration # Get your API key from: https://platform.openai.com/api-keys openai: apiKey: "" # Your OpenAI API key (sets WEB__ASSISTANT__API_KEYS__OPENAI) apiKeySecretName: "" # takes precedence over apiKey apiKeySecretKey: "openai-api-key" # Custom LLM Configuration # Use this for self-hosted or third-party LLM providers with OpenAI-compatible APIs customLLM: url: "" # Your custom LLM endpoint URL. e.g https://example.com/v1/chat/completions apiKey: "" # Your custom LLM API key apiKeySecretName: "" # takes precedence over apiKey apiKeySecretKey: "custom-llm-api-key" models: "" # Comma-separated list of available models, e.g openai/gpt-oss-20b,nvidia/DeepSeek-V3-0324-NVFP4 # Maximum request size for AI assistant queries (in bytes) # Default: 20971520 (20 MiB) requestSizeLimit: 20971520 # Default AI provider to use when multiple are configured # Options: anthropic, gemini, openai, custom # Default: anthropic defaultProvider: "" # Default model for the selected provider (prefix match) # Examples: claude-sonnet-4-5, gemini-2.0-flash, gpt-5-1 # Default: claude-sonnet defaultModel: "" # Session cleanup frequency (in seconds) # How often to remove unused assistant sessions # Default: 3600 (1 hour) sessionClearFreq: 3600 # MCP Server Configuration # Configure MCP servers for assistant integration # Leave away authToken if no auth is required # mcpServers: # - name: my-mcp # Endpoint will be set via environment variable in configmap # This is a placeholder that gets overridden by the deployment # endpoint: "http://localhost:1234/mcp" # authToken: "" # Authentication Configuration auth: # Authentication type: "basic", "oidc", "local", or "none" # This controls which authentication method is used for Gateway and Web services type: "none" # Add branding to the login page (button text and custom logo) info: displayName: null pictureUri: null # Enable service token authentication for ingest and symdb services # Works only when auth.type is "local" or "oidc" serviceToken: enabled: false # HTTP Basic Authentication Configuration # Active when auth.type is "basic" basic: username: "" # Required when type is "basic" password: "" # Required when type is "basic" # Identity service admin user configuration # Admin user is created regardless of used auth.type admin: email: admin@zymtrace.com password: admin passwordSecretName: "" # takes precedence over password passwordSecretKey: "admin-password" roles: - "System Admin" # Cookie settings (applies to web service) # Used when auth is enabled and the type is "local" or "oidc" cookie: refreshMaxAgeSec: 31536000 refreshPath: / loginMaxAgeSec: 60 loginPath: / sameSite: lax secure: true httpOnly: true cookieTtlSec: 60 # Enabled only when the type is "local" or "oidc" validation: # A list of possible token issuers, if not specified, derived from gateway host issuers: # A list of possible token audiences, "zymtrace" by default audiences: # Token signing configuration (original OIDC tokens are wrapped, signed, and verified using this key) # You should generate your own keys for your deployment, i.e.: # openssl genpkey -algorithm ED25519 -out /tmp/private.pem # openssl pkey -in /tmp/private.pem -pubout -out /tmp/public.pem # kubectl -n zymtrace create secret generic sample-private-key \ # --from-file=private-key=/tmp/private.pem # kubectl -n zymtrace create secret generic sample-public-key \ # --from-file=public-key=/tmp/public.pem keys: privateKey: # Private Key (PEM format) - Required for self-hosted auth # Leave empty when using external OIDC providers (Google, Okta, etc.) # Example format: # -----BEGIN CERTIFICATE----- # MIIBrDCCAVKgAwIBAgIUb7Y7r6OKgiFlnu6Zk0KN9qI6eZcwCgYIKoZIzj0EAwIw # ...certificate content... # -----END CERTIFICATE----- # Reference an existing Kubernetes Secret instead of passing the private key in plaintext. # When set, privateKey above is ignored. # Example: # privateKeySecretName: "zymtrace-signing-keys" # privateKeySecretKey: "private-key" # the key inside that secret that holds the PEM value privateKeySecretName: "" privateKeySecretKey: "private-key" # key name inside the secret — change if your secret uses a different name publicKey: # Public Key (PEM format) - Required for self-hosted auth and token validation # Leave empty when using external OIDC providers (Google, Okta, etc.) # Example format: # -----BEGIN CERTIFICATE----- # MIIBrDCCAVKgAwIBAgIUb7Y7r6OKgiFlnu6Zk0KN9qI6eZcwCgYIKoZIzj0EAwIw # ...certificate content... # -----END CERTIFICATE----- # Reference an existing Kubernetes Secret instead of passing the public key in plaintext. # When set, publicKey above is ignored. Can point to the same secret as privateKeySecretName. # Example: # publicKeySecretName: "zymtrace-signing-keys" # publicKeySecretKey: "public-key" # the key inside that secret that holds the PEM value publicKeySecretName: "" publicKeySecretKey: "public-key" # key name inside the secret — change if your secret uses a different name # OIDC (OpenID Connect) Authentication Configuration # Active when auth.type is "oidc" # # DEFAULT: Configured for Google Authentication # For other providers (Okta, Auth0, Azure AD), update the issuer URLs and client credentials below oidc: # OIDC Provider Configuration # These settings apply to all services using OIDC provider: # GOOGLE OAuth 2.0 Configuration (default) # # Setup Instructions: # 1. Go to: https://console.cloud.google.com/apis/credentials # 2. Create OAuth 2.0 Client ID (Application type: Web application) # 3. Add Authorized redirect URI: https://your-zymtrace-domain.com/api/v1/oauth2/callback # 4. Copy the Client ID and Client Secret below # # For other OIDC providers: # Okta: issuerUri: https://your-domain.okta.com # Auth0: issuerUri: https://your-tenant.auth0.com # Azure AD: issuerUri: https://login.microsoftonline.com/{tenant-id}/v2.0 clientId: '' # Required: Your OAuth Client ID (e.g., xxxxx.apps.googleusercontent.com for Google) clientSecret: '' # Required: Your OAuth Client Secret. Ignored when clientSecretSecretName is set. clientSecretSecretName: "" # takes precedence over clientSecret clientSecretSecretKey: "oidc-client-secret" # OIDC Issuer URL # GOOGLE (default): https://accounts.google.com # For self-hosted auth: use your gateway's external URL (e.g., https://zymtrace.company.com) # For NodePort/LoadBalancer: use your accessible URL (e.g., http://your-ip:30080) # REQUIRED when using OIDC issuerUri: "https://accounts.google.com" # Redirect URI - where the OIDC provider sends users after authentication # Must be registered in your OIDC provider's console # If empty: auto-derives from ingress.hosts.gateway.host as https:///api/v1/oauth2/callback # For NodePort/LoadBalancer or custom URLs: set explicitly (e.g., http://your-ip:30080/api/v1/oauth2/callback) redirectUri: "" scopes: - openid - email - profile extraParams: - prompt=consent - access_type=offline globalSymbolization: enabled: false config: bucketName: "" accessKey: "" secretKey: "" region: "" endpoint: "" # Database Configurations # # Storage Type Options for ClickHouse, PostgreSQL, and MinIO: # - "persistent": Creates a new PVC for persistent storage (default) # - "empty_dir": Uses emptyDir for temporary storage (data lost on pod restart) # - "existing_pvc": Uses an existing PVC (specify pvcName in existing_pvc.pvcName) # # Example using existing volumes: # storage: # type: "existing_pvc" # existing: # pvcName: "my-existing-pvc" # clickhouse: mode: "create" # "create" or "use_existing" nodeSelector: {} tolerations: [] # - key: "key" # operator: "Equal" # value: "value" # effect: "NoSchedule" affinity: {} # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: node-type # operator: In # values: # - database create: image: repository: clickhouse/clickhouse-server tag: "25.3.2.39" config: user: "clickhouse" password: "clickhouse123" # This is a **prefix** prepended to all CH databases. The actual # atabases will then be called `myprefix_profiling`, for example. database: "zymtrace" service: http: port: 8123 native: port: 9000 replicas: 1 resources: requests: cpu: "500m" memory: "1Gi" limits: cpu: "2000m" memory: "4Gi" storage: type: "persistent" # "persistent", "empty_dir", or "existing_pvc" size: 30Gi className: "" # Configuration for existing volumes (only used when type is "existing_pvc") existing_pvc: pvcName: "" # Name of existing PVC to use subPath: "clickhouse" # Optional: subdirectory within PVC (useful for shared storage) healthProbes: liveness: initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 3 failureThreshold: 5 readiness: initialDelaySeconds: 50 periodSeconds: 5 timeoutSeconds: 3 use_existing: host: "" # Must include protocol and port: http://myhost:8123 or https://myhost:8443 # NOTE: Only the HTTP interface port is supported due to limitations in the official ClickHouse Rust client. The native protocol port (9000) is not supported. user: "" password: "" # Ignored when passwordSecretName is set # Reference an existing Kubernetes Secret instead of passing the password in plaintext. # When set, password above is ignored. # Example: # passwordSecretName: "my-clickhouse-secret" # passwordSecretKey: "password" passwordSecretName: "" passwordSecretKey: "password" database: "zymtrace" # This is used as the DB prefix, so the actual databases will be `zymtrace_profiling` and `zymtrace_metrics `. clusterName: "" # Optional: ClickHouse cluster name for distributed setups (e.g., "zymtrace_cluster"). # Required when using ClickHouse clusters with multiple shards/replicas. # When enabled, we use the ON CLUSTER macro for distributed queries across cluster nodes. # Leave empty for ClickHouse Cloud or single-node ClickHouse instances. autoCreateDBs: false # When true, sets INGEST__CLICKHOUSE__AUTO_CREATE_DBS=true and INGEST__METRICS__CLICKHOUSE__AUTO_CREATE_DBS=true # NOTE: For autoCreateDBs to work, the database user must have CREATE DATABASE permission postgres: mode: "create" # "create", "use_existing", "aws_aurora", or "gcp_cloudsql" nodeSelector: {} tolerations: [] # - key: "key" # operator: "Equal" # value: "value" # effect: "NoSchedule" affinity: {} # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: node-type # operator: In # values: # - database create: image: repository: postgres tag: "17.4" config: user: "postgres" password: "postgres123" service: port: 5432 replicas: 1 resources: requests: cpu: "200m" memory: "512Mi" limits: cpu: "1000m" memory: "1Gi" storage: type: "persistent" # "persistent", "empty_dir", or "existing_pvc" size: 20Gi className: "" # Configuration for existing volumes (only used when type is "existing_pvc") existing_pvc: pvcName: "" # Name of existing PVC to use subPath: "postgres/pgdata" # Optional: subdirectory within PVC, must match this format: postgres/pgdata use_existing: host: "" # host:port user: "" password: "" # Ignored when passwordSecretName is set # Reference an existing Kubernetes Secret instead of passing the password in plaintext. # When set, password above is ignored. # Example: # passwordSecretName: "my-postgres-secret" # passwordSecretKey: "password" passwordSecretName: "" passwordSecretKey: "password" database: "zymtrace" # This used as the DB prefix, so the actual databases will be `zymtrace_identity` and `zymtrace_symdb`. secure: false # Enable TLS/secure connection autoCreateDBs: false # When true, sets IDENTITY__POSTGRES__AUTO_CREATE_DBS=true and SYMDB__POSTGRES__AUTO_CREATE_DBS=true # NOTE: For autoCreateDBs to work, the database user must have CREATEDB permission. # Grant with: ALTER USER "your-user" CREATEDB; useIAM: "" # If set to "aws", authenticate via IAM instead of password. Ignores password/passwordSecretName. awsIamRegion: "" # Required when useIAM is "aws" (e.g. us-west-2) aws_aurora: host: "" # Aurora cluster endpoint (e.g., cluster-name.cluster-xxxxx.region.rds.amazonaws.com) user: "" # Database user for IAM authentication (must have rds_iam role granted) database: "zymtrace" # This used as the DB prefix, so the actual databases will be `zymtrace_identity` and `zymtrace_symdb`. region: "" # AWS region (e.g., us-west-2, eu-west-1) autoCreateDBs: false # NOTE: For autoCreateDBs to work, the database user must have CREATEDB permission. # Grant with: ALTER USER "your-user" CREATEDB; serviceAccount: "" # Kubernetes service account with IAM role for Aurora access (created externally with eks.amazonaws.com/role-arn annotation) # Leave blank if IAM role is assigned directly to worker nodes (pods will inherit the node's IAM role via IMDS) gcp_cloudsql: instance: "" # PROJECT:REGION:INSTANCE zymtrace-cloudsql-psql-1 user: "" # IAM account, e.g zt-db-762@local-bebop-448118-g4.iam. Ensure that gserviceaccount.com isn't added database: "zymtrace" #this is the db prefix for zymtrace_identity and zymtrace_symdb databases. autoCreateDBs: false # When true, sets IDENTITY__POSTGRES__AUTO_CREATE_DBS=true and SYMDB__POSTGRES__AUTO_CREATE_DBS=true # NOTE: For autoCreateDBs to work, the IAM database user must have CREATEDB permission. # Grant with: ALTER USER "zt-db-762@local-bebop-448118-g4.iam" CREATEDB; privateIP: false # Set to true to use private IP connectivity for Cloud SQL instances without public IP workloadIdentity: enabled: true # Enable Workload Identity for authentication proxy: image: repository: gcr.io/cloud-sql-connectors/cloud-sql-proxy tag: "2.15.0" resources: requests: cpu: "100m" memory: "128Mi" limits: cpu: "500m" memory: "556Mi" port: 5432 serviceAccount: "zymtrace-cloudsql-sa" # Kubernetes service account bound to GCP service account via Workload Identity # Replica configuration for CloudSQL proxy (only applies when HPA is disabled) replicas: 1 # HPA configuration for CloudSQL proxy hpa: enabled: false # Set to true to enable HPA for CloudSQL proxy minReplicas: 1 maxReplicas: 5 targetCPUUtilizationPercentage: 80 targetMemoryUtilizationPercentage: 80 # Object Storage Configuration storage: mode: "create" # "create" or "use_existing" nodeSelector: {} tolerations: [] # - key: "key" # operator: "Equal" # value: "value" # effect: "NoSchedule" affinity: {} # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: node-type # operator: In # values: # - storage create: image: repository: minio/minio tag: "RELEASE.2024-12-18T13-15-44Z" config: user: "minio" password: "minio123" service: api: port: 9000 console: port: 9001 replicas: 1 resources: requests: cpu: "200m" memory: "512Mi" limits: cpu: "1000m" memory: "1Gi" storage: type: "persistent" # "persistent", "empty_dir", or "existing_pvc" size: 20Gi className: "" # Configuration for existing volumes (only used when type is "existing_pvc") existing_pvc: pvcName: "" # Name of existing PVC to use subPath: "minio" # Optional: subdirectory within PVC (useful for shared storage) healthProbes: liveness: initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 3 readiness: initialDelaySeconds: 50 periodSeconds: 5 timeoutSeconds: 3 use_existing: type: "minio" # "minio", "s3", or "gcs" minio: endpoint: "" # must be a url, http/s user: "" userSecretName: "" # takes precedence over user userSecretKey: "user" password: "" passwordSecretName: "" # takes precedence over password passwordSecretKey: "password" s3: region: "" accessKey: "" accessKeySecretName: "" # takes precedence over accessKey accessKeySecretKey: "access-key" secretKey: "" secretKeySecretName: "" # takes precedence over secretKey secretKeySecretKey: "secret-key" useIAM: null # If set, ignore accessKey/secretKey and authenticate via IAM. Valid values: null, "aws" serviceAccount: "" # Only applies if using IAM. SA annotated with eks.amazonaws.com/role-arn for IRSA. # Leave blank if IAM role is assigned directly to worker nodes (pods will inherit the node's IAM role via IMDS). Ref -https://docs.zymtrace.com/databases/object-storage gcs: endpoint: "https://storage.googleapis.com" # GCS endpoint, defaults to https://storage.googleapis.com accessKey: "" accessKeySecretName: "" # takes precedence over accessKey accessKeySecretKey: "access-key" secretKey: "" secretKeySecretName: "" # takes precedence over secretKey secretKeySecretKey: "secret-key" buckets: symbols: "zymtrace-symdb" # Application Services services: activateNetworkPolicies: true # Dev CNIs like standard Flannel doesn't support NetworkPolicies. zymtrace will still create it, but it won't be enforced. healthProbes: # NOTE: If you're using managed services such as ClickHouse, Postgres, and if there's loss in connection to the dependent services, # there's a high chance that liveness probe will kill and restart the pod. So if this is enabled and you're seeing multiple # restarts of pods, double check the health of the dependent services. # # These are global settings that apply to all services unless overridden at the service level. # Individual services can override these settings by uncommenting their own healthProbes section. liveness: false # Set to true to enable liveness probes for all services readiness: false # Set to true to enable readiness probes for all services common: imageTag: "" nodeSelector: {} # kubernetes.io/arch: amd64 tolerations: [] # Example tolerations: # - key: "dedicated" # operator: "Equal" # value: "zymtrace" # effect: "NoSchedule" # - key: "node.kubernetes.io/not-ready" # operator: "Exists" # effect: "NoExecute" # tolerationSeconds: 300 env: {} # OTEL_EXPORTER_OTLP_METRICS_ENDPOINT: "http://localhost:9090/api/v1/otlp/v1/metrics" # OTEL_EXPORTER_OTLP_TRACES_ENDPOINT: "http://localhhost:4317" affinity: {} # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: kubernetes.io/arch # operator: In # values: # - amd64 # Example pod anti-affinity: # podAntiAffinity: # preferredDuringSchedulingIgnoredDuringExecution: # - weight: 100 # podAffinityTerm: # labelSelector: # matchExpressions: # - key: app # operator: In # values: # - zymtrace # topologyKey: kubernetes.io/hostname hpa: enabled: false # Set to true to enable HPA for all services. Overide this common config in the service section below. minReplicas: 1 maxReplicas: 10 targetCPUUtilizationPercentage: 60 targetMemoryUtilizationPercentage: 70 behavior: scaleUp: stabilizationWindowSeconds: 60 policies: - type: Percent value: 50 periodSeconds: 60 - type: Pods value: 2 periodSeconds: 60 scaleDown: stabilizationWindowSeconds: 300 policies: - type: Percent value: 25 periodSeconds: 60 ingest: image: repository: zymtrace-backend tag: "" # Optional: overrides Chart.AppVersion if set, applied to all service tags below. port: 8375 portTrusted: 8376 portHealth: 8377 replicas: 1 service: annotations: {} # app: zymtrace labels: {} # team: zymtrace # Use common HPA settings unless you need service-specific values #hpa: # enabled: false # minReplicas: 1 # targetCPUUtilizationPercentage: 80 # maxReplicas: 5 # targetMemoryUtilizationPercentage: 80 # Health probe overrides - takes precedence over common healthProbes settings #healthProbes: # liveness: true # Override common setting for this service # readiness: true # Override common setting for this service resources: requests: cpu: "500m" memory: "512Mi" limits: cpu: "4000m" memory: "2Gi" nodeSelector: {} # kubernetes.io/arch: amd64 # workload-type: compute-intensive tolerations: [] # - key: "workload" # operator: "Equal" # value: "ingest" # effect: "NoSchedule" env: {} # CUSTOM_INGEST_SETTING: "value" # RUST_LOG: "debug" affinity: {} # Individual service affinity takes precedence over common affinity web: image: repository: zymtrace-backend tag: "" port: 9933 replicas: 1 service: annotations: {} labels: {} # Use common HPA settings unless you need service-specific values #hpa: # enabled: false # minReplicas: 1 # targetCPUUtilizationPercentage: 80 # maxReplicas: 5 # targetMemoryUtilizationPercentage: 80 # Health probe overrides - takes precedence over common healthProbes settings #healthProbes: # liveness: true # Override common setting for this service # readiness: true # Override common setting for this service resources: requests: cpu: "500m" memory: "512Mi" limits: cpu: "4000m" memory: "4Gi" nodeSelector: {} # kubernetes.io/arch: amd64 # disk-type: ssd tolerations: [] # - key: "workload" # operator: "Equal" # value: "web" # effect: "NoSchedule" allowRecommendations: true env: {} # RUST_LOG: "info" affinity: {} # Individual service affinity takes precedence over common affinity symdb: image: repository: zymtrace-backend tag: "" port: 6107 portTrusted: 6108 portHealth: 6109 replicas: 1 service: annotations: {} labels: {} # Use common HPA settings unless you need service-specific values #hpa: # enabled: false # minReplicas: 1 # targetCPUUtilizationPercentage: 80 # maxReplicas: 5 # targetMemoryUtilizationPercentage: 80 # Health probe overrides - takes precedence over common healthProbes settings #healthProbes: # liveness: true # Override common setting for this service # readiness: true # Override common setting for this service resources: requests: cpu: "500m" memory: "512Mi" limits: cpu: "1000m" memory: "1Gi" nodeSelector: {} # kubernetes.io/arch: amd64 # storage-type: high-iops tolerations: [] # - key: "workload" # operator: "Equal" # value: "symdb" # effect: "NoSchedule" env: {} # set to increase max symbfile size if needed, useful for profiling CLICKHOUSE or other exec binaries # SYMDB__MAX_SYMBFILE_SIZE=157286400 # RUST_LOG: "debug" # SYMDB__DEBUGINFOD_SERVERS: "https://debuginfod.ubuntu.com" affinity: {} # Individual service affinity takes precedence over common affinity ui: image: repository: zymtrace-ui tag: "" port: 80 replicas: 1 service: annotations: {} labels: {} # Use common HPA settings unless you need service-specific values # Individual HPA settings take precedence over common settings when uncommented #hpa: # enabled: true # minReplicas: 1 # targetCPUUtilizationPercentage: 70 # maxReplicas: 5 # targetMemoryUtilizationPercentage: 80 # Health probe overrides - takes precedence over common healthProbes settings #healthProbes: # liveness: true # Override common setting for this service # readiness: true # Override common setting for this service resources: requests: cpu: "200m" memory: "256Mi" limits: cpu: "500m" memory: "512Mi" nodeSelector: {} # kubernetes.io/arch: amd64 # node-type: frontend tolerations: [] # - key: "workload" # operator: "Equal" # value: "ui" # effect: "NoSchedule" env: {} # NODE_ENV: "production" affinity: {} # Individual service affinity takes precedence over common affinity identity: image: repository: zymtrace-backend tag: "" port: 7829 portHealth: 7831 replicas: 1 service: annotations: {} labels: {} # Use common HPA settings unless you need service-specific values #hpa: # enabled: false # minReplicas: 1 # targetCPUUtilizationPercentage: 80 # maxReplicas: 5 # targetMemoryUtilizationPercentage: 80 # Health probe overrides - takes precedence over common healthProbes settings #healthProbes: # liveness: true # Override common setting for this service # readiness: true # Override common setting for this service resources: requests: cpu: "200m" memory: "512Mi" limits: cpu: "500m" memory: "512Mi" nodeSelector: {} # kubernetes.io/arch: amd64 # workload-type: auth tolerations: [] # - key: "workload" # operator: "Equal" # value: "identity" # effect: "NoSchedule" env: {} # RUST_LOG: "info" affinity: {} # Individual service affinity takes precedence over common affinity #HPA setting doesn't apply to the migration service. migrate: image: repository: zymtrace-backend tag: "" # Timeout for migration job in seconds (default: 3600 = 1 hour) timeoutSeconds: 3600 # HPA is explicitly disabled for migration service to avoid/reduce the chance of anything bad happening if lock misbehaves hpa: enabled: false # Health probe overrides - takes precedence over common healthProbes settings #healthProbes: # liveness: true # Override common setting for this service # readiness: true # Override common setting for this service resources: requests: cpu: "200m" memory: "256Mi" limits: cpu: "500m" memory: "512Mi" nodeSelector: {} # kubernetes.io/arch: amd64 # workload-type: migration tolerations: [] # - key: "workload" # operator: "Equal" # value: "migration" # effect: "NoSchedule" env: {} # RUST_LOG: "debug" affinity: {} # Individual service affinity takes precedence over common affinity gateway: replicas: 1 image: repository: zymtrace-gateway tag: "" # Service type configuration: ClusterIP, NodePort, or LoadBalancer service: type: ClusterIP # Used for NodePort service type nodePort: "" annotations: {} labels: {} port: 80 portTrusted: 9900 adminPort: 9901 xff_append: false xff_num_trusted_hops: 2 # Use common HPA settings unless you need service-specific values # Individual HPA settings take precedence over common settings when uncommented #hpa: # enabled: true # minReplicas: 2 # maxReplicas: 8 # targetCPUUtilizationPercentage: 75 # targetMemoryUtilizationPercentage: 80 # Health probe overrides - takes precedence over common healthProbes settings #healthProbes: # liveness: true # Override common setting for this service # readiness: true # Override common setting for this service resources: requests: cpu: "500m" memory: "512Mi" limits: cpu: "1000m" memory: "1Gi" nodeSelector: {} # kubernetes.io/arch: amd64 # node-type: gateway tolerations: [] # - key: "workload" # operator: "Equal" # value: "gateway" # effect: "NoSchedule" env: {} # ENVOY_CUSTOM_SETTING: "value" # LOG_LEVEL: "debug" affinity: {} # Individual service affinity takes precedence over common affinity # mTLS configuration for Gateway service # IMPORTANT: SSL Passthrough must be enabled on your NGINX ingress controller for this work. # # To check if SSL passthrough is enabled: # kubectl get deployment nginx-controller -n ingress-nginx -o yaml | grep "enable-ssl-passthrough" # # To enable SSL passthrough if not already enabled: # Method 1 - Via ConfigMap (immediate, no restart required): # kubectl patch configmap nginx-configuration -n ingress-nginx --patch '{"data":{"enable-ssl-passthrough":"true"}}' # Method 2 - Via Helm (if installed via Helm): # helm upgrade nginx-ingress ingress-nginx/ingress-nginx -n ingress-nginx --set controller.extraArgs.enable-ssl-passthrough=true # # For other ingress controllers, consult their documentation for SSL passthrough configuration. mtls: enabled: false # mTLS (Mutual TLS) Configuration for Gateway # # mTLS provides bidirectional authentication where both client and server authenticate each other using certificates. # This configuration sets up the Gateway as the TLS server that requires client certificate authentication. # Please provide certificates in plain text format (PEM). They will be automatically base64 encoded in the Kubernetes secret. # You can use --set-file to load certificates from files: # --set-file services.gateway.mtls.cert=path/to/server.crt # --set-file services.gateway.mtls.key=path/to/server.key # --set-file services.gateway.mtls.ca=path/to/ca.crt cert: | # Server Certificate (PEM format) # This is the Gateway's server certificate that identifies the Gateway to connecting clients. # Example format: # -----BEGIN CERTIFICATE----- # MIIBrDCCAVKgAwIBAgIUb7Y7r6OKgiFlnu6Zk0KN9qI6eZcwCgYIKoZIzj0EAwIw # ...certificate content... # -----END CERTIFICATE----- key: | # Server Private Key (PEM format) # This is the private key that corresponds to the server certificate above. # Example format: # -----BEGIN EC PRIVATE KEY----- # MHcCAQEEIAwLRT16LE6S6TT5PIHWhUNoQOwugrcMRIg/rH0nv7VyoAoGCCqGSM49 # ...private key content... # -----END EC PRIVATE KEY----- # # Note: Key format may vary (RSA PRIVATE KEY, EC PRIVATE KEY, PRIVATE KEY, etc.) ca: | # Certificate Authority (CA) Certificate (PEM format) # This CA certificate is used to verify and validate client certificates during mTLS authentication. # Example format: # -----BEGIN CERTIFICATE----- # MIIBmTCCAT+gAwIBAgIUJylhF5Ixs2HWI9i+7kLzPxdoPQQwCgYIKoZIzj0EAwIw # ...ca certificate content... # -----END CERTIFICATE----- port: 9090 # Configuration for exposing services through ingress # NOTE: The Gateway serves as the main entry point and routes traffic to all backend services including the UI.# The Gateway is designed to be the external-facing service, while UI is accessed through the Gateway. # For direct external access to individual services without ingress, you can set service type to LoadBalancer or NodePort in the gat ingress: # Set to true if you want to expose services through an existing ingress controller enabled: false className: "nginx" # e.g nginx, traefik, alb # Common annotations # nginx.ingress.kubernetes.io/ssl-redirect: "true" # Force HTTPS for all traffic # This is also a good place to specify TLS setup. e.g: # For cert-manager (Let's Encrypt): # annotations: # cert-manager.io/cluster-issuer: "letsencrypt-prod" # For cloud certificates: # annotations: # alb.ingress.kubernetes.io/certificate-arn: "arn:aws:acm:region:account:certificate/id" # # For HTTP/2 and gRPC support (different for each ingress controller): # Nginx: # nginx.ingress.kubernetes.io/backend-protocol: "GRPC" # nginx.ingress.kubernetes.io/http2-enable: "true" # # Traefik: # traefik.ingress.kubernetes.io/router.entrypoints: "websecure" # traefik.ingress.kubernetes.io/router.tls: "true" # traefik.ingress.kubernetes.io/service.serversscheme: "h2c" # # AWS ALB: # alb.ingress.kubernetes.io/backend-protocol-version: "GRPC" # alb.ingress.kubernetes.io/target-type: "ip" annotations: {} hosts: gateway: # Primary gateway ingress - always available when ingress is enabled enabled: true host: "" # e.g zymtrace.company.com paths: - path: / pathType: Prefix annotations: {} # You must set this limit for your ingress type otherwise, you may not be able to upload custom symbols. # For NGINX: # nginx.ingress.kubernetes.io/proxy-body-size: "0" # or 10GB # # For Traefik: # traefik.ingress.kubernetes.io/buffer-size: "0" # or 10GB # # For AWS ALB: # alb.ingress.kubernetes.io/max-request-body-size: "0" # 10737418240 # mTLS gateway ingress - only available when services.gateway.mtls.enabled is true # Requires SSL passthrough and client certificate authentication # mtls: enabled: false host: "" # e.g mtls.zymtrace.company.com - should be different from main gateway host paths: - path: / pathType: Prefix annotations: {} # Required annotations for NGINX ingress with mTLS: # nginx.ingress.kubernetes.io/ssl-passthrough: "true" # nginx.ingress.kubernetes.io/proxy-body-size: "0" # nginx.ingress.kubernetes.io/client-body-buffer-size: "1M" # # For Traefik ingress with mTLS: # traefik.ingress.kubernetes.io/router.tls.passthrough: "true" # traefik.ingress.kubernetes.io/service.serversscheme: "https" # # For AWS ALB ingress with mTLS: # NOTE: AWS ALB doesn't support SSL passthrough like NGINX. # TLS config example: # tls: # - secretName: zymtrace-gateway-tls # hosts: # - zymtrace.company.com tls: [] telemetry: # Set to true to disable telemetry reporting for all services and UI. disableAll: false