rebase merges

helm/dbrepo/dbrepo-aris-values.yaml

+namespace: aris-dbrepo-dev
+hostname: dbrepo.arisnet.ac.at
+gateway: https://dbrepo.arisnet.ac.at
+
+dbrepo:
+  namespace: aris-dbrepo-dev
+  hostname: dbrepo.arisnet.ac.at
+  gateway: https://dbrepo.arisnet.ac.at
+
+  admin:
+    username: admin
+    password: admin
+
+  metadatadb:
+    enabled: false
+    rootUser:
+      user: root
+      password: dbrepo
+    galera:
+      mariabackup:
+        user: mariabackup
+        password: mariabackup
+    extraInitDbScripts:
+      03-additional-data.sql: |
+        BEGIN;
+        INSERT INTO `mdb_containers` (name, internal_name, image_id, host, port, sidecar_host, sidecar_port, privileged_username, privileged_password)
+          VALUES ('MariaDB 11.1.2', 'mariadb_11_1_2', 1, 'data2-db', 3306, 'data2-db', 8080, 'root', 'dbrepo');
+        INSERT INTO `mdb_banner_messages` (type, message)
+          VALUES ('INFO', 'You are currently working on our test environment. Any data upload to this system may be deleted.');
+        COMMIT;
+    persistence:
+      enabled: false
+
+  uploadservice:
+    enabled: false
+
+  authservice:
+    enabled: false
+    auth:
+      adminUser: admin
+      adminPassword: de4aingohyohveeRooZe
+    postgresql:
+      auth:
+        postgresPassword: Zaethie2gai3phogh3wa
+    jwt:
+      pubkey: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqnHQ2BWWW9vDNLRCcxD++xZg/16oqMo/c1l+lcFEjjAIJjJp/HqrPYU/U9GvquGE6PbVFtTzW1KcKawOW+FJNOA3CGo8Q1TFEfz43B8rZpKsFbJKvQGVv1Z4HaKPvLUm7iMm8Hv91cLduuoWx6Q3DPe2vg13GKKEZe7UFghF+0T9u8EKzA/XqQ0OiICmsmYPbwvf9N3bCKsB/Y10EYmZRb8IhCoV9mmO5TxgWgiuNeCTtNCv2ePYqL/U0WvyGFW0reasIK8eg3KrAUj8DpyOgPOVBn3lBGf+3KFSYi+0bwZbJZWqbC/Xlk20Go1YfeJPRIt7ImxD27R/lNjgDO/MwIDAQAB"
+    client:
+      id: dbrepo-client
+      secret: MUwRc7yfXSJwX8AdRMWaQC3Nep1VjwgG
+    persistence:
+      enabled: false
+
+  brokerservice:
+    enabled: false
+    rbac:
+      # OpenShift has problems with clusterroles
+      create: false
+    ldap:
+      bindpw: oNah3caew4ceemiel5ae
+
+  identityservice:
+    enabled: false
+    global:
+      adminUser: admin
+      adminPassword: oNah3caew4ceemiel5ae
+    users: admin
+    userPasswords: eene9Loochai5thaiRoo
+
+  datadb:
+    enabled: false
+    rootUser:
+      user: root
+      password: dbrepo
+    galera:
+      mariabackup:
+        user: mariabackup
+        password: mariabackup
+    sidecars:
+      - name: sidecar
+        image: registry.datalab.tuwien.ac.at/dbrepo/data-db-sidecar:unstable
+        imagePullPolicy: Always
+        securityContext:
+          runAsUser: 1001
+          runAsGroup: 0
+          runAsNonRoot: true
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+              - ALL
+        ports:
+          - name: "sidecar"
+            containerPort: 8080
+            protocol: TCP
+        envFrom:
+          - secretRef:
+              name: data-service-secret
+        livenessProbe:
+          exec:
+            command:
+              - /bin/bash
+              - -ec
+              - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
+          initialDelaySeconds: 120
+          periodSeconds: 30
+        readinessProbe:
+          exec:
+            command:
+              - /bin/bash
+              - -ec
+              - "curl -sSL localhost:8080/health | grep 'UP' || exit 1"
+          initialDelaySeconds: 30
+          periodSeconds: 30
+        volumeMounts:
+          - name: s3
+            mountPath: /s3
+    extraPorts:
+      - name: "sidecar"
+        port: 8080
+        targetPort: 8080
+        protocol: TCP
+    extraVolumeMounts:
+      - name: s3
+        mountPath: /s3
+    extraVolumes:
+      - name: s3
+        emptyDir: {}
+    replicaCount: 3
+    persistence:
+      enabled: false
+
+  searchdb:
+    enabled: false
+    security:
+      enabled: false
+#      adminUsername: admin
+#      adminPassword: uMeiphoh8Enasoh3ohCh
+    extraEnvs:
+      - name: DISABLE_INSTALL_DEMO_CONFIG
+        value: "true"
+    persistence:
+      enabled: false
+
+  analyseservice:
+    enabled: false
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/analyse-service:unstable
+      pullPolicy: Always
+
+  metadataservice:
+    enabled: false
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/metadata-service:unstable
+      pullPolicy: Always
+      debug: true
+    admin:
+      email: noreply@example.com
+    deletedRecord: permanent
+    repositoryName: Database Repository
+    granularity: YYYY-MM-DDThh:mm:ssZ
+    datacite:
+      enabled: false
+      url: https://api.datacite.org
+      prefix: ""
+      username: ""
+      password: ""
+
+  dataservice:
+    enabled: false
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/data-service:unstable
+      pullPolicy: Always
+      debug: true
+    rabbitmq:
+      consumer:
+        username: admin
+        password: eene9Loochai5thaiRoo
+    s3:
+      filePath: /s3
+
+  searchservice:
+    enabled: false
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/search-service:unstable
+      pullPolicy: Always
+      debug: false
+    init:
+      image:
+        name: registry.datalab.tuwien.ac.at/dbrepo/search-service-init:unstable
+        pullPolicy: Always
+
+  storageservice:
+    enabled: false
+    global:
+      # OpenShift has problems with clusterroles
+      createClusterRole: false
+    init:
+      image: registry.datalab.tuwien.ac.at/dbrepo/storage-service-init:unstable
+
+  ui:
+    enabled: true
+    image:
+      name: registry.datalab.tuwien.ac.at/dbrepo/ui:unstable
+      pullPolicy: Always
+    public:
+      api:
+        client: https://dbrepo.arisnet.ac.at
+        server: https://dbrepo.arisnet.ac.at
+      title: "Database Repository"
+      logo: "/logo.svg"
+      icon: "/favicon.ico"
+      touch: "/apple-touch-icon.png"
+      broker:
+        host: dbrepo.arisnet.ac.at
+        port:
+          5671: true
+          5672: false
+        extra: "128.130.0.0/15"
+      database:
+        extra: "128.130.0.0/15"
+      pid:
+        default:
+          publisher: "TU Wien"
+      doi:
+        enabled: false
+        endpoint: https://doi.org
+    extraVolumes: [ ]
+    #  - name: images-map
+    #    configMap:
+    #      name: ui-config
+    extraVolumeMounts: [ ]
+    #  - name: images-map
+    #    mountPath: /static/logo.svg
+    #    subPath: logo.svg
+
+  ingress:
+    enabled: true
+    className: nginx
+    tls:
+      enabled: true
+      secretName: dbrepo-ingress-tls-cert
+    annotations:
+      basic:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/use-regex: "true"
+      rewriteApi:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/use-regex: "true"
+        nginx.ingress.kubernetes.io/rewrite-target: /api/$1
+      rewriteRoot:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/use-regex: "true"
+        nginx.ingress.kubernetes.io/rewrite-target: /$1
+      rewriteRootSecure:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+        nginx.ingress.kubernetes.io/use-regex: "true"
+        nginx.ingress.kubernetes.io/rewrite-target: /$1
+      rewritePid:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/use-regex: "true"
+        nginx.ingress.kubernetes.io/rewrite-target: /api/pid/$1
+

helm/dbrepo/values.yaml

 # Copyright the DBRepo developers
 # SPDX-License-Identifier: APACHE-2.0
 
+## @section Global parameters
+
+global:
+  ## Compatibility adaptations for Kubernetes platforms
+  compatibility:
+    ##  Compatibility adaptations for Openshift
+    openshift:
+      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+      adaptSecurityContext: auto
+  ## @param global.storageClass Global StorageClass for Persistent Volume(s)
+  storageClass: ""
+
 ## @section Common parameters
-##
 
 ## @param namespace The namespace to install the chart
-##
 namespace: aris-dbrepo-dev
 ## @param hostname The hostname.
 ##
@@ -14,226 +24,127 @@ hostname: dbrepo.arisnet.ac.at
 ##
 gateway: https://arisnet.ac.at
 ## @param strategyType The image pull
-##
 strategyType: RollingUpdate
 ## @param clusterDomain The cluster domain.
-##
 clusterDomain: cluster.local
 
-## @section Internal Admin User
-
-## @param admin.username The internal admin username.
-## @param admin.password The internal admin password.
-##
-admin:
-  username: admin
-  password: admin
-
-## resource limits required by ares cluster
-##
-resources:
-  limits:
-    cpu: 500m
-    memory: 756Mi
-  requests:
-    cpu: 100m
-    memory: 256Mi
-
-
-resourcesLittle:
-  limits:
-    cpu: 100m
-    memory: 512Mi
-  requests:
-    cpu: 50m
-    memory: 256Mi
-
 ## @section Metadata Database
 
-## @param metadatadb.enabled Enable the Metadata Database.
-## @skip metadatadb.fullnameOverride
-## @param metadatadb.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
-## @param metadatadb.host The hostname for the microservices.
-## @param metadatadb.rootUser.user The root username.
-## @param metadatadb.rootUser.password The root user password.
-## @param metadatadb.jdbcExtraArgs The extra arguments for JDBC connections in the microservices.
-## @param metadatadb.db.name The database name.
-## @skip metadatadb.metrics.enabled The Prometheus settings.
-## @skip metadatadb.galera The Galera settings.
-## @skip metadatadb.initdbScriptsConfigMap The initial database scripts.
-## @param metadatadb.extraInitDbScripts Additional init.db scripts that are executed on the first start.
-## @skip metadatadb.service The initial database scripts.
-## @param metadatadb.persistence.enabled Enable persistent storage. Requires PV-provisioner.
-## @param metadatadb.replicaCount The number of replicas, should be uneven (2n+1).
-##
 metadatadb:
+  ## @param metadatadb.enabled Enable the Metadata Database.
   enabled: true
+  ## @skip metadatadb.fullnameOverride
   fullnameOverride: metadata-db
-  global:
-    compatibility:
-      openshift:
-        adaptSecurityContext: force
-    storageClass: "rbd-storagepool-cluster"
-  image:
-    debug: false
+  ## @param metadatadb.host The hostname for the microservices.
   host: metadata-db
   rootUser:
+    ## @param metadatadb.rootUser.user The root username.
     user: root
+    ## @param metadatadb.rootUser.password The root user password.
     password: dbrepo
-  jdbcExtraArgs: ""
   db:
-    name: fda
-  metrics:
-    enabled: false
+    ## @param metadatadb.db.name The database name.
+    name: dbrepo
   galera:
     mariabackup:
-      user: mariabackup
-      password: mariabackup
+      ## @param metadatadb.galera.mariabackup.user The database backup username.
+      user: backup
+      ## @param metadatadb.galera.mariabackup.password The database backup user password
+      password: backup
+  ## @param metadatadb.jdbcExtraArgs The extra arguments for JDBC connections in the microservices.
+  jdbcExtraArgs: ""
+  metrics:
+    ## @skip metadatadb.metrics.enabled The Prometheus settings.
+    enabled: false
+  ## @skip metadatadb.initdbScriptsConfigMap The initial database scripts.
   initdbScriptsConfigMap: metadata-db-setup
-  extraInitDbScripts: {}
+  ## @param metadatadb.initdbScripts Additional init.db scripts that are executed on the first start.
+  initdbScripts: { }
   #    03-additional-data.sql: |
   #      BEGIN;
   #      INSERT INTO `mdb_containers` (name, internal_name, image_id, host, port, sidecar_host, sidecar_port, privileged_username, privileged_password)
   #        VALUES ('MariaDB Galera TEST', 'mariadb_11_1_3', 1, 'data-db', 3306, 'data-db', 80, 'root', 'dbrepo');
   #      COMMIT;
-  service:
-    type: ClusterIP
-    annotations: {}
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: []
-  persistence:
-    enabled: false
-  resources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 150m
-      ephemeral-storage: 50Mi
-      memory: 768Mi
+  ## @param metadatadb.replicaCount The number of cluster nodes, should be uneven i.e. 2n+1
   replicaCount: 3
+  persistence:
+    ## @param metadatadb.persistence.enabled Enable persistent storage.
+    enabled: true
 
 ## @section Auth Service
 
-## @param authservice.enabled Enable the Auth Service.
-## @skip authservice.fullnameOverride
-## @param authservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
-## @param authservice.endpoint The hostname for the microservices.
-## @param authservice.auth.adminUser The admin username.
-## @param authservice.auth.adminPassword The admin user password.
-## @skip authservice.postgresql
-## @skip authservice.extraStartupArgs
-## @param authservice.jwt.pubkey The JWT public key from the `dbrepo-client`.
-## @param authservice.tls.enabled Enable TLS/SSL communication. Required for HTTPS.
-## @param authservice.tls.existingSecret The secret containing the `tls.crt`, `tls.key` and `ca.crt`.
-## @param authservice.tls.usePem Use PEM certificates as input instead of PKS12/JKS stores.
-## @param authservice.metrics.enabled Enable the Prometheus metrics export sidecar container.
-## @param authservice.client.id The client id for the microservices.
-## @param authservice.client.secret The client secret for the microservices.
-## @skip authservice.extraEnvVarsCM
-## @skip authservice.extraVolumes
-## @skip authservice.extraVolumeMounts
-## @skip authservice.replicaCount The number of replicas.
-##
 authservice:
+  ## @param authservice.enabled Enable the Auth Service.
   enabled: true
+  ## @skip authservice.fullnameOverride
   fullnameOverride: auth-service
-  global:
-    compatibility:
-      openshift:
-        adaptSecurityContext: force
-    storageClass: "rbd-storagepool-cluster"
   image:
+    ## @param authservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## @param authservice.endpoint The hostname for the microservices.
   endpoint: http://auth-service
   auth:
-    adminUser: fda
-    adminPassword: fda
+    adminUser: admin
+    adminPassword: de4aingohyohveeRooZe
   postgresql:
-    enabled: true
     auth:
-      postgresPassword: postgres
+      postgresPassword: Zaethie2gai3phogh3wa
+  ## @skip authservice.extraStartupArgs
   extraStartupArgs: "--import-realm"
   jwt:
+    ## @param authservice.jwt.pubkey The JWT public key from the `dbrepo-client`.
     pubkey: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqqnHQ2BWWW9vDNLRCcxD++xZg/16oqMo/c1l+lcFEjjAIJjJp/HqrPYU/U9GvquGE6PbVFtTzW1KcKawOW+FJNOA3CGo8Q1TFEfz43B8rZpKsFbJKvQGVv1Z4HaKPvLUm7iMm8Hv91cLduuoWx6Q3DPe2vg13GKKEZe7UFghF+0T9u8EKzA/XqQ0OiICmsmYPbwvf9N3bCKsB/Y10EYmZRb8IhCoV9mmO5TxgWgiuNeCTtNCv2ePYqL/U0WvyGFW0reasIK8eg3KrAUj8DpyOgPOVBn3lBGf+3KFSYi+0bwZbJZWqbC/Xlk20Go1YfeJPRIt7ImxD27R/lNjgDO/MwIDAQAB"
   tls:
+    ## @param authservice.tls.enabled Enable TLS/SSL communication. Required for HTTPS.
     enabled: true
+    ## @param authservice.tls.existingSecret The secret containing the `tls.crt`, `tls.key` and `ca.crt`.
     existingSecret: ingress-cert
+    ## @skip authservice.tls.usePem
     usePem: true
   metrics:
+    ## @param authservice.metrics.enabled Enable the Prometheus metrics export sidecar container.
     enabled: false
   client:
+    ## @param authservice.client.id The client id for the microservices.
     id: dbrepo-client
+    ## @param authservice.client.secret The client secret for the microservices.
     secret: MUwRc7yfXSJwX8AdRMWaQC3Nep1VjwgG
+  ## @skip authservice.extraEnvVarsCM
   extraEnvVarsCM: auth-service-config
+  ## @skip authservice.extraVolumes
   extraVolumes:
     - name: config-map
       configMap:
         name: auth-service-config
+  ## @skip authservice.extraVolumeMounts
   extraVolumeMounts:
     - name: config-map
       mountPath: /opt/bitnami/keycloak/data/import
-  resources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 250m
-      ephemeral-storage: 10Mi
-      memory: 768Mi
+  ## @skip authservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Data Database
 
-## @param datadb.enabled Enable the Data Database.
-## @skip datadb.fullnameOverride
-## @param datadb.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
-## @skip datadb.extraFlags
-## @param datadb.rootUser.user The root username.
-## @param datadb.rootUser.password The root user password.
-## @skip datadb.metrics.enabled The Prometheus settings.
-## @skip datadb.galera The Galera settings.
-## @skip datadb.service
-## @skip datadb.sidecars
-## @skip datadb.extraVolumeMounts
-## @skip datadb.extraVolumes
-## @param datadb.persistence.enabled Enable persistent storage. Requires PV-provisioner.
-## @param datadb.replicaCount The number of replicas, should be uneven (2n+1).
-##
 datadb:
+  ## @param datadb.enabled Enable the Data Database.
   enabled: true
-  global:
-    compatibility:
-      openshift:
-        adaptSecurityContext: force
-    storageClass: "rbd-storagepool-cluster"
+  ## @skip datadb.fullnameOverride
   fullnameOverride: data-db
   image:
+    ## @param datadb.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
-  extraFlags: "--character-set-server=utf8mb4 --collation-server=utf8mb4_general_ci"
-  rootUser:
-    user: root
-    password: dbrepo
+  auth:
+    ## @param datadb.auth.rootPassword The root user password.
+    rootPassword: dbrepo
+    ## @param datadb.auth.replicationUser The database replication user password
+    replicationUser: replication
+    ## @param datadb.auth.replicationPassword The database replication user password
+    replicationPassword: replication
   metrics:
+    ## @skip datadb.metrics.enabled
     enabled: true
-    resources:
-      requests:
-        cpu: 50m
-        ephemeral-storage: 10Mi
-        memory: 512Mi
-      limits:
-        cpu: 150m
-        ephemeral-storage: 10Mi
-        memory: 768Mi
-  galera:
-    mariabackup:
-      user: mariabackup
-      password: mariabackup
-    bootstrap:
-      forceBootstrap: true
-      forceSafeToBootstrap: true
+  ## @skip datadb.primary
+  primary:
     service:
       extraPorts:
         - name: "sidecar"
@@ -242,22 +153,18 @@ datadb:
           protocol: TCP
     sidecars:
       - name: sidecar
-      image: s210.dl.hpc.tuwien.ac.at/dbrepo/data-db-sidecar:1.4.4
+        image: registry.datalab.tuwien.ac.at/dbrepo/data-db-sidecar:1.4.5
         imagePullPolicy: Always
         securityContext:
+          runAsUser: 1001
+          runAsGroup: 0
+          runAsNonRoot: true
           allowPrivilegeEscalation: false
           seccompProfile:
             type: RuntimeDefault
           capabilities:
             drop:
               - ALL
-      resources:
-        requests:
-          cpu: 25m
-          memory: 512Mi
-        limits:
-          cpu: 100m
-          memory: 768Mi
         ports:
           - name: "sidecar"
             containerPort: 8080
@@ -292,422 +199,633 @@ datadb:
         emptyDir: { }
     persistence:
       enabled: true
-  resources:
-    requests:
-      cpu: 25m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 100m
-      ephemeral-storage: 10Mi
-      memory: 768Mi
-  replicaCount: 3
+  ## @skip datadb.secondary
+  secondary:
+    replicaCount: 2
 
 ## @section Search Database
 
-## @param searchdb.enabled Enable the Search Database.
-## @skip searchdb.fullnameOverride
-## @param searchdb.host The hostname for the microservices.
-## @param searchdb.port The port for the microservices.
-## @skip searchdb.protocol
-## @param searchdb.username The admin username.
-## @param searchdb.password The admin user password.
-## @skip searchdb.clusterName
-## @skip searchdb.masterService
-## @param searchdb.replicas The number of replicas.
-## @skip searchdb.sysctlInit
-## @param searchdb.persistence.enabled Enable persistent storage. Requires PV-provisioner.
-## @skip searchdb.service
-## @skip searchdb.extraEnvs
-## @skip searchdb.extraVolumeMounts
-## @skip searchdb.extraVolumes
-## @skip searchdb.config
-##
 searchdb:
+  ## @param searchdb.enabled Enable the Data Database.
   enabled: true
+  ## @skip searchdb.fullnameOverride
   fullnameOverride: search-db
+  ## @skip searchdb.servicenameOverride
+  servicenameOverride: search-db
+  ## @param searchdb.host The hostname for the microservices.
   host: search-db
+  ## @param searchdb.port The port for the microservices.
   port: 9200
-  protocol: http
-  username: admin
-  password: admin
-  clusterName: search-db
-  masterService: search-db
-  replicas: 3
-  sysctlInit:
-    enabled: false
-  persistence:
-    enabled: false
-  service:
-    type: ClusterIP
-    annotations: {}
-    loadBalancerSourceRanges: []
-  extraEnvs:
-    - name: DISABLE_INSTALL_DEMO_CONFIG
-      value: "true"
-  extraVolumeMounts:
-    - name: node-cert
-      mountPath: /usr/share/opensearch/config/tls
-      readOnly: true
-  extraVolumes:
-    - name: node-cert
-      secret:
-        secretName: search-db-secret
-  securityContext:
-    capabilities:
-      drop:
-        - ALL
-    runAsNonRoot: true
-    readOnlyRootFilesystem: true
-    allowPrivilegeEscalation: false
-    runAsUser: null
-  podSecurityContext:
-    runAsNonRoot: true
-    fsGroup: null
-    runAsUser: null
-  resources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 150m
-      ephemeral-storage: 100Mi
-      memory: 768Mi
-  initResources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 150m
-      ephemeral-storage: 100Mi
-      memory: 768Mi
-  config:
-    opensearch.yml: |
-      cluster.name: search-db
-      network.host: 0.0.0.0
-      plugins:
+  ## @skip searchdb.security
   security:
-          ssl:
-            transport:
-              pemcert_filepath: tls/tls.crt
-              pemkey_filepath: tls/tls.key
-              pemtrustedcas_filepath: tls/ca.crt
-              enforce_hostname_verification: false
-            http:
-              #enabled: true # uncomment to force ssl connections
-              pemcert_filepath: tls/tls.crt
-              pemkey_filepath: tls/tls.key
-              pemtrustedcas_filepath: tls/ca.crt
-          allow_unsafe_democertificates: false
-          allow_default_init_securityindex: true
-          authcz:
-            admin_dn:
-              - CN=search-db
-          nodes_dn:
-            - CN=search-db
-          audit.type: internal_opensearch
-          enable_snapshot_restore_privilege: true
-          check_snapshot_restore_write_privileges: true
-          restapi:
-            roles_enabled: [ "all_access", "security_rest_api_access" ]
-          system_indices:
-            enabled: true
-            indices:
-              [
-                ".opendistro-alerting-config",
-                ".opendistro-alerting-alert*",
-                ".opendistro-anomaly-results*",
-                ".opendistro-anomaly-detector*",
-                ".opendistro-anomaly-checkpoints",
-                ".opendistro-anomaly-detection-state",
-                ".opendistro-reports-*",
-                ".opendistro-notifications-*",
-                ".opendistro-notebooks",
-                ".opendistro-asynchronous-search-response*",
-              ]
+    enabled: false
+    adminUsername: admin
+    adminPassword: admin
+  ## @param searchdb.clusterName The cluster name.
+  clusterName: search-db
 
 ## @section Upload Service
 
-## @param uploadservice.enabled Enable the Upload Service.
-## @skip uploadservice.fullnameOverride
-## @skip uploadservice.image
-## @skip uploadservice.containerArgs
-## @skip uploadservice.envFrom
-## @param uploadservice.replicaCount The number of replicas.
-##
 uploadservice:
+  ## @param uploadservice.enabled Enable the Upload Service.
   enabled: true
+  ## @skip uploadservice.fullnameOverride
   fullnameOverride: upload-service
+  ## @skip uploadservice.image
   image:
     repository: tusproject/tusd
     tag: v1.12
+  ## @skip uploadservice.securityContext
+  securityContext:
+    allowPrivilegeEscalation: false
+    runAsUser: 1000
+    runAsGroup: 1000
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+    capabilities:
+      drop:
+        - ALL
+  ## @skip uploadservice.containerArgs
   containerArgs:
-    - "--base-path=/api/upload/files/"
-    - "-s3-endpoint=https://sos-at-vie-1.exo.io"
-    - "-s3-bucket=s3-bucket-dbrepo-upload"
+    - "-behind-proxy"
+    - "-max-size=2000000000"
+    - "-base-path=/api/upload/files/"
+    - "-s3-endpoint=http://storage-service-s3:8333"
+    - "-s3-bucket=dbrepo-upload"
+  ## @skip uploadservice.envFrom
+  envFrom:
+    - secretRef:
+        name: upload-service-secret
+  ## @param uploadservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Broker Service
 
-## @param brokerservice.enabled Enable the Broker Service.
-## @skip brokerservice.fullnameOverride
-## @skip brokerservice.image
-## @param brokerservice.endpoint The management api endpoint for the microservices.
-## @param brokerservice.host The hostname for the microservices.
-## @param brokerservice.port The port for the microservices.
-## @param brokerservice.virtualHost The default virtual host name.
-## @param brokerservice.queueName The default queue name.
-## @param brokerservice.exchangeName The default exchange name.
-## @param brokerservice.routingKey The default routing key binding from the default queue to the default exchange.
-## @param brokerservice.connectionTimeout The connection timeout in ms.
-## @skip brokerservice.auth
-## @skip brokerservice.extraConfiguration
-## @skip brokerservice.loadDefinition
-## @skip brokerservice.extraVolumes
-## @skip brokerservice.extraPlugins
-## @param brokerservice.persistence.enabled Enable persistent storage. Requires PV-provisioner.
-## @skip brokerservice.service
-## @param brokerservice.replicaCount The number of replicas.
-##
 brokerservice:
+  ## @param brokerservice.enabled Enable the Broker Service.
   enabled: true
+  ## @skip brokerservice.fullnameOverride
   fullnameOverride: broker-service
   image:
+    ## @param brokerservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: true
+  ## @param brokerservice.endpoint The management api endpoint for the microservices.
   endpoint: http://broker-service:15672
+  ## @param brokerservice.host The hostname for the microservices.
   host: broker-service
+  ## @param brokerservice.port The port for the microservices.
   port: 5672
+  ## @param brokerservice.virtualHost The default virtual host name.
   virtualHost: dbrepo
+  ## @param brokerservice.queueName The default queue name.
   queueName: dbrepo
+  ## @param brokerservice.exchangeName The default exchange name.
   exchangeName: dbrepo
+  ## @param brokerservice.routingKey The default routing key binding from the default queue to the default exchange.
   routingKey: dbrepo.#
+  ## @param brokerservice.connectionTimeout The connection timeout in ms.
   connectionTimeout: 60000
   rbac:
     create: false
+  ldap:
+    ## @skip brokerservice.ldap.enabled
+    enabled: true
+    ## @skip brokerservice.ldap.authorisationEnabled
+    authorisationEnabled: true
+    ## @skip brokerservice.ldap.servers
+    servers:
+      - identity-service
+    ## @skip brokerservice.ldap.port
+    port: 389
+    ## @param brokerservice.ldap.binddn The domain name the broker service should bind to. In many cases this is the admin user from `identityservice.global.adminUser`.
+    binddn: cn=admin,dc=dbrepo,dc=at
+    ## @param brokerservice.ldap.bindpw The password to bind on the identity service. In many cases this value is equal to `identityservice.global.adminPassword`.
+    bindpw: admin
+    ## @param brokerservice.ldap.uidField The field containing the user id.
+    uidField: uid
+    ## @param brokerservice.ldap.basedn The base domain name containing the users.
+    basedn: ou=users,dc=dbrepo,dc=at
+    ## @param brokerservice.ldap.userDnPattern The pattern to determine the user.
+    userDnPattern: ${username}
   auth:
+    ## @skip brokerservice.auth.tls
     tls:
       enabled: false
       sslOptionsVerify: true
       failIfNoPeerCert: true
       existingSecret: ingress-cert
-    username: broker
-    password: broker
-  extraConfiguration: |-
-    default_vhost = dbrepo
-    default_user_tags.administrator = true
-    default_permissions.configure = .*
-    default_permissions.read = .*
-    default_permissions.write = .*
-    load_definitions = /app/load_definition.json
-    log.console = true
-    listeners.tcp.1 = 0.0.0.0:5672
-    auth_backends.1 = rabbit_auth_backend_oauth2
-    auth_backends.2 = rabbit_auth_backend_internal
-    auth_oauth2.resource_server_id = rabbitmq
-    auth_oauth2.preferred_username_claims.1 = client_id
-    auth_oauth2.default_key = t2OCeCheJ9uwoBbNQjG_nN6WKiLcceTIAZmiTbGODFM
-    auth_oauth2.signing_keys.t2OCeCheJ9uwoBbNQjG_nN6WKiLcceTIAZmiTbGODFM = /app/cert.pem
-    auth_oauth2.signing_keys.id2 = /app/pubkey.pem
-    auth_oauth2.algorithms.1 = HS256
-    auth_oauth2.algorithms.2 = RS256
-    management.oauth_enabled = true
-    management.oauth_client_id = rabbitmq-client
-    management.oauth_client_secret = JEC2FexxrX4N65fLeDGukAl6R3Lc9y0u
-    management.oauth_scopes = openid
-    management.oauth_provider_url = https://example.com/api/auth/realms/dbrepo
+  ## @skip brokerservice.advancedConfigurationExistingSecret
+  advancedConfigurationExistingSecret: broker-service-secret
+  ## @skip brokerservice.loadDefinition
   loadDefinition:
     enabled: true
     existingSecret: broker-service-secret
-  extraVolumes:
-    - name: secret-map
-      secret:
-        secretName: broker-service-secret
-  extraPlugins: rabbitmq_prometheus rabbitmq_auth_backend_oauth2 rabbitmq_auth_mechanism_ssl
+  ## @param brokerservice.extraPlugins The list of plugins to be activated.
+  extraPlugins: rabbitmq_prometheus rabbitmq_auth_backend_ldap rabbitmq_auth_mechanism_ssl
   persistence:
+    ## @param brokerservice.persistence.enabled If set to true, a PVC will be created.
     enabled: false
+  ## @skip brokerservice.service
   service:
     type: ClusterIP
     managerPortEnabled: true
     # loadBalancerIP:
-  resources:
-    requests:
-      cpu: 50m
-      ephemeral-storage: 10Mi
-      memory: 512Mi
-    limits:
-      cpu: 300m
-      ephemeral-storage: 100Mi
-      memory: 768Mi
-  replicaCount: 2
+  ## @param brokerservice.replicaCount The number of replicas.
+  replicaCount: 1
 
 ## @section Analyse Service
 
-## @param analyseservice.enabled Enable the Broker Service.
-## @skip analyseservice.image
-## @param analyseservice.endpoint The url of the endpoint.
-## @param analyseservice.s3.endpoint The S3-capable endpoint the microservice connects to.
-## @param analyseservice.replicaCount The number of replicas.
-##
 analyseservice:
+  ## @param analyseservice.enabled Enable the Broker Service.
   enabled: true
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/analyse-service:1.4.4
+    ## @skip analyseservice.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/analyse-service:1.4.5
+    ## @skip analyseservice.image.pullPolicy
     pullPolicy: Always
+    ## @param analyseservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param analyseservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param analyseservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param analyseservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param analyseservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param analyseservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param analyseservice.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param analyseservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param analyseservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param analyseservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param analyseservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param analyseservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param analyseservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
+    capabilities:
+      ## @param analyseservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param analyseservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip analyseservice.resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 500m
+      memory: 2048Mi
+
+  ## @param analyseservice.endpoint The url of the endpoint.
   endpoint: http://analyse-service
+  s3:
+    ## @param analyseservice.s3.endpoint The S3-capable endpoint the microservice connects to.
+    endpoint: http://storage-service-s3:8333
+  ## @param analyseservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Metadata Service
 
-## @param metadataservice.enabled Enable the Metadata Service.
-## @skip metadataservice.image
-## @param metadataservice.endpoint The Metadata Service endpoint.
-## @param metadataservice.admin.email The OAI-PMH exposed admin e-mail.
-## @param metadataservice.deletedRecord The OAI-PMH exposed delete policy.
-## @param metadataservice.repositoryName The OAI-PMH exposed repository name.
-## @param metadataservice.granularity The OAI-PMH exposed record granularity.
-## @param metadataservice.datacite.enabled Enable the DataCite account for minting DOIs.
-## @param metadataservice.datacite.url The DataCite api endpoint url.
-## @param metadataservice.datacite.prefix The DataCite prefix.
-## @param metadataservice.datacite.username The DataCite api username.
-## @param metadataservice.datacite.password The DataCite api user password.
-## @param metadataservice.sparql.connectionTimeout The connection timeout for sparql queries fetching remote data in ms.
-## @param metadataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
-## @skip metadataservice.s3.bucket
-## @param metadataservice.s3.auth.username The S3-capable endpoint username (or access key id).
-## @param metadataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
-## @param metadataservice.replicaCount The number of replicas.
-##
 metadataservice:
+  ## @param metadataservice.enabled Enable the Broker Service.
   enabled: true
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/metadata-service:1.4.4
+    ## @skip metadataservice.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/metadata-service:1.4.5
+    ## @skip metadataservice.image.pullPolicy
     pullPolicy: Always
+    ## @param metadataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param metadataservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param metadataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param metadataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param metadataservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param metadataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param metadataservice.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param metadataservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param metadataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param metadataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param metadataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param metadataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param metadataservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
+    capabilities:
+      ## @param metadataservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param metadataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip metadataservice.resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
+  ## @param metadataservice.endpoint The Metadata Service endpoint.
   endpoint: http://metadata-service
+  crossref:
+    ## @param metadataservice.crossref.endpoint The CrossRef endpoint.
+    endpoint: http://data.crossref.org
+  ror:
+    ## @param metadataservice.ror.endpoint The ROR endpoint.
+    endpoint: https://api.ror.org
   admin:
+    ## @param metadataservice.admin.email The OAI-PMH exposed e-mail for contacting the metadata records responsible person.
     email: noreply@example.com
+  ## @param metadataservice.deletedRecord The OAI-PMH exposed delete policy.
   deletedRecord: permanent
+  ## @param metadataservice.repositoryName The OAI-PMH exposed repository name.
   repositoryName: Database Repository
+  ## @param metadataservice.granularity The OAI-PMH exposed record granularity.
   granularity: YYYY-MM-DDThh:mm:ssZ
   datacite:
+    ## @param metadataservice.datacite.enabled If set to true, the service mints DOIs instead of local PIDs.
     enabled: false
+    ## @param metadataservice.datacite.url The DataCite api endpoint url.
     url: https://api.datacite.org
+    ## @param metadataservice.datacite.prefix The DataCite prefix.
     prefix: ""
+    ## @param metadataservice.datacite.username The DataCite api username.
     username: ""
+    ## @param metadataservice.datacite.password The DataCite api user password.
     password: ""
   sparql:
+    ## @param metadataservice.sparql.connectionTimeout The connection timeout for sparql queries fetching remote data in ms.
     connectionTimeout: 10000
+  s3:
+    ## @param metadataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
+    endpoint: http://storage-service-s3:8333
+    ## @skip metadataservice.s3.bucket
+    bucket:
+      import: dbrepo-upload
+      export: dbrepo-download
+    auth:
+      ## @param metadataservice.s3.auth.username The S3-capable endpoint username (or access key id).
+      username: seaweedfsadmin
+      ## @param metadataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
+      password: seaweedfsadmin
+  ## @param metadataservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Data Service
 
-## @param dataservice.enabled Enable the Metadata Service.
-## @param dataservice.endpoint The endpoint for the microservices.
-## @skip dataservice.image
-## @param dataservice.grant.read The default database permissions for users with read access.
-## @param dataservice.grant.write The default database permissions for users with write access.
-## @param dataservice.default.date The default date format id for dates.
-## @param dataservice.default.time The default date format id for times.
-## @param dataservice.default.timestamp The default date format id for timestamps.
-## @param dataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
-## @skip dataservice.s3.bucket
-## @param dataservice.s3.auth.username The S3-capable endpoint username (or access key id).
-## @param dataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
-## @param dataservice.s3.filePath The local location to download/upload files from/to S3-capable endpoint.
-## @param dataservice.consumerConcurrentMin The minimum broker service consumer number.
-## @param dataservice.consumerConcurrentMax The maximum broker service consumer number.
-## @param dataservice.requeueRejected Enable re-queueing of rejected messages to the broker service.
-## @param dataservice.replicaCount The number of replicas.
-##
 dataservice:
+  ## @param dataservice.enabled Enable the Broker Service.
   enabled: true
+  ## @param dataservice.endpoint Absolute URL to the data service in the form of http://host:port
   endpoint: http://data-service
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/data-service:1.4.4
+    ## @skip dataservice.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/data-service:1.4.5
+    ## @skip dataservice.image.pullPolicy
     pullPolicy: Always
+    ## @param dataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param dataservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param dataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param dataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param dataservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param dataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param dataservice.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param dataservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param dataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param dataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param dataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param dataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param dataservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
+    capabilities:
+      ## @param dataservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param dataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip dataservice.resources
   grant:
+    ## @param dataservice.grant.read The default database permissions for users with read access.
     read: SELECT
+    ## @param dataservice.grant.write The default database permissions for users with write access.
     write: SELECT, CREATE, CREATE VIEW, CREATE ROUTINE, CREATE TEMPORARY TABLES, LOCK TABLES, INDEX, TRIGGER, INSERT, UPDATE, DELETE
   default:
+    ## @param dataservice.default.date The default date format id for dates. Default: YYYY-MM-dd (e.g. 2024-06-15).
     date: 3
+    ## @param dataservice.default.time The default date format id for times. Default: HH:mm:ss (e.g. 14:23:42).
     time: 4
+    ## @param dataservice.default.timestamp The default date format id for timestamps. Default: YYYY-MM-dd HH:mm:ss (e.g. 2024-06-15 14:23:42).
     timestamp: 1
-  s3FilePath: /s3
-  consumerConcurrentMin: 1
-  consumerConcurrentMax: 5
+  rabbitmq:
+    ## @param dataservice.rabbitmq.consumerConcurrentMin The minimal number of RabbitMQ consumers.
+    consumerConcurrentMin: 2
+    ## @param dataservice.rabbitmq.consumerConcurrentMax The maximal number of RabbitMQ consumers.
+    consumerConcurrentMax: 6
+    ## @param dataservice.rabbitmq.requeueRejected If set to true, rejected tuples will be re-queued.
     requeueRejected: false
+    consumer:
+      ## @param dataservice.rabbitmq.consumer.username The username for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.users`.
+      username: admin
+      ## @param dataservice.rabbitmq.consumer.password The user password for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.userPasswords`.
+      password: admin
+  s3:
+    ## @param dataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
+    endpoint: http://storage-service-s3:8333
+    ## @param dataservice.s3.bucket The S3 bucket name.
+    bucket:
+      import: dbrepo-upload
+      export: dbrepo-download
+    auth:
+      ## @param dataservice.s3.auth.username The S3-capable endpoint username (or access key id).
+      username: seaweedfsadmin
+      ## @param dataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
+      password: seaweedfsadmin
+    ## @param dataservice.s3.filePath The local location to download/upload files from/to S3-capable endpoint.
+    filePath: /s3
+  ## @param dataservice.replicaCount The number of replicas.
   replicaCount: 2
 
 ## @section Search Service
 
-## @param searchservice.enabled Enable the Search Service.
-## @param searchservice.endpoint The endpoint for the microservices.
-## @skip searchservice.image
-## @skip searchservice.init
-## @param searchservice.replicaCount The number of replicas.
-##
 searchservice:
+  ## @param searchservice.enabled Enable the Broker Service.
   enabled: true
+  ## @param searchservice.endpoint Absolute URL to the search service in the form of http://host:port
   endpoint: http://search-service
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/search-service:1.4.4
+    ## @skip searchservice.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/search-service:1.4.5
+    ## @skip searchservice.image.pullPolicy
     pullPolicy: Always
+    ## @param searchservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param searchservice.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param searchservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param searchservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param searchservice.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param searchservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param searchservice.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param searchservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param searchservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param searchservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param searchservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param searchservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param searchservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: true
+    capabilities:
+      ## @param searchservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param searchservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip searchservice.resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
+  ## @skip searchservice.init
   init:
     image:
-      name: s210.dl.hpc.tuwien.ac.at/dbrepo/search-service-init:1.4.4
+      name: registry.datalab.tuwien.ac.at/dbrepo/search-service-init:1.4.5
       pullPolicy: Always
+  ## @param searchservice.replicaCount The number of replicas.
   replicaCount: 2
 
+## @section Storage Service
+
+storageservice:
+  ## @param storageservice.enabled Enable the Storage Service.
+  enabled: true
+  ## @skip storageservice.fullnameOverride
+  fullnameOverride: storage-service
+  mariadb:
+    ## @skip storageservice.mariadb.fullnameOverride
+    fullnameOverride: storage-service-db
+    ## @skip storageservice.mariadb.enabled
+    enabled: true
+  master:
+    ## @skip storageservice.master.enabled
+    enabled: true
+  filer:
+    ## @param storageservice.filer.enabled Enable the storage service filer which is required for S3.
+    enabled: true
+  volume:
+    ## @skip storageservice.volume.enabled
+    enabled: false
+  s3:
+    ## @skip storageservice.s3.enabled
+    enabled: true
+    ## @param storageservice.s3.replicaCount The number of replicas.
+    replicaCount: 2
+    ## @param storageservice.s3.bucket The S3-bucket name.
+    bucket:
+      import: dbrepo-upload
+      export: dbrepo-download
+    auth:
+      ## @param storageservice.s3.auth.enabled Enable the S3 service.
+      enabled: true
+      ## @param storageservice.s3.auth.adminAccessKeyId The S3 access key id for the admin user. In some systems this is named `username`.
+      adminAccessKeyId: seaweedfsadmin
+      ## @param storageservice.s3.auth.adminSecretAccessKey The S3 secret access key for the admin user. In some systems this is named `password`.
+      adminSecretAccessKey: seaweedfsadmin
+  ## @skip storageservice.init
+  init:
+    image: registry.datalab.tuwien.ac.at/dbrepo/storage-service-init:1.4.5
+    pullPolicy: Always
+
+## @section Identity Service
+
+identityservice:
+  ## @param identityservice.enabled Enable the Identity Service.
+  enabled: true
+  ## @skip identityservice.fullnameOverride
+  fullnameOverride: identity-service
+  global:
+    ## @param identityservice.global.ldapDomain The LDAP domain name in domain "dbrepo.at" form or explicit in "dc=dbrepo,dc=at" form.
+    ldapDomain: dc=dbrepo,dc=at
+    ## @param identityservice.global.adminUser The admin username that is used to bind.
+    adminUser: admin
+    ## @param identityservice.global.adminPassword The admin user password that is used to bind.
+    adminPassword: admin
+    ## @skip identityservice.global.configUserEnabled
+    configUserEnabled: false
+  ## @param identityservice.users The admin username for internal authentication.
+  users: admin
+  ## @param identityservice.userPasswords The admin user password for internal authentication.
+  userPasswords: admin
+  ## @param identityservice.group The group that contains the administrators for the broker service.
+  group: system
+  ## @skip identityservice.ltb-passwd
+  ltb-passwd:
+    ingress:
+      enabled: false
+  ## @skip identityservice.phpldapadmin
+  phpldapadmin:
+    enabled: false
+  ## @skip identityservice.customSchemaFiles
+  customSchemaFiles:
+    00-memberof.ldif: |-
+      dn: cn=module,cn=config
+      cn: module
+      objectClass: olcModuleList
+      olcModuleLoad: memberof
+      olcModulePath: /opt/bitnami/openldap/lib/openldap
+
+      dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
+      changetype: add
+      objectClass: olcOverlayConfig
+      objectClass: olcMemberOf
+      olcOverlay: memberof
+      olcMemberOfRefint: TRUE
+  persistence:
+    ## @param identityservice.persistence.enabled If set to true, a PVC will be created.
+    enabled: true
+  replication:
+    ## @param identityservice.replication.enabled If set to true, the pods required a cluster. Needs `replicaCount` to be `3` or higher (of 2n+1).
+    enabled: false
+  ## @param identityservice.replicaCount The number of replicas. If `replicaCount` is set to more than 1, requires `replication.enabled` to be `true`.
+  replicaCount: 1
+
 ## @section User Interface
 
-## @param ui.enabled Enable the User Interface.
-## @skip ui.image
-## @param ui.public.api.client The endpoint for the client api.
-## @param ui.public.api.server The endpoint for the server api.
-## @param ui.public.title The user interface title.
-## @param ui.public.logo The user interface logo.
-## @param ui.public.icon The user interface icon.
-## @param ui.public.touch The user interface apple touch icon.
-## @param ui.public.broker.host The displayed broker hostname.
-## @param ui.public.broker.port.5671 Enable display of the broker 5671 port and mark it as secure (SSL/TLS).
-## @param ui.public.broker.port.5672 Enable display of the broker 5672 port and mark it as insecure (no SSL/TLS).
-## @param ui.public.broker.extra Extra metadata displayed.
-## @param ui.public.database.extra Extra metadata displayed.
-## @skip ui.public.links
-## @param ui.public.pid.default.publisher The default dataset publisher for persisted identifiers.
-## @param ui.public.doi.enabled Enable the display that DOIs are minted.
-## @param ui.public.doi.endpoint The DOI proxy.
-## @param ui.replicaCount The number of replicas.
-## @skip ui.extraVolumes
-## @skip ui.extraVolumeMounts
-##
 ui:
+  ## @param ui.enabled Enable the Broker Service.
   enabled: true
   image:
-    name: s210.dl.hpc.tuwien.ac.at/dbrepo/ui:1.4.4
+    ## @skip ui.image.name
+    name: registry.datalab.tuwien.ac.at/dbrepo/ui:1.4.5
+    ## @skip ui.image.pullPolicy
     pullPolicy: Always
+    ## @param ui.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
     debug: false
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  podSecurityContext:
+    ## @param ui.podSecurityContext.enabled Enable pods' Security Context
+    enabled: true
+    ## @param ui.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
+    fsGroupChangePolicy: Always
+    ## @param ui.podSecurityContext.sysctls Set kernel settings using the sysctl interface
+    sysctls: [ ]
+    ## @param ui.podSecurityContext.supplementalGroups Set filesystem extra groups
+    supplementalGroups: [ ]
+    ## @param ui.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+    fsGroup: 1001
+  containerSecurityContext:
+    ## @param ui.containerSecurityContext.enabled Enabled containers' Security Context
+    enabled: true
+    ## @param ui.containerSecurityContext.seLinuxOptions Set SELinux options in container
+    seLinuxOptions: { }
+    ## @param ui.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+    runAsUser: 1001
+    ## @param ui.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+    runAsGroup: 1001
+    ## @param ui.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
+    runAsNonRoot: true
+    ## @param ui.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
+    allowPrivilegeEscalation: false
+    ## @param ui.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+    readOnlyRootFilesystem: false
+    capabilities:
+      ## @param ui.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
+      drop: [ "ALL" ]
+    seccompProfile:
+      ## @param ui.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
+      type: "RuntimeDefault"
+  ## @skip ui.resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2048Mi
   public:
     api:
+      ## @param ui.public.api.client The endpoint for the client api. Defaults to the value of `gateway`.
       client: ""
+      ## @param ui.public.api.server The endpoint for the server api. Defaults to the value of `gateway`.
       server: ""
+    upload:
+      ## @param ui.public.upload.client The endpoint for the upload client. Defaults to the value of `gateway` and path `/api/upload/files`.
+      client: ""
+    ## @param ui.public.title The user interface title.
     title: "Database Repository"
+    ## @param ui.public.logo The user interface logo.
     logo: "/logo.svg"
+    ## @param ui.public.icon The user interface icon.
     icon: "/favicon.ico"
+    ## @param ui.public.touch The user interface apple touch icon.
     touch: "/apple-touch-icon.png"
     broker:
+      ## @param ui.public.broker.host The displayed broker hostname.
       host: example.com
       port:
+        ## @param ui.public.broker.port.5671 Enable display of the broker 5671 port and mark it as secure (SSL/TLS).
         5671: true
+        ## @param ui.public.broker.port.5672 Enable display of the broker 5672 port and mark it as insecure (no SSL/TLS).
         5672: false
+      ## @param ui.public.broker.extra Extra metadata displayed.
       extra: ""
     database:
+      ## @param ui.public.database.extra Extra metadata displayed.
       extra: "128.130.0.0/15"
+    ## @skip ui.public.links
     links:
       rabbitmq:
         text: RabbitMQ Admin
@@ -717,15 +835,21 @@ ui:
         href: /api/auth/
     pid:
       default:
+        ## @param ui.public.pid.default.publisher The default dataset publisher for persisted identifiers.
         publisher: "Example University"
     doi:
+      ## @param ui.public.doi.enabled Enable the display that DOIs are minted.
       enabled: false
+      ## @param ui.public.doi.endpoint The DOI proxy.
       endpoint: https://doi.org
+  ## @param ui.replicaCount The number of replicas.
   replicaCount: 2
+  ## @skip ui.extraVolumes
   extraVolumes: [ ]
   #  - name: images-map
   #    configMap:
   #      name: ui-config
+  ## @skip ui.extraVolumeMounts
   extraVolumeMounts: [ ]
   #  - name: images-map
   #    mountPath: /static/logo.svg
@@ -733,32 +857,35 @@ ui:
 
 ## @section Ingress
 
-## @param ingress.enabled Enable the ingress.
-## @skip ingress.className
-## @skip ingress.tls
-## @skip ingress.annotations
-##
 ingress:
-  enabled: true
+  ## @param ingress.enabled Enable the ingress.
+  enabled: false
+  ## @param ingress.className The ingress class name.
   className: nginx
   tls:
+    ## @param ingress.tls.enabled Enable the ingress.
     enabled: true
+    ## @param ingress.tls.secretName The secret holding the SSL/TLS certificate. Needs to have keys `tls.crt` and `tls.key` and optionally `ca.crt`.
     secretName: ingress-cert
   annotations:
+    ## @skip ingress.annotations.basic The ingress rules for proxying requests directly to services.
     basic: { }
     #      nginx.org/path-regex: "case_sensitive"
     #      nginx.ingress.kubernetes.io/use-regex: "true"
     #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+    ## @skip ingress.annotations.rewriteApi The ingress rules for rewriting certain paths to /api/.
     rewriteApi:
       #      nginx.org/path-regex: "case_sensitive"
       #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /api/$1
+    ## @skip ingress.annotations.rewriteRoot The ingress rules for rewriting certain paths to /.
     rewriteRoot:
       #      nginx.org/path-regex: "case_sensitive"
       #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /$1
+    ## @skip ingress.annotations.rewriteRootSecure The ingress rules for rewriting certain paths to / and force SSL/TLS encrypted traffic.
     rewriteRootSecure:
       #      nginx.org/path-regex: "case_sensitive"
       #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
@@ -766,6 +893,7 @@ ingress:
       nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /$1
+    ## @skip ingress.annotations.rewritePid The ingress rules for rewriting certain paths to /api/identifier/.
     rewritePid:
       #      nginx.org/path-regex: "case_sensitive"
       #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer