diff --git a/helm/dbrepo/dbrepo-aris-values.yaml b/helm/dbrepo/dbrepo-aris-values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..634adaf4ea9cd0388a1418459242f33f34cbf8ed
--- /dev/null
+++ b/helm/dbrepo/dbrepo-aris-values.yaml
@@ -0,0 +1,265 @@
+namespace: aris-dbrepo-dev
+hostname: dbrepo.arisnet.ac.at
+gateway: https://dbrepo.arisnet.ac.at
+
+dbrepo:
+  namespace: aris-dbrepo-dev
+  hostname: dbrepo.arisnet.ac.at
+  gateway: https://dbrepo.arisnet.ac.at
+
+  admin:
+    username: admin
+    password: admin
+
+  metadatadb:
+    enabled: false
+    rootUser:
+      user: root
+      password: dbrepo
+    galera:
+      mariabackup:
+        user: mariabackup
+        password: mariabackup
+    extraInitDbScripts:
+      03-additional-data.sql: |
+        BEGIN;
+        INSERT INTO `mdb_containers` (name, internal_name, image_id, host, port, sidecar_host, sidecar_port, privileged_username, privileged_password)
+          VALUES ('MariaDB 11.1.2', 'mariadb_11_1_2', 1, 'data2-db', 3306, 'data2-db', 8080, 'root', 'dbrepo');
+        INSERT INTO `mdb_banner_messages` (type, message)
+          VALUES ('INFO', 'You are currently working on our test environment. Any data upload to this system may be deleted.');
+        COMMIT;
+    persistence:
+      enabled: false
+
+  uploadservice:
+    enabled: false
+
+  authservice:
+    enabled: false
+    auth:
+      adminUser: admin
+      adminPassword: de4aingohyohveeRooZe
+    postgresql:
+      auth:
+        postgresPassword: Zaethie2gai3phogh3wa
+    jwt:
+      pubkey: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqnHQ2BWWW9vDNLRCcxD++xZg/16oqMo/c1l+lcFEjjAIJjJp/HqrPYU/U9GvquGE6PbVFtTzW1KcKawOW+FJNOA3CGo8Q1TFEfz43B8rZpKsFbJKvQGVv1Z4HaKPvLUm7iMm8Hv91cLduuoWx6Q3DPe2vg13GKKEZe7UFghF+0T9u8EKzA/XqQ0OiICmsmYPbwvf9N3bCKsB/Y10EYmZRb8IhCoV9mmO5TxgWgiuNeCTtNCv2ePYqL/U0WvyGFW0reasIK8eg3KrAUj8DpyOgPOVBn3lBGf+3KFSYi+0bwZbJZWqbC/Xlk20Go1YfeJPRIt7ImxD27R/lNjgDO/MwIDAQAB"
+    client:
+      id: dbrepo-client
+      secret: MUwRc7yfXSJwX8AdRMWaQC3Nep1VjwgG
+    persistence:
+      enabled: false
+
+  brokerservice:
+    enabled: false
+    rbac:
+      # OpenShift has problems with clusterroles
+      create: false
+    ldap:
+      bindpw: oNah3caew4ceemiel5ae
+
+  identityservice:
+    enabled: false
+    global:
+      adminUser: admin
+      adminPassword: oNah3caew4ceemiel5ae
+    users: admin
+    userPasswords: eene9Loochai5thaiRoo
+
+  datadb:
+    enabled: false
+    rootUser:
+      user: root
+      password: dbrepo
+    galera:
+      mariabackup:
+        user: mariabackup
+        password: mariabackup
+    sidecars:
+      - name: sidecar
+        image: registry.datalab.tuwien.ac.at/dbrepo/data-db-sidecar:unstable
+        imagePullPolicy: Always
+        securityContext:
+          runAsUser: 1001
+          runAsGroup: 0
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+              - ALL
+        ports:
+          - name: "sidecar"
+            containerPort: 8080
+            protocol: TCP
+        envFrom:
+          - secretRef:
+              name: data-service-secret
+        livenessProbe:
+          exec:
+            command:
+              - /bin/bash
+              - -ec
+              - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
+          initialDelaySeconds: 120
+          periodSeconds: 30
+        readinessProbe:
+          exec:
+            command:
+              - /bin/bash
+              - -ec
+              - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
+          initialDelaySeconds: 30
+          periodSeconds: 30
+        volumeMounts:
+          - name: s3
+            mountPath: /s3
+    extraPorts:
+      - name: "sidecar"
+        port: 8080
+        targetPort: 8080
+        protocol: TCP
+    extraVolumeMounts:
+      - name: s3
+        mountPath: /s3
+    extraVolumes:
+      - name: s3
+        emptyDir: {}
+    replicaCount: 3
+    persistence:
+      enabled: false
+
+  searchdb:
+    enabled: false
+    security:
+      enabled: false
+#      adminUsername: admin
+#      adminPassword: uMeiphoh8Enasoh3ohCh
+    extraEnvs:
+      - name: DISABLE_INSTALL_DEMO_CONFIG
+        value: "true"
+    persistence:
+      enabled: false
+
+  analyseservice:
+    enabled: false
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/analyse-service:unstable
+      pullPolicy: Always
+
+  metadataservice:
+    enabled: false
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/metadata-service:unstable
+      pullPolicy: Always
+      debug: true
+    admin:
+      email: noreply@example.com
+    deletedRecord: permanent
+    repositoryName: Database Repository
+    granularity: YYYY-MM-DDThh:mm:ssZ
+    datacite:
+      enabled: false
+      url: https://api.datacite.org
+      prefix: ""
+      username: ""
+      password: ""
+
+  dataservice:
+    enabled: false
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/data-service:unstable
+      pullPolicy: Always
+      debug: true
+    rabbitmq:
+      consumer:
+        username: admin
+        password: eene9Loochai5thaiRoo
+    s3:
+      filePath: /s3
+
+  searchservice:
+    enabled: false
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/search-service:unstable
+      pullPolicy: Always
+      debug: false
+    init:
+      image:
+        name: registry.datalab.tuwien.ac.at/dbrepo/search-service-init:unstable
+        pullPolicy: Always
+
+  storageservice:
+    enabled: false
+    global:
+      # OpenShift has problems with clusterroles
+      createClusterRole: false
+    init:
+      image: registry.datalab.tuwien.ac.at/dbrepo/storage-service-init:unstable
+
+  ui:
+    enabled: true
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/ui:unstable
+      pullPolicy: Always
+    public:
+      api:
+        client: https://dbrepo.arisnet.ac.at
+        server: https://dbrepo.arisnet.ac.at
+      title: "Database Repository"
+      logo: "/logo.svg"
+      icon: "/favicon.ico"
+      touch: "/apple-touch-icon.png"
+      broker:
+        host: dbrepo.arisnet.ac.at
+        port:
+          5671: true
+          5672: false
+        extra: "128.130.0.0/15"
+      database:
+        extra: "128.130.0.0/15"
+      pid:
+        default:
+          publisher: "TU Wien"
+      doi:
+        enabled: false
+        endpoint: https://doi.org
+    extraVolumes: [ ]
+    #  - name: images-map
+    #    configMap:
+    #      name: ui-config
+    extraVolumeMounts: [ ]
+    #  - name: images-map
+    #    mountPath: /static/logo.svg
+    #    subPath: logo.svg
+
+  ingress:
+    enabled: true
+    className: nginx
+    tls:
+      enabled: true
+      secretName: dbrepo-ingress-tls-cert
+    annotations:
+      basic:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/use-regex: "true"
+      rewriteApi:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/use-regex: "true"
+        nginx.ingress.kubernetes.io/rewrite-target: /api/$1
+      rewriteRoot:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/use-regex: "true"
+        nginx.ingress.kubernetes.io/rewrite-target: /$1
+      rewriteRootSecure:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+        nginx.ingress.kubernetes.io/use-regex: "true"
+        nginx.ingress.kubernetes.io/rewrite-target: /$1
+      rewritePid:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/use-regex: "true"
+        nginx.ingress.kubernetes.io/rewrite-target: /api/pid/$1
+
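Review bot: Plaintext credentials that look live are committed in this values file for a named environment: `dbrepo.admin.password: admin`, both `rootUser.password: dbrepo` entries, `authservice.auth.adminPassword`, `authservice.postgresql.auth.postgresPassword`, `authservice.client.secret`, `brokerservice.ldap.bindpw`, `identityservice.global.adminPassword` and `userPasswords`, and `dataservice.rabbitmq.consumer.password`, plus a commented-out `adminPassword` under `searchdb.security`. Anyone with read access to the repository or its history can read them, and several are identical to the chart defaults in the values.yaml section of this commit, so they are probably shared across installs. I would leave these keys empty in the tracked file, e.g. `adminPassword: ""  # supplied at deploy time`, and pass the real values with `helm ... -f <untracked-secrets-file>` or `--set`. I would also delete the commented password line and rotate everything already pushed. The `extraInitDbScripts` SQL also writes `'root', 'dbrepo'` into `mdb_containers`, so that statement needs the same treatment.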
diff --git a/helm/dbrepo/values.yaml b/helm/dbrepo/values.yaml
index 8515c024cedf7c86a0a7aa2af628a6c496472bab..cefd74d04d3505d468f9fed757da55d9b018d47b 100644
--- a/helm/dbrepo/values.yaml
+++ b/helm/dbrepo/values.yaml
@@ -1,11 +1,21 @@
 # Copyright the DBRepo developers
 # SPDX-License-Identifier: APACHE-2.0
 
+## @section Global parameters
+
+global:
+  ## Compatibility adaptations for Kubernetes platforms
+  compatibility:
+    ##  Compatibility adaptations for Openshift
+    openshift:
+      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+      adaptSecurityContext: auto
+  ## @param global.storageClass Global StorageClass for Persistent Volume(s)
+  storageClass: ""
+
 ## @section Common parameters
-##
 
 ## @param namespace The namespace to install the chart
-##
 namespace: aris-dbrepo-dev
 ## @param hostname The hostname.
 ##
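Review bot: The new top-level `global.compatibility.openshift.adaptSecurityContext: auto` and `storageClass: ""` differ from the per-subchart `global` blocks this commit removes further down (`adaptSecurityContext: force`, `storageClass: "rbd-storagepool-cluster"`), and the ARIS values file added in the same commit does not set `global` at all. If that environment is OpenShift, as its `# OpenShift has problems with clusterroles` comments suggest, the securityContext adaptation now depends on cluster detection at render time, which may not trigger when the chart is rendered offline; this is worth confirming. Consider pinning `adaptSecurityContext: force` under `global.compatibility.openshift` in the environment file. A one-line comment above `global:` saying which subcharts are expected to read these values would also help.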
@@ -14,700 +24,808 @@ hostname: dbrepo.arisnet.ac.at
 ##
 gateway: https://arisnet.ac.at
 ## @param strategyType The image pull
-##
 strategyType: RollingUpdate
 ## @param clusterDomain The cluster domain.
-##
 clusterDomain: cluster.local
 
-## @section Internal Admin User
-
-## @param admin.username The internal admin username.
-## @param admin.password The internal admin password.
-##
-admin:
-  username: admin
-  password: admin
-
-## resource limits required by ares cluster
-##
-resources:
-  limits:
-    cpu: 500m
-    memory: 756Mi
-  requests:
-    cpu: 100m
-    memory: 256Mi
-
-
-resourcesLittle:
-  limits:
-    cpu: 100m
-    memory: 512Mi
-  requests:
-    cpu: 50m
-    memory: 256Mi
-
 ## @section Metadata Database
 
-## @param metadatadb.enabled Enable the Metadata Database.
-## @skip metadatadb.fullnameOverride
-## @param metadatadb.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
-## @param metadatadb.host The hostname for the microservices.
-## @param metadatadb.rootUser.user The root username.
-## @param metadatadb.rootUser.password The root user password.
-## @param metadatadb.jdbcExtraArgs The extra arguments for JDBC connections in the microservices.
-## @param metadatadb.db.name The database name.
-## @skip metadatadb.metrics.enabled The Prometheus settings.
-## @skip metadatadb.galera The Galera settings.
-## @skip metadatadb.initdbScriptsConfigMap The initial database scripts.
-## @param metadatadb.extraInitDbScripts Additional init.db scripts that are executed on the first start.
-## @skip metadatadb.service The initial database scripts.
-## @param metadatadb.persistence.enabled Enable persistent storage. Requires PV-provisioner.
-## @param metadatadb.replicaCount The number of replicas, should be uneven (2n+1).
-##
 metadatadb:
+  ## @param metadatadb.enabled Enable the Metadata Database.
   enabled: true
+  ## @skip metadatadb.fullnameOverride
   fullnameOverride: metadata-db
-  global:
-    compatibility:
-      openshift:
-        adaptSecurityContext: force
-    storageClass: "rbd-storagepool-cluster"
-  image:
-    debug: false
+  ## @param metadatadb.host The hostname for the microservices.
   host: metadata-db
   rootUser:
+    ## @param metadatadb.rootUser.user The root username.
     user: root
+    ## @param metadatadb.rootUser.password The root user password.
     password: dbrepo
-  jdbcExtraArgs: ""
   db:
-    name: fda
-  metrics:
-    enabled: false
+    ## @param metadatadb.db.name The database name.
+    name: dbrepo
   galera:
     mariabackup:
-      user: mariabackup
-      password: mariabackup
+      ## @param metadatadb.galera.mariabackup.user The database backup username.
+      user: backup
+      ## @param metadatadb.galera.mariabackup.password The database backup user password
+      password: backup
+  ## @param metadatadb.jdbcExtraArgs The extra arguments for JDBC connections in the microservices.
+  jdbcExtraArgs: ""
+  metrics:
+    ## @skip metadatadb.metrics.enabled The Prometheus settings.
+    enabled: false
+  ## @skip metadatadb.initdbScriptsConfigMap The initial database scripts.
   initdbScriptsConfigMap: metadata-db-setup
-  extraInitDbScripts: {}
+  ## @param metadatadb.initdbScripts Additional init.db scripts that are executed on the first start.
+  initdbScripts: { }
   #    03-additional-data.sql: |
   #      BEGIN;
   #      INSERT INTO `mdb_containers` (name, internal_name, image_id, host, port, sidecar_host, sidecar_port, privileged_username, privileged_password)
   #        VALUES ('MariaDB Galera TEST', 'mariadb_11_1_3', 1, 'data-db', 3306, 'data-db', 80, 'root', 'dbrepo');
   #      COMMIT;
-  service:
-    type: ClusterIP
-    annotations: {}
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: []
-  persistence:
-    enabled: false
-  resources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 150m
-      ephemeral-storage: 50Mi
-      memory: 768Mi
+  ## @param metadatadb.replicaCount The number of cluster nodes, should be uneven i.e. 2n+1
   replicaCount: 3
+  persistence:
+    ## @param metadatadb.persistence.enabled Enable persistent storage.
+    enabled: true
 
 ## @section Auth Service
 
-## @param authservice.enabled Enable the Auth Service.
-## @skip authservice.fullnameOverride
-## @param authservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
-## @param authservice.endpoint The hostname for the microservices.
-## @param authservice.auth.adminUser The admin username.
-## @param authservice.auth.adminPassword The admin user password.
-## @skip authservice.postgresql
-## @skip authservice.extraStartupArgs
-## @param authservice.jwt.pubkey The JWT public key from the `dbrepo-client`.
-## @param authservice.tls.enabled Enable TLS/SSL communication. Required for HTTPS.
-## @param authservice.tls.existingSecret The secret containing the `tls.crt`, `tls.key` and `ca.crt`.
-## @param authservice.tls.usePem Use PEM certificates as input instead of PKS12/JKS stores.
-## @param authservice.metrics.enabled Enable the Prometheus metrics export sidecar container.
-## @param authservice.client.id The client id for the microservices.
-## @param authservice.client.secret The client secret for the microservices.
-## @skip authservice.extraEnvVarsCM
-## @skip authservice.extraVolumes
-## @skip authservice.extraVolumeMounts
-## @skip authservice.replicaCount The number of replicas.
-##
 authservice:
+  ## @param authservice.enabled Enable the Auth Service.
   enabled: true
+  ## @skip authservice.fullnameOverride
   fullnameOverride: auth-service
-  global:
-    compatibility:
-      openshift:
-        adaptSecurityContext: force
-    storageClass: "rbd-storagepool-cluster"
   image:
+    ## @param authservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## @param authservice.endpoint The hostname for the microservices.
   endpoint: http://auth-service
   auth:
-    adminUser: fda
-    adminPassword: fda
+    adminUser: admin
+    adminPassword: de4aingohyohveeRooZe
   postgresql:
-    enabled: true
     auth:
-      postgresPassword: postgres
+      postgresPassword: Zaethie2gai3phogh3wa
+  ## @skip authservice.extraStartupArgs
   extraStartupArgs: "--import-realm"
   jwt:
+    ## @param authservice.jwt.pubkey The JWT public key from the `dbrepo-client`.
     pubkey: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqnHQ2BWWW9vDNLRCcxD++xZg/16oqMo/c1l+lcFEjjAIJjJp/HqrPYU/U9GvquGE6PbVFtTzW1KcKawOW+FJNOA3CGo8Q1TFEfz43B8rZpKsFbJKvQGVv1Z4HaKPvLUm7iMm8Hv91cLduuoWx6Q3DPe2vg13GKKEZe7UFghF+0T9u8EKzA/XqQ0OiICmsmYPbwvf9N3bCKsB/Y10EYmZRb8IhCoV9mmO5TxgWgiuNeCTtNCv2ePYqL/U0WvyGFW0reasIK8eg3KrAUj8DpyOgPOVBn3lBGf+3KFSYi+0bwZbJZWqbC/Xlk20Go1YfeJPRIt7ImxD27R/lNjgDO/MwIDAQAB"
   tls:
+    ## @param authservice.tls.enabled Enable TLS/SSL communication. Required for HTTPS.
     enabled: true
+    ## @param authservice.tls.existingSecret The secret containing the `tls.crt`, `tls.key` and `ca.crt`.
     existingSecret: ingress-cert
+    ## @skip authservice.tls.usePem
     usePem: true
   metrics:
+    ## @param authservice.metrics.enabled Enable the Prometheus metrics export sidecar container.
     enabled: false
   client:
+    ## @param authservice.client.id The client id for the microservices.
     id: dbrepo-client
+    ## @param authservice.client.secret The client secret for the microservices.
     secret: MUwRc7yfXSJwX8AdRMWaQC3Nep1VjwgG
+  ## @skip authservice.extraEnvVarsCM
   extraEnvVarsCM: auth-service-config
+  ## @skip authservice.extraVolumes
   extraVolumes:
     - name: config-map
       configMap:
         name: auth-service-config
+  ## @skip authservice.extraVolumeMounts
   extraVolumeMounts:
     - name: config-map
       mountPath: /opt/bitnami/keycloak/data/import
-  resources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 250m
-      ephemeral-storage: 10Mi
-      memory: 768Mi
+  ## @skip authservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Data Database
 
-## @param datadb.enabled Enable the Data Database.
-## @skip datadb.fullnameOverride
-## @param datadb.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
-## @skip datadb.extraFlags
-## @param datadb.rootUser.user The root username.
-## @param datadb.rootUser.password The root user password.
-## @skip datadb.metrics.enabled The Prometheus settings.
-## @skip datadb.galera The Galera settings.
-## @skip datadb.service
-## @skip datadb.sidecars
-## @skip datadb.extraVolumeMounts
-## @skip datadb.extraVolumes
-## @param datadb.persistence.enabled Enable persistent storage. Requires PV-provisioner.
-## @param datadb.replicaCount The number of replicas, should be uneven (2n+1).
-##
 datadb:
+  ## @param datadb.enabled Enable the Data Database.
   enabled: true
-  global:
-    compatibility:
-      openshift:
-        adaptSecurityContext: force
-    storageClass: "rbd-storagepool-cluster"
+  ## @skip datadb.fullnameOverride
   fullnameOverride: data-db
   image:
+    ## @param datadb.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
-  extraFlags: "--character-set-server=utf8mb4 --collation-server=utf8mb4_general_ci"
-  rootUser:
-    user: root
-    password: dbrepo
+  auth:
+    ## @param datadb.auth.rootPassword The root user password.
+    rootPassword: dbrepo
+    ## @param datadb.auth.replicationUser The database replication user password
+    replicationUser: replication
+    ## @param datadb.auth.replicationPassword The database replication user password
+    replicationPassword: replication
   metrics:
+    ## @skip datadb.metrics.enabled
     enabled: true
-    resources:
-      requests:
-        cpu: 50m
-        ephemeral-storage: 10Mi
-        memory: 512Mi
-      limits:
-        cpu: 150m
-        ephemeral-storage: 10Mi
-        memory: 768Mi
-  galera:
-    mariabackup:
-      user: mariabackup
-      password: mariabackup
-    bootstrap:
-      forceBootstrap: true
-      forceSafeToBootstrap: true
-  service:
-    extraPorts:
-      - name: "sidecar"
-        port: 8080
-        targetPort: 8080
-        protocol: TCP
-  sidecars:
-    - name: sidecar
-      image: s210.dl.hpc.tuwien.ac.at/dbrepo/data-db-sidecar:1.4.4
-      imagePullPolicy: Always
-      securityContext:
-        allowPrivilegeEscalation: false
-        seccompProfile:
-          type: RuntimeDefault
-        capabilities:
-          drop:
-            - ALL
-      resources:
-        requests:
-          cpu: 25m
-          memory: 512Mi
-        limits:
-          cpu: 100m
-          memory: 768Mi
-      ports:
+  ## @skip datadb.primary
+  primary:
+    service:
+      extraPorts:
         - name: "sidecar"
-          containerPort: 8080
+          port: 8080
+          targetPort: 8080
           protocol: TCP
-      envFrom:
-        - secretRef:
-            name: data-service-secret
-      livenessProbe:
-        exec:
-          command:
-            - /bin/bash
-            - -ec
-            - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
-        initialDelaySeconds: 120
-        periodSeconds: 30
-      readinessProbe:
-        exec:
-          command:
-            - /bin/bash
-            - -ec
-            - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
-        initialDelaySeconds: 30
-        periodSeconds: 30
-      volumeMounts:
-        - name: s3
-          mountPath: /s3
-  extraVolumeMounts:
-    - name: s3
-      mountPath: /s3
-  extraVolumes:
-    - name: s3
-      emptyDir: {}
-  persistence:
-    enabled: true
-  resources:
-    requests:
-      cpu: 25m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 100m
-      ephemeral-storage: 10Mi
-      memory: 768Mi
-  replicaCount: 3
+    sidecars:
+      - name: sidecar
+        image: registry.datalab.tuwien.ac.at/dbrepo/data-db-sidecar:1.4.5
+        imagePullPolicy: Always
+        securityContext:
+          runAsUser: 1001
+          runAsGroup: 0
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+              - ALL
+        ports:
+          - name: "sidecar"
+            containerPort: 8080
+            protocol: TCP
+        envFrom:
+          - secretRef:
+              name: data-service-secret
+        livenessProbe:
+          exec:
+            command:
+              - /bin/bash
+              - -ec
+              - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
+          initialDelaySeconds: 120
+          periodSeconds: 30
+        readinessProbe:
+          exec:
+            command:
+              - /bin/bash
+              - -ec
+              - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
+          initialDelaySeconds: 30
+          periodSeconds: 30
+        volumeMounts:
+          - name: s3
+            mountPath: /s3
+    extraVolumeMounts:
+      - name: s3
+        mountPath: /s3
+    extraVolumes:
+      - name: s3
+        emptyDir: { }
+    persistence:
+      enabled: true
+  ## @skip datadb.secondary
+  secondary:
+    replicaCount: 2
 
 ## @section Search Database
 
-## @param searchdb.enabled Enable the Search Database.
-## @skip searchdb.fullnameOverride
-## @param searchdb.host The hostname for the microservices.
-## @param searchdb.port The port for the microservices.
-## @skip searchdb.protocol
-## @param searchdb.username The admin username.
-## @param searchdb.password The admin user password.
-## @skip searchdb.clusterName
-## @skip searchdb.masterService
-## @param searchdb.replicas The number of replicas.
-## @skip searchdb.sysctlInit
-## @param searchdb.persistence.enabled Enable persistent storage. Requires PV-provisioner.
-## @skip searchdb.service
-## @skip searchdb.extraEnvs
-## @skip searchdb.extraVolumeMounts
-## @skip searchdb.extraVolumes
-## @skip searchdb.config
-##
 searchdb:
+  ## @param searchdb.enabled Enable the Data Database.
   enabled: true
+  ## @skip searchdb.fullnameOverride
   fullnameOverride: search-db
+  ## @skip searchdb.servicenameOverride
+  servicenameOverride: search-db
+  ## @param searchdb.host The hostname for the microservices.
   host: search-db
+  ## @param searchdb.port The port for the microservices.
   port: 9200
-  protocol: http
-  username: admin
-  password: admin
-  clusterName: search-db
-  masterService: search-db
-  replicas: 3
-  sysctlInit:
-    enabled: false
-  persistence:
+  ## @skip searchdb.security
+  security:
     enabled: false
-  service:
-    type: ClusterIP
-    annotations: {}
-    loadBalancerSourceRanges: []
-  extraEnvs:
-    - name: DISABLE_INSTALL_DEMO_CONFIG
-      value: "true"
-  extraVolumeMounts:
-    - name: node-cert
-      mountPath: /usr/share/opensearch/config/tls
-      readOnly: true
-  extraVolumes:
-    - name: node-cert
-      secret:
-        secretName: search-db-secret
-  securityContext:
-    capabilities:
-      drop:
-        - ALL
-    runAsNonRoot: true
-    readOnlyRootFilesystem: true
-    allowPrivilegeEscalation: false
-    runAsUser: null
-  podSecurityContext:
-    runAsNonRoot: true
-    fsGroup: null
-    runAsUser: null
-  resources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 150m
-      ephemeral-storage: 100Mi
-      memory: 768Mi
-  initResources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 150m
-      ephemeral-storage: 100Mi
-      memory: 768Mi
-  config:
-    opensearch.yml: |
-      cluster.name: search-db
-      network.host: 0.0.0.0
-      plugins:
-        security:
-          ssl:
-            transport:
-              pemcert_filepath: tls/tls.crt
-              pemkey_filepath: tls/tls.key
-              pemtrustedcas_filepath: tls/ca.crt
-              enforce_hostname_verification: false
-            http:
-              #enabled: true # uncomment to force ssl connections
-              pemcert_filepath: tls/tls.crt
-              pemkey_filepath: tls/tls.key
-              pemtrustedcas_filepath: tls/ca.crt
-          allow_unsafe_democertificates: false
-          allow_default_init_securityindex: true
-          authcz:
-            admin_dn:
-              - CN=search-db
-          nodes_dn:
-            - CN=search-db
-          audit.type: internal_opensearch
-          enable_snapshot_restore_privilege: true
-          check_snapshot_restore_write_privileges: true
-          restapi:
-            roles_enabled: [ "all_access", "security_rest_api_access" ]
-          system_indices:
-            enabled: true
-            indices:
-              [
-                ".opendistro-alerting-config",
-                ".opendistro-alerting-alert*",
-                ".opendistro-anomaly-results*",
-                ".opendistro-anomaly-detector*",
-                ".opendistro-anomaly-checkpoints",
-                ".opendistro-anomaly-detection-state",
-                ".opendistro-reports-*",
-                ".opendistro-notifications-*",
-                ".opendistro-notebooks",
-                ".opendistro-asynchronous-search-response*",
-              ]
+    adminUsername: admin
+    adminPassword: admin
+  ## @param searchdb.clusterName The cluster name.
+  clusterName: search-db
 
 ## @section Upload Service
 
-## @param uploadservice.enabled Enable the Upload Service.
-## @skip uploadservice.fullnameOverride
-## @skip uploadservice.image
-## @skip uploadservice.containerArgs
-## @skip uploadservice.envFrom
-## @param uploadservice.replicaCount The number of replicas.
-##
 uploadservice:
+  ## @param uploadservice.enabled Enable the Upload Service.
   enabled: true
+  ## @skip uploadservice.fullnameOverride
   fullnameOverride: upload-service
+  ## @skip uploadservice.image
   image:
     repository: tusproject/tusd
     tag: v1.12
+  ## @skip uploadservice.securityContext
+  securityContext:
+    allowPrivilegeEscalation: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
+  ## @skip uploadservice.containerArgs
   containerArgs:
-    - "--base-path=/api/upload/files/"
-    - "-s3-endpoint=https://sos-at-vie-1.exo.io"
-    - "-s3-bucket=s3-bucket-dbrepo-upload"
+    - "-behind-proxy"
+    - "-max-size=2000000000"
+    - "-base-path=/api/upload/files/"
+    - "-s3-endpoint=http://storage-service-s3:8333"
+    - "-s3-bucket=dbrepo-upload"
+  ## @skip uploadservice.envFrom
+  envFrom:
+    - secretRef:
+        name: upload-service-secret
+  ## @param uploadservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Broker Service
 
-## @param brokerservice.enabled Enable the Broker Service.
-## @skip brokerservice.fullnameOverride
-## @skip brokerservice.image
-## @param brokerservice.endpoint The management api endpoint for the microservices.
-## @param brokerservice.host The hostname for the microservices.
-## @param brokerservice.port The port for the microservices.
-## @param brokerservice.virtualHost The default virtual host name.
-## @param brokerservice.queueName The default queue name.
-## @param brokerservice.exchangeName The default exchange name.
-## @param brokerservice.routingKey The default routing key binding from the default queue to the default exchange.
-## @param brokerservice.connectionTimeout The connection timeout in ms.
-## @skip brokerservice.auth
-## @skip brokerservice.extraConfiguration
-## @skip brokerservice.loadDefinition
-## @skip brokerservice.extraVolumes
-## @skip brokerservice.extraPlugins
-## @param brokerservice.persistence.enabled Enable persistent storage. Requires PV-provisioner.
-## @skip brokerservice.service
-## @param brokerservice.replicaCount The number of replicas.
-##
 brokerservice:
+  ## @param brokerservice.enabled Enable the Broker Service.
   enabled: true
+  ## @skip brokerservice.fullnameOverride
   fullnameOverride: broker-service
   image:
+    ## @param brokerservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: true
+  ## @param brokerservice.endpoint The management api endpoint for the microservices.
   endpoint: http://broker-service:15672
+  ## @param brokerservice.host The hostname for the microservices.
   host: broker-service
+  ## @param brokerservice.port The port for the microservices.
   port: 5672
+  ## @param brokerservice.virtualHost The default virtual host name.
   virtualHost: dbrepo
+  ## @param brokerservice.queueName The default queue name.
   queueName: dbrepo
+  ## @param brokerservice.exchangeName The default exchange name.
   exchangeName: dbrepo
+  ## @param brokerservice.routingKey The default routing key binding from the default queue to the default exchange.
   routingKey: dbrepo.#
+  ## @param brokerservice.connectionTimeout The connection timeout in ms.
   connectionTimeout: 60000
   rbac:
     create: false
+  ldap:
+    ## @skip brokerservice.ldap.enabled
+    enabled: true
+    ## @skip brokerservice.ldap.authorisationEnabled
+    authorisationEnabled: true
+    ## @skip brokerservice.ldap.servers
+    servers:
+      - identity-service
+    ## @skip brokerservice.ldap.port
+    port: 389
+    ## @param brokerservice.ldap.binddn The domain name the broker service should bind to. In many cases this is the admin user from `identityservice.global.adminUser`.
+    binddn: cn=admin,dc=dbrepo,dc=at
+    ## @param brokerservice.ldap.bindpw The password to bind on the identity service. In many cases this value is equal to `identityservice.global.adminPassword`.
+    bindpw: admin
+    ## @param brokerservice.ldap.uidField The field containing the user id.
+    uidField: uid
+    ## @param brokerservice.ldap.basedn The base domain name containing the users.
+    basedn: ou=users,dc=dbrepo,dc=at
+    ## @param brokerservice.ldap.userDnPattern The pattern to determine the user.
+    userDnPattern: ${username}
   auth:
+    ## @skip brokerservice.auth.tls
     tls:
       enabled: false
       sslOptionsVerify: true
       failIfNoPeerCert: true
       existingSecret: ingress-cert
-    username: broker
-    password: broker
-  extraConfiguration: |-
-    default_vhost = dbrepo
-    default_user_tags.administrator = true
-    default_permissions.configure = .*
-    default_permissions.read = .*
-    default_permissions.write = .*
-    load_definitions = /app/load_definition.json
-    log.console = true
-    listeners.tcp.1 = 0.0.0.0:5672
-    auth_backends.1 = rabbit_auth_backend_oauth2
-    auth_backends.2 = rabbit_auth_backend_internal
-    auth_oauth2.resource_server_id = rabbitmq
-    auth_oauth2.preferred_username_claims.1 = client_id
-    auth_oauth2.default_key = t2OCeCheJ9uwoBbNQjG_nN6WKiLcceTIAZmiTbGODFM
-    auth_oauth2.signing_keys.t2OCeCheJ9uwoBbNQjG_nN6WKiLcceTIAZmiTbGODFM = /app/cert.pem
-    auth_oauth2.signing_keys.id2 = /app/pubkey.pem
-    auth_oauth2.algorithms.1 = HS256
-    auth_oauth2.algorithms.2 = RS256
-    management.oauth_enabled = true
-    management.oauth_client_id = rabbitmq-client
-    management.oauth_client_secret = JEC2FexxrX4N65fLeDGukAl6R3Lc9y0u
-    management.oauth_scopes = openid
-    management.oauth_provider_url = https://example.com/api/auth/realms/dbrepo
+  ## @skip brokerservice.advancedConfigurationExistingSecret
+  advancedConfigurationExistingSecret: broker-service-secret
+  ## @skip brokerservice.loadDefinition
   loadDefinition:
     enabled: true
     existingSecret: broker-service-secret
-  extraVolumes:
-    - name: secret-map
-      secret:
-        secretName: broker-service-secret
-  extraPlugins: rabbitmq_prometheus rabbitmq_auth_backend_oauth2 rabbitmq_auth_mechanism_ssl
+  ## @param brokerservice.extraPlugins The list of plugins to be activated.
+  extraPlugins: rabbitmq_prometheus rabbitmq_auth_backend_ldap rabbitmq_auth_mechanism_ssl
   persistence:
+    ## @param brokerservice.persistence.enabled If set to true, a PVC will be created.
     enabled: false
+  ## @skip brokerservice.service
   service:
     type: ClusterIP
     managerPortEnabled: true
     # loadBalancerIP:
-  resources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 300m
-      ephemeral-storage: 100Mi
-      memory: 768Mi
-  replicaCount: 2
+  ## @param brokerservice.replicaCount The number of replicas.
+  replicaCount: 1
 
 ## @section Analyse Service
 
-## @param analyseservice.enabled Enable the Broker Service.
-## @skip analyseservice.image
-## @param analyseservice.endpoint The url of the endpoint.
-## @param analyseservice.s3.endpoint The S3-capable endpoint the microservice connects to.
-## @param analyseservice.replicaCount The number of replicas.
-##
 analyseservice:
+  ## @param analyseservice.enabled Enable the Broker Service.
   enabled: true
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/analyse-service:1.4.4
+    ## @skip analyseservice.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/analyse-service:1.4.5
+    ## @skip analyseservice.image.pullPolicy
     pullPolicy: Always
+    ## @param analyseservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param analyseservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param analyseservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param analyseservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param analyseservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param analyseservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param analyseservice.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param analyseservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param analyseservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param analyseservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param analyseservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param analyseservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param analyseservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
+    capabilities:
+      ## @param analyseservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param analyseservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip analyseservice.resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 500m
+      memory: 2048Mi
+
+  ## @param analyseservice.endpoint The url of the endpoint.
   endpoint: http://analyse-service
+  s3:
+    ## @param analyseservice.s3.endpoint The S3-capable endpoint the microservice connects to.
+    endpoint: http://storage-service-s3:8333
+  ## @param analyseservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Metadata Service
 
-## @param metadataservice.enabled Enable the Metadata Service.
-## @skip metadataservice.image
-## @param metadataservice.endpoint The Metadata Service endpoint.
-## @param metadataservice.admin.email The OAI-PMH exposed admin e-mail.
-## @param metadataservice.deletedRecord The OAI-PMH exposed delete policy.
-## @param metadataservice.repositoryName The OAI-PMH exposed repository name.
-## @param metadataservice.granularity The OAI-PMH exposed record granularity.
-## @param metadataservice.datacite.enabled Enable the DataCite account for minting DOIs.
-## @param metadataservice.datacite.url The DataCite api endpoint url.
-## @param metadataservice.datacite.prefix The DataCite prefix.
-## @param metadataservice.datacite.username The DataCite api username.
-## @param metadataservice.datacite.password The DataCite api user password.
-## @param metadataservice.sparql.connectionTimeout The connection timeout for sparql queries fetching remote data in ms.
-## @param metadataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
-## @skip metadataservice.s3.bucket
-## @param metadataservice.s3.auth.username The S3-capable endpoint username (or access key id).
-## @param metadataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
-## @param metadataservice.replicaCount The number of replicas.
-##
 metadataservice:
+  ## @param metadataservice.enabled Enable the Broker Service.
   enabled: true
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/metadata-service:1.4.4
+    ## @skip metadataservice.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/metadata-service:1.4.5
+    ## @skip metadataservice.image.pullPolicy
     pullPolicy: Always
+    ## @param metadataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param metadataservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param metadataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param metadataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param metadataservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param metadataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param metadataservice.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param metadataservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param metadataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param metadataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param metadataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param metadataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param metadataservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
+    capabilities:
+      ## @param metadataservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param metadataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip metadataservice.resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
+  ## @param metadataservice.endpoint The Metadata Service endpoint.
   endpoint: http://metadata-service
+  crossref:
+    ## @param metadataservice.crossref.endpoint The CrossRef endpoint.
+    endpoint: http://data.crossref.org
+  ror:
+    ## @param metadataservice.ror.endpoint The ROR endpoint.
+    endpoint: https://api.ror.org
   admin:
+    ## @param metadataservice.admin.email The OAI-PMH exposed e-mail for contacting the metadata records responsible person.
     email: noreply@example.com
+  ## @param metadataservice.deletedRecord The OAI-PMH exposed delete policy.
   deletedRecord: permanent
+  ## @param metadataservice.repositoryName The OAI-PMH exposed repository name.
   repositoryName: Database Repository
+  ## @param metadataservice.granularity The OAI-PMH exposed record granularity.
   granularity: YYYY-MM-DDThh:mm:ssZ
   datacite:
+    ## @param metadataservice.datacite.enabled If set to true, the service mints DOIs instead of local PIDs.
     enabled: false
+    ## @param metadataservice.datacite.url The DataCite api endpoint url.
     url: https://api.datacite.org
+    ## @param metadataservice.datacite.prefix The DataCite prefix.
     prefix: ""
+    ## @param metadataservice.datacite.username The DataCite api username.
     username: ""
+    ## @param metadataservice.datacite.password The DataCite api user password.
     password: ""
   sparql:
+    ## @param metadataservice.sparql.connectionTimeout The connection timeout for sparql queries fetching remote data in ms.
     connectionTimeout: 10000
+  s3:
+    ## @param metadataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
+    endpoint: http://storage-service-s3:8333
+    ## @skip metadataservice.s3.bucket
+    bucket:
+      import: dbrepo-upload
+      export: dbrepo-download
+    auth:
+      ## @param metadataservice.s3.auth.username The S3-capable endpoint username (or access key id).
+      username: seaweedfsadmin
+      ## @param metadataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
+      password: seaweedfsadmin
+  ## @param metadataservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Data Service
 
-## @param dataservice.enabled Enable the Metadata Service.
-## @param dataservice.endpoint The endpoint for the microservices.
-## @skip dataservice.image
-## @param dataservice.grant.read The default database permissions for users with read access.
-## @param dataservice.grant.write The default database permissions for users with write access.
-## @param dataservice.default.date The default date format id for dates.
-## @param dataservice.default.time The default date format id for times.
-## @param dataservice.default.timestamp The default date format id for timestamps.
-## @param dataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
-## @skip dataservice.s3.bucket
-## @param dataservice.s3.auth.username The S3-capable endpoint username (or access key id).
-## @param dataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
-## @param dataservice.s3.filePath The local location to download/upload files from/to S3-capable endpoint.
-## @param dataservice.consumerConcurrentMin The minimum broker service consumer number.
-## @param dataservice.consumerConcurrentMax The maximum broker service consumer number.
-## @param dataservice.requeueRejected Enable re-queueing of rejected messages to the broker service.
-## @param dataservice.replicaCount The number of replicas.
-##
 dataservice:
+  ## @param dataservice.enabled Enable the Broker Service.
   enabled: true
+  ## @param dataservice.endpoint Absolute URL to the data service in the form of http://host:port
   endpoint: http://data-service
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/data-service:1.4.4
+    ## @skip dataservice.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/data-service:1.4.5
+    ## @skip dataservice.image.pullPolicy
     pullPolicy: Always
+    ## @param dataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param dataservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param dataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param dataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param dataservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param dataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param dataservice.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param dataservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param dataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param dataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param dataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param dataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param dataservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
+    capabilities:
+      ## @param dataservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param dataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip dataservice.resources
   grant:
+    ## @param dataservice.grant.read The default database permissions for users with read access.
     read: SELECT
+    ## @param dataservice.grant.write The default database permissions for users with write access.
     write: SELECT, CREATE, CREATE VIEW, CREATE ROUTINE, CREATE TEMPORARY TABLES, LOCK TABLES, INDEX, TRIGGER, INSERT, UPDATE, DELETE
   default:
+    ## @param dataservice.default.date The default date format id for dates. Default: YYYY-MM-dd (e.g. 2024-06-15).
     date: 3
+    ## @param dataservice.default.time The default date format id for times. Default: HH:mm:ss (e.g. 14:23:42).
     time: 4
+    ## @param dataservice.default.timestamp The default date format id for timestamps. Default: YYYY-MM-dd HH:mm:ss (e.g. 2024-06-15 14:23:42).
     timestamp: 1
-  s3FilePath: /s3
-  consumerConcurrentMin: 1
-  consumerConcurrentMax: 5
-  requeueRejected: false
+  rabbitmq:
+    ## @param dataservice.rabbitmq.consumerConcurrentMin The minimal number of RabbitMQ consumers.
+    consumerConcurrentMin: 2
+    ## @param dataservice.rabbitmq.consumerConcurrentMax The maximal number of RabbitMQ consumers.
+    consumerConcurrentMax: 6
+    ## @param dataservice.rabbitmq.requeueRejected If set to true, rejected tuples will be re-queued.
+    requeueRejected: false
+    consumer:
+      ## @param dataservice.rabbitmq.consumer.username The username for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.users`.
+      username: admin
+      ## @param dataservice.rabbitmq.consumer.password The user password for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.userPasswords`.
+      password: admin
+  s3:
+    ## @param dataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
+    endpoint: http://storage-service-s3:8333
+    ## @param dataservice.s3.bucket The S3 bucket name.
+    bucket:
+      import: dbrepo-upload
+      export: dbrepo-download
+    auth:
+      ## @param dataservice.s3.auth.username The S3-capable endpoint username (or access key id).
+      username: seaweedfsadmin
+      ## @param dataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
+      password: seaweedfsadmin
+    ## @param dataservice.s3.filePath The local location to download/upload files from/to S3-capable endpoint.
+    filePath: /s3
+  ## @param dataservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Search Service
 
-## @param searchservice.enabled Enable the Search Service.
-## @param searchservice.endpoint The endpoint for the microservices.
-## @skip searchservice.image
-## @skip searchservice.init
-## @param searchservice.replicaCount The number of replicas.
-##
 searchservice:
+  ## @param searchservice.enabled Enable the Broker Service.
   enabled: true
+  ## @param searchservice.endpoint Absolute URL to the search service in the form of http://host:port
   endpoint: http://search-service
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/search-service:1.4.4
+    ## @skip searchservice.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/search-service:1.4.5
+    ## @skip searchservice.image.pullPolicy
     pullPolicy: Always
+    ## @param searchservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param searchservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param searchservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param searchservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param searchservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param searchservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param searchservice.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param searchservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param searchservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param searchservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param searchservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param searchservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param searchservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: true
+    capabilities:
+      ## @param searchservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param searchservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip searchservice.resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
+  ## @skip searchservice.init
   init:
     image:
-      name: s210.dl.hpc.tuwien.ac.at/dbrepo/search-service-init:1.4.4
+      name: registry.datalab.tuwien.ac.at/dbrepo/search-service-init:1.4.5
       pullPolicy: Always
+  ## @param searchservice.replicaCount The number of replicas.
   replicaCount: 2
 
+## @section Storage Service
+
+storageservice:
+  ## @param storageservice.enabled Enable the Storage Service.
+  enabled: true
+  ## @skip storageservice.fullnameOverride
+  fullnameOverride: storage-service
+  mariadb:
+    ## @skip storageservice.mariadb.fullnameOverride
+    fullnameOverride: storage-service-db
+    ## @skip storageservice.mariadb.enabled
+    enabled: true
+  master:
+    ## @skip storageservice.master.enabled
+    enabled: true
+  filer:
+    ## @param storageservice.filer.enabled Enable the storage service filer which is required for S3.
+    enabled: true
+  volume:
+    ## @skip storageservice.volume.enabled
+    enabled: false
+  s3:
+    ## @skip storageservice.s3.enabled
+    enabled: true
+    ## @param storageservice.s3.replicaCount The number of replicas.
+    replicaCount: 2
+    ## @param storageservice.s3.bucket The S3-bucket name.
+    bucket:
+      import: dbrepo-upload
+      export: dbrepo-download
+    auth:
+      ## @param storageservice.s3.auth.enabled Enable the S3 service.
+      enabled: true
+      ## @param storageservice.s3.auth.adminAccessKeyId The S3 access key id for the admin user. In some systems this is named `username`.
+      adminAccessKeyId: seaweedfsadmin
+      ## @param storageservice.s3.auth.adminSecretAccessKey The S3 secret access key for the admin user. In some systems this is named `password`.
+      adminSecretAccessKey: seaweedfsadmin
+  ## @skip storageservice.init
+  init:
+    image: registry.datalab.tuwien.ac.at/dbrepo/storage-service-init:1.4.5
+    pullPolicy: Always
+
+## @section Identity Service
+
+identityservice:
+  ## @param identityservice.enabled Enable the Identity Service.
+  enabled: true
+  ## @skip identityservice.fullnameOverride
+  fullnameOverride: identity-service
+  global:
+    ## @param identityservice.global.ldapDomain The LDAP domain name in domain "dbrepo.at" form or explicit in "dc=dbrepo,dc=at" form.
+    ldapDomain: dc=dbrepo,dc=at
+    ## @param identityservice.global.adminUser The admin username that is used to bind.
+    adminUser: admin
+    ## @param identityservice.global.adminPassword The admin user password that is used to bind.
+    adminPassword: admin
+    ## @skip identityservice.global.configUserEnabled
+    configUserEnabled: false
+  ## @param identityservice.users The admin username for internal authentication.
+  users: admin
+  ## @param identityservice.userPasswords The admin user password for internal authentication.
+  userPasswords: admin
+  ## @param identityservice.group The group that contains the administrators for the broker service.
+  group: system
+  ## @skip identityservice.ltb-passwd
+  ltb-passwd:
+    ingress:
+      enabled: false
+  ## @skip identityservice.phpldapadmin
+  phpldapadmin:
+    enabled: false
+  ## @skip identityservice.customSchemaFiles
+  customSchemaFiles:
+    00-memberof.ldif: |-
+      dn: cn=module,cn=config
+      cn: module
+      objectClass: olcModuleList
+      olcModuleLoad: memberof
+      olcModulePath: /opt/bitnami/openldap/lib/openldap
+
+      dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
+      changetype: add
+      objectClass: olcOverlayConfig
+      objectClass: olcMemberOf
+      olcOverlay: memberof
+      olcMemberOfRefint: TRUE
+  persistence:
+    ## @param identityservice.persistence.enabled If set to true, a PVC will be created.
+    enabled: true
+  replication:
+    ## @param identityservice.replication.enabled If set to true, the pods required a cluster. Needs `replicaCount` to be `3` or higher (of 2n+1).
+    enabled: false
+  ## @param identityservice.replicaCount The number of replicas. If `replicaCount` is set to more than 1, requires `replication.enabled` to be `true`.
+  replicaCount: 1
+
 ## @section User Interface
 
-## @param ui.enabled Enable the User Interface.
-## @skip ui.image
-## @param ui.public.api.client The endpoint for the client api.
-## @param ui.public.api.server The endpoint for the server api.
-## @param ui.public.title The user interface title.
-## @param ui.public.logo The user interface logo.
-## @param ui.public.icon The user interface icon.
-## @param ui.public.touch The user interface apple touch icon.
-## @param ui.public.broker.host The displayed broker hostname.
-## @param ui.public.broker.port.5671 Enable display of the broker 5671 port and mark it as secure (SSL/TLS).
-## @param ui.public.broker.port.5672 Enable display of the broker 5672 port and mark it as insecure (no SSL/TLS).
-## @param ui.public.broker.extra Extra metadata displayed.
-## @param ui.public.database.extra Extra metadata displayed.
-## @skip ui.public.links
-## @param ui.public.pid.default.publisher The default dataset publisher for persisted identifiers.
-## @param ui.public.doi.enabled Enable the display that DOIs are minted.
-## @param ui.public.doi.endpoint The DOI proxy.
-## @param ui.replicaCount The number of replicas.
-## @skip ui.extraVolumes
-## @skip ui.extraVolumeMounts
-##
 ui:
+  ## @param ui.enabled Enable the Broker Service.
   enabled: true
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/ui:1.4.4
+    ## @skip ui.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/ui:1.4.5
+    ## @skip ui.image.pullPolicy
     pullPolicy: Always
+    ## @param ui.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param ui.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param ui.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param ui.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param ui.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param ui.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param ui.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param ui.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param ui.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param ui.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param ui.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param ui.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param ui.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
+    capabilities:
+      ## @param ui.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param ui.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip ui.resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
   public:
     api:
+      ## @param ui.public.api.client The endpoint for the client api. Defaults to the value of `gateway`.
       client: ""
+      ## @param ui.public.api.server The endpoint for the server api. Defaults to the value of `gateway`.
       server: ""
+    upload:
+      ## @param ui.public.upload.client The endpoint for the upload client. Defaults to the value of `gateway` and path `/api/upload/files`.
+      client: ""
+    ## @param ui.public.title The user interface title.
     title: "Database Repository"
+    ## @param ui.public.logo The user interface logo.
     logo: "/logo.svg"
+    ## @param ui.public.icon The user interface icon.
     icon: "/favicon.ico"
+    ## @param ui.public.touch The user interface apple touch icon.
     touch: "/apple-touch-icon.png"
     broker:
+      ## @param ui.public.broker.host The displayed broker hostname.
       host: example.com
       port:
+        ## @param ui.public.broker.port.5671 Enable display of the broker 5671 port and mark it as secure (SSL/TLS).
         5671: true
+        ## @param ui.public.broker.port.5672 Enable display of the broker 5672 port and mark it as insecure (no SSL/TLS).
         5672: false
+      ## @param ui.public.broker.extra Extra metadata displayed.
       extra: ""
     database:
+      ## @param ui.public.database.extra Extra metadata displayed.
       extra: "128.130.0.0/15"
+    ## @skip ui.public.links
     links:
       rabbitmq:
         text: RabbitMQ Admin
@@ -717,48 +835,57 @@ ui:
         href: /api/auth/
     pid:
       default:
+        ## @param ui.public.pid.default.publisher The default dataset publisher for persisted identifiers.
         publisher: "Example University"
     doi:
+      ## @param ui.public.doi.enabled Enable the display that DOIs are minted.
       enabled: false
+      ## @param ui.public.doi.endpoint The DOI proxy.
       endpoint: https://doi.org
+  ## @param ui.replicaCount The number of replicas.
   replicaCount: 2
-  extraVolumes: []
+  ## @skip ui.extraVolumes
+  extraVolumes: [ ]
   #  - name: images-map
   #    configMap:
   #      name: ui-config
-  extraVolumeMounts: []
+  ## @skip ui.extraVolumeMounts
+  extraVolumeMounts: [ ]
   #  - name: images-map
   #    mountPath: /static/logo.svg
   #    subPath: logo.svg
 
 ## @section Ingress
 
-## @param ingress.enabled Enable the ingress.
-## @skip ingress.className
-## @skip ingress.tls
-## @skip ingress.annotations
-##
 ingress:
-  enabled: true
+  ## @param ingress.enabled Enable the ingress.
+  enabled: false
+  ## @param ingress.className The ingress class name.
   className: nginx
   tls:
+    ## @param ingress.tls.enabled Enable the ingress.
     enabled: true
+    ## @param ingress.tls.secretName The secret holding the SSL/TLS certificate. Needs to have keys `tls.crt` and `tls.key` and optionally `ca.crt`.
     secretName: ingress-cert
   annotations:
-    basic: {}
+    ## @skip ingress.annotations.basic The ingress rules for proxying requests directly to services.
+    basic: { }
     #      nginx.org/path-regex: "case_sensitive"
     #      nginx.ingress.kubernetes.io/use-regex: "true"
     #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+    ## @skip ingress.annotations.rewriteApi The ingress rules for rewriting certain paths to /api/.
     rewriteApi:
       #      nginx.org/path-regex: "case_sensitive"
       #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /api/$1
+    ## @skip ingress.annotations.rewriteRoot The ingress rules for rewriting certain paths to /.
     rewriteRoot:
       #      nginx.org/path-regex: "case_sensitive"
       #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /$1
+    ## @skip ingress.annotations.rewriteRootSecure The ingress rules for rewriting certain paths to / and force SSL/TLS encrypted traffic.
     rewriteRootSecure:
       #      nginx.org/path-regex: "case_sensitive"
       #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
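Review bot: The description added for `ingress.tls.enabled` repeats the text of `ingress.enabled` ("Enable the ingress."), so the generated parameter table will not tell an operator which flag turns TLS on; I would write `## @param ingress.tls.enabled Enable SSL/TLS on the ingress (certificate taken from ingress.tls.secretName).` The same hunk flips the `ingress.enabled` default from `true` to `false` without saying so. Installs that relied on the old default will presumably lose their ingress on upgrade, so the description or the release notes should mention it, for example `## @param ingress.enabled Enable the ingress. Disabled by default.` The same copy-paste pattern appears earlier in this file's diff, where `ui.enabled` is described as "Enable the Broker Service."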
@@ -766,6 +893,7 @@ ingress:
       nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /$1
+    ## @skip ingress.annotations.rewritePid The ingress rules for rewriting certain paths to /api/identifier/.
     rewritePid:
       #      nginx.org/path-regex: "case_sensitive"
       #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer