zookeeper

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template
##
fullnameOverride: ""
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param extraDeploy Extra objects to deploy (evaluated as a template)
##
extraDeploy: []
## @param commonLabels Add labels to all the deployed resources
##
commonLabels: {}
## @param commonAnnotations Add annotations to all the deployed resources
##
commonAnnotations: {}
## @param namespaceOverride Override namespace for ZooKeeper resources
## Useful when including ZooKeeper as a chart dependency, so it can be released into a different namespace than the parent
##
namespaceOverride: ""
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Enable diagnostic mode in the statefulset
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the statefulset
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the statefulset
  ##
  args:
    - infinity
## @section ZooKeeper chart parameters

## Iamguarded ZooKeeper image version
## ref: https://hub.docker.com/r/iamguarded/zookeeper/tags/
## @param image.registry [default: REGISTRY_NAME] ZooKeeper image registry
## @param image.repository [default: REPOSITORY_NAME/zookeeper] ZooKeeper image repository
## @skip image.tag ZooKeeper image tag (immutable tags are recommended)
## @param image.digest ZooKeeper image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy ZooKeeper image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug values should be set
##
image:
  registry: cgr.dev
  repository: chainguard-private/zookeeper-iamguarded
  tag: 3.9.5
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ##
  debug: false
## Authentication parameters
##
auth:
  client:
    ## @param auth.client.enabled Enable ZooKeeper client-server authentication. It uses SASL/Digest-MD5
    ##
    enabled: false
    ## @param auth.client.clientUser User that ZooKeeper clients will use to authenticate
    ##
    clientUser: ""
    ## @param auth.client.clientPassword Password that ZooKeeper clients will use to authenticate
    ##
    clientPassword: ""
    ## @param auth.client.serverUsers Comma, semicolon or whitespace separated list of users to be created
    ## Specify them as a string, for example: "user1,user2,admin"
    ##
    serverUsers: ""
    ## @param auth.client.serverPasswords Comma, semicolon or whitespace separated list of passwords to assign to users when created
    ## Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
    ##
    serverPasswords: ""
    ## @param auth.client.existingSecret Use existing secret (ignores previous passwords)
    ##
    existingSecret: ""
  quorum:
    ## @param auth.quorum.enabled Enable ZooKeeper server-server authentication. It uses SASL/Digest-MD5
    ##
    enabled: false
    ## @param auth.quorum.learnerUser User that the ZooKeeper quorumLearner will use to authenticate to quorumServers.
    ## Note: Make sure the user is included in auth.quorum.serverUsers
    ##
    learnerUser: ""
    ## @param auth.quorum.learnerPassword Password that the ZooKeeper quorumLearner will use to authenticate to quorumServers.
    ##
    learnerPassword: ""
    ## @param auth.quorum.serverUsers Comma, semicolon or whitespace separated list of users for the quorumServers.
    ## Specify them as a string, for example: "user1,user2,admin"
    ##
    serverUsers: ""
    ## @param auth.quorum.serverPasswords Comma, semicolon or whitespace separated list of passwords to assign to users when created
    ## Specify them as a string, for example: "pass4user1, pass4user2, pass4admin"
    ##
    serverPasswords: ""
    ## @param auth.quorum.existingSecret Use existing secret (ignores previous passwords)
    ##
    existingSecret: ""
## @param tickTime Basic time unit (in milliseconds) used by ZooKeeper for heartbeats
##
tickTime: 2000
## @param initLimit Limit on the length of time the ZooKeeper servers in quorum have to connect to a leader
##
initLimit: 10
## @param syncLimit How far out of date a server can be from a leader
##
syncLimit: 5
## @param preAllocSize Block size for transaction log file
##
preAllocSize: 65536
## @param snapCount The number of transactions recorded in the transaction log before a snapshot can be taken (and the transaction log rolled)
##
snapCount: 100000
## @param maxClientCnxns Limits the number of concurrent connections that a single client may make to a single member of the ZooKeeper ensemble
##
maxClientCnxns: 60
## @param maxSessionTimeout Maximum session timeout (in milliseconds) that the server will allow the client to negotiate
## Defaults to 20 times the tickTime
##
maxSessionTimeout: 40000
## @param heapSize Size (in MB) for the Java Heap options (Xmx and Xms)
## This env var is ignored if Xmx and Xms are configured via `jvmFlags`
##
heapSize: 1024
## @param fourlwCommandsWhitelist A list of comma separated Four Letter Words commands that can be executed
##
fourlwCommandsWhitelist: srvr, mntr, ruok
## @param minServerId Minimal SERVER_ID value, nodes increment their IDs respectively
## Servers increment their ID starting at this minimal value.
## E.g., with `minServerId=10` and 3 replicas, server IDs will be 10, 11, 12 for z-0, z-1 and z-2 respectively.
##
minServerId: 1
## @param listenOnAllIPs Allow ZooKeeper to listen for connections from its peers on all available IP addresses
##
listenOnAllIPs: false
## @param zooServers ZooKeeper space separated servers list. Leave empty to use the default ZooKeeper server names.
##
zooServers: ""
## Ongoing data directory cleanup configuration
##
autopurge:
  ## @param autopurge.snapRetainCount The most recent snapshots amount (and corresponding transaction logs) to retain
  ##
  snapRetainCount: 10
  ## @param autopurge.purgeInterval The time interval (in hours) for which the purge task has to be triggered
  ## Set to a positive integer to enable the auto purging. Set to 0 to disable auto purging.
  ##
  purgeInterval: 1
## @param logLevel Log level for the ZooKeeper server. ERROR by default
## Keep in mind that if you set it to INFO or WARN, the readinessProbe will produce a lot of logs
##
logLevel: ERROR
## @param jvmFlags Default JVM flags for the ZooKeeper process
##
jvmFlags: ""
## @param dataLogDir Dedicated data log directory
## This allows a dedicated log device to be used, and helps avoid competition between logging and snapshots.
## E.g.
## dataLogDir: /iamguarded/zookeeper/dataLog
##
dataLogDir: ""
## @param configuration Configure ZooKeeper with a custom zoo.cfg file
## e.g:
## configuration: |-
##   deploy-working-dir=/iamguarded/zookeeper/data
##   log-level=info
##   ...
##
configuration: ""
## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for ZooKeeper
## NOTE: When it's set the `configuration` parameter is ignored
##
existingConfigmap: ""
## @param extraEnvVars Array with extra environment variables to add to ZooKeeper nodes
## e.g:
## extraEnvVars:
##   - name: FOO
##     value: "bar"
##
extraEnvVars: []
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for ZooKeeper nodes
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for ZooKeeper nodes
##
extraEnvVarsSecret: ""
## @param command Override default container command (useful when using custom images)
##
command:
  - /scripts/setup.sh
## @param args Override default container args (useful when using custom images)
##
args: []
## @section Statefulset parameters

## @param replicaCount Number of ZooKeeper nodes
##
replicaCount: 1
## @param revisionHistoryLimit The number of old history to retain to allow rollback
##
revisionHistoryLimit: 10
## @param containerPorts.client ZooKeeper client container port
## @param containerPorts.tls ZooKeeper TLS container port
## @param containerPorts.follower ZooKeeper follower container port
## @param containerPorts.election ZooKeeper election container port
## @param containerPorts.adminServer ZooKeeper admin server container port
## @param containerPorts.metrics ZooKeeper Prometheus Exporter container port
##
containerPorts:
  client: 2181
  tls: 3181
  follower: 2888
  election: 3888
  adminServer: 8080
  metrics: 9141
## Configure extra options for ZooKeeper containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
## @param livenessProbe.enabled Enable livenessProbe on ZooKeeper containers
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
## @param livenessProbe.successThreshold Success threshold for livenessProbe
## @param livenessProbe.probeCommandTimeout Probe command timeout for livenessProbe
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1
  probeCommandTimeout: 3
## @param readinessProbe.enabled Enable readinessProbe on ZooKeeper containers
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
## @param readinessProbe.successThreshold Success threshold for readinessProbe
## @param readinessProbe.probeCommandTimeout Probe command timeout for readinessProbe
##
readinessProbe:
  enabled: true
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1
  probeCommandTimeout: 2
## @param startupProbe.enabled Enable startupProbe on ZooKeeper containers
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
## @param startupProbe.periodSeconds Period seconds for startupProbe
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
## @param startupProbe.failureThreshold Failure threshold for startupProbe
## @param startupProbe.successThreshold Success threshold for startupProbe
##
startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 1
  failureThreshold: 15
  successThreshold: 1
## @param customLivenessProbe Custom livenessProbe that overrides the default one
##
customLivenessProbe: {}
## @param customReadinessProbe Custom readinessProbe that overrides the default one
##
customReadinessProbe: {}
## @param customStartupProbe Custom startupProbe that overrides the default one
##
customStartupProbe: {}
## @param lifecycleHooks for the ZooKeeper container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## ZooKeeper resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
##
resourcesPreset: "micro"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled ZooKeeper pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set ZooKeeper pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param hostAliases ZooKeeper pods host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param podLabels Extra labels for ZooKeeper pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations Annotations for ZooKeeper pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []
## @param affinity Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
##
affinity: {}
## @param nodeSelector Node labels for pod assignment
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
##
nodeSelector: {}
## @param tolerations Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: []
## @param podManagementPolicy StatefulSet controller supports relaxing its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: `OrderedReady` and `Parallel`
## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
##
podManagementPolicy: Parallel
## @param priorityClassName Name of the existing priority class to be used by ZooKeeper pods, priority class needs to be created beforehand
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## @param schedulerName Kubernetes pod scheduler registry
## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param updateStrategy.type ZooKeeper statefulset strategy type
## @param updateStrategy.rollingUpdate ZooKeeper statefulset rolling update configuration parameters
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
  type: RollingUpdate
  rollingUpdate: {}
## @param extraVolumes Optionally specify extra list of additional volumes for the ZooKeeper pod(s)
## Example Use Case: mount certificates to enable TLS
## e.g:
## extraVolumes:
## - name: zookeeper-keystore
##   secret:
##     defaultMode: 288
##     secretName: zookeeper-keystore
## - name: zookeeper-truststore
##   secret:
##     defaultMode: 288
##     secretName: zookeeper-truststore
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the ZooKeeper container(s)
## Example Use Case: mount certificates to enable TLS
## e.g:
## extraVolumeMounts:
## - name: zookeeper-keystore
##   mountPath: /certs/keystore
##   readOnly: true
## - name: zookeeper-truststore
##   mountPath: /certs/truststore
##   readOnly: true
##
extraVolumeMounts: []
## @param sidecars Add additional sidecar containers to the ZooKeeper pod(s)
## e.g:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## @param initContainers Add additional init containers to the ZooKeeper pod(s)
## Example:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## ZooKeeper Pod Disruption Budget
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
## @param pdb.create Deploy a pdb object for the ZooKeeper pod
## @param pdb.minAvailable Minimum available ZooKeeper replicas
## @param pdb.maxUnavailable Maximum unavailable ZooKeeper replicas. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
##
pdb:
  create: true
  minAvailable: ""
  maxUnavailable: ""
## @param enableServiceLinks Whether information about services should be injected into pod's environment variable
## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace.
## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
##
enableServiceLinks: true
## DNS-Pod services
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## @param dnsPolicy Specifies the DNS policy for the zookeeper pods
## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies.
## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ""
## @param dnsConfig allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None`
## The dnsConfig field is optional and it can work with any dnsPolicy settings.
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
## E.g.
## dnsConfig:
##   nameservers:
##     - 192.0.2.1 # this is an example
##   searches:
##     - ns1.svc.cluster-domain.example
##     - my.dns.search.suffix
##   options:
##     - name: ndots
##       value: "2"
##     - name: edns0
dnsConfig: {}
## @section Traffic Exposure parameters
service:
  ## @param service.type Kubernetes Service type
  ##
  type: ClusterIP
  ## @param service.ports.client ZooKeeper client service port
  ## @param service.ports.tls ZooKeeper TLS service port
  ## @param service.ports.follower ZooKeeper follower service port
  ## @param service.ports.election ZooKeeper election service port
  ##
  ports:
    client: 2181
    tls: 3181
    follower: 2888
    election: 3888
  ## Node ports to expose
  ## NOTE: choose port between <30000-32767>
  ## @param service.nodePorts.client Node port for clients
  ## @param service.nodePorts.tls Node port for TLS
  ##
  nodePorts:
    client: ""
    tls: ""
  ## @param service.disableBaseClientPort Remove client port from service definitions.
  ##
  disableBaseClientPort: false
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
  ## @param service.clusterIP ZooKeeper service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP ZooKeeper service Load Balancer IP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges ZooKeeper service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy ZooKeeper service external traffic policy
  ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Additional custom annotations for ZooKeeper service
  ##
  annotations: {}
  ## @param service.extraPorts Extra ports to expose in the ZooKeeper service (normally used with the `sidecar` value)
  ##
  extraPorts: []
  ## @param service.headless.annotations Annotations for the Headless Service
  ## @param service.headless.publishNotReadyAddresses If the ZooKeeper headless service should publish DNS records for not ready pods
  ## @param service.headless.servicenameOverride String to partially override headless service name
  ##
  headless:
    publishNotReadyAddresses: true
    annotations: {}
    servicenameOverride: ""
## Network policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: true
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## When set to false, only pods with the correct client label will have network access to the port ZooKeeper is
  ## listening on. When true, ZooKeeper accepts connections from any source (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           matchLabels:
  ##             role: frontend
  ##       - podSelector:
  ##           matchExpressions:
  ##             - key: role
  ##               operator: In
  ##               values:
  ##                 - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
689
## @section Other Parameters
690
691
## Service account for ZooKeeper to use.
692
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
693
##
694
serviceAccount:
695
## @param serviceAccount.create Enable creation of ServiceAccount for ZooKeeper pod
696
##
697
create: true
698
## @param serviceAccount.name The name of the ServiceAccount to use.
699
## If not set and create is true, a name is generated using the common.names.fullname template
700
##
701
name: ""
702
## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
703
## Can be set to false if pods using this serviceAccount do not need to use K8s API
704
##
705
automountServiceAccountToken: false
706
## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
707
##
708
annotations: {}
709
## @section Persistence parameters
710
711
## Enable persistence using Persistent Volume Claims
712
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
713
##
714
persistence:
715
## @param persistence.enabled Enable ZooKeeper data persistence using PVC. If false, use emptyDir
716
##
717
enabled: true
718
## @param persistence.existingClaim Name of an existing PVC to use (only when deploying a single replica)
719
##
720
existingClaim: ""
721
## @param persistence.storageClass PVC Storage Class for ZooKeeper data volume
722
## If defined, storageClassName: <storageClass>
723
## If set to "-", storageClassName: "", which disables dynamic provisioning
724
## If undefined (the default) or set to null, no storageClassName spec is
725
## set, choosing the default provisioner. (gp2 on AWS, standard on
726
## GKE, AWS & OpenStack)
727
##
728
storageClass: ""
729
## @param persistence.accessModes PVC Access modes
730
##
731
accessModes:
732
- ReadWriteOnce
733
## @param persistence.size PVC Storage Request for ZooKeeper data volume
734
##
735
size: 8Gi
736
## @param persistence.annotations Annotations for the PVC
737
##
738
annotations: {}
739
## @param persistence.labels Labels for the PVC
740
##
741
labels: {}
742
## @param persistence.selector Selector to match an existing Persistent Volume for ZooKeeper's data PVC
743
## If set, the PVC can't have a PV dynamically provisioned for it
744
## E.g.
745
## selector:
746
## matchLabels:
747
## app: my-app
748
##
749
selector: {}
750
## Persistence for a dedicated data log directory
751
##
752
dataLogDir:
753
## @param persistence.dataLogDir.size PVC Storage Request for ZooKeeper's dedicated data log directory
754
##
755
size: 8Gi
756
## @param persistence.dataLogDir.existingClaim Provide an existing `PersistentVolumeClaim` for ZooKeeper's data log directory
757
## If defined, PVC must be created manually before volume will be bound
758
## The value is evaluated as a template
759
##
760
existingClaim: ""
761
## @param persistence.dataLogDir.selector Selector to match an existing Persistent Volume for ZooKeeper's data log PVC
762
## If set, the PVC can't have a PV dynamically provisioned for it
763
## E.g.
764
## selector:
765
## matchLabels:
766
## app: my-app
767
##
768
selector: {}
769
## @section Volume Permissions parameters
770
##
771
772
## Init containers parameters:
773
## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
774
##
775
volumePermissions:
776
## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
777
##
778
enabled: false
779
## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
780
## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
781
## @skip volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
782
## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
783
## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
784
## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
785
##
786
image:
787
registry: cgr.dev
788
repository: chainguard-private/os-shell-iamguarded
789
tag: 1.0.0
790
digest: ""
791
pullPolicy: IfNotPresent
792
## Optionally specify an array of imagePullSecrets.
793
## Secrets must be manually created in the namespace.
794
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
795
## Example:
796
## pullSecrets:
797
## - myRegistryKeySecretName
798
##
799
pullSecrets: []
800
## Init container resource requests and limits
801
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
802
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
803
## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
804
##
805
resourcesPreset: "nano"
806
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
807
## Example:
808
## resources:
809
## requests:
810
## cpu: 2
811
## memory: 512Mi
812
## limits:
813
## cpu: 3
814
## memory: 1024Mi
815
##
816
resources: {}
817
## Init container' Security Context
818
## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
819
## and not the below volumePermissions.containerSecurityContext.runAsUser
820
## @param volumePermissions.containerSecurityContext.enabled Enabled init container Security Context
821
## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
822
## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
823
##
824
containerSecurityContext:
825
enabled: true
826
seLinuxOptions: {}
827
runAsUser: 0
828
## @section Metrics parameters
829
##
830
831
## ZooKeeper Prometheus Exporter configuration
832
##
833
metrics:
834
## @param metrics.enabled Enable Prometheus to access ZooKeeper metrics endpoint
835
##
836
enabled: false
837
## Service configuration
838
##
839
service:
840
## @param metrics.service.type ZooKeeper Prometheus Exporter service type
841
##
842
type: ClusterIP
843
## @param metrics.service.port ZooKeeper Prometheus Exporter service port
844
##
845
port: 9141
846
## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint
847
##
848
annotations:
849
prometheus.io/scrape: "true"
850
prometheus.io/port: "{{ .Values.metrics.service.port }}"
851
prometheus.io/path: "/metrics"
852
## Prometheus Operator ServiceMonitor configuration
853
##
854
serviceMonitor:
855
## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator
856
##
857
enabled: false
858
## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace)
859
##
860
namespace: ""
861
## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
862
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
863
##
864
interval: ""
865
## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
866
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
867
##
868
scrapeTimeout: ""
869
## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
870
##
871
additionalLabels: {}
872
## @param metrics.serviceMonitor.selector Prometheus instance selector labels
873
## ref: https://github.com/iamguarded/charts/tree/main/iamguarded/prometheus-operator#prometheus-configuration
874
##
875
selector: {}
876
## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
877
##
878
relabelings: []
879
## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
880
##
881
metricRelabelings: []
882
## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
883
##
884
honorLabels: false
885
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
886
##
887
jobLabel: ""
888
## @param metrics.serviceMonitor.scheme The explicit scheme for metrics scraping.
889
##
890
scheme: ""
891
## @param metrics.serviceMonitor.tlsConfig [object] TLS configuration used for scrape endpoints used by Prometheus
892
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
893
## e.g:
894
## tlsConfig:
895
## ca:
896
## secret:
897
## name: existingSecretName
898
##
899
tlsConfig: {}
900
## Prometheus Operator PrometheusRule configuration
901
##
902
prometheusRule:
903
## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator
904
##
905
enabled: false
906
## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
907
##
908
namespace: ""
909
## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
910
##
911
additionalLabels: {}
912
## @param metrics.prometheusRule.rules PrometheusRule definitions
913
## - alert: ZooKeeperSyncedFollowers
914
## annotations:
915
## message: The number of synced followers for the leader node in ZooKeeper deployment my-release is less than 2. This usually means that some of the ZooKeeper nodes aren't communicating properly. If it doesn't resolve itself you can try killing the pods (one by one).
916
## expr: max(synced_followers{service="my-release-metrics"}) < 2
917
## for: 5m
918
## labels:
919
## severity: critical
920
## - alert: ZooKeeperOutstandingRequests
921
## annotations:
922
## message: The number of outstanding requests for ZooKeeper pod {{ $labels.pod }} is greater than 10. This can indicate a performance issue with the Pod or cluster a whole.
923
## expr: outstanding_requests{service="my-release-metrics"} > 10
924
## for: 5m
925
## labels:
926
## severity: critical
927
##
928
rules: []
## @section TLS/SSL parameters
##

## Enable SSL/TLS encryption
##
tls:
  client:
    ## @param tls.client.enabled Enable TLS for client connections
    ##
    enabled: false
    ## @param tls.client.auth SSL Client auth. Can be "none", "want" or "need".
    ##
    auth: "none"
    ## @param tls.client.autoGenerated Generate automatically self-signed TLS certificates for ZooKeeper client communications
    ## Currently only supports PEM certificates
    ##
    autoGenerated: false
    ## @param tls.client.existingSecret Name of the existing secret containing the TLS certificates for ZooKeeper client communications
    ##
    existingSecret: ""
    ## @param tls.client.existingSecretKeystoreKey The secret key from the tls.client.existingSecret containing the Keystore.
    ##
    existingSecretKeystoreKey: ""
    ## @param tls.client.existingSecretTruststoreKey The secret key from the tls.client.existingSecret containing the Truststore.
    ##
    existingSecretTruststoreKey: ""
    ## @param tls.client.keystorePath Location of the KeyStore file used for Client connections
    ##
    keystorePath: /opt/iamguarded/zookeeper/config/certs/client/zookeeper.keystore.jks
    ## @param tls.client.truststorePath Location of the TrustStore file used for Client connections
    ##
    truststorePath: /opt/iamguarded/zookeeper/config/certs/client/zookeeper.truststore.jks
    ## @param tls.client.passwordsSecretName Existing secret containing Keystore and truststore passwords
    ##
    passwordsSecretName: ""
    ## @param tls.client.passwordsSecretKeystoreKey The secret key from the tls.client.passwordsSecretName containing the password for the Keystore.
    ##
    passwordsSecretKeystoreKey: ""
    ## @param tls.client.passwordsSecretTruststoreKey The secret key from the tls.client.passwordsSecretName containing the password for the Truststore.
    ##
    passwordsSecretTruststoreKey: ""
    ## @param tls.client.keystorePassword Password to access KeyStore if needed
    ##
    keystorePassword: ""
    ## @param tls.client.truststorePassword Password to access TrustStore if needed
    ##
    truststorePassword: ""
  quorum:
    ## @param tls.quorum.enabled Enable TLS for quorum protocol
    ##
    enabled: false
    ## @param tls.quorum.auth SSL Quorum Client auth. Can be "none", "want" or "need".
    ##
    auth: "none"
    ## @param tls.quorum.autoGenerated Create self-signed TLS certificates. Currently only supports PEM certificates.
    ##
    autoGenerated: false
    ## @param tls.quorum.existingSecret Name of the existing secret containing the TLS certificates for ZooKeeper quorum protocol
    ##
    existingSecret: ""
    ## @param tls.quorum.existingSecretKeystoreKey The secret key from the tls.quorum.existingSecret containing the Keystore.
    ##
    existingSecretKeystoreKey: ""
    ## @param tls.quorum.existingSecretTruststoreKey The secret key from the tls.quorum.existingSecret containing the Truststore.
    ##
    existingSecretTruststoreKey: ""
    ## @param tls.quorum.keystorePath Location of the KeyStore file used for Quorum protocol
    ##
    keystorePath: /opt/iamguarded/zookeeper/config/certs/quorum/zookeeper.keystore.jks
    ## @param tls.quorum.truststorePath Location of the TrustStore file used for Quorum protocol
    ##
    truststorePath: /opt/iamguarded/zookeeper/config/certs/quorum/zookeeper.truststore.jks
    ## @param tls.quorum.passwordsSecretName Existing secret containing Keystore and truststore passwords
    ##
    passwordsSecretName: ""
    ## @param tls.quorum.passwordsSecretKeystoreKey The secret key from the tls.quorum.passwordsSecretName containing the password for the Keystore.
    ##
    passwordsSecretKeystoreKey: ""
    ## @param tls.quorum.passwordsSecretTruststoreKey The secret key from the tls.quorum.passwordsSecretName containing the password for the Truststore.
    ##
    passwordsSecretTruststoreKey: ""
    ## @param tls.quorum.keystorePassword Password to access KeyStore if needed
    ##
    keystorePassword: ""
    ## @param tls.quorum.truststorePassword Password to access TrustStore if needed
    ##
    truststorePassword: ""
  ## Init container resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param tls.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if tls.resources is set (tls.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "nano"
  ## @param tls.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
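The defaults above leave both client and quorum TLS off and expose inline password fields. The override file below is an added example, not part of the chart's own values: it enables the `tls.*` parameters for both channels, requires peer certificates, and takes keystore passwords from a Secret. Every Secret name and Secret key in it is a placeholder, and those Secrets are assumed to exist already in the release namespace; the file is passed to Helm with `-f` on top of the defaults.

```yaml
# tls-override-values.yaml (added example; not a chart default)
# All Secret names and Secret keys below are placeholders.
tls:
  client:
    enabled: true
    # "need" refuses clients that present no certificate;
    # "want" only requests one, "none" never asks.
    auth: "need"
    # Self-signed generation stays off; keystores come from existingSecret.
    autoGenerated: false
    existingSecret: "zk-client-tls"                           # placeholder
    existingSecretKeystoreKey: "zookeeper.keystore.jks"       # placeholder key
    existingSecretTruststoreKey: "zookeeper.truststore.jks"   # placeholder key
    # Passwords are read from a Secret. The inline fields stay empty so no
    # credential lands in the values file or in `helm get values` output.
    passwordsSecretName: "zk-client-tls-passwords"            # placeholder
    passwordsSecretKeystoreKey: "keystore-password"           # placeholder key
    passwordsSecretTruststoreKey: "truststore-password"       # placeholder key
    keystorePassword: ""
    truststorePassword: ""
  quorum:
    enabled: true
    # Quorum members authenticate each other with certificates as well.
    auth: "need"
    autoGenerated: false
    # Separate Secrets keep client-facing and quorum key material apart.
    existingSecret: "zk-quorum-tls"                           # placeholder
    existingSecretKeystoreKey: "zookeeper.keystore.jks"       # placeholder key
    existingSecretTruststoreKey: "zookeeper.truststore.jks"   # placeholder key
    passwordsSecretName: "zk-quorum-tls-passwords"            # placeholder
    passwordsSecretKeystoreKey: "keystore-password"           # placeholder key
    passwordsSecretTruststoreKey: "truststore-password"       # placeholder key
    keystorePassword: ""
    truststorePassword: ""
```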
