kafka

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param clusterDomain Default Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Diagnostic mode
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
## @param diagnosticMode.command Command to override all containers in the chart release
## @param diagnosticMode.args Args to override all containers in the chart release
##
diagnosticMode:
  enabled: false
  command:
    - sleep
  args:
    - infinity
## @param serviceBindings.enabled Create secret for service binding (Experimental)
## Ref: https://servicebinding.io/service-provider/
##
serviceBindings:
  enabled: false
## @section Kafka common parameters

## Iamguarded Kafka image version
## ref: https://hub.docker.com/r/iamguarded/kafka/tags/
## @param image.registry [default: REGISTRY_NAME] Kafka image registry
## @param image.repository [default: REPOSITORY_NAME/kafka] Kafka image repository
## @skip image.tag Kafka image tag (immutable tags are recommended)
## @param image.digest Kafka image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Kafka image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug values should be set
##
image:
  registry: cgr.dev
  repository: chainguard-private/kafka-iamguarded
  tag: 4.2.0
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ##
  debug: false
## @param clusterId Kafka Kraft cluster ID (ignored if existingKraftSecret is set). A random cluster ID will be generated the 1st time Kraft is initialized if not set.
## NOTE: Already initialized Kafka nodes will use cluster ID stored in their persisted storage.
## If reusing existing PVCs, make sure the cluster ID is set matching the stored cluster ID, otherwise new nodes will fail to join the cluster.
## In case the cluster ID stored in the secret does not match the value stored in /iamguarded/kafka/data/meta.properties, remove the secret and upgrade the chart setting the correct value.
##
clusterId: ""
## @param existingKraftSecret Name of the secret containing the Kafka KRaft Cluster ID and one directory ID per controller replica
##
existingKraftSecret: ""
## @param kraftVersion Kraft version to be used. It determines whether static quorum (kraftVersion=0) or dynamic quorum (kraftVersion=1) will be used.
## NOTE: Kafka 4.0 does not yet support switching kraft version. This setting was added for backward-compatibility with 3.x clusters.
## Ref: https://kafka.apache.org/documentation/#static_versus_dynamic_kraft_quorums
##
kraftVersion: 1
## @param config Specify content for Kafka configuration (auto-generated based on other parameters otherwise)
## NOTE: This will override the configuration based on values, please act carefully
## Use simple key-value YAML format, then it's transformed to properties format by the chart. e.g:
##   process.roles: broker
## ... will be transformed to:
##   process.roles=broker
##
config: {}
## @param overrideConfiguration Kafka common configuration override. Values defined here take precedence over the ones defined at `config`
##
overrideConfiguration: {}
## @param existingConfigmap Name of an existing ConfigMap with the Kafka configuration
##
existingConfigmap: ""
## @param secretConfig Additional configuration to be appended at the end of the generated Kafka configuration (store in a secret)
##
secretConfig: ""
## @param existingSecretConfig Secret with additional configuration that will be appended to the end of the generated Kafka configuration
## The key for the configuration should be: server-secret.properties
## NOTE: This will override secretConfig value
##
existingSecretConfig: ""
## @param log4j2 Specify content for Kafka log4j2 configuration (default one is used otherwise)
## ref: https://github.com/apache/kafka/blob/trunk/config/log4j2.yaml
##
log4j2: ""
## @param existingLog4j2ConfigMap The name of an existing ConfigMap containing the log4j2.yaml file
##
existingLog4j2ConfigMap: ""
## @param heapOpts Kafka Java Heap configuration
##
heapOpts: -XX:InitialRAMPercentage=75 -XX:MaxRAMPercentage=75
## @param brokerRackAwareness.enabled Enable Kafka Rack Awareness
## @param brokerRackAwareness.cloudProvider Cloud provider to use to set Broker Rack Awareness. Allowed values: `aws-az`, `azure`
## @param brokerRackAwareness.azureApiVersion Metadata API version to use when brokerRackAwareness.cloudProvider is set to `azure`
## ref: https://cwiki.apache.org/confluence/display/KAFKA/KIP-392%3A+Allow+consumers+to+fetch+from+closest+replica
##
brokerRackAwareness:
  enabled: false
  cloudProvider: ""
  azureApiVersion: "2023-11-15"
## @param interBrokerProtocolVersion Override the setting 'inter.broker.protocol.version' during the ZK migration.
## Ref. https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html
##
interBrokerProtocolVersion: ""
## Kafka listeners configuration
##
listeners:
  ## @param listeners.client.name Name for the Kafka client listener
  ## @param listeners.client.containerPort Port for the Kafka client listener
  ## @param listeners.client.protocol Security protocol for the Kafka client listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL'
  ## @param listeners.client.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required'
  client:
    containerPort: 9092
    protocol: SASL_PLAINTEXT
    name: CLIENT
    sslClientAuth: ""
  ## @param listeners.controller.name Name for the Kafka controller listener
  ## @param listeners.controller.containerPort Port for the Kafka controller listener
  ## @param listeners.controller.protocol Security protocol for the Kafka controller listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL'
  ## @param listeners.controller.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required'
  ## Ref: https://cwiki.apache.org/confluence/display/KAFKA/KIP-684+-+Support+mutual+TLS+authentication+on+SASL_SSL+listeners
  controller:
    name: CONTROLLER
    containerPort: 9093
    protocol: SASL_PLAINTEXT
    sslClientAuth: ""
  ## @param listeners.interbroker.name Name for the Kafka inter-broker listener
  ## @param listeners.interbroker.containerPort Port for the Kafka inter-broker listener
  ## @param listeners.interbroker.protocol Security protocol for the Kafka inter-broker listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL'
  ## @param listeners.interbroker.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required'
  interbroker:
    containerPort: 9094
    protocol: SASL_PLAINTEXT
    name: INTERNAL
    sslClientAuth: ""
  ## @param listeners.external.containerPort Port for the Kafka external listener
  ## @param listeners.external.protocol Security protocol for the Kafka external listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL'
  ## @param listeners.external.name Name for the Kafka external listener
  ## @param listeners.external.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.sslClientAuth for this listener. Allowed values are 'none', 'requested' and 'required'
  external:
    containerPort: 9095
    protocol: SASL_PLAINTEXT
    name: EXTERNAL
    sslClientAuth: ""
  ## @param listeners.extraListeners Array of listener objects to be appended to already existing listeners
  ## E.g.
  ## extraListeners:
  ##  - name: CUSTOM
  ##    containerPort: 9097
  ##    protocol: SASL_PLAINTEXT
  ##    sslClientAuth: ""
  ##
  extraListeners: []
  ## NOTE: If set, below values will override configuration set using the above values (extraListeners.*, controller.*, interbroker.*, client.* and external.*)
  ## @param listeners.overrideListeners Overrides the Kafka 'listeners' configuration setting.
  ## @param listeners.advertisedListeners Overrides the Kafka 'advertised.listeners' configuration setting.
  ## @param listeners.securityProtocolMap Overrides the Kafka 'security.protocol.map' configuration setting.
  overrideListeners: ""
  advertisedListeners: ""
  securityProtocolMap: ""
## @section Kafka SASL parameters
## Kafka SASL settings for authentication, required if SASL_PLAINTEXT or SASL_SSL listeners are configured
##
sasl:
  ## @param sasl.enabledMechanisms Comma-separated list of allowed SASL mechanisms when SASL listeners are configured. Allowed types: `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512`, `OAUTHBEARER`
  ## NOTE: At the moment, Kafka Raft mode does not support SCRAM, that is why only PLAIN is configured.
  ##
  enabledMechanisms: PLAIN,SCRAM-SHA-256,SCRAM-SHA-512
  ## @param sasl.interBrokerMechanism SASL mechanism for inter broker communication.
  ##
  interBrokerMechanism: PLAIN
  ## @param sasl.controllerMechanism SASL mechanism for controller communications.
  ##
  controllerMechanism: PLAIN
  ## Settings for OAuthBearer mechanism
  ## @param sasl.oauthbearer.tokenEndpointUrl The URL for the OAuth/OIDC identity provider
  ## @param sasl.oauthbearer.jwksEndpointUrl The OAuth/OIDC provider URL from which the provider's JWKS (JSON Web Key Set) can be retrieved
  ## @param sasl.oauthbearer.expectedAudience The comma-delimited setting for the broker to use to verify that the JWT was issued for one of the expected audiences
  ## @param sasl.oauthbearer.subClaimName The OAuth claim name for the subject.
  ##
  oauthbearer:
    tokenEndpointUrl: ""
    jwksEndpointUrl: ""
    expectedAudience: ""
    subClaimName: "sub"
  ## Credentials for inter-broker communications.
  ## @param sasl.interbroker.user Username for inter-broker communications when SASL is enabled
  ## @param sasl.interbroker.password Password for inter-broker communications when SASL is enabled. If not set and SASL is enabled for the controller listener, a random password will be generated.
  ## @param sasl.interbroker.clientId Client ID for inter-broker communications when SASL is enabled with mechanism OAUTHBEARER
  ## @param sasl.interbroker.clientSecret Client Secret for inter-broker communications when SASL is enabled with mechanism OAUTHBEARER. If not set and SASL is enabled for the controller listener, a random secret will be generated.
  ##
  interbroker:
    user: inter_broker_user
    password: ""
    clientId: inter_broker_client
    clientSecret: ""
  ## Credentials for controller communications.
  ## @param sasl.controller.user Username for controller communications when SASL is enabled
  ## @param sasl.controller.password Password for controller communications when SASL is enabled. If not set and SASL is enabled for the inter-broker listener, a random password will be generated.
  ## @param sasl.controller.clientId Client ID for controller communications when SASL is enabled with mechanism OAUTHBEARER
  ## @param sasl.controller.clientSecret Client Secret for controller communications when SASL is enabled with mechanism OAUTHBEARER. If not set and SASL is enabled for the inter-broker listener, a random secret will be generated.
  ##
  controller:
    user: controller_user
    password: ""
    clientId: controller_broker_client
    clientSecret: ""
  ## Credentials for client communications.
  ## @param sasl.client.users Comma-separated list of usernames for client communications when SASL is enabled
  ## @param sasl.client.passwords Comma-separated list of passwords for client communications when SASL is enabled, must match the number of client.users
  ##
  client:
    users:
      - user1
    passwords: ""
  ## @param sasl.existingSecret Name of the existing secret containing credentials for client.users, interbroker.user and controller.user
  ## Create this secret running the command below where SECRET_NAME is the name of the secret you want to create:
  ##   kubectl create secret generic SECRET_NAME --from-literal=client-passwords=CLIENT_PASSWORD1,CLIENT_PASSWORD2 --from-literal=inter-broker-password=INTER_BROKER_PASSWORD --from-literal=inter-broker-client-secret=INTER_BROKER_CLIENT_SECRET --from-literal=controller-password=CONTROLLER_PASSWORD --from-literal=controller-client-secret=CONTROLLER_CLIENT_SECRET
  ## The client secrets are only required when using OAuthBearer as SASL mechanism.
  ## Client, inter-broker and controller passwords are only required if the SASL mechanism includes something other than OAuthBearer.
  ##
  existingSecret: ""
## @section Kafka TLS parameters
## Kafka TLS settings, required if SSL or SASL_SSL listeners are configured
##
tls:
  ## @param tls.type Format to use for TLS certificates. Allowed types: `JKS` and `PEM`
  ##
  type: JKS
  ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert.
  ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA.
  ##
  pemChainIncluded: false
  ## @param tls.autoGenerated.enabled Enable automatic generation of TLS certificates (only supported if `tls.type` is `PEM`)
  ## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager)
  ## @param tls.autoGenerated.customAltNames List of additional subject alternative names (SANs) for the automatically generated TLS certificates.
  ## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine)
  ##
  autoGenerated:
    enabled: true
    engine: helm
    customAltNames: []
    certManager:
      existingIssuer: ""
      existingIssuerKind: ""
      keySize: 2048
      keyAlgorithm: RSA
      duration: 2160h
      renewBefore: 360h
  ## @param tls.existingSecret Name of the existing secret containing the TLS certificates for the Kafka nodes.
  ## When using 'jks' format for certificates, each secret should contain a truststore and a keystore.
  ## Create these secrets following the steps below:
  ## 1) Generate your truststore and keystore files. Helpful script: https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh
  ## 2) Rename your truststore to `kafka.truststore.jks`.
  ## 3) Rename your keystores to `kafka-<role>-X.keystore.jks` where X is the replica number of the .
  ## 4) Run the command below one time per broker to create its associated secret (SECRET_NAME_X is the name of the secret you want to create):
  ##       kubectl create secret generic SECRET_NAME_0 --from-file=kafka.truststore.jks=./kafka.truststore.jks \
  ##        --from-file=kafka-controller-0.keystore.jks=./kafka-controller-0.keystore.jks --from-file=kafka-broker-0.keystore.jks=./kafka-broker-0.keystore.jks ...
  ##
  ## NOTE: Alternatively, a single keystore can be provided for all nodes under the key 'kafka.keystore.jks', this keystore will be used by all nodes unless overridden by the 'kafka-<role>-X.keystore.jks' file
  ##
  ## When using 'pem' format for certificates, each secret should contain a public CA certificate, a public certificate and one private key.
  ## Create these secrets following the steps below:
  ## 1) Create a certificate key and signing request per Kafka broker, and sign the signing request with your CA
  ## 2) Rename your CA file to `ca.crt`.
  ## 3) Rename your certificates to `kafka-X.tls.crt` where X is the ID of each Kafka broker.
  ## 3) Rename your keys to `kafka-X.tls.key` where X is the ID of each Kafka broker.
  ## 4) Run the command below one time per broker to create its associated secret (SECRET_NAME_X is the name of the secret you want to create):
  ##       kubectl create secret generic SECRET_NAME_0 --from-file=ca.crt=./ca.crt --from-file=kafka-controller-0.crt=./kafka-controller-0.crt --from-file=kafka-controller-0.key=./kafka-controller-0.key \
  ##        --from-file=kafka-broker-0.crt=./kafka-broker-0.crt --from-file=kafka-broker-0.key=./kafka-broker-0.key ...
  ##
  ## NOTE: Alternatively, a single key and certificate can be provided for all nodes under the keys 'tls.crt' and 'tls.key'. These certificates will be used by all nodes unless overridden by the 'kafka-<role>-X.key' and 'kafka-<role>-X.crt' files
  ##
  existingSecret: ""
  ## @param tls.passwordsSecret Name of the secret containing the password to access the JKS files or PEM key when they are password-protected. (`key`: `password`)
  ##
  passwordsSecret: ""
  ## @param tls.passwordsSecretKeystoreKey The secret key from the tls.passwordsSecret containing the password for the Keystore.
  ##
  passwordsSecretKeystoreKey: keystore-password
  ## @param tls.passwordsSecretTruststoreKey The secret key from the tls.passwordsSecret containing the password for the Truststore.
  ##
  passwordsSecretTruststoreKey: truststore-password
  ## @param tls.passwordsSecretPemPasswordKey The secret key from the tls.passwordsSecret containing the password for the PEM key inside 'tls.passwordsSecret'.
  ##
  passwordsSecretPemPasswordKey: ""
  ## @param tls.keystorePassword Password to access the JKS keystore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided.
  ## When using tls.type=PEM, the generated keystore will use this password or randomly generate one.
  ##
  keystorePassword: ""
  ## @param tls.truststorePassword Password to access the JKS truststore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided.
  ## When using tls.type=PEM, the generated keystore will use this password or randomly generate one.
  ##
  truststorePassword: ""
  ## @param tls.keyPassword Password to access the PEM key when it is password-protected.
  ## Note: ignored when using 'tls.passwordsSecret'
  ##
  keyPassword: ""
  ## @param tls.jksKeystoreKey The secret key from the `tls.existingSecret` containing the keystore
  ## Note: ignored when using 'pem' format for certificates.
  ##
  jksKeystoreKey: ""
  ## @param tls.jksTruststoreSecret Name of the existing secret containing your truststore if truststore not existing or different from the one in the `tls.existingSecret`
  ## Note: ignored when using 'pem' format for certificates.
  ##
  jksTruststoreSecret: ""
  ## @param tls.jksTruststoreKey The secret key from the `tls.existingSecret` or `tls.jksTruststoreSecret` containing the truststore
  ## Note: ignored when using 'pem' format for certificates.
  ##
  jksTruststoreKey: ""
  ## @param tls.endpointIdentificationAlgorithm The endpoint identification algorithm to validate server hostname using server certificate
  ## Disable server host name verification by setting it to an empty string.
  ## ref: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings
  ##
  endpointIdentificationAlgorithm: https
  ## @param tls.sslClientAuth Sets the default value for the ssl.client.auth Kafka setting.
  ## ref: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings
  ##
  sslClientAuth: "required"
## @param extraEnvVars Extra environment variables to add to Kafka pods
## ref: https://github.com/iamguarded/containers/tree/main/iamguarded/kafka#configuration
## e.g:
## extraEnvVars:
##   - name: KAFKA_CFG_BACKGROUND_THREADS
##     value: "10"
##
extraEnvVars: []
## @param extraEnvVarsCM ConfigMap with extra environment variables
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Secret with extra environment variables
##
extraEnvVarsSecret: ""
## @param extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s)
## e.g:
## extraVolumes:
##   - name: kafka-jaas
##     secret:
##       secretName: kafka-jaas
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s)
## extraVolumeMounts:
##   - name: kafka-jaas
##     mountPath: /iamguarded/kafka/config/kafka_jaas.conf
##     subPath: kafka_jaas.conf
##
extraVolumeMounts: []
## @param sidecars Add additional sidecar containers to the Kafka pod(s)
## e.g:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## @param initContainers Add additional init containers to the Kafka pod(s)
## e.g:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## DNS-Pod services
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## @param dnsPolicy Specifies the DNS policy for the Kafka pods
## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies.
## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ""
## @param dnsConfig allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None`
## The dnsConfig field is optional and it can work with any dnsPolicy settings.
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
## E.g.
## dnsConfig:
##   nameservers:
##     - 192.0.2.1 # this is an example
##   searches:
##     - ns1.svc.cluster-domain.example
##     - my.dns.search.suffix
##   options:
##     - name: ndots
##       value: "2"
##     - name: edns0
dnsConfig: {}
474
## Default init Containers
475
##
476
defaultInitContainers:
477
## 'volume-permissions' init container
478
## Used to change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
479
##
480
volumePermissions:
481
## @param defaultInitContainers.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
482
##
483
enabled: false
484
## @param defaultInitContainers.volumePermissions.image.registry [default: REGISTRY_NAME] "volume-permissions" init-containers' image registry
485
## @param defaultInitContainers.volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] "volume-permissions" init-containers' image repository
486
## @skip defaultInitContainers.volumePermissions.image.tag "volume-permissions" init-containers' image tag (immutable tags are recommended)
487
## @param defaultInitContainers.volumePermissions.image.digest "volume-permissions" init-containers' image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
488
## @param defaultInitContainers.volumePermissions.image.pullPolicy "volume-permissions" init-containers' image pull policy
489
## @param defaultInitContainers.volumePermissions.image.pullSecrets "volume-permissions" init-containers' image pull secrets
490
##
491
image:
492
registry: cgr.dev
493
repository: chainguard-private/os-shell-iamguarded
494
tag: 1.0.0
495
digest: ""
496
pullPolicy: IfNotPresent
497
## Optionally specify an array of imagePullSecrets.
498
## Secrets must be manually created in the namespace.
499
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
500
## Example:
501
## pullSecrets:
502
## - myRegistryKeySecretName
503
##
504
pullSecrets: []
505
## Configure "volume-permissions" init-container Security Context
506
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
507
## @param defaultInitContainers.volumePermissions.containerSecurityContext.enabled Enabled "volume-permissions" init-containers' Security Context
508
## @param defaultInitContainers.volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "volume-permissions" init-containers
509
## @param defaultInitContainers.volumePermissions.containerSecurityContext.runAsUser Set runAsUser in "volume-permissions" init-containers' Security Context
510
## @param defaultInitContainers.volumePermissions.containerSecurityContext.privileged Set privileged in "volume-permissions" init-containers' Security Context
511
## @param defaultInitContainers.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "volume-permissions" init-containers' Security Context
512
## @param defaultInitContainers.volumePermissions.containerSecurityContext.capabilities.add List of capabilities to be added in "volume-permissions" init-containers
513
## @param defaultInitContainers.volumePermissions.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "volume-permissions" init-containers
514
## @param defaultInitContainers.volumePermissions.containerSecurityContext.seccompProfile.type Set seccomp profile in "volume-permissions" init-containers
515
##
516
containerSecurityContext:
517
enabled: true
518
seLinuxOptions: {}
519
runAsUser: 0
520
privileged: false
521
allowPrivilegeEscalation: false
522
capabilities:
523
add: []
524
drop: ["ALL"]
525
seccompProfile:
526
type: "RuntimeDefault"
527
## Kafka "volume-permissions" init container resource requests and limits
528
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
529
## @param defaultInitContainers.volumePermissions.resourcesPreset Set Kafka "volume-permissions" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.volumePermissions.resources is set (defaultInitContainers.volumePermissions.resources is recommended for production).
530
## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
531
##
532
resourcesPreset: "nano"
533
## @param defaultInitContainers.volumePermissions.resources Set Kafka "volume-permissions" init container requests and limits for different resources like CPU or memory (essential for production workloads)
534
## E.g:
535
## resources:
536
## requests:
537
## cpu: 2
538
## memory: 512Mi
539
## limits:
540
## cpu: 3
541
## memory: 1024Mi
542
##
543
resources: {}
544
  ## Kafka "prepare-config" init container
  ## Used to prepare the Kafka configuration files for main containers to use them
  ##
  prepareConfig:
    ## Configure "prepare-config" init-container Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.enabled Enabled "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "prepare-config" init-containers
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.runAsUser Set runAsUser in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.runAsGroup Set runAsGroup in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.runAsNonRoot Set runAsNonRoot in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.privileged Set privileged in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.capabilities.add List of capabilities to be added in "prepare-config" init-containers
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "prepare-config" init-containers
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.seccompProfile.type Set seccomp profile in "prepare-config" init-containers
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        add: []
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## Kafka "prepare-config" init container resource requests and limits
    ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param defaultInitContainers.prepareConfig.resourcesPreset Set Kafka "prepare-config" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.prepareConfig.resources is set (defaultInitContainers.prepareConfig.resources is recommended for production).
    ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
    ##
    resourcesPreset: "nano"
    ## @param defaultInitContainers.prepareConfig.resources Set Kafka "prepare-config" init container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## E.g:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
    ## @param defaultInitContainers.prepareConfig.extraInit Additional content for the "prepare-config" init script, rendered as a template.
    ##
    extraInit: ""
  ## 'auto-discovery' init container
  ## Used to auto-detect LB IPs or node ports by querying the K8s API
  ## Note: RBAC might be required
  ##
  autoDiscovery:
    ## @param defaultInitContainers.autoDiscovery.enabled Enable init container that auto-detects external IPs/ports by querying the K8s API
    ##
    enabled: false
    ## Iamguarded Kubectl image
    ## @param defaultInitContainers.autoDiscovery.image.registry [default: REGISTRY_NAME] "auto-discovery" init-containers' image registry
    ## @param defaultInitContainers.autoDiscovery.image.repository [default: REPOSITORY_NAME/os-shell] "auto-discovery" init-containers' image repository
    ## @skip defaultInitContainers.autoDiscovery.image.tag "auto-discovery" init-containers' image tag (immutable tags are recommended)
    ## @param defaultInitContainers.autoDiscovery.image.digest "auto-discovery" init-containers' image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param defaultInitContainers.autoDiscovery.image.pullPolicy "auto-discovery" init-containers' image pull policy
    ## @param defaultInitContainers.autoDiscovery.image.pullSecrets "auto-discovery" init-containers' image pull secrets
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/kubectl-iamguarded
      tag: 1.35.2
      digest: ""
      ## Specify an imagePullPolicy
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## e.g:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## Configure "auto-discovery" init-container Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.enabled Enabled "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "auto-discovery" init-containers
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.runAsUser Set runAsUser in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.runAsGroup Set runAsGroup in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.runAsNonRoot Set runAsNonRoot in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.privileged Set privileged in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.capabilities.add List of capabilities to be added in "auto-discovery" init-containers
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "auto-discovery" init-containers
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.seccompProfile.type Set seccomp profile in "auto-discovery" init-containers
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        add: []
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## Kafka "auto-discovery" init container resource requests and limits
    ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param defaultInitContainers.autoDiscovery.resourcesPreset Set Kafka "auto-discovery" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.autoDiscovery.resources is set (defaultInitContainers.autoDiscovery.resources is recommended for production).
    ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
    ##
    resourcesPreset: "nano"
    ## @param defaultInitContainers.autoDiscovery.resources Set Kafka "auto-discovery" init container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## E.g:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
## @section Controller-eligible statefulset parameters
##
controller:
  ## @param controller.replicaCount Number of Kafka controller-eligible nodes
  ##
  replicaCount: 3
  ## @param controller.controllerOnly If set to true, controller nodes will be deployed as dedicated controllers, instead of controller+broker processes.
  ##
  controllerOnly: false
  ## @param controller.quorumBootstrapServers Override the Kafka controller quorum bootstrap servers of the Kafka Kraft cluster. If not set, it will be automatically configured to use all controller-eligible nodes.
  ##
  quorumBootstrapServers: ""
  ## @param controller.minId Minimal node.id values for controller-eligible nodes. Do not change after first initialization.
  ## Broker-only id increment their ID starting at this minimal value.
  ## We recommend setting this value high enough, as IDs under this value will be used by controller-eligible nodes
  ##
  minId: 0
  ## @param controller.config Specify content for Kafka configuration for Kafka controller-eligible nodes (auto-generated based on other parameters otherwise)
  ## NOTE: This will override the configuration based on values, please act carefully
  ## Use simple key-value YAML format, then it's transformed to properties format by the chart. e.g:
  ##   process.roles: controller
  ## ... will be transformed to:
  ##   process.roles=controller
  ##
  config: {}
  ## @param controller.overrideConfiguration Kafka configuration override for Kafka controller-eligible nodes. Values defined here take precedence over the ones defined at `controller.config`
  ##
  overrideConfiguration: {}
  ## @param controller.existingConfigmap Name of an existing ConfigMap with the Kafka configuration for Kafka controller-eligible nodes
  ##
  existingConfigmap: ""
  ## @param controller.secretConfig Additional configuration to be appended at the end of the generated Kafka configuration for Kafka controller-eligible nodes (store in a secret)
  ##
  secretConfig: ""
  ## @param controller.existingSecretConfig Secret with additional configuration that will be appended to the end of the generated Kafka configuration for Kafka controller-eligible nodes
  ## The key for the configuration should be: server-secret.properties
  ## NOTE: This will override secretConfig value
  ##
  existingSecretConfig: ""
  ## @param controller.heapOpts Kafka Java Heap configuration for controller-eligible nodes
  ##
  heapOpts: -XX:InitialRAMPercentage=75 -XX:MaxRAMPercentage=75
  ## @param controller.command Override Kafka container command
  ##
  command: []
  ## @param controller.args Override Kafka container arguments
  ##
  args: []
  ## @param controller.extraEnvVars Extra environment variables to add to Kafka pods
  ## ref: https://github.com/iamguarded/containers/tree/main/iamguarded/kafka#configuration
  ## e.g:
  ## extraEnvVars:
  ##   - name: KAFKA_CFG_BACKGROUND_THREADS
  ##     value: "10"
  ##
  extraEnvVars: []
  ## @param controller.extraEnvVarsCM ConfigMap with extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param controller.extraEnvVarsSecret Secret with extra environment variables
  ##
  extraEnvVarsSecret: ""
  ## @param controller.extraContainerPorts Kafka controller-eligible extra containerPorts.
  ##
  extraContainerPorts: []
  ## Configure extra options for Kafka containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param controller.livenessProbe.enabled Enable livenessProbe on Kafka containers
  ## @param controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param controller.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param controller.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param controller.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
    periodSeconds: 10
    successThreshold: 1
  ## @param controller.readinessProbe.enabled Enable readinessProbe on Kafka containers
  ## @param controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param controller.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param controller.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param controller.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    failureThreshold: 6
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
  ## @param controller.startupProbe.enabled Enable startupProbe on Kafka containers
  ## @param controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param controller.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param controller.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param controller.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param controller.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param controller.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param controller.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param controller.lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## Kafka resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "small"
  ## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Kafka pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param controller.podSecurityContext.enabled Enable security context for the pods
  ## @param controller.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param controller.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param controller.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param controller.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup
  ## @param controller.podSecurityContext.seccompProfile.type Set Kafka pods' Security Context seccomp profile
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
  ## Kafka containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param controller.containerSecurityContext.enabled Enable Kafka containers' Security Context
  ## @param controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param controller.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param controller.containerSecurityContext.runAsGroup Set Kafka containers' Security Context runAsGroup
  ## @param controller.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot
  ## @param controller.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged
  ## @param controller.containerSecurityContext.readOnlyRootFilesystem Allows the pod to mount the RootFS as ReadOnly only
  ## @param controller.containerSecurityContext.capabilities.drop Set Kafka containers' server Security Context capabilities to be dropped
  ## e.g:
  ##   containerSecurityContext:
  ##     enabled: true
  ##     capabilities:
  ##       drop: ["NET_RAW"]
  ##     readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  ## @param controller.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param controller.hostAliases Kafka pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param controller.hostNetwork Specify if host network should be enabled for Kafka pods
  ##
  hostNetwork: false
  ## @param controller.hostIPC Specify if host IPC should be enabled for Kafka pods
  ##
  hostIPC: false
  ## @param controller.podLabels Extra labels for Kafka pods
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param controller.podAnnotations Extra annotations for Kafka pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param controller.topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used
  ## i.e. topologyKey: topology.kubernetes.io/zone
  ##
  topologyKey: ""
  ## @param controller.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param controller.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param controller.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param controller.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param controller.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param controller.affinity Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param controller.nodeSelector Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param controller.tolerations Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param controller.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param controller.terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
  ##
  terminationGracePeriodSeconds: ""
  ## @param controller.podManagementPolicy StatefulSet controller supports relaxing its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
  ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
  ##
  podManagementPolicy: Parallel
  ## @param controller.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update
  ##
  minReadySeconds: 0
  ## @param controller.priorityClassName Name of the existing priority class to be used by kafka pods
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param controller.runtimeClassName Name of the runtime class to be used by pod(s)
  ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## @param controller.enableServiceLinks Whether information about services should be injected into pod's environment variable
  ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace.
  ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
  ##
  enableServiceLinks: true
  ## @param controller.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param controller.updateStrategy.type Kafka statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param controller.extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s)
  ## e.g:
  ## extraVolumes:
  ##   - name: kafka-jaas
  ##     secret:
  ##       secretName: kafka-jaas
  ##
  extraVolumes: []
  ## @param controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s)
  ## extraVolumeMounts:
  ##   - name: kafka-jaas
  ##     mountPath: /iamguarded/kafka/config/kafka_jaas.conf
  ##     subPath: kafka_jaas.conf
  ##
  extraVolumeMounts: []
  ## @param controller.sidecars Add additional sidecar containers to the Kafka pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param controller.initContainers Add additional init containers to the Kafka pod(s)
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## @section Experimental: Kafka Controller Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param controller.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param controller.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param controller.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param controller.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ## cpu: 200m
      ## memory: 100Mi
      maxAllowed: {}
      ## @param controller.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ## cpu: 200m
      ## memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param controller.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param controller.autoscaling.hpa.enabled Enable HPA for Kafka Controller
      ##
      enabled: false
      ## @param controller.autoscaling.hpa.annotations Annotations for HPA resource
      ##
      annotations: {}
      ## @param controller.autoscaling.hpa.minReplicas Minimum number of Kafka Controller replicas
      ##
      minReplicas: ""
      ## @param controller.autoscaling.hpa.maxReplicas Maximum number of Kafka Controller replicas
      ##
      maxReplicas: ""
      ## @param controller.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param controller.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## Kafka Pod Disruption Budget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  ## @param controller.pdb.create Deploy a pdb object for the Kafka pod
  ## @param controller.pdb.minAvailable Minimum number/percentage of available Kafka replicas
  ## @param controller.pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## persistentVolumeClaimRetentionPolicy
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
  ## @param controller.persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet
  ## @param controller.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
  ## @param controller.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
  ##
  persistentVolumeClaimRetentionPolicy:
    enabled: false
    whenScaled: Retain
    whenDeleted: Retain
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param controller.persistence.enabled Enable Kafka data persistence using PVC
    ##
    enabled: true
    ## @param controller.persistence.existingClaim A manually managed Persistent Volume and Claim
    ## If defined, PVC must be created manually before volume will be bound
    ## The value is evaluated as a template
    ##
    existingClaim: ""
    ## @param controller.persistence.storageClass PVC Storage Class for Kafka data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param controller.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param controller.persistence.size PVC Storage Request for Kafka data volume
    ##
    size: 8Gi
    ## @param controller.persistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param controller.persistence.labels Labels for the PVC
    ##
    labels: {}
    ## @param controller.persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param controller.persistence.mountPath Mount path of the Kafka data volume
    ##
    mountPath: /iamguarded/kafka
  ## Log Persistence parameters
  ##
  logPersistence:
    ## @param controller.logPersistence.enabled Enable Kafka logs persistence using PVC
    ##
    enabled: false
    ## @param controller.logPersistence.existingClaim A manually managed Persistent Volume and Claim
    ## If defined, PVC must be created manually before volume will be bound
    ## The value is evaluated as a template
    ##
    existingClaim: ""
    ## @param controller.logPersistence.storageClass PVC Storage Class for Kafka logs volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param controller.logPersistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param controller.logPersistence.size PVC Storage Request for Kafka logs volume
    ##
    size: 8Gi
    ## @param controller.logPersistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param controller.logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param controller.logPersistence.mountPath Mount path of the Kafka logs volume
    ##
    mountPath: /opt/iamguarded/kafka/logs
## @section Broker-only statefulset parameters
##
broker:
  ## @param broker.replicaCount Number of Kafka broker-only nodes
  ##
  replicaCount: 0
  ## @param broker.minId Minimal node.id values for broker-only nodes. Do not change after first initialization.
  ## Broker-only nodes increment their ID starting at this minimal value.
  ## We recommend setting this value high enough, as IDs under this value will be used by controller-eligible nodes
  ##
  minId: 100
  ## @param broker.config Specify content for Kafka configuration for Kafka broker-only nodes (auto-generated based on other parameters otherwise)
  ## NOTE: This will override the configuration based on values, please act carefully
  ## Use simple key-value YAML format, then it's transformed to properties format by the chart. e.g:
  ##   process.roles: broker
  ## ... will be transformed to:
  ##   process.roles=broker
  ##
  config: {}
  ## @param broker.overrideConfiguration Kafka configuration override for Kafka broker-only nodes. Values defined here take precedence over the ones defined at `broker.config`
  ##
  overrideConfiguration: {}
  ## @param broker.existingConfigmap Name of an existing ConfigMap with the Kafka configuration for Kafka broker-only nodes
  ##
  existingConfigmap: ""
  ## @param broker.secretConfig Additional configuration to be appended at the end of the generated Kafka configuration for Kafka broker-only nodes (store in a secret)
  ##
  secretConfig: ""
  ## @param broker.existingSecretConfig Secret with additional configuration that will be appended to the end of the generated Kafka configuration for Kafka broker-only nodes
  ## The key for the configuration should be: server-secret.properties
  ## NOTE: This will override secretConfig value
  ##
  existingSecretConfig: ""
  ## @param broker.heapOpts Kafka Java Heap configuration for broker-only nodes
  ##
  heapOpts: -XX:InitialRAMPercentage=75 -XX:MaxRAMPercentage=75
  ## @param broker.command Override Kafka container command
  ##
  command: []
  ## @param broker.args Override Kafka container arguments
  ##
  args: []
  ## @param broker.extraEnvVars Extra environment variables to add to Kafka pods
  ## ref: https://github.com/iamguarded/containers/tree/main/iamguarded/kafka#configuration
  ## e.g:
  ## extraEnvVars:
  ##   - name: KAFKA_CFG_BACKGROUND_THREADS
  ##     value: "10"
  ##
  extraEnvVars: []
  ## @param broker.extraEnvVarsCM ConfigMap with extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param broker.extraEnvVarsSecret Secret with extra environment variables
  ##
  extraEnvVarsSecret: ""
  ## @param broker.extraContainerPorts Kafka broker-only extra containerPorts.
  ##
  extraContainerPorts: []
  ## Configure extra options for Kafka containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param broker.livenessProbe.enabled Enable livenessProbe on Kafka containers
  ## @param broker.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param broker.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param broker.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param broker.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param broker.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
    periodSeconds: 10
    successThreshold: 1
  ## @param broker.readinessProbe.enabled Enable readinessProbe on Kafka containers
  ## @param broker.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param broker.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param broker.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param broker.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param broker.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    failureThreshold: 6
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
  ## @param broker.startupProbe.enabled Enable startupProbe on Kafka containers
  ## @param broker.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param broker.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param broker.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param broker.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param broker.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param broker.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param broker.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param broker.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param broker.lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## Kafka resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param broker.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if broker.resources is set (broker.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "small"
  ## @param broker.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Kafka pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param broker.podSecurityContext.enabled Enable security context for the pods
  ## @param broker.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param broker.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param broker.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param broker.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup
  ## @param broker.podSecurityContext.seccompProfile.type Set Kafka pod's Security Context seccomp profile
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
  ## Kafka containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param broker.containerSecurityContext.enabled Enable Kafka containers' Security Context
  ## @param broker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param broker.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param broker.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param broker.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot
  ## @param broker.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged
  ## @param broker.containerSecurityContext.readOnlyRootFilesystem Mount the container's root filesystem as read-only
  ## @param broker.containerSecurityContext.capabilities.drop Set Kafka containers' server Security Context capabilities to be dropped
  ## e.g:
  ## containerSecurityContext:
  ##   enabled: true
  ##   capabilities:
  ##     drop: ["NET_RAW"]
  ##   readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  ## @param broker.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param broker.hostAliases Kafka pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param broker.hostNetwork Specify if host network should be enabled for Kafka pods
  ##
  hostNetwork: false
  ## @param broker.hostIPC Specify if host IPC should be enabled for Kafka pods
  ##
  hostIPC: false
  ## @param broker.podLabels Extra labels for Kafka pods
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param broker.podAnnotations Extra annotations for Kafka pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param broker.topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used
  ## i.e. topologyKey: topology.kubernetes.io/zone
  ##
  topologyKey: ""
  ## @param broker.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param broker.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param broker.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param broker.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param broker.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param broker.affinity Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param broker.nodeSelector Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param broker.tolerations Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param broker.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param broker.terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
  ##
  terminationGracePeriodSeconds: ""
  ## @param broker.podManagementPolicy StatefulSet controller supports relaxing its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
  ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
  ##
  podManagementPolicy: Parallel
  ## @param broker.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update
  ##
  minReadySeconds: 0
  ## @param broker.priorityClassName Name of the existing priority class to be used by kafka pods
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param broker.runtimeClassName Name of the runtime class to be used by pod(s)
  ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## @param broker.enableServiceLinks Whether information about services should be injected into pod's environment variables
  ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace.
  ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
  ##
  enableServiceLinks: true
  ## @param broker.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param broker.updateStrategy.type Kafka statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param broker.extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s)
  ## e.g:
  ## extraVolumes:
  ##   - name: kafka-jaas
  ##     secret:
  ##       secretName: kafka-jaas
  ##
  extraVolumes: []
  ## @param broker.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s)
  ## extraVolumeMounts:
  ##   - name: kafka-jaas
  ##     mountPath: /iamguarded/kafka/config/kafka_jaas.conf
  ##     subPath: kafka_jaas.conf
  ##
  extraVolumeMounts: []
  ## @param broker.sidecars Add additional sidecar containers to the Kafka pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param broker.initContainers Add additional init containers to the Kafka pod(s)
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## Kafka Pod Disruption Budget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  ## @param broker.pdb.create Deploy a pdb object for the Kafka pod
  ## @param broker.pdb.minAvailable Minimum number/percentage of Kafka replicas that must remain available
  ## @param broker.pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @section Experimental: Kafka Broker Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param broker.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param broker.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param broker.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param broker.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param broker.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param broker.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param broker.autoscaling.hpa.enabled Enable HPA for Kafka Broker
      ##
      enabled: false
      ## @param broker.autoscaling.hpa.annotations Annotations for HPA resource
      ##
      annotations: {}
      ## @param broker.autoscaling.hpa.minReplicas Minimum number of Kafka Broker replicas
      ##
      minReplicas: ""
      ## @param broker.autoscaling.hpa.maxReplicas Maximum number of Kafka Broker replicas
      ##
      maxReplicas: ""
      ## @param broker.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param broker.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## persistentVolumeClaimRetentionPolicy
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
  ## @param broker.persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet
  ## @param broker.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
  ## @param broker.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
  ##
  persistentVolumeClaimRetentionPolicy:
    enabled: false
    whenScaled: Retain
    whenDeleted: Retain
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param broker.persistence.enabled Enable Kafka data persistence using PVC
    ##
    enabled: true
    ## @param broker.persistence.existingClaim A manually managed Persistent Volume and Claim
    ## If defined, PVC must be created manually before volume will be bound
    ## The value is evaluated as a template
    ##
    existingClaim: ""
    ## @param broker.persistence.storageClass PVC Storage Class for Kafka data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param broker.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param broker.persistence.size PVC Storage Request for Kafka data volume
    ##
    size: 8Gi
    ## @param broker.persistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param broker.persistence.labels Labels for the PVC
    ##
    labels: {}
    ## @param broker.persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param broker.persistence.mountPath Mount path of the Kafka data volume
    ##
    mountPath: /iamguarded/kafka
  ## Log Persistence parameters
  ##
  logPersistence:
    ## @param broker.logPersistence.enabled Enable Kafka logs persistence using PVC
    ##
    enabled: false
    ## @param broker.logPersistence.existingClaim A manually managed Persistent Volume and Claim
    ## If defined, PVC must be created manually before volume will be bound
    ## The value is evaluated as a template
    ##
    existingClaim: ""
    ## @param broker.logPersistence.storageClass PVC Storage Class for Kafka logs volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param broker.logPersistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param broker.logPersistence.size PVC Storage Request for Kafka logs volume
    ##
    size: 8Gi
    ## @param broker.logPersistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param broker.logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param broker.logPersistence.mountPath Mount path of the Kafka logs volume
    ##
    mountPath: /opt/iamguarded/kafka/logs
## @section Traffic Exposure parameters
##

## Service parameters
##
service:
  ## @param service.type Kubernetes Service type
  ##
  type: ClusterIP
  ## @param service.ports.client Kafka svc port for client connections
  ## @param service.ports.controller Kafka svc port for controller connections
  ## @param service.ports.interbroker Kafka svc port for inter-broker connections
  ## @param service.ports.external Kafka svc port for external connections
  ##
  ports:
    client: 9092
    controller: 9093
    interbroker: 9094
    external: 9095
  ## @param service.extraPorts Extra ports to expose in the Kafka service (normally used with the `sidecar` value)
  ##
  extraPorts: []
  ## @param service.nodePorts.client Node port for the Kafka client connections
  ## @param service.nodePorts.external Node port for the Kafka external connections
  ## NOTE: choose port between <30000-32767>
  ##
  nodePorts:
    client: ""
    external: ""
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
  ## @param service.clusterIP Kafka service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP Kafka service Load Balancer IP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerClass Kafka service Load Balancer Class
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
  ##
  loadBalancerClass: ""
  ## @param service.loadBalancerSourceRanges Kafka service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
  ##
  allocateLoadBalancerNodePorts: true
  ## @param service.externalTrafficPolicy Kafka service external traffic policy
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Additional custom annotations for Kafka service
  ##
  annotations: {}
  ## Headless service properties
  ##
  headless:
    controller:
      ## @param service.headless.controller.annotations Annotations for the controller-eligible headless service.
      ##
      annotations: {}
      ## @param service.headless.controller.labels Labels for the controller-eligible headless service.
      ##
      labels: {}
    broker:
      ## @param service.headless.broker.annotations Annotations for the broker-only headless service.
      ##
      annotations: {}
      ## @param service.headless.broker.labels Labels for the broker-only headless service.
      ##
      labels: {}
    ## @param service.headless.ipFamilies IP families for the headless service
    ##
    ipFamilies: []
    ## @param service.headless.ipFamilyPolicy IP family policy for the headless service
    ##
    ipFamilyPolicy: ""
## External Access to Kafka brokers configuration
##
externalAccess:
  ## @param externalAccess.enabled Enable Kubernetes external cluster access to Kafka brokers
  ##
  enabled: false
  ## Service settings
  controller:
    ## @param externalAccess.controller.forceExpose If set to true, force exposing controller-eligible nodes although they are configured as controller-only nodes
    ##
    forceExpose: false
    ## Parameters to configure K8s service(s) used to externally access Kafka brokers
    ## Note: A new service per broker will be created
    ##
    service:
      ## @param externalAccess.controller.service.type Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP
      ##
      type: LoadBalancer
      ## @param externalAccess.controller.service.ports.external Kafka port used for external access when service type is LoadBalancer
      ##
      ports:
        external: 9094
      ## @param externalAccess.controller.service.loadBalancerClass Kubernetes Service Load Balancer class for external access when service type is LoadBalancer
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
      ##
      loadBalancerClass: ""
      ## @param externalAccess.controller.service.loadBalancerIPs Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerIPs:
      ##   - X.X.X.X
      ##   - Y.Y.Y.Y
      ##
      loadBalancerIPs: []
      ## @param externalAccess.controller.service.loadBalancerNames Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerNames:
      ##   - broker1.external.example.com
      ##   - broker2.external.example.com
      ##
      loadBalancerNames: []
      ## @param externalAccess.controller.service.loadBalancerAnnotations Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerAnnotations:
      ##   - external-dns.alpha.kubernetes.io/hostname: broker1.external.example.com.
      ##   - external-dns.alpha.kubernetes.io/hostname: broker2.external.example.com.
      ##
      loadBalancerAnnotations: []
      ## @param externalAccess.controller.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param externalAccess.controller.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
      ##
      allocateLoadBalancerNodePorts: true
      ## @param externalAccess.controller.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## nodePorts:
      ##   - 30001
      ##   - 30002
      ##
      nodePorts: []
      ## @param externalAccess.controller.service.externalIPs Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount
      ## e.g:
      ## externalIPs:
      ##   - X.X.X.X
      ##   - Y.Y.Y.Y
      ##
      externalIPs: []
      ## @param externalAccess.controller.service.useHostIPs Use service host IPs to configure Kafka external listener when service type is NodePort
      ##
      useHostIPs: false
      ## @param externalAccess.controller.service.usePodIPs Use the MY_POD_IP address for external access.
      ##
      usePodIPs: false
      ## @param externalAccess.controller.service.domain Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP
      ## NodePort: If not specified, the container will try to get the kubernetes node external IP
      ## ClusterIP: Must be specified, ingress IP or domain where tcp for external ports is configured
      ##
      domain: ""
      ## @param externalAccess.controller.service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready
      ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/
      ##
      publishNotReadyAddresses: false
      ## @param externalAccess.controller.service.labels Service labels for external access
      ##
      labels: {}
      ## @param externalAccess.controller.service.annotations Service annotations for external access
      ##
      annotations: {}
      ## @param externalAccess.controller.service.extraPorts Extra ports to expose in the Kafka external service
      ##
      extraPorts: []
      ## @param externalAccess.controller.service.ipFamilies IP families for the external controller service
      ##
      ipFamilies: []
      ## @param externalAccess.controller.service.ipFamilyPolicy IP family policy for the external controller service
      ##
      ipFamilyPolicy: ""
  broker:
    ## Parameters to configure K8s service(s) used to externally access Kafka brokers
    ## Note: A new service per broker will be created
    ##
    service:
      ## @param externalAccess.broker.service.type Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP
      ##
      type: LoadBalancer
      ## @param externalAccess.broker.service.ports.external Kafka port used for external access when service type is LoadBalancer
      ##
      ports:
        external: 9094
      ## @param externalAccess.broker.service.loadBalancerClass Kubernetes Service Load Balancer class for external access when service type is LoadBalancer
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
      ##
      loadBalancerClass: ""
      ## @param externalAccess.broker.service.loadBalancerIPs Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerIPs:
      ##   - X.X.X.X
      ##   - Y.Y.Y.Y
      ##
      loadBalancerIPs: []
      ## @param externalAccess.broker.service.loadBalancerNames Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerNames:
      ##   - broker1.external.example.com
      ##   - broker2.external.example.com
      ##
      loadBalancerNames: []
      ## @param externalAccess.broker.service.loadBalancerAnnotations Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerAnnotations:
      ##   - external-dns.alpha.kubernetes.io/hostname: broker1.external.example.com.
      ##   - external-dns.alpha.kubernetes.io/hostname: broker2.external.example.com.
      ##
      loadBalancerAnnotations: []
      ## @param externalAccess.broker.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param externalAccess.broker.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
      ##
      allocateLoadBalancerNodePorts: true
      ## @param externalAccess.broker.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## nodePorts:
      ##   - 30001
      ##   - 30002
      ##
      nodePorts: []
      ## @param externalAccess.broker.service.externalIPs Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount
      ## e.g:
      ## externalIPs:
      ##   - X.X.X.X
      ##   - Y.Y.Y.Y
      ##
      externalIPs: []
      ## @param externalAccess.broker.service.useHostIPs Use service host IPs to configure Kafka external listener when service type is NodePort
      ##
      useHostIPs: false
      ## @param externalAccess.broker.service.usePodIPs Use the MY_POD_IP address for external access.
      ##
      usePodIPs: false
      ## @param externalAccess.broker.service.domain Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP
      ## NodePort: If not specified, the container will try to get the kubernetes node external IP
1865
## ClusterIP: Must be specified, ingress IP or domain where tcp for external ports is configured
1866
##
1867
domain: ""
1868
## @param externalAccess.broker.service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready
1869
## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/
1870
##
1871
publishNotReadyAddresses: false
1872
## @param externalAccess.broker.service.labels Service labels for external access
1873
##
1874
labels: {}
1875
## @param externalAccess.broker.service.annotations Service annotations for external access
1876
##
1877
annotations: {}
1878
## @param externalAccess.broker.service.extraPorts Extra ports to expose in the Kafka external service
1879
##
1880
extraPorts: []
1881
## @param externalAccess.broker.service.ipFamilies IP families for the external broker service
1882
##
1883
ipFamilies: []
1884
## @param externalAccess.broker.service.ipFamilyPolicy IP family policy for the external broker service
1885
##
1886
ipFamilyPolicy: ""
## Network policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: true
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## When set to false, only pods with the correct client label will have network access to the port Kafka is
  ## listening on. When true, Kafka will accept connections from any source (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of ports and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
  ##
  addExternalClientAccess: true
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
  ## e.g:
  ## ingressPodMatchLabels:
  ##   my-client: "true"
  ##
  ingressPodMatchLabels: {}
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
## @section Other Parameters

## ServiceAccount for Kafka
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
  ## @param serviceAccount.create Enable creation of ServiceAccount for Kafka pods
  ##
  create: true
  ## @param serviceAccount.name The name of the service account to use. If not set and `create` is `true`, a name is generated
  ## If not set and create is true, a name is generated using the kafka.serviceAccountName template
  ##
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
  ## Can be set to false if pods using this serviceAccount do not need to use K8s API
  ##
  automountServiceAccountToken: false
  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
  ##
  annotations: {}
## Role Based Access Control
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
  ## @param rbac.create Whether to create & use RBAC resources or not
  ## binding Kafka ServiceAccount to a role
  ## that allows Kafka pods querying the K8s API
  ##
  create: false
## @section Metrics parameters

## Prometheus Exporters / Metrics
##
metrics:
  ## Prometheus JMX exporter: exposes the majority of Kafka metrics
  ##
  jmx:
    ## @param metrics.jmx.enabled Whether or not to expose JMX metrics to Prometheus
    ##
    enabled: false
    ## @param metrics.jmx.kafkaJmxPort JMX port where the exporter will collect metrics, exposed in the Kafka container.
    ##
    kafkaJmxPort: 5555
    ## Iamguarded JMX exporter image
    ## ref: https://hub.docker.com/r/iamguarded/jmx-exporter/tags/
    ## @param metrics.jmx.image.registry [default: REGISTRY_NAME] JMX exporter image registry
    ## @param metrics.jmx.image.repository [default: REPOSITORY_NAME/jmx-exporter] JMX exporter image repository
    ## @skip metrics.jmx.image.tag JMX exporter image tag (immutable tags are recommended)
    ## @param metrics.jmx.image.digest JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param metrics.jmx.image.pullPolicy JMX exporter image pull policy
    ## @param metrics.jmx.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/jmx-exporter-iamguarded
      tag: 1.5.0
      digest: ""
      ## Specify an imagePullPolicy
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## e.g:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## Prometheus JMX exporter containers' Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param metrics.jmx.containerSecurityContext.enabled Enable Prometheus JMX exporter containers' Security Context
    ## @param metrics.jmx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
    ## @param metrics.jmx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
    ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set Prometheus JMX exporter containers' Security Context runAsNonRoot
    ## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set Prometheus JMX exporter containers' Security Context allowPrivilegeEscalation
    ## @param metrics.jmx.containerSecurityContext.readOnlyRootFilesystem Set Prometheus JMX exporter containers' Security Context readOnlyRootFilesystem
    ## @param metrics.jmx.containerSecurityContext.capabilities.drop Set Prometheus JMX exporter containers' Security Context capabilities to be dropped
    ## e.g:
    ##   containerSecurityContext:
    ##     enabled: true
    ##     capabilities:
    ##       drop: ["NET_RAW"]
    ##     readOnlyRootFilesystem: true
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    ## @param metrics.jmx.containerPorts.metrics Prometheus JMX exporter metrics container port
    ##
    containerPorts:
      metrics: 5556
    ## Prometheus JMX exporter resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param metrics.jmx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.jmx.resources is set (metrics.jmx.resources is recommended for production).
    ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
    ##
    resourcesPreset: "micro"
    ## @param metrics.jmx.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
    ## Configure extra options for liveness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param metrics.jmx.livenessProbe.enabled Enable livenessProbe
    ## @param metrics.jmx.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
    ## @param metrics.jmx.livenessProbe.periodSeconds Period seconds for livenessProbe
    ## @param metrics.jmx.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
    ## @param metrics.jmx.livenessProbe.failureThreshold Failure threshold for livenessProbe
    ## @param metrics.jmx.livenessProbe.successThreshold Success threshold for livenessProbe
    ##
    livenessProbe:
      enabled: true
      initialDelaySeconds: 60
      periodSeconds: 10
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 3
    ## Configure extra options for readiness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param metrics.jmx.readinessProbe.enabled Enable readinessProbe
    ## @param metrics.jmx.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
    ## @param metrics.jmx.readinessProbe.periodSeconds Period seconds for readinessProbe
    ## @param metrics.jmx.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
    ## @param metrics.jmx.readinessProbe.failureThreshold Failure threshold for readinessProbe
    ## @param metrics.jmx.readinessProbe.successThreshold Success threshold for readinessProbe
    ##
    readinessProbe:
      enabled: true
      initialDelaySeconds: 30
      periodSeconds: 10
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 3
    ## Prometheus JMX exporter service configuration
    ##
    service:
      ## @param metrics.jmx.service.ports.metrics Prometheus JMX exporter metrics service port
      ##
      ports:
        metrics: 5556
      ## @param metrics.jmx.service.clusterIP Static clusterIP or None for headless services
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
      ##
      clusterIP: ""
      ## @param metrics.jmx.service.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param metrics.jmx.service.annotations [object] Annotations for the Prometheus JMX exporter service
      ##
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.metrics.jmx.service.ports.metrics }}"
        prometheus.io/path: "/metrics"
      ## @param metrics.jmx.service.ipFamilies IP families for the jmx metrics service
      ##
      ipFamilies: []
      ## @param metrics.jmx.service.ipFamilyPolicy IP family policy for the jmx metrics service
      ##
      ipFamilyPolicy: ""
    ## @param metrics.jmx.whitelistObjectNames Allows setting which JMX objects you want to expose via JMX stats to JMX exporter
    ## Only whitelisted values will be exposed via JMX exporter. They must also be exposed via Rules. To expose all metrics
    ## (warning: it's crazy excessive and they aren't formatted in a Prometheus style) (1) `whitelistObjectNames: []`
    ## (2) commented out above `overrideConfig`.
    ##
    whitelistObjectNames:
      - kafka.controller:*
      - kafka.server:*
      - java.lang:*
      - kafka.network:*
      - kafka.log:*
    ## @param metrics.jmx.config [string] Configuration file for JMX exporter
    ## Specify content for jmx-kafka-prometheus.yml. Evaluated as a template
    ##
    ## Credits to the incubator/kafka chart for the JMX configuration.
    ## https://github.com/helm/charts/tree/master/incubator/kafka
    ##
    config: |-
      jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:{{ .Values.metrics.jmx.kafkaJmxPort }}/jmxrmi
      lowercaseOutputName: true
      lowercaseOutputLabelNames: true
      ssl: false
      {{- if .Values.metrics.jmx.whitelistObjectNames }}
      whitelistObjectNames: ["{{ join "\",\"" .Values.metrics.jmx.whitelistObjectNames }}"]
      {{- end }}
    ## @param metrics.jmx.existingConfigmap Name of existing ConfigMap with JMX exporter configuration
    ## NOTE: This will override metrics.jmx.config
    ##
    existingConfigmap: ""
    ## @param metrics.jmx.extraRules Add extra rules to JMX exporter configuration
    ## e.g:
    ## extraRules: |-
    ##   - pattern: kafka.server<type=socket-server-metrics, listener=(.+), networkProcessor=(.+)><>(connection-count)
    ##     name: kafka_server_socket_server_metrics_$3
    ##     labels:
    ##       listener: $1
    ##
    extraRules: ""
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.jmx.enabled` to be `true`)
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.path Path where JMX exporter serves metrics
    ##
    path: /metrics
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ## ref: https://github.com/iamguarded/charts/tree/main/iamguarded/prometheus-operator#prometheus-configuration
    ##
    selector: {}
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add to the scrape endpoint
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus.
    ##
    jobLabel: ""
  prometheusRule:
    ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (requires `metrics.jmx.enabled` to be `true`)
    ##
    enabled: false
    ## @param metrics.prometheusRule.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.prometheusRule.groups Prometheus Rule Groups for Kafka
    ##
    groups: []
## @section Kafka provisioning parameters
##

## Kafka provisioning
##
provisioning:
  ## @param provisioning.enabled Enable Kafka provisioning Job
  ##
  enabled: false
  ## @param provisioning.waitForKafka Whether an init container should be created to wait until Kafka is ready before provisioning
  ##
  waitForKafka: true
  ## @param provisioning.useHelmHooks Flag to indicate usage of helm hooks
  ##
  useHelmHooks: true
  ## @param provisioning.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param provisioning.numPartitions Default number of partitions for topics when unspecified
  ##
  numPartitions: 1
  ## @param provisioning.replicationFactor Default replication factor for topics when unspecified
  ##
  replicationFactor: 1
  ## @param provisioning.topics Kafka topics to provision
  ## - name: topic-name
  ##   partitions: 1
  ##   replicationFactor: 1
  ##   ## https://kafka.apache.org/documentation/#topicconfigs
  ##   config:
  ##     max.message.bytes: 64000
  ##     flush.messages: 1
  ##
  topics: []
  ## @param provisioning.nodeSelector Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param provisioning.tolerations Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param provisioning.extraProvisioningCommands Extra commands to run to provision cluster resources
  ## - echo "Allow user to consume from any topic"
  ## - >-
  ##   /opt/iamguarded/kafka/bin/kafka-acls.sh
  ##   --bootstrap-server $KAFKA_SERVICE
  ##   --command-config /shared/client.properties
  ##   --add
  ##   --allow-principal User:user
  ##   --consumer --topic *
  ## - "/opt/iamguarded/kafka/bin/kafka-acls.sh
  ##   --bootstrap-server $KAFKA_SERVICE
  ##   --command-config /shared/client.properties
  ##   --list"
  ##
  extraProvisioningCommands: []
  ## @param provisioning.parallel Number of provisioning commands to run at the same time
  ##
  parallel: 1
  ## @param provisioning.preScript Extra bash script to run before topic provisioning. /shared/client.properties is path to properties file with most needed configurations
  ##
  preScript: ""
  ## @param provisioning.postScript Extra bash script to run after topic provisioning. /shared/client.properties is path to properties file with most needed configurations
  ##
  postScript: ""
  ## Auth Configuration for kafka provisioning Job
  ##
  auth:
    ## TLS configuration for kafka provisioning Job
    ##
    tls:
      ## @param provisioning.auth.tls.type Format to use for TLS certificates. Allowed types: `JKS` and `PEM`.
      ## Note: ignored if auth.tls.client.protocol is different from one of these values: "SSL" "SASL_SSL"
      ##
      type: jks
      ## @param provisioning.auth.tls.certificatesSecret Existing secret containing the TLS certificates for the Kafka provisioning Job.
      ## When using 'jks' format for certificates, the secret should contain a truststore and a keystore.
      ## When using 'pem' format for certificates, the secret should contain one of the following:
      ## 1. A public CA certificate, a public certificate and one private key.
      ## 2. A truststore and a keystore in PEM format
      ## If caCert is set, option 1 will be taken, otherwise option 2.
      ##
      certificatesSecret: ""
      ## @param provisioning.auth.tls.cert The secret key from the certificatesSecret if 'cert' key is different from the default (tls.crt)
      ##
      cert: tls.crt
      ## @param provisioning.auth.tls.key The secret key from the certificatesSecret if 'key' key is different from the default (tls.key)
      ##
      key: tls.key
      ## @param provisioning.auth.tls.caCert The secret key from the certificatesSecret if 'caCert' key is different from the default (ca.crt)
      ##
      caCert: ca.crt
      ## @param provisioning.auth.tls.keystore The secret key from the certificatesSecret if 'keystore' key is different from the default (keystore.jks)
      ##
      keystore: keystore.jks
      ## @param provisioning.auth.tls.truststore The secret key from the certificatesSecret if 'truststore' key is different from the default (truststore.jks)
      ##
      truststore: truststore.jks
      ## @param provisioning.auth.tls.passwordsSecret Name of the secret containing passwords to access the JKS files or PEM key when they are password-protected.
      ## It should contain two keys called "keystore-password" and "truststore-password", or "key-password" if using a password-protected PEM key.
      ##
      passwordsSecret: ""
      ## @param provisioning.auth.tls.keyPasswordSecretKey The secret key from the passwordsSecret if 'keyPasswordSecretKey' key is different from the default (key-password)
      ## Note: must not be used if `passwordsSecret` is not defined.
      ##
      keyPasswordSecretKey: key-password
      ## @param provisioning.auth.tls.keystorePasswordSecretKey The secret key from the passwordsSecret if 'keystorePasswordSecretKey' key is different from the default (keystore-password)
      ## Note: must not be used if `passwordsSecret` is not defined.
      ##
      keystorePasswordSecretKey: keystore-password
      ## @param provisioning.auth.tls.truststorePasswordSecretKey The secret key from the passwordsSecret if 'truststorePasswordSecretKey' key is different from the default (truststore-password)
      ## Note: must not be used if `passwordsSecret` is not defined.
      ##
      truststorePasswordSecretKey: truststore-password
      ## @param provisioning.auth.tls.keyPassword Password to access the password-protected PEM key if necessary. Ignored if 'passwordsSecret' is provided.
      ##
      keyPassword: ""
      ## @param provisioning.auth.tls.keystorePassword Password to access the JKS keystore. Ignored if 'passwordsSecret' is provided.
      ##
      keystorePassword: ""
      ## @param provisioning.auth.tls.truststorePassword Password to access the JKS truststore. Ignored if 'passwordsSecret' is provided.
      ##
      truststorePassword: ""
  ## @param provisioning.command Override provisioning container command
  ##
  command: []
  ## @param provisioning.args Override provisioning container arguments
  ##
  args: []
  ## @param provisioning.extraEnvVars Extra environment variables to add to the provisioning pod
  ## e.g:
  ## extraEnvVars:
  ##   - name: KAFKA_CFG_BACKGROUND_THREADS
  ##     value: "10"
  ##
  extraEnvVars: []
  ## @param provisioning.extraEnvVarsCM ConfigMap with extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param provisioning.extraEnvVarsSecret Secret with extra environment variables
  ##
  extraEnvVarsSecret: ""
  ## @param provisioning.podAnnotations Extra annotations for Kafka provisioning pods
  ##
  podAnnotations: {}
  ## @param provisioning.podLabels Extra labels for Kafka provisioning pods
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## Kafka provisioning pods ServiceAccount
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param provisioning.serviceAccount.create Enable creation of ServiceAccount for Kafka provisioning pods
    ##
    create: true
    ## @param provisioning.serviceAccount.name The name of the service account to use. If not set and `create` is `true`, a name is generated
    ## If not set and create is true, a name is generated using the provisioning.serviceAccount.name template
    ##
    name: ""
    ## @param provisioning.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ## Can be set to false if pods using this serviceAccount do not need to use K8s API
    ##
    automountServiceAccountToken: false
  ## Kafka provisioning resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param provisioning.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if provisioning.resources is set (provisioning.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "micro"
  ## @param provisioning.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Kafka provisioning pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param provisioning.podSecurityContext.enabled Enable security context for the pods
  ## @param provisioning.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param provisioning.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param provisioning.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param provisioning.podSecurityContext.fsGroup Set Kafka provisioning pod's Security Context fsGroup
  ## @param provisioning.podSecurityContext.seccompProfile.type Set Kafka provisioning pod's Security Context seccomp profile
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
  ## Kafka provisioning containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param provisioning.containerSecurityContext.enabled Enable Kafka provisioning containers' Security Context
  ## @param provisioning.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param provisioning.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param provisioning.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param provisioning.containerSecurityContext.runAsNonRoot Set Kafka provisioning containers' Security Context runAsNonRoot
  ## @param provisioning.containerSecurityContext.allowPrivilegeEscalation Set Kafka provisioning containers' Security Context allowPrivilegeEscalation
  ## @param provisioning.containerSecurityContext.readOnlyRootFilesystem Set Kafka provisioning containers' Security Context readOnlyRootFilesystem
  ## @param provisioning.containerSecurityContext.capabilities.drop Set Kafka provisioning containers' Security Context capabilities to be dropped
  ## e.g:
  ##   containerSecurityContext:
  ##     enabled: true
  ##     capabilities:
  ##       drop: ["NET_RAW"]
  ##     readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  ## @param provisioning.schedulerName Name of the k8s scheduler (other than default) for kafka provisioning
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param provisioning.enableServiceLinks Whether information about services should be injected into pod's environment variable
  ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace.
  ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
  ##
  enableServiceLinks: true
  ## @param provisioning.extraVolumes Optionally specify extra list of additional volumes for the Kafka provisioning pod(s)
  ## e.g:
  ## extraVolumes:
  ##   - name: kafka-jaas
  ##     secret:
  ##       secretName: kafka-jaas
  ##
  extraVolumes: []
  ## @param provisioning.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka provisioning container(s)
  ## extraVolumeMounts:
  ##   - name: kafka-jaas
  ##     mountPath: /iamguarded/kafka/config/kafka_jaas.conf
  ##     subPath: kafka_jaas.conf
  ##
  extraVolumeMounts: []
  ## @param provisioning.sidecars Add additional sidecar containers to the Kafka provisioning pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param provisioning.initContainers Add additional init containers to the Kafka provisioning pod(s)
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []