diff --git a/dbrepo-auth-service/dbrepo-realm.json b/dbrepo-auth-service/dbrepo-realm.json
index 270ca00a1f59dedc2b3f9b25b7c30c73064f7c82..be38bbb1b44c10635ef7772293105c422715e4d7 100644
--- a/dbrepo-auth-service/dbrepo-realm.json
+++ b/dbrepo-auth-service/dbrepo-realm.json
@@ -2237,7 +2237,7 @@
 "enabled" : [ "true" ],
 "usernameLDAPAttribute" : [ "uid" ],
 "bindDn" : [ "cn=admin,dc=dbrepo,dc=at" ],
- "bindCredential" : [ "adminpassword" ],
+ "bindCredential" : [ "admin" ],
 "changedSyncPeriod" : [ "-1" ],
 "lastSync" : [ "1719252666" ],
 "vendor" : [ "other" ],
diff --git a/dbrepo-data-db/README.md b/dbrepo-data-db/README.md
index 94eb341d841ea5150c920ada2461cf9f1302555f..c2dfb1b0c65e7e97903457dfafc7ed7d913d2b94 100644
--- a/dbrepo-data-db/README.md
+++ b/dbrepo-data-db/README.md
@@ -1 +1,5 @@
-# Data Database
\ No newline at end of file
+# Data Database
+
+S3 Import
+
+https://mariadb.com/kb/en/s3-storage-engine-system-variables/
\ No newline at end of file
diff --git a/dbrepo-data-db/enable_history_insert.cnf b/dbrepo-data-db/enable_history_insert.cnf
new file mode 100644
index 0000000000000000000000000000000000000000..7bced156c829b3dbd4d6221dfd9654045c6f501e
--- /dev/null
+++ b/dbrepo-data-db/enable_history_insert.cnf
@@ -0,0 +1 @@
+secure_timestamp="SUPER"
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 43c3fbbfb133fe87b0d1138d2d7cbce46750a3c6..78dd4191ac2059cc3a1441c6c3d5ed667076cd4b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,6 +39,7 @@ services:
 hostname: data-db
 image: docker.io/bitnami/mariadb:11.1.3-debian-11-r6
 volumes:
+ - ./dbrepo-data-db/enable_history_insert.cnf:/opt/bitnami/mariadb/conf.default/enable_history_insert.cnf
 - "${SHARED_VOLUME:-/tmp}:/tmp"
 - data-db-data:/bitnami/mariadb
 ports:
diff --git a/helm/dbrepo/README.md b/helm/dbrepo/README.md
index 48848c588c1698d2f578a0b39543ba6610d0bc4e..ddf972b2b77bcd5ec00c82522c70da39ac5c8bcf 100644
--- a/helm/dbrepo/README.md
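Review bot: The LDAP bind credential of the Keycloak user federation (`"bindCredential" : [ "admin" ]`, right under `bindDn` `cn=admin,dc=dbrepo,dc=at`) stays a plaintext literal in the committed realm export, and this hunk only swaps one weak value for a shorter one; both remain readable in repository history. Keycloak can resolve this field through its vault SPI, so the export could carry `"bindCredential" : [ "${vault.ldap-bind-credential}" ]` (key name is a placeholder) and the real secret be supplied at deploy time. Presumably the new value has to match the admin password configured for the LDAP server elsewhere in the stack, which this diff does not show; worth confirming both are changed together.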
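Review bot: The new option file has no option-group header, so `secure_timestamp="SUPER"` precedes any `[mariadb]`/`[mysqld]` group; MariaDB's option-file parser treats an option without a preceding group as an error, so the setting is either not applied or stops the server, and neither outcome is what the file name promises. Put `[mariadb]` on its own line before `secure_timestamp=SUPER`, and end the file with a newline so the `\ No newline at end of file` marker disappears. A one-line comment stating the effect would also help, because this value restricts explicit `@@timestamp` changes to accounts holding SUPER rather than enabling anything on its own; the `dataservice.grant.write` set documented in the chart does not include SUPER, so confirm which accounts are expected to perform history inserts.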
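Review bot: The added bind mount targets `/opt/bitnami/mariadb/conf.default/`, which in the Bitnami image is the template directory rather than the directory the server's `my.cnf` includes, so whether the running server ever reads this file depends on the entrypoint copying that directory into `conf/` on first start; confirm against the image's `my.cnf` `!include` directives before relying on it. Independently, the mount is read-write; `- ./dbrepo-data-db/enable_history_insert.cnf:/opt/bitnami/mariadb/conf.default/enable_history_insert.cnf:ro` keeps the container from altering the checked-in option file. The `services:` block continues outside the hunk.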
+++ b/helm/dbrepo/README.md @@ -45,6 +45,13 @@ The command removes all the Kubernetes components associated with the chart and ## Parameters +### Global parameters + +| Name | Description | Value | +| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | + ### Common parameters | Name | Description | Value | 
@@ -137,67 +144,121 @@ The command removes all the Kubernetes components associated with the chart and ### Analyse Service -| Name | Description | Value | -| ----------------------------- | ----------------------------------------------------------- | ------------------------------- | -| `analyseservice.enabled` | Enable the Broker Service. | `true` | -| `analyseservice.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. | `false` | -| `analyseservice.endpoint` | The url of the endpoint. | `http://analyse-service` | -| `analyseservice.s3.endpoint` | The S3-capable endpoint the microservice connects to. | `http://storageservice-s3:9000` | -| `analyseservice.replicaCount` | The number of replicas. | `2` | +| Name | Description | Value | +| ------------------------------------------------------------------ | ----------------------------------------------------------- | ------------------------------- | +| `analyseservice.enabled` | Enable the Broker Service. | `true` | +| `analyseservice.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. 
| `false` | +| `analyseservice.podSecurityContext.enabled` | Enable pods' Security Context | `true` | +| `analyseservice.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `analyseservice.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `analyseservice.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `analyseservice.podSecurityContext.fsGroup` | Set RabbitMQ pod's Security Context fsGroup | `1001` | +| `analyseservice.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `analyseservice.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `analyseservice.containerSecurityContext.runAsUser` | Set RabbitMQ containers' Security Context runAsUser | `1001` | +| `analyseservice.containerSecurityContext.runAsGroup` | Set RabbitMQ containers' Security Context runAsGroup | `1001` | +| `analyseservice.containerSecurityContext.runAsNonRoot` | Set RabbitMQ container's Security Context runAsNonRoot | `true` | +| `analyseservice.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | +| `analyseservice.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `analyseservice.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | +| `analyseservice.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `analyseservice.endpoint` | The url of the endpoint. | `http://analyse-service` | +| `analyseservice.s3.endpoint` | The S3-capable endpoint the microservice connects to. | `http://storageservice-s3:9000` | +| `analyseservice.replicaCount` | The number of replicas. 
| `2` | ### Metadata Service -| Name | Description | Value | -| ------------------------------------------ | ---------------------------------------------------------------------------------- | ------------------------------- | -| `metadataservice.enabled` | Enable the Metadata Service. | `true` | -| `metadataservice.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. | `false` | -| `metadataservice.endpoint` | The Metadata Service endpoint. | `http://metadata-service` | -| `metadataservice.admin.email` | The OAI-PMH exposed e-mail for contacting the metadata records responsible person. | `noreply@example.com` | -| `metadataservice.deletedRecord` | The OAI-PMH exposed delete policy. | `permanent` | -| `metadataservice.repositoryName` | The OAI-PMH exposed repository name. | `Database Repository` | -| `metadataservice.granularity` | The OAI-PMH exposed record granularity. | `YYYY-MM-DDThh:mm:ssZ` | -| `metadataservice.datacite.enabled` | If set to true, the service mints DOIs instead of local PIDs. | `false` | -| `metadataservice.datacite.url` | The DataCite api endpoint url. | `https://api.datacite.org` | -| `metadataservice.datacite.prefix` | The DataCite prefix. | `""` | -| `metadataservice.datacite.username` | The DataCite api username. | `""` | -| `metadataservice.datacite.password` | The DataCite api user password. | `""` | -| `metadataservice.sparql.connectionTimeout` | The connection timeout for sparql queries fetching remote data in ms. | `10000` | -| `metadataservice.s3.endpoint` | The S3-capable endpoint the microservice connects to. | `http://storageservice-s3:9000` | -| `metadataservice.s3.auth.username` | The S3-capable endpoint username (or access key id). | `seaweedfsadmin` | -| `metadataservice.s3.auth.password` | The S3-capable endpoint user password (or access key secret). | `seaweedfsadmin` | -| `metadataservice.replicaCount` | The number of replicas. 
| `2` | +| Name | Description | Value | +| ------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ------------------------------- | +| `metadataservice.enabled` | Enable the Broker Service. | `true` | +| `metadataservice.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. | `false` | +| `metadataservice.podSecurityContext.enabled` | Enable pods' Security Context | `true` | +| `metadataservice.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `metadataservice.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `metadataservice.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `metadataservice.podSecurityContext.fsGroup` | Set RabbitMQ pod's Security Context fsGroup | `1001` | +| `metadataservice.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `metadataservice.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `metadataservice.containerSecurityContext.runAsUser` | Set RabbitMQ containers' Security Context runAsUser | `1001` | +| `metadataservice.containerSecurityContext.runAsGroup` | Set RabbitMQ containers' Security Context runAsGroup | `1001` | +| `metadataservice.containerSecurityContext.runAsNonRoot` | Set RabbitMQ container's Security Context runAsNonRoot | `true` | +| `metadataservice.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | +| `metadataservice.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `metadataservice.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | +| `metadataservice.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp 
profile | `RuntimeDefault` | +| `metadataservice.endpoint` | The Metadata Service endpoint. | `http://metadata-service` | +| `metadataservice.admin.email` | The OAI-PMH exposed e-mail for contacting the metadata records responsible person. | `noreply@example.com` | +| `metadataservice.deletedRecord` | The OAI-PMH exposed delete policy. | `permanent` | +| `metadataservice.repositoryName` | The OAI-PMH exposed repository name. | `Database Repository` | +| `metadataservice.granularity` | The OAI-PMH exposed record granularity. | `YYYY-MM-DDThh:mm:ssZ` | +| `metadataservice.datacite.enabled` | If set to true, the service mints DOIs instead of local PIDs. | `false` | +| `metadataservice.datacite.url` | The DataCite api endpoint url. | `https://api.datacite.org` | +| `metadataservice.datacite.prefix` | The DataCite prefix. | `""` | +| `metadataservice.datacite.username` | The DataCite api username. | `""` | +| `metadataservice.datacite.password` | The DataCite api user password. | `""` | +| `metadataservice.sparql.connectionTimeout` | The connection timeout for sparql queries fetching remote data in ms. | `10000` | +| `metadataservice.s3.endpoint` | The S3-capable endpoint the microservice connects to. | `http://storageservice-s3:9000` | +| `metadataservice.s3.auth.username` | The S3-capable endpoint username (or access key id). | `seaweedfsadmin` | +| `metadataservice.s3.auth.password` | The S3-capable endpoint user password (or access key secret). | `seaweedfsadmin` | +| `metadataservice.replicaCount` | The number of replicas. | `2` | ### Data Service -| Name | Description | Value | -| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------- | -| `dataservice.enabled` | Enable the Metadata Service. 
| `true` | -| `dataservice.endpoint` | The endpoint for the microservices. | `http://data-service` | -| `dataservice.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. | `false` | -| `dataservice.grant.read` | The default database permissions for users with read access. | `SELECT` | -| `dataservice.grant.write` | The default database permissions for users with write access. | `SELECT, CREATE, CREATE VIEW, CREATE ROUTINE, CREATE TEMPORARY TABLES, LOCK TABLES, INDEX, TRIGGER, INSERT, UPDATE, DELETE` | -| `dataservice.default.date` | The default date format id for dates. Default: YYYY-MM-dd (e.g. 2024-06-15). | `3` | -| `dataservice.default.time` | The default date format id for times. Default: HH:mm:ss (e.g. 14:23:42). | `4` | -| `dataservice.default.timestamp` | The default date format id for timestamps. Default: YYYY-MM-dd HH:mm:ss (e.g. 2024-06-15 14:23:42). | `1` | -| `dataservice.rabbitmq.consumerConcurrentMin` | The minimal number of RabbitMQ consumers. | `2` | -| `dataservice.rabbitmq.consumerConcurrentMax` | The maximal number of RabbitMQ consumers. | `6` | -| `dataservice.rabbitmq.requeueRejected` | If set to true, rejected tuples will be re-queued. | `false` | -| `dataservice.rabbitmq.consumer.username` | The username for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.users`. | `admin` | -| `dataservice.rabbitmq.consumer.password` | The user password for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.userPasswords`. | `admin` | -| `dataservice.s3.endpoint` | The S3-capable endpoint the microservice connects to. | `http://storageservice-s3:9000` | -| `dataservice.s3.auth.username` | The S3-capable endpoint username (or access key id). | `seaweedfsadmin` | -| `dataservice.s3.auth.password` | The S3-capable endpoint user password (or access key secret). 
| `seaweedfsadmin` | -| `dataservice.s3.filePath` | The local location to download/upload files from/to S3-capable endpoint. | `/s3` | -| `dataservice.replicaCount` | The number of replicas. | `2` | +| Name | Description | Value | +| --------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------- | +| `dataservice.enabled` | Enable the Broker Service. | `true` | +| `dataservice.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. | `false` | +| `dataservice.podSecurityContext.enabled` | Enable pods' Security Context | `true` | +| `dataservice.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `dataservice.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `dataservice.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `dataservice.podSecurityContext.fsGroup` | Set RabbitMQ pod's Security Context fsGroup | `1001` | +| `dataservice.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `dataservice.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `dataservice.containerSecurityContext.runAsUser` | Set RabbitMQ containers' Security Context runAsUser | `1001` | +| `dataservice.containerSecurityContext.runAsGroup` | Set RabbitMQ containers' Security Context runAsGroup | `1001` | +| `dataservice.containerSecurityContext.runAsNonRoot` | Set RabbitMQ container's Security Context runAsNonRoot | `true` | +| `dataservice.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | +| `dataservice.containerSecurityContext.readOnlyRootFilesystem` | Set container's 
Security Context readOnlyRootFilesystem | `false` | +| `dataservice.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | +| `dataservice.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `dataservice.grant.read` | The default database permissions for users with read access. | `SELECT` | +| `dataservice.grant.write` | The default database permissions for users with write access. | `SELECT, CREATE, CREATE VIEW, CREATE ROUTINE, CREATE TEMPORARY TABLES, LOCK TABLES, INDEX, TRIGGER, INSERT, UPDATE, DELETE` | +| `dataservice.default.date` | The default date format id for dates. Default: YYYY-MM-dd (e.g. 2024-06-15). | `3` | +| `dataservice.default.time` | The default date format id for times. Default: HH:mm:ss (e.g. 14:23:42). | `4` | +| `dataservice.default.timestamp` | The default date format id for timestamps. Default: YYYY-MM-dd HH:mm:ss (e.g. 2024-06-15 14:23:42). | `1` | +| `dataservice.rabbitmq.consumerConcurrentMin` | The minimal number of RabbitMQ consumers. | `2` | +| `dataservice.rabbitmq.consumerConcurrentMax` | The maximal number of RabbitMQ consumers. | `6` | +| `dataservice.rabbitmq.requeueRejected` | If set to true, rejected tuples will be re-queued. | `false` | +| `dataservice.rabbitmq.consumer.username` | The username for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.users`. | `admin` | +| `dataservice.rabbitmq.consumer.password` | The user password for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.userPasswords`. | `admin` | +| `dataservice.s3.endpoint` | The S3-capable endpoint the microservice connects to. | `http://storageservice-s3:9000` | +| `dataservice.s3.auth.username` | The S3-capable endpoint username (or access key id). 
| `seaweedfsadmin` | +| `dataservice.s3.auth.password` | The S3-capable endpoint user password (or access key secret). | `seaweedfsadmin` | +| `dataservice.s3.filePath` | The local location to download/upload files from/to S3-capable endpoint. | `/s3` | +| `dataservice.replicaCount` | The number of replicas. | `2` | ### Search Service -| Name | Description | Value | -| ---------------------------- | ----------------------------------------------------------- | ----------------------- | -| `searchservice.enabled` | Enable the Search Service. | `true` | -| `searchservice.endpoint` | The endpoint for the microservices. | `http://search-service` | -| `searchservice.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. | `false` | -| `searchservice.replicaCount` | The number of replicas. | `2` | +| Name | Description | Value | +| ----------------------------------------------------------------- | ----------------------------------------------------------- | ---------------- | +| `searchservice.enabled` | Enable the Broker Service. | `true` | +| `searchservice.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. 
| `false` | +| `searchservice.podSecurityContext.enabled` | Enable pods' Security Context | `true` | +| `searchservice.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `searchservice.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `searchservice.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `searchservice.podSecurityContext.fsGroup` | Set RabbitMQ pod's Security Context fsGroup | `1001` | +| `searchservice.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `searchservice.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `searchservice.containerSecurityContext.runAsUser` | Set RabbitMQ containers' Security Context runAsUser | `1001` | +| `searchservice.containerSecurityContext.runAsGroup` | Set RabbitMQ containers' Security Context runAsGroup | `1001` | +| `searchservice.containerSecurityContext.runAsNonRoot` | Set RabbitMQ container's Security Context runAsNonRoot | `true` | +| `searchservice.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | +| `searchservice.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `true` | +| `searchservice.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | +| `searchservice.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `searchservice.replicaCount` | The number of replicas. | `2` | ### Storage Service 
@@ -222,25 +283,39 @@ The command removes all the Kubernetes components associated with the chart and ### User Interface -| Name | Description | Value | -| --------------------------------- | ---------------------------------------------------------------------------- | ----------------------- | -| `ui.enabled` | Enable the User Interface. | `true` | -| `ui.image.debug` | Set the logging level to `trace`. Otherwise, set to `info`. | `false` | -| `ui.public.api.client` | The endpoint for the client api. | `""` | -| `ui.public.api.server` | The endpoint for the server api. | `""` | -| `ui.public.title` | The user interface title. | `Database Repository` | -| `ui.public.logo` | The user interface logo. | `/logo.svg` | -| `ui.public.icon` | The user interface icon. | `/favicon.ico` | -| `ui.public.touch` | The user interface apple touch icon. | `/apple-touch-icon.png` | -| `ui.public.broker.host` | The displayed broker hostname. | `example.com` | -| `ui.public.broker.port.5671` | Enable display of the broker 5671 port and mark it as secure (SSL/TLS). | `true` | -| `ui.public.broker.port.5672` | Enable display of the broker 5672 port and mark it as insecure (no SSL/TLS). | `false` | -| `ui.public.broker.extra` | Extra metadata displayed. | `""` | -| `ui.public.database.extra` | Extra metadata displayed. | `128.130.0.0/15` | -| `ui.public.pid.default.publisher` | The default dataset publisher for persisted identifiers. | `Example University` | -| `ui.public.doi.enabled` | Enable the display that DOIs are minted. | `false` | -| `ui.public.doi.endpoint` | The DOI proxy. | `https://doi.org` | -| `ui.replicaCount` | The number of replicas. | `2` | +| Name | Description | Value | +| ------------------------------------------------------ | ---------------------------------------------------------------------------- | ----------------------- | +| `ui.enabled` | Enable the Broker Service. | `true` | +| `ui.image.debug` | Set the logging level to `trace`. 
Otherwise, set to `info`. | `false` | +| `ui.podSecurityContext.enabled` | Enable pods' Security Context | `true` | +| `ui.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` | +| `ui.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` | +| `ui.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` | +| `ui.podSecurityContext.fsGroup` | Set RabbitMQ pod's Security Context fsGroup | `1001` | +| `ui.containerSecurityContext.enabled` | Enabled containers' Security Context | `true` | +| `ui.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` | +| `ui.containerSecurityContext.runAsUser` | Set RabbitMQ containers' Security Context runAsUser | `1001` | +| `ui.containerSecurityContext.runAsGroup` | Set RabbitMQ containers' Security Context runAsGroup | `1001` | +| `ui.containerSecurityContext.runAsNonRoot` | Set RabbitMQ container's Security Context runAsNonRoot | `true` | +| `ui.containerSecurityContext.allowPrivilegeEscalation` | Set container's privilege escalation | `false` | +| `ui.containerSecurityContext.readOnlyRootFilesystem` | Set container's Security Context readOnlyRootFilesystem | `false` | +| `ui.containerSecurityContext.capabilities.drop` | Set container's Security Context runAsNonRoot | `["ALL"]` | +| `ui.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` | +| `ui.public.api.client` | The endpoint for the client api. | `""` | +| `ui.public.api.server` | The endpoint for the server api. | `""` | +| `ui.public.title` | The user interface title. | `Database Repository` | +| `ui.public.logo` | The user interface logo. | `/logo.svg` | +| `ui.public.icon` | The user interface icon. | `/favicon.ico` | +| `ui.public.touch` | The user interface apple touch icon. | `/apple-touch-icon.png` | +| `ui.public.broker.host` | The displayed broker hostname. 
| `example.com` | +| `ui.public.broker.port.5671` | Enable display of the broker 5671 port and mark it as secure (SSL/TLS). | `true` | +| `ui.public.broker.port.5672` | Enable display of the broker 5672 port and mark it as insecure (no SSL/TLS). | `false` | +| `ui.public.broker.extra` | Extra metadata displayed. | `""` | +| `ui.public.database.extra` | Extra metadata displayed. | `128.130.0.0/15` | +| `ui.public.pid.default.publisher` | The default dataset publisher for persisted identifiers. | `Example University` | +| `ui.public.doi.enabled` | Enable the display that DOIs are minted. | `false` | +| `ui.public.doi.endpoint` | The DOI proxy. | `https://doi.org` | +| `ui.replicaCount` | The number of replicas. | `2` | ### Ingress diff --git a/helm/dbrepo/values.schema.json b/helm/dbrepo/values.schema.json index 5872dd5e3a81b779cdf37c01cac04afa2d73e17a..0e1d72462caa8ecaa85d9eacd79822cb19f89dd1 100644 --- a/helm/dbrepo/values.schema.json +++ b/helm/dbrepo/values.schema.json @@ -3,6 +3,51 @@ "properties": { "analyseservice": { "properties": { + "containerSecurityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "type": "string" + }, + "seccompProfile": { + "properties": { + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, "enabled": { "type": "boolean" }, 
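Review bot: `seLinuxOptions` is declared as `"type": "string"` in the new `analyseservice.containerSecurityContext` schema, but in Kubernetes it is an object (`level`, `role`, `type`, `user`) and the chart's own default is `null` (the `values.yaml` hunk annotates it `[object,nullable]`), so anyone who actually sets SELinux options is rejected by schema validation, and whether the null default passes depends on Helm dropping it before validating. Change it to `"seLinuxOptions": { "type": ["object", "null"] }`. The same declaration is repeated in the dataservice, metadataservice, searchservice and ui hunks that follow.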
@@ -23,9 +68,56 @@ }, "type": "object" }, + "podSecurityContext": { + "properties": { + "enabled": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "type": "string" + }, + "supplementalGroups": { + "type": "array" + }, + "sysctls": { + "type": "array" + } + }, + "type": "object" + }, "replicaCount": { "type": "integer" }, + "resources": { + "properties": { + "limits": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + }, + "requests": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, "s3": { "properties": { "endpoint": { @@ -579,6 +671,51 @@ }, "dataservice": { "properties": { + "containerSecurityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "type": "string" + }, + "seccompProfile": { + "properties": { + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, "default": { "properties": { "date": { @@ -596,9 +733,6 @@ "enabled": { "type": "boolean" }, - "endpoint": { - "type": "string" - }, "grant": { "properties": { "read": { @@ -624,6 +758,26 @@ }, "type": "object" }, + "podSecurityContext": { + "properties": { + "enabled": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "type": "string" + }, + "supplementalGroups": { + "type": "array" + }, + "sysctls": { + "type": "array" + } + }, + "type": "object" + }, "rabbitmq": { "properties": { "consumer": { 
@@ -691,6 +845,27 @@ "gateway": { "type": "string" }, + "global": { + "properties": { + "compatibility": { + "properties": { + "openshift": { + "properties": { + "adaptSecurityContext": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "storageClass": { + "type": "string" + } + }, + "type": "object" + }, "hostname": { "type": "string" }, @@ -930,6 +1105,51 @@ }, "type": "object" }, + "containerSecurityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "type": "string" + }, + "seccompProfile": { + "properties": { + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, "datacite": { "properties": { "enabled": { @@ -976,12 +1196,59 @@ }, "type": "object" }, + "podSecurityContext": { + "properties": { + "enabled": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "type": "string" + }, + "supplementalGroups": { + "type": "array" + }, + "sysctls": { + "type": "array" + } + }, + "type": "object" + }, "replicaCount": { "type": "integer" }, "repositoryName": { "type": "string" }, + "resources": { + "properties": { + "limits": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + }, + "requests": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, "s3": { "properties": { "auth": { 
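Review bot: `global.compatibility.openshift.adaptSecurityContext` is typed only as `"type": "string"` in the first hunk on this line, although the `values.yaml` hunk in this same commit documents exactly three accepted values (`auto`, `force`, `disabled`); a typo such as `disable` passes validation and the chart would then presumably apply whichever behaviour its templates fall back to, not what the operator intended. Constraining it with `"adaptSecurityContext": { "type": "string", "enum": ["auto", "force", "disabled"] }` lets `helm lint` and install reject the typo up front.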
@@ -1065,12 +1332,54 @@ }, "searchservice": { "properties": { + "containerSecurityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "type": "string" + }, + "seccompProfile": { + "properties": { + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, "enabled": { "type": "boolean" }, - "endpoint": { - "type": "string" - }, "image": { "properties": { "debug": { @@ -1101,8 +1410,55 @@ }, "type": "object" }, + "podSecurityContext": { + "properties": { + "enabled": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "type": "string" + }, + "supplementalGroups": { + "type": "array" + }, + "sysctls": { + "type": "array" + } + }, + "type": "object" + }, "replicaCount": { "type": "integer" + }, + "resources": { + "properties": { + "limits": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + }, + "requests": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" } }, "type": "object" 
@@ -1238,6 +1594,51 @@ }, "ui": { "properties": { + "containerSecurityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "type": "string" + }, + "seccompProfile": { + "properties": { + "type": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, "enabled": { "type": "boolean" }, @@ -1261,6 +1662,26 @@ }, "type": "object" }, + "podSecurityContext": { + "properties": { + "enabled": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "type": "string" + }, + "supplementalGroups": { + "type": "array" + }, + "sysctls": { + "type": "array" + } + }, + "type": "object" + }, "public": { "properties": { "api": { @@ -1372,6 +1793,33 @@ }, "replicaCount": { "type": "integer" + }, + "resources": { + "properties": { + "limits": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + }, + "requests": { + "properties": { + "cpu": { + "type": "string" + }, + "memory": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" } }, "type": "object" diff --git a/helm/dbrepo/values.yaml b/helm/dbrepo/values.yaml index 0ae0af178af2c40149511578a35dcb48dc6e296e..172a18537257dde3bef2153f3f666b2809fd018d 100644 --- a/helm/dbrepo/values.yaml +++ b/helm/dbrepo/values.yaml 
@@ -1,23 +1,29 @@
 # Copyright the DBRepo developers
 # SPDX-License-Identifier: APACHE-2.0
+## @section Global parameters
+
+global:
+ ## Compatibility adaptations for Kubernetes platforms
+ compatibility:
+ ## Compatibility adaptations for Openshift
+ openshift:
+ ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
+ adaptSecurityContext: auto
+ ## @param global.storageClass Global StorageClass for Persistent Volume(s)
+ storageClass: ""
+
 ## @section Common parameters
-##
 ## @param namespace The namespace to install the chart
-##
 namespace: dbrepo
 ## @param hostname The hostname.
-##
 hostname: example.com
 ## @param gateway The gateway endpoint.
-##
 gateway: https://example.com
 ## @param strategyType The image pull
-##
 strategyType: RollingUpdate
 ## @param clusterDomain The cluster domain.
-##
 clusterDomain: cluster.local
 ## @section Metadata Database
@@ -336,24 +342,40 @@ analyseservice:
 pullPolicy: Always
 ## @param analyseservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 podSecurityContext:
+ ## @param analyseservice.podSecurityContext.enabled Enable pods' Security Context
 enabled: true
+ ## @param analyseservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
 fsGroupChangePolicy: Always
+ ## @param analyseservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
 sysctls: [ ]
+ ## @param analyseservice.podSecurityContext.supplementalGroups Set filesystem extra groups
 supplementalGroups: [ ]
+ ## @param analyseservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
 fsGroup: 1001
 containerSecurityContext:
+ ## @param analyseservice.containerSecurityContext.enabled Enabled containers' Security Context
 enabled: true
+ ## @param analyseservice.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 seLinuxOptions: null
+ ## @param analyseservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
 runAsUser: 1001
+ ## @param analyseservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
 runAsGroup: 1001
+ ## @param analyseservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
 runAsNonRoot: true
+ ## @param analyseservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
 allowPrivilegeEscalation: false
+ ## @param analyseservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
 readOnlyRootFilesystem: false
 capabilities:
+ ## @param analyseservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
 drop: [ "ALL" ]
 seccompProfile:
+ ## @param analyseservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 type: "RuntimeDefault"
+ ## @skip analyseservice.resources
 resources:
 requests:
 cpu: 250m
@@ -373,7 +395,7 @@ analyseservice:
 ## @section Metadata Service
 metadataservice:
- ## @param metadataservice.enabled Enable the Metadata Service.
+ ## @param metadataservice.enabled Enable the Broker Service.
 enabled: true
 image:
 ## @skip metadataservice.image.name
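Review bot: Most of the new `@param` descriptions in the analyseservice hunk were copied from a RabbitMQ chart and document the wrong component — `Set RabbitMQ pod's Security Context fsGroup`, `Set RabbitMQ containers' Security Context runAsUser`/`runAsGroup`, `Set RabbitMQ container's Security Context runAsNonRoot` — and the `capabilities.drop` line is described as `Set container's Security Context runAsNonRoot`, which is a different key. Suggest naming the service and the key, e.g. `## @param analyseservice.podSecurityContext.fsGroup Set the Analyse Service pod's Security Context fsGroup` and `## @param analyseservice.containerSecurityContext.capabilities.drop List of capabilities to drop from the container`; `Enabled containers' Security Context` should read `Enable containers' Security Context`. These descriptions feed the generated README parameter table, so the wrong text will be published. The same copied text appears in the metadataservice, dataservice, searchservice and ui hunks that follow.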
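Review bot: `## @param metadataservice.enabled Enable the Broker Service.` replaces a correct description with one that names a different service; the value still toggles the Metadata Service. Suggest keeping `## @param metadataservice.enabled Enable the Metadata Service.`. The same mislabelling is introduced for `dataservice.enabled`, `searchservice.enabled` and `ui.enabled` in the short hunks further down, each of which previously named its own service.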
@@ -382,24 +404,40 @@ metadataservice:
 pullPolicy: Always
 ## @param metadataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 podSecurityContext:
+ ## @param metadataservice.podSecurityContext.enabled Enable pods' Security Context
 enabled: true
+ ## @param metadataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
 fsGroupChangePolicy: Always
+ ## @param metadataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
 sysctls: [ ]
+ ## @param metadataservice.podSecurityContext.supplementalGroups Set filesystem extra groups
 supplementalGroups: [ ]
+ ## @param metadataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
 fsGroup: 1001
 containerSecurityContext:
+ ## @param metadataservice.containerSecurityContext.enabled Enabled containers' Security Context
 enabled: true
+ ## @param metadataservice.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 seLinuxOptions: null
+ ## @param metadataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
 runAsUser: 1001
+ ## @param metadataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
 runAsGroup: 1001
+ ## @param metadataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
 runAsNonRoot: true
+ ## @param metadataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
 allowPrivilegeEscalation: false
+ ## @param metadataservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
 readOnlyRootFilesystem: false
 capabilities:
+ ## @param metadataservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
 drop: [ "ALL" ]
 seccompProfile:
+ ## @param metadataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 type: "RuntimeDefault"
+ ## @skip metadataservice.resources
 resources:
 requests:
 cpu: 250m
@@ -450,10 +488,8 @@ metadataservice:
 ## @section Data Service
 dataservice:
- ## @param dataservice.enabled Enable the Metadata Service.
+ ## @param dataservice.enabled Enable the Broker Service.
 enabled: true
- ## @param dataservice.endpoint The endpoint for the microservices.
- endpoint: http://data-service
 image:
 ## @skip dataservice.image.name
 name: registry.datalab.tuwien.ac.at/dbrepo/data-service:1.4.4
@@ -461,31 +497,40 @@ dataservice:
 pullPolicy: Always
 ## @param dataservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 podSecurityContext:
+ ## @param dataservice.podSecurityContext.enabled Enable pods' Security Context
 enabled: true
+ ## @param dataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
 fsGroupChangePolicy: Always
+ ## @param dataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
 sysctls: [ ]
+ ## @param dataservice.podSecurityContext.supplementalGroups Set filesystem extra groups
 supplementalGroups: [ ]
+ ## @param dataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
 fsGroup: 1001
 containerSecurityContext:
+ ## @param dataservice.containerSecurityContext.enabled Enabled containers' Security Context
 enabled: true
+ ## @param dataservice.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 seLinuxOptions: null
+ ## @param dataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
 runAsUser: 1001
+ ## @param dataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
 runAsGroup: 1001
+ ## @param dataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
 runAsNonRoot: true
+ ## @param dataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
 allowPrivilegeEscalation: false
+ ## @param dataservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
 readOnlyRootFilesystem: false
 capabilities:
+ ## @param dataservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
 drop: [ "ALL" ]
 seccompProfile:
+ ## @param dataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 type: "RuntimeDefault"
- resources:
- requests:
- cpu: 250m
- memory: 512Mi
- limits:
- cpu: 1000m
- memory: 2048Mi
+ ## @skip dataservice.resources
 grant:
 ## @param dataservice.grant.read The default database permissions for users with read access.
 read: SELECT
@@ -530,10 +575,8 @@ dataservice:
 ## @section Search Service
 searchservice:
- ## @param searchservice.enabled Enable the Search Service.
+ ## @param searchservice.enabled Enable the Broker Service.
 enabled: true
- ## @param searchservice.endpoint The endpoint for the microservices.
- endpoint: http://search-service
 image:
 ## @skip searchservice.image.name
 name: registry.datalab.tuwien.ac.at/dbrepo/search-service:1.4.4
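Review bot: The dataservice `resources:` block (requests `250m`/`512Mi`, limits `1000m`/`2048Mi`) is deleted outright in this hunk, while every other service in this commit keeps its block and only prefixes it with `## @skip <service>.resources`; here the new `## @skip dataservice.resources` annotation is left pointing at a key that no longer exists. If the deployment template renders `.Values.dataservice.resources` the way the other services presumably do, data-service pods will now run without CPU or memory limits by default (the template is not in this diff, so this is inferred). Suggest restoring the seven removed lines directly under the `@skip` line, matching the searchservice hunk.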
@@ -541,24 +584,40 @@ searchservice:
 pullPolicy: Always
 ## @param searchservice.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 podSecurityContext:
+ ## @param searchservice.podSecurityContext.enabled Enable pods' Security Context
 enabled: true
+ ## @param searchservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
 fsGroupChangePolicy: Always
+ ## @param searchservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
 sysctls: [ ]
+ ## @param searchservice.podSecurityContext.supplementalGroups Set filesystem extra groups
 supplementalGroups: [ ]
+ ## @param searchservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
 fsGroup: 1001
 containerSecurityContext:
+ ## @param searchservice.containerSecurityContext.enabled Enabled containers' Security Context
 enabled: true
+ ## @param searchservice.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 seLinuxOptions: null
+ ## @param searchservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
 runAsUser: 1001
+ ## @param searchservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
 runAsGroup: 1001
+ ## @param searchservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
 runAsNonRoot: true
+ ## @param searchservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
 allowPrivilegeEscalation: false
+ ## @param searchservice.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
 readOnlyRootFilesystem: true
 capabilities:
+ ## @param searchservice.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
 drop: [ "ALL" ]
 seccompProfile:
+ ## @param searchservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 type: "RuntimeDefault"
+ ## @skip searchservice.resources
 resources:
 requests:
 cpu: 250m
@@ -675,7 +734,7 @@ identityservice:
 ## @section User Interface
 ui:
- ## @param ui.enabled Enable the User Interface.
+ ## @param ui.enabled Enable the Broker Service.
 enabled: true
 image:
 ## @skip ui.image.name
@@ -684,24 +743,40 @@ ui:
 pullPolicy: Always
 ## @param ui.image.debug Set the logging level to `trace`. Otherwise, set to `info`.
 debug: false
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
 podSecurityContext:
+ ## @param ui.podSecurityContext.enabled Enable pods' Security Context
 enabled: true
+ ## @param ui.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
 fsGroupChangePolicy: Always
+ ## @param ui.podSecurityContext.sysctls Set kernel settings using the sysctl interface
 sysctls: [ ]
+ ## @param ui.podSecurityContext.supplementalGroups Set filesystem extra groups
 supplementalGroups: [ ]
- fsGroup: 1000
+ ## @param ui.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
+ fsGroup: 1001
 containerSecurityContext:
+ ## @param ui.containerSecurityContext.enabled Enabled containers' Security Context
 enabled: true
+ ## @param ui.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
 seLinuxOptions: null
- runAsUser: 1000
- runAsGroup: 1000
+ ## @param ui.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
+ runAsUser: 1001
+ ## @param ui.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
+ runAsGroup: 1001
+ ## @param ui.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
 runAsNonRoot: true
+ ## @param ui.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
 allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
+ ## @param ui.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
+ readOnlyRootFilesystem: false
 capabilities:
+ ## @param ui.containerSecurityContext.capabilities.drop Set container's Security Context runAsNonRoot
 drop: [ "ALL" ]
 seccompProfile:
+ ## @param ui.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
 type: "RuntimeDefault"
+ ## @skip ui.resources
 resources:
 requests:
 cpu: 250m
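Review bot: `readOnlyRootFilesystem` for the UI container flips from `true` to `false` in this hunk, a hardening regression the commit does not explain — a writable root filesystem lets any process in the container alter its own binaries and the assets it serves, which is exactly what the previous setting prevented. If the UI image needs writable paths at runtime (cache, pid or temp directories are typical for a web frontend), the usual fix is to keep `readOnlyRootFilesystem: true` and mount an `emptyDir` on just those paths rather than disabling the control. The parallel change of `fsGroup`/`runAsUser`/`runAsGroup` from 1000 to 1001 should be checked against the user the UI image actually runs as; the UI was the only service on 1000 and the reason is not visible here, so a mismatch would surface as permission errors at start-up rather than at install time.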