# Shuffle Helm chart

## Chart Template

The Bitnami Chart Template was used for creating this chart: https://github.com/bitnami/charts/tree/7e44e64626f5b1fc6d56889cdfdeadc1f62c7cf1/template/CHART_NAME

Original license text:

```
Copyright Broadcom, Inc. All Rights Reserved.
SPDX-License-Identifier: APACHE-2.0
```

## Usage

```sh
# Install shuffle via helm (the shuffle namespace is hardcoded into the shuffle source code)
helm install shuffle oci://ghcr.io/shuffle/charts/shuffle --namespace shuffle --create-namespace
```

Make sure that no other application is deployed to the shuffle namespace, as shuffle deletes kubernetes resources in this namespace.
Only a single deployment of shuffle is supported per namespace.

## Uninstallation

```sh
# Uninstall shuffle via helm
helm uninstall shuffle --namespace shuffle

# Remove additional resources created by shuffle (such as workers and apps)
kubectl delete svc --namespace shuffle -l "app.kubernetes.io/managed-by in (shuffle-orborus,shuffle-worker)"
kubectl delete deploy --namespace shuffle -l "app.kubernetes.io/managed-by in (shuffle-orborus,shuffle-worker)"
```

## Secret Parameters

The helm chart was designed to not contain any secret data and does not allow configuring secret data using helm values.
Instead, secret values must be passed to services using `extraEnvVarsSecret` or `extraEnvVars`.
The secrets need to be manually created.

It is possible to run this helm chart without specifying any secrets.
You will be prompted to create an admin user when visiting the shuffle dashboard for the first time.
Note that information will not be encrypted without specifying the `SHUFFLE_ENCRYPTION_MODIFIER` value.

### Mounting env variables into a service

After creating secrets which hold sensitive information, you can mount them as environment variables into a service via the `extraEnvVarsSecret` or `extraEnvVars` values.

```yaml
backend:
  # Use a single secret, which holds environment variables.
  # Remember that the secret keys must exactly match the environment variable names.
  extraEnvVarsSecret: shuffle-backend-env

  # Or mount each value explicitly
  extraEnvVars:
    - name: SHUFFLE_DEFAULT_USERNAME
      valueFrom:
        secretKeyRef:
          name: "shuffle-initial-user"
          key: username
    - name: SHUFFLE_DEFAULT_PASSWORD
      valueFrom:
        secretKeyRef:
          name: "shuffle-initial-user"
          key: password
    - name: SHUFFLE_DEFAULT_APIKEY
      valueFrom:
        secretKeyRef:
          name: "shuffle-initial-user"
          key: apikey
    - name: SHUFFLE_ENCRYPTION_MODIFIER
      valueFrom:
        secretKeyRef:
          name: "shuffle-encryption"
          key: modifier
```

### Backend

A list of environment variables containing secret values for the backend.

```yaml
# OpenSearch password
SHUFFLE_OPENSEARCH_PASSWORD: ""

# Basic auth credentials for downloading apps from git
SHUFFLE_DOWNLOAD_AUTH_USERNAME: ""
SHUFFLE_DOWNLOAD_AUTH_PASSWORD: ""

# Automatically create the initial admin user. Username and password have a min length of 3.
# If not set, you are prompted with an admin user creation dialog when visiting the shuffle frontend for the first time.
SHUFFLE_DEFAULT_USERNAME: admin
SHUFFLE_DEFAULT_PASSWORD: MySecretAdminPassword1234!
SHUFFLE_DEFAULT_APIKEY: "72E41083-A6F6-4A1B-8538-B06B577F47F0" # Shuffle uses uuid v4

# Encryption modifier. This HAS to be set to encrypt any authentication being used in Shuffle.
# This is put together with other relevant values to ensure multiple parts are needed to decrypt.
# If this key is lost or changed, you will have to reauthenticate all apps.
# The encryption modifier is added to encrypted values to prevent rainbow table attacks. It can be any random string.
SHUFFLE_ENCRYPTION_MODIFIER: "MyShuffleEncryptionModifier"
```

## Shuffle Worker

By default, Orborus creates a Kubernetes Deployment and Service for Shuffle Worker.
The deployment can be customized to some degree using some of the `worker.*` helm variables.
They are converted to Orborus env variables.

If you want full control, you can also deploy Shuffle Worker using helm by enabling `worker.enableHelmDeployment`.
This approach respects all of the `worker.*` helm variables.
You can then set `orborus.manageWorkerDeployments=false` to reduce the permissions assigned to the Shuffle Orborus Kubernetes service account.

## Shuffle Apps

By default, Shuffle Worker is responsible for creating Kubernetes Deployments and Services for each app.
Each app and version has its own Deployment and Service.
Shuffle automatically deploys a set of apps. Other apps are deployed on demand, when they are first used.

You can use some of the `app.*` helm variables to control some aspects of the deployment, e.g. resources and security context.
Helm variables are converted to env variables set on Orborus. Orborus in turn passes the env variables to Worker when creating the Deployment.
When `worker.enableHelmDeployment` is set, env variables for app configuration are set on the worker directly.
Configuration using env variables applies to ALL deployed apps. There is no way to assign different options (e.g. resources) to different apps, or scale apps individually.

If you want full control, you can deploy apps using helm. This has the following advantages:

- full control over the deployment using helm values
- granular control per app and version (e.g. have more replicas and resources for frequently used apps)
- avoid problems with on-demand started apps (see https://github.com/Shuffle/Shuffle/issues/1739)

To deploy apps using helm, set `apps.enabled=true`.
By default, this deploys the `shuffle-tools`, `shuffle-subflow` and `http` apps.
You can also deploy your own apps. See the following values file for an example.

```yaml
app:
  replicaCount: 1 # default to 1 replica per app
  resources: {} # default resources for apps
  # ... configure default options for all apps here

apps:
  enabled: true # Deploy apps using helm.

  # Configure default apps
  shuffleTools:
    enabled: true # default
  shuffleSubflow:
    enabled: true # default
  http:
    enabled: true # default
    # optionally override defaults from app values:
    replicaCount: 1
    resources: {}

  # Deploy additional apps (e.g. opensearch)
  opensearch:
    enabled: true # required to actually deploy the app
    name: opensearch # required. The name and version must match the values of the `api.yaml` file of the app.
    version: 1.1.0 # required.
    # optionally change app configuration:
    replicaCount: 3
    resources: {}
```

The key of an app in the `apps` map does not matter, as long as it is unique.
We are not using an array here, to allow overriding values in stage-specific value files or using the command line, e.g. `helm upgrade ... --set apps.shuffleTools.replicas=3`.

You can override any value set in `app.*` (e.g. `app.image`, `app.replicaCount`, `app.resources`, `app.podSecurityContext`) for each app (e.g. for the `shuffle-tools` app using `apps.shuffleTools.image`, `apps.shuffleTools.replicaCount`, ...).

It is possible to use a hybrid approach: deploy some apps using helm, while still allowing Worker to create additional apps on-demand.
If you do not want Worker to manage app deployments, set `worker.manageAppDeployments=true`.
This effectively removes the required permissions from the Shuffle Worker Kubernetes Service Account.
You are required to deploy all apps that are in use by your Shuffle instance manually using Helm.

### Shuffle App Service Accounts

By default a shared `shuffle-app` service account is used for all apps.
If you are deploying apps using helm, you can choose to have a dedicated service account per app.
To enable it, set `apps.MY_APP.serviceAccount.create=true` and provide a name using `apps.MY_APP.serviceAccount.name`.
You can also set `apps.MY_APP.serviceAccount.create=false` while still providing a name to use an existing service account.

```yaml
apps:
  myAppWithCustomServiceAccount:
    enabled: true
    name: my-custom-service-account
    version: 1.0.0
    serviceAccount:
      create: true
      name: shuffle-app-myapp
  anotherAppWithExistingServiceAccount:
    enabled: true
    name: another-app
    version: 1.0.0
    serviceAccount:
      create: false
      name: existing-service-account-name
```

All service accounts use the `shuffle-app` role by default.

## OpenSearch

Shuffle uses OpenSearch as its database.
This helm chart installs a single-node OpenSearch cluster using [the Bitnami Helm Chart](https://github.com/bitnami/charts/blob/main/bitnami/opensearch/values.yaml).
You can customize the helm chart using the values of the Bitnami helm chart under the `opensearch` prefix (e.g. `opensearch.master.replicaCount`).

Alternatively, you can disable the built-in OpenSearch installation using `opensearch.enabled=false`.
Provide your own OpenSearch url and username with `backend.openSearch.url` and `backend.openSearch.username`.
The password should be provided with the `SHUFFLE_OPENSEARCH_PASSWORD` env variable to the backend.
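The single-secret variant from "Mounting env variables into a service" needs a Secret whose keys are exactly the backend variable names, including `SHUFFLE_OPENSEARCH_PASSWORD` when an external OpenSearch is used. The script below is an added example, not part of the chart: it renders such a manifest for `shuffle-backend-env` with freshly generated values. The function names and the `SHUFFLE_ADMIN_USER` / `OPENSEARCH_PASSWORD` input variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: render the Secret consumed by backend.extraEnvVarsSecret.
# Function names and input variables are assumptions of this example.

# N random bytes from the kernel CSPRNG, hex encoded (2*N characters).
gen_random_hex() {
  od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
}

# Random UUID v4, upper case like the sample API key in the README.
gen_uuid4() {
  hex=$(gen_random_hex 16)
  # Force the two variant bits to binary 10: the digit becomes 8, 9, a or b.
  variant=$(printf '%x' $(( (0x$(printf '%s' "$hex" | cut -c17) & 0x3) | 0x8 )))
  printf '%s-%s-4%s-%s%s-%s\n' \
    "$(printf '%s' "$hex" | cut -c1-8)" \
    "$(printf '%s' "$hex" | cut -c9-12)" \
    "$(printf '%s' "$hex" | cut -c14-16)" \
    "$variant" \
    "$(printf '%s' "$hex" | cut -c18-20)" \
    "$(printf '%s' "$hex" | cut -c21-32)" | tr 'a-f' 'A-F'
}

# Base64 on one line. Using `data:` instead of `stringData:` keeps quotes,
# colons or backslashes in a password from breaking the YAML.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# $1 = admin username (min length 3, as the README states)
# $2 = password of an external OpenSearch (optional)
render_backend_env_secret() {
  admin_user=$1
  opensearch_password=${2:-}
  if [ "${#admin_user}" -lt 3 ]; then
    echo "admin username must be at least 3 characters" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: shuffle-backend-env
  namespace: shuffle
type: Opaque
data:
  SHUFFLE_DEFAULT_USERNAME: $(b64 "$admin_user")
  SHUFFLE_DEFAULT_PASSWORD: $(b64 "$(gen_random_hex 24)")
  SHUFFLE_DEFAULT_APIKEY: $(b64 "$(gen_uuid4)")
  SHUFFLE_ENCRYPTION_MODIFIER: $(b64 "$(gen_random_hex 32)")
EOF
  # Only needed when the built-in OpenSearch is disabled.
  if [ -n "$opensearch_password" ]; then
    printf '  SHUFFLE_OPENSEARCH_PASSWORD: %s\n' "$(b64 "$opensearch_password")"
  fi
}

# Print the manifest only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "render" ]; then
  render_backend_env_secret "${SHUFFLE_ADMIN_USER:-admin}" "${OPENSEARCH_PASSWORD:-}"
fi
```

Pipe the output of the `render` argument into `kubectl apply -f -` once the `shuffle` namespace exists, then install with `--set backend.extraEnvVarsSecret=shuffle-backend-env`. Every run generates a new encryption modifier, so re-applying the output to a running installation means re-authenticating all apps.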
## Parameters

##### Global parameters

| Name | Description | Value |
| --- | --- | --- |
| `global.imageRegistry` | Global Docker image registry | `""` |
| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` |
| `global.defaultStorageClass` | Global default StorageClass for Persistent Volume(s) | `""` |
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
| `global.compatibility.omitEmptySeLinuxOptions` | If set to true, removes the seLinuxOptions from the securityContexts when it is set to an empty object | `false` |

##### Common parameters

| Name | Description | Value |
| --- | --- | --- |
| `kubeVersion` | Override Kubernetes version | `""` |
| `nameOverride` | String to partially override common.names.name | `""` |
| `fullnameOverride` | String to fully override common.names.fullname | `""` |
| `namespaceOverride` | String to fully override common.names.namespace | `""` |
| `commonLabels` | Labels to add to all deployed objects | `{}` |
| `commonAnnotations` | Annotations to add to all deployed objects | `{}` |
| `clusterDomain` | Kubernetes cluster domain name | `cluster.local` |
| `extraDeploy` | Array of extra objects to deploy with the release | `[]` |
| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` |
| `diagnosticMode.command` | Command to override all containers in the chart release | `["sleep"]` |
| `diagnosticMode.args` | Args to override all containers in the chart release | `["infinity"]` |

##### Shared Shuffle Parameters

| Name | Description | Value |
| --- | --- | --- |
| `shuffle.baseUrl` | The external base URL under which Shuffle is reachable. | `""` |
| `shuffle.org` | Default shuffle organization | `Shuffle` |
| `shuffle.appRegistry` | The registry from / to which shuffle apps are pulled / pushed | `docker.io` |
| `shuffle.appBaseImageName` | The base image used for shuffle apps. The final image for an app is //: | `frikky` |
| `shuffle.timezone` | The timezone used by Shuffle | `Europe/Berlin` |

##### backend Parameters

| Name | Description | Value |
| --- | --- | --- |
| `backend.image.registry` | backend image registry | `ghcr.io` |
| `backend.image.repository` | backend image repository | `shuffle/shuffle-backend` |
| `backend.image.tag` | backend image tag (immutable tags are recommended, defaults to appVersion) | `""` |
| `backend.image.digest` | backend image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended) | `""` |
| `backend.image.pullPolicy` | backend image pull policy | `IfNotPresent` |
| `backend.image.pullSecrets` | backend image pull secrets | `[]` |
| `backend.replicaCount` | Number of backend replicas to deploy | `1` |
| `backend.containerPorts.http` | backend HTTP container port | `5001` |
| `backend.extraContainerPorts` | Optionally specify extra list of additional ports for backend containers | `[]` |
| `backend.livenessProbe.enabled` | Enable livenessProbe on backend containers | `false` |
| `backend.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` |
| `backend.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` |
| `backend.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `backend.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `4` |
| `backend.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `backend.readinessProbe.enabled` | Enable readinessProbe on backend containers | `false` |
| `backend.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `backend.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `backend.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `backend.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `backend.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `backend.startupProbe.enabled` | Enable startupProbe on backend containers | `false` |
| `backend.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `backend.startupProbe.periodSeconds` | Period seconds for startupProbe | `1` |
| `backend.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `backend.startupProbe.failureThreshold` | Failure threshold for startupProbe | `60` |
| `backend.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `backend.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `backend.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `backend.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `backend.resourcesPreset` | Set backend container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if backend.resources is set (backend.resources is recommended for production). | `small` |
| `backend.resources` | Set backend container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `backend.podSecurityContext.enabled` | Enable backend pods' Security Context | `true` |
| `backend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for backend pods | `Always` |
| `backend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for backend pods | `[]` |
| `backend.podSecurityContext.supplementalGroups` | Set filesystem extra groups for backend pods | `[]` |
| `backend.podSecurityContext.fsGroup` | Set fsGroup in backend pods' Security Context | `1001` |
| `backend.containerSecurityContext.enabled` | Enable backend container's Security Context | `true` |
| `backend.containerSecurityContext.seLinuxOptions` | Set SELinux options in backend container | `{}` |
| `backend.containerSecurityContext.runAsUser` | Set runAsUser in backend container's Security Context | `1001` |
| `backend.containerSecurityContext.runAsGroup` | Set runAsGroup in backend container's Security Context | `1001` |
| `backend.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in backend container's Security Context | `true` |
| `backend.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in backend container's Security Context | `true` |
| `backend.containerSecurityContext.privileged` | Set privileged in backend container's Security Context | `false` |
| `backend.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in backend container's Security Context | `false` |
| `backend.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in backend container | `["ALL"]` |
| `backend.containerSecurityContext.seccompProfile.type` | Set seccomp profile in backend container | `RuntimeDefault` |
| `backend.command` | Override default backend container command (useful when using custom images) | `[]` |
| `backend.args` | Override default backend container args (useful when using custom images) | `[]` |
| `backend.automountServiceAccountToken` | Mount Service Account token in backend pods | `true` |
| `backend.hostAliases` | backend pods host aliases | `[]` |
| `backend.deploymentAnnotations` | Annotations for backend deployment | `{}` |
| `backend.podLabels` | Extra labels for backend pods | `{}` |
| `backend.podAnnotations` | Annotations for backend pods | `{}` |
| `backend.podAffinityPreset` | Pod affinity preset. Ignored if `backend.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `backend.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `backend.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `backend.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `backend.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `backend.nodeAffinityPreset.key` | Node label key to match. Ignored if `backend.affinity` is set | `""` |
| `backend.nodeAffinityPreset.values` | Node label values to match. Ignored if `backend.affinity` is set | `[]` |
| `backend.affinity` | Affinity for backend pods assignment | `{}` |
| `backend.nodeSelector` | Node labels for backend pods assignment | `{}` |
| `backend.tolerations` | Tolerations for backend pods assignment | `[]` |
| `backend.updateStrategy.type` | backend deployment strategy type | `Recreate` |
| `backend.priorityClassName` | backend pods' priorityClassName | `""` |
| `backend.topologySpreadConstraints` | Topology Spread Constraints for backend pod assignment spread across your cluster among failure-domains | `[]` |
| `backend.schedulerName` | Name of the k8s scheduler (other than default) for backend pods | `""` |
| `backend.terminationGracePeriodSeconds` | Seconds backend pods need to terminate gracefully | `""` |
| `backend.lifecycleHooks` | for backend containers to automate configuration before or after startup | `{}` |
| `backend.extraEnvVars` | Array with extra environment variables to add to backend containers | `[]` |
| `backend.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for backend containers | `""` |
| `backend.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for backend containers | `""` |
| `backend.extraVolumes` | Optionally specify extra list of additional volumes for the backend pods | `[]` |
| `backend.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the backend containers | `[]` |
| `backend.sidecars` | Add additional sidecar containers to the backend pods | `[]` |
| `backend.initContainers` | Add additional init containers to the backend pods | `[]` |
| `backend.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` |
| `backend.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
| `backend.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `backend.pdb.minAvailable` and `backend.pdb.maxUnavailable` are empty. | `""` |
| `backend.autoscaling.vpa.enabled` | Enable VPA for backend pods | `false` |
| `backend.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` |
| `backend.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` |
| `backend.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` |
| `backend.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` |
| `backend.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` |
| `backend.autoscaling.hpa.enabled` | Enable HPA for backend pods | `false` |
| `backend.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` |
| `backend.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` |
| `backend.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` |
| `backend.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` |
| `backend.service.labels` | Extra labels for backend service | `{}` |
| `backend.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `backend.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `backend.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
| `backend.serviceAccount.automountServiceAccountToken` | Automount service account token for the backend service account | `true` |
| `backend.serviceAccount.imagePullSecrets` | Add image pull secrets to the backend service account | `[]` |
| `backend.rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `backend.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `backend.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `backend.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `backend.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `backend.networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
| `backend.cleanupSchedule` | The interval in seconds at which the cleanup job runs | `300` |
| `backend.openSearch.url` | The URL at which OpenSearch is available | `http://{{ .Release.Name }}-opensearch:9200` |
| `backend.openSearch.username` | The username that is used for authenticating with OpenSearch | `admin` |
| `backend.openSearch.certificateFile` | The path to a custom OpenSearch certificate file | `""` |
| `backend.openSearch.skipSSLVerify` | Skip SSL verification | `false` |
| `backend.openSearch.indexPrefix` | A prefix for OpenSearch indices | `""` |
| `backend.apps.downloadLocation` | The location of a git repository from which default apps are downloaded on startup. | `https://github.com/shuffle/python-apps` |
| `backend.apps.downloadBranch` | The branch from which apps should be downloaded on startup. | `master` |
| `backend.apps.forceUpdate` | Force an update of apps on startup. | `false` |

##### frontend Parameters

| Name | Description | Value |
| --- | --- | --- |
| `frontend.image.registry` | frontend image registry | `ghcr.io` |
| `frontend.image.repository` | frontend image repository | `shuffle/shuffle-frontend` |
| `frontend.image.tag` | frontend image tag (immutable tags are recommended, defaults to appVersion) | `""` |
| `frontend.image.digest` | frontend image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended) | `""` |
| `frontend.image.pullPolicy` | frontend image pull policy | `IfNotPresent` |
| `frontend.image.pullSecrets` | frontend image pull secrets | `[]` |
| `frontend.replicaCount` | Number of frontend replicas to deploy | `1` |
| `frontend.containerPorts.http` | frontend HTTP container port | `80` |
| `frontend.containerPorts.https` | frontend HTTPS container port | `443` |
| `frontend.extraContainerPorts` | Optionally specify extra list of additional ports for frontend containers | `[]` |
| `frontend.livenessProbe.enabled` | Enable livenessProbe on frontend containers | `false` |
| `frontend.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` |
| `frontend.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` |
| `frontend.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `frontend.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `4` |
| `frontend.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `frontend.readinessProbe.enabled` | Enable readinessProbe on frontend containers | `false` |
| `frontend.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` |
| `frontend.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `frontend.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `frontend.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `frontend.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `frontend.startupProbe.enabled` | Enable startupProbe on frontend containers | `false` |
| `frontend.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` |
| `frontend.startupProbe.periodSeconds` | Period seconds for startupProbe | `1` |
| `frontend.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `frontend.startupProbe.failureThreshold` | Failure threshold for startupProbe | `60` |
| `frontend.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `frontend.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` |
| `frontend.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` |
| `frontend.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` |
| `frontend.resourcesPreset` | Set frontend container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production). | `nano` |
| `frontend.resources` | Set frontend container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `frontend.podSecurityContext.enabled` | Enable frontend pods' Security Context | `false` |
| `frontend.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for frontend pods | `Always` |
| `frontend.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for frontend pods | `[]` |
| `frontend.podSecurityContext.supplementalGroups` | Set filesystem extra groups for frontend pods | `[]` |
| `frontend.podSecurityContext.fsGroup` | Set fsGroup in frontend pods' Security Context | `1001` |
| `frontend.containerSecurityContext.enabled` | Enable frontend container's Security Context | `false` |
| `frontend.containerSecurityContext.seLinuxOptions` | Set SELinux options in frontend container | `{}` |
| `frontend.containerSecurityContext.runAsUser` | Set runAsUser in frontend container's Security Context | `1001` |
| `frontend.containerSecurityContext.runAsGroup` | Set runAsGroup in frontend container's Security Context | `1001` |
| `frontend.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in frontend container's Security Context | `true` |
| `frontend.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in frontend container's Security Context | `true` |
| `frontend.containerSecurityContext.privileged` | Set privileged in frontend container's Security Context | `false` |
| `frontend.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in frontend container's Security Context | `false` |
| `frontend.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in frontend container | `["ALL"]` |
| `frontend.containerSecurityContext.seccompProfile.type` | Set seccomp profile in frontend container | `RuntimeDefault` |
| `frontend.command` | Override default frontend container command (useful when using custom images) | `[]` |
| `frontend.args` | Override default frontend container args (useful when using custom images) | `[]` |
| `frontend.automountServiceAccountToken` | Mount Service Account token in frontend pods | `false` |
| `frontend.hostAliases` | frontend pods host aliases | `[]` |
| `frontend.deploymentAnnotations` | Annotations for frontend deployment | `{}` |
| `frontend.podLabels` | Extra labels for frontend pods | `{}` |
| `frontend.podAnnotations` | Annotations for frontend pods | `{}` |
| `frontend.podAffinityPreset` | Pod affinity preset. Ignored if `frontend.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `frontend.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `frontend.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `frontend.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `frontend.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `frontend.nodeAffinityPreset.key` | Node label key to match. Ignored if `frontend.affinity` is set | `""` |
| `frontend.nodeAffinityPreset.values` | Node label values to match. Ignored if `frontend.affinity` is set | `[]` |
| `frontend.affinity` | Affinity for frontend pods assignment | `{}` |
| `frontend.nodeSelector` | Node labels for frontend pods assignment | `{}` |
| `frontend.tolerations` | Tolerations for frontend pods assignment | `[]` |
| `frontend.updateStrategy.type` | frontend deployment strategy type | `RollingUpdate` |
| `frontend.priorityClassName` | frontend pods' priorityClassName | `""` |
| `frontend.topologySpreadConstraints` | Topology Spread Constraints for frontend pod assignment spread across your cluster among failure-domains | `[]` |
| `frontend.schedulerName` | Name of the k8s scheduler (other than default) for frontend pods | `""` |
| `frontend.terminationGracePeriodSeconds` | Seconds frontend pods need to terminate gracefully | `""` |
| `frontend.lifecycleHooks` | for frontend containers to automate configuration before or after startup | `{}` |
| `frontend.extraEnvVars` | Array with extra environment variables to add to frontend containers | `[]` |
| `frontend.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for frontend containers | `""` |
| `frontend.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for frontend containers | `""` |
| `frontend.extraVolumes` | Optionally specify extra list of additional volumes for the frontend pods | `[]` |
| `frontend.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the frontend containers | `[]` |
| `frontend.sidecars` | Add additional sidecar containers to the frontend pods | `[]` |
| `frontend.initContainers` | Add additional init containers to the frontend pods | `[]` |
| `frontend.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` |
| `frontend.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
| `frontend.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `frontend.pdb.minAvailable` and `frontend.pdb.maxUnavailable` are empty. | `""` |
| `frontend.autoscaling.vpa.enabled` | Enable VPA for frontend pods | `false` |
| `frontend.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` |
| `frontend.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` |
| `frontend.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` |
| `frontend.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` |
| `frontend.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` |
| `frontend.autoscaling.hpa.enabled` | Enable HPA for frontend pods | `false` |
| `frontend.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` |
| `frontend.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` |
| `frontend.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` |
| `frontend.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` |
| `frontend.service.labels` | Extra labels for frontend service | `{}` |
| `frontend.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `frontend.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `frontend.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
| `frontend.serviceAccount.automountServiceAccountToken` | Automount service account token for the frontend service account | `true` |
| `frontend.serviceAccount.imagePullSecrets` | Add image pull secrets to the frontend service account | `[]` |
| `frontend.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `frontend.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `frontend.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `frontend.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `frontend.networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |

##### orborus Parameters

| Name | Description | Value |
| --- | --- | --- |
| `orborus.image.registry` | orborus image registry | `ghcr.io` |
| `orborus.image.repository` | orborus image repository | `shuffle/shuffle-orborus` |
| `orborus.image.tag` | orborus image tag (immutable tags are recommended, defaults to appVersion) | `""` |
| `orborus.image.digest` | orborus image digest in the way sha256:aa....
Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | `""` | | `orborus.image.pullPolicy` | orborus image pull policy | `IfNotPresent` | | `orborus.image.pullSecrets` | orborus image pull secrets | `[]` | | `orborus.replicaCount` | Number of orborus replicas to deploy | `1` | | `orborus.extraContainerPorts` | Optionally specify extra list of additional ports for orborus containers | `[]` | | `orborus.livenessProbe.enabled` | Enable livenessProbe on orborus containers | `false` | | `orborus.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` | | `orborus.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` | | `orborus.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | | `orborus.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `4` | | `orborus.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | | `orborus.readinessProbe.enabled` | Enable readinessProbe on orborus containers | `false` | | `orborus.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | | `orborus.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | | `orborus.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | | `orborus.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | | `orborus.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | | `orborus.startupProbe.enabled` | Enable startupProbe on orborus containers | `false` | | `orborus.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | | `orborus.startupProbe.periodSeconds` | Period seconds for startupProbe | `1` | | `orborus.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | | `orborus.startupProbe.failureThreshold` | Failure threshold for startupProbe | `60` | | `orborus.startupProbe.successThreshold` | 
Success threshold for startupProbe | `1` | | `orborus.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | | `orborus.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | | `orborus.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | | `orborus.resourcesPreset` | Set orborus container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if orborus.resources is set (orborus.resources is recommended for production). | `nano` | | `orborus.resources` | Set orborus container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `orborus.podSecurityContext.enabled` | Enable orborus pods' Security Context | `true` | | `orborus.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for orborus pods | `Always` | | `orborus.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for orborus pods | `[]` | | `orborus.podSecurityContext.supplementalGroups` | Set filesystem extra groups for orborus pods | `[]` | | `orborus.podSecurityContext.fsGroup` | Set fsGroup in orborus pods' Security Context | `1001` | | `orborus.containerSecurityContext.enabled` | Enabled orborus container' Security Context | `true` | | `orborus.containerSecurityContext.seLinuxOptions` | Set SELinux options in orborus container | `{}` | | `orborus.containerSecurityContext.runAsUser` | Set runAsUser in orborus container' Security Context | `1001` | | `orborus.containerSecurityContext.runAsGroup` | Set runAsGroup in orborus container' Security Context | `1001` | | `orborus.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in orborus container' Security Context | `true` | | `orborus.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in orborus container' Security Context | `true` | | 
`orborus.containerSecurityContext.privileged` | Set privileged in orborus container' Security Context | `false` | | `orborus.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in orborus container' Security Context | `false` | | `orborus.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in orborus container | `["ALL"]` | | `orborus.containerSecurityContext.seccompProfile.type` | Set seccomp profile in orborus container | `RuntimeDefault` | | `orborus.command` | Override default orborus container command (useful when using custom images) | `[]` | | `orborus.args` | Override default orborus container args (useful when using custom images) | `[]` | | `orborus.automountServiceAccountToken` | Mount Service Account token in orborus pods | `true` | | `orborus.hostAliases` | orborus pods host aliases | `[]` | | `orborus.deploymentAnnotations` | Annotations for orborus deployment | `{}` | | `orborus.podLabels` | Extra labels for orborus pods | `{}` | | `orborus.podAnnotations` | Annotations for orborus pods | `{}` | | `orborus.podAffinityPreset` | Pod affinity preset. Ignored if `orborus.affinity` is set. Allowed values: `soft` or `hard` | `""` | | `orborus.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `orborus.affinity` is set. Allowed values: `soft` or `hard` | `soft` | | `orborus.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `orborus.affinity` is set. Allowed values: `soft` or `hard` | `""` | | `orborus.nodeAffinityPreset.key` | Node label key to match. Ignored if `orborus.affinity` is set | `""` | | `orborus.nodeAffinityPreset.values` | Node label values to match. 
Ignored if `orborus.affinity` is set | `[]` | | `orborus.affinity` | Affinity for orborus pods assignment | `{}` | | `orborus.nodeSelector` | Node labels for orborus pods assignment | `{}` | | `orborus.tolerations` | Tolerations for orborus pods assignment | `[]` | | `orborus.updateStrategy.type` | orborus deployment strategy type | `RollingUpdate` | | `orborus.priorityClassName` | orborus pods' priorityClassName | `""` | | `orborus.topologySpreadConstraints` | Topology Spread Constraints for orborus pod assignment spread across your cluster among failure-domains | `[]` | | `orborus.schedulerName` | Name of the k8s scheduler (other than default) for orborus pods | `""` | | `orborus.terminationGracePeriodSeconds` | Seconds orborus pods need to terminate gracefully | `""` | | `orborus.lifecycleHooks` | for orborus containers to automate configuration before or after startup | `{}` | | `orborus.extraEnvVars` | Array with extra environment variables to add to orborus containers | `[]` | | `orborus.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for orborus containers | `""` | | `orborus.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for orborus containers | `""` | | `orborus.extraVolumes` | Optionally specify extra list of additional volumes for the orborus pods | `[]` | | `orborus.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the orborus containers | `[]` | | `orborus.sidecars` | Add additional sidecar containers to the orborus pods | `[]` | | `orborus.initContainers` | Add additional init containers to the orborus pods | `[]` | | `orborus.pdb.create` | Enable/disable a Pod Disruption Budget creation | `true` | | `orborus.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | | `orborus.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. 
Defaults to `1` if both `orborus.pdb.minAvailable` and `orborus.pdb.maxUnavailable` are empty. | `""` | | `orborus.autoscaling.vpa.enabled` | Enable VPA for orborus pods | `false` | | `orborus.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | | `orborus.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` | | `orborus.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | | `orborus.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | | `orborus.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | | `orborus.autoscaling.hpa.enabled` | Enable HPA for orborus pods | `false` | | `orborus.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | | `orborus.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | | `orborus.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | | `orborus.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | | `orborus.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | | `orborus.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | | `orborus.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | | `orborus.serviceAccount.automountServiceAccountToken` | Automount service account token for the orborus service account | `true` | | `orborus.serviceAccount.imagePullSecrets` | Add image pull secrets to the orborus service account | `[]` | | `orborus.rbac.create` | Specifies whether RBAC resources should be created | `true` | | `orborus.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | | `orborus.networkPolicy.allowExternal` | Don't require server label for connections | `true` | | `orborus.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | | `orborus.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | | `orborus.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | | `orborus.executionConcurrency` | The maximum amount of concurrent workflow executions per worker | `25` | | `orborus.manageWorkerDeployments` | Whether workers are deployed and managed by orborus. When disabled, every worker is expected to be already deployed (see worker.enableHelmDeployment). | `true` | ##### worker Parameters | Name | Description | Value | | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------ | | `worker.enableHelmDeployment` | Deploy worker via helm. By default, workers are deployed by Orborus. 
| `false` | | `worker.image.registry` | worker image registry | `ghcr.io` | | `worker.image.repository` | worker image repository | `shuffle/shuffle-worker` | | `worker.image.tag` | worker image tag (immutable tags are recommended, defaults to appVersion) | `""` | | `worker.image.digest` | worker image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended) | `""` | | `worker.image.pullPolicy` | worker image pull policy. Only effective with worker.enableHelmDeployment. | `IfNotPresent` | | `worker.image.pullSecrets` | worker image pull secrets. Only effective with worker.enableHelmDeployment. | `[]` | | `worker.replicaCount` | Number of worker replicas to deploy. Only effective with worker.enableHelmDeployment. | `1` | | `worker.containerPorts.http` | backend HTTP container port | `33333` | | `worker.extraContainerPorts` | Optionally specify extra list of additional ports for worker containers. Only effective with worker.enableHelmDeployment. | `[]` | | `worker.livenessProbe.enabled` | Enable livenessProbe on worker containers. Only effective with worker.enableHelmDeployment. | `false` | | `worker.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` | | `worker.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` | | `worker.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | | `worker.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `4` | | `worker.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | | `worker.readinessProbe.enabled` | Enable readinessProbe on worker containers. Only effective with worker.enableHelmDeployment. 
| `false` | | `worker.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | | `worker.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | | `worker.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | | `worker.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | | `worker.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | | `worker.startupProbe.enabled` | Enable startupProbe on worker containers. Only effective with worker.enableHelmDeployment. | `false` | | `worker.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | | `worker.startupProbe.periodSeconds` | Period seconds for startupProbe | `1` | | `worker.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | | `worker.startupProbe.failureThreshold` | Failure threshold for startupProbe | `60` | | `worker.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | | `worker.customLivenessProbe` | Custom livenessProbe that overrides the default one. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.customReadinessProbe` | Custom readinessProbe that overrides the default one. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.customStartupProbe` | Custom startupProbe that overrides the default one. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.resourcesPreset` | Set worker container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if worker.resources is set (worker.resources is recommended for production). 
| `nano` | | `worker.resources` | Set worker container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` | | `worker.podSecurityContext.enabled` | Enable worker pods' Security Context | `true` | | `worker.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for worker pods | `Always` | | `worker.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for worker pods | `[]` | | `worker.podSecurityContext.supplementalGroups` | Set filesystem extra groups for worker pods | `[]` | | `worker.podSecurityContext.fsGroup` | Set fsGroup in worker pods' Security Context | `1001` | | `worker.containerSecurityContext.enabled` | Enabled worker container' Security Context | `true` | | `worker.containerSecurityContext.seLinuxOptions` | Set SELinux options in worker container | `{}` | | `worker.containerSecurityContext.runAsUser` | Set runAsUser in worker container' Security Context | `1001` | | `worker.containerSecurityContext.runAsGroup` | Set runAsGroup in worker container' Security Context | `1001` | | `worker.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in worker container' Security Context | `true` | | `worker.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in worker container' Security Context | `true` | | `worker.containerSecurityContext.privileged` | Set privileged in worker container' Security Context | `false` | | `worker.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in worker container' Security Context | `false` | | `worker.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in worker container | `["ALL"]` | | `worker.containerSecurityContext.seccompProfile.type` | Set seccomp profile in worker container | `RuntimeDefault` | | `worker.command` | Override default worker container command (useful when using custom images). 
Only effective with worker.enableHelmDeployment. | `[]` | | `worker.args` | Override default worker container args (useful when using custom images). Only effective with worker.enableHelmDeployment. | `[]` | | `worker.automountServiceAccountToken` | Mount Service Account token in worker pods. Only effective with worker.enableHelmDeployment. | `true` | | `worker.hostAliases` | worker pods host aliases. Only effective with worker.enableHelmDeployment. | `[]` | | `worker.deploymentAnnotations` | Annotations for worker deployment. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.podLabels` | Extra labels for worker pods. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.podAnnotations` | Annotations for worker pods. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.podAffinityPreset` | Pod affinity preset. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard`. Only effective with worker.enableHelmDeployment. | `""` | | `worker.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard`. Only effective with worker.enableHelmDeployment. | `soft` | | `worker.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `worker.affinity` is set. Allowed values: `soft` or `hard`. Only effective with worker.enableHelmDeployment. | `""` | | `worker.nodeAffinityPreset.key` | Node label key to match. Ignored if `worker.affinity` is set | `""` | | `worker.nodeAffinityPreset.values` | Node label values to match. Ignored if `worker.affinity` is set | `[]` | | `worker.affinity` | Affinity for worker pods assignment. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.nodeSelector` | Node labels for worker pods assignment. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.tolerations` | Tolerations for worker pods assignment. Only effective with worker.enableHelmDeployment. 
| `[]` | | `worker.updateStrategy.type` | worker deployment strategy type. Only effective with worker.enableHelmDeployment. | `RollingUpdate` | | `worker.priorityClassName` | worker pods' priorityClassName. Only effective with worker.enableHelmDeployment. | `""` | | `worker.topologySpreadConstraints` | Topology Spread Constraints for worker pod assignment spread across your cluster among failure-domains. Only effective with worker.enableHelmDeployment. | `[]` | | `worker.schedulerName` | Name of the k8s scheduler (other than default) for worker pods. Only effective with worker.enableHelmDeployment. | `""` | | `worker.terminationGracePeriodSeconds` | Seconds worker pods need to terminate gracefully. Only effective with worker.enableHelmDeployment. | `""` | | `worker.lifecycleHooks` | for worker containers to automate configuration before or after startup. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.extraEnvVars` | Array with extra environment variables to add to worker containers. Only effective with worker.enableHelmDeployment. | `[]` | | `worker.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for worker containers. Only effective with worker.enableHelmDeployment. | `""` | | `worker.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for worker containers. Only effective with worker.enableHelmDeployment. | `""` | | `worker.extraVolumes` | Optionally specify extra list of additional volumes for the worker pods. Only effective with worker.enableHelmDeployment. | `[]` | | `worker.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the worker containers. Only effective with worker.enableHelmDeployment. | `[]` | | `worker.sidecars` | Add additional sidecar containers to the worker pods. Only effective with worker.enableHelmDeployment. | `[]` | | `worker.initContainers` | Add additional init containers to the worker pods. Only effective with worker.enableHelmDeployment. 
| `[]` | | `worker.pdb.create` | Enable/disable a Pod Disruption Budget creation. Only effective with worker.enableHelmDeployment. | `true` | | `worker.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` | | `worker.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `worker.pdb.minAvailable` and `worker.pdb.maxUnavailable` are empty. | `""` | | `worker.autoscaling.vpa.enabled` | Enable VPA for worker pods. Only effective with worker.enableHelmDeployment. | `false` | | `worker.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` | | `worker.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` | | `worker.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` | | `worker.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` | | `worker.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` | | `worker.autoscaling.hpa.enabled` | Enable HPA for worker pods. Only effective with worker.enableHelmDeployment. | `false` | | `worker.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` | | `worker.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` | | `worker.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` | | `worker.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` | | `worker.service.labels` | Extra labels for worker service. Only effective with worker.enableHelmDeployment. | `{}` | | `worker.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` | | `worker.serviceAccount.name` | The name of the ServiceAccount to use. 
| `""` | | `worker.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` | | `worker.serviceAccount.automountServiceAccountToken` | Automount service account token for the worker service account | `true` | | `worker.serviceAccount.imagePullSecrets` | Add image pull secrets to the worker service account | `[]` | | `worker.rbac.create` | Specifies whether RBAC resources should be created | `true` | | `worker.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` | | `worker.networkPolicy.allowExternal` | Don't require server label for connections | `true` | | `worker.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` | | `worker.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` | | `worker.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` | | `worker.manageAppDeployments` | Whether apps are deployed and managed by worker. When disabled, every used app is expected to to be already deployed (see apps.enabled). | `true` | ##### app Parameters | Name | Description | Value | | ------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | | `app.image.registry` | app image registry (defaults to shuffle.appRegistry) | `""` | | `app.image.repository` | app image repository (defaults to shuffle.appBaseImageName) | `""` | | `app.image.tag` | app image tag (defaults to the apps version) | `""` | | `app.image.pullPolicy` | default image pull policy for app deployments. Only effective for helm-deployed apps (see apps.enabled). 
| `IfNotPresent` | | `app.image.pullSecrets` | default image pull secrets for app deployments. Only effective for helm-deployed apps (see apps.enabled). | `[]` | | `app.replicaCount` | Default number of replicas to deploy for each app. Only effective for helm-deployed apps (see apps.enabled). | `1` | | `app.extraContainerPorts` | Optionally specify extra list of additional ports for app containers. Only effective for helm-deployed apps (see apps.enabled). | `[]` | | `app.livenessProbe.enabled` | Enable livenessProbe on app containers. Only effective for helm-deployed apps (see apps.enabled). | `false` | | `app.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `0` | | `app.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `15` | | `app.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` | | `app.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `4` | | `app.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | | `app.readinessProbe.enabled` | Enable readinessProbe on app containers. Only effective for helm-deployed apps (see apps.enabled). | `false` | | `app.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `0` | | `app.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` | | `app.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` | | `app.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` | | `app.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | | `app.startupProbe.enabled` | Enable startupProbe on app containers. Only effective for helm-deployed apps (see apps.enabled). 
| `false` | | `app.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `0` | | `app.startupProbe.periodSeconds` | Period seconds for startupProbe | `1` | | `app.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | | `app.startupProbe.failureThreshold` | Failure threshold for startupProbe | `60` | | `app.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | | `app.customLivenessProbe` | Custom livenessProbe that overrides the default one. Only effective for helm-deployed apps (see apps.enabled). | `{}` | | `app.customReadinessProbe` | Custom readinessProbe that overrides the default one. Only effective for helm-deployed apps (see apps.enabled). | `{}` | | `app.customStartupProbe` | Custom startupProbe that overrides the default one. Only effective for helm-deployed apps (see apps.enabled). | `{}` | | `app.resourcesPreset` | Set app container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if app.resources is set (app.resources is recommended for production). 
| `nano` |
| `app.resources` | Set app container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `app.podSecurityContext.enabled` | Enable app pods' Security Context | `true` |
| `app.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy for app pods | `Always` |
| `app.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface for app pods | `[]` |
| `app.podSecurityContext.supplementalGroups` | Set filesystem extra groups for app pods | `[]` |
| `app.podSecurityContext.fsGroup` | Set fsGroup in app pods' Security Context | `1001` |
| `app.containerSecurityContext.enabled` | Enable app container's Security Context | `true` |
| `app.containerSecurityContext.seLinuxOptions` | Set SELinux options in app container | `{}` |
| `app.containerSecurityContext.runAsUser` | Set runAsUser in app container's Security Context | `1001` |
| `app.containerSecurityContext.runAsGroup` | Set runAsGroup in app container's Security Context | `1001` |
| `app.containerSecurityContext.runAsNonRoot` | Set runAsNonRoot in app container's Security Context | `true` |
| `app.containerSecurityContext.readOnlyRootFilesystem` | Set readOnlyRootFilesystem in app container's Security Context | `true` |
| `app.containerSecurityContext.privileged` | Set privileged in app container's Security Context | `false` |
| `app.containerSecurityContext.allowPrivilegeEscalation` | Set allowPrivilegeEscalation in app container's Security Context | `false` |
| `app.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped in app container | `["ALL"]` |
| `app.containerSecurityContext.seccompProfile.type` | Set seccomp profile in app container | `RuntimeDefault` |
| `app.command` | Override default app container command (useful when using custom images) | `[]` |
| `app.args` | Override default app container args (useful when using custom images) | `[]` |
| `app.automountServiceAccountToken` | Mount Service Account token in app pods. Only effective for helm-deployed apps (see apps.enabled). | `false` |
| `app.hostAliases` | app pods host aliases. Only effective for helm-deployed apps (see apps.enabled). | `[]` |
| `app.deploymentAnnotations` | Annotations for app deployment. Only effective for helm-deployed apps (see apps.enabled). | `{}` |
| `app.podLabels` | Extra labels for app pods. Only effective for helm-deployed apps (see apps.enabled). | `{}` |
| `app.podAnnotations` | Annotations for app pods. Only effective for helm-deployed apps (see apps.enabled). | `{}` |
| `app.podAffinityPreset` | Pod affinity preset. Ignored if `app.affinity` is set. Allowed values: `soft` or `hard`. Only effective for helm-deployed apps (see apps.enabled). | `""` |
| `app.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `app.affinity` is set. Allowed values: `soft` or `hard`. Only effective for helm-deployed apps (see apps.enabled). | `soft` |
| `app.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `app.affinity` is set. Allowed values: `soft` or `hard`. Only effective for helm-deployed apps (see apps.enabled). | `""` |
| `app.nodeAffinityPreset.key` | Node label key to match. Ignored if `app.affinity` is set | `""` |
| `app.nodeAffinityPreset.values` | Node label values to match. Ignored if `app.affinity` is set | `[]` |
| `app.affinity` | Affinity for app pods assignment. Only effective for helm-deployed apps (see apps.enabled). | `{}` |
| `app.nodeSelector` | Node labels for app pods assignment. Only effective for helm-deployed apps (see apps.enabled). | `{}` |
| `app.tolerations` | Tolerations for app pods assignment. Only effective for helm-deployed apps (see apps.enabled). | `[]` |
| `app.updateStrategy.type` | app deployment strategy type. Only effective for helm-deployed apps (see apps.enabled). | `RollingUpdate` |
| `app.priorityClassName` | app pods' priorityClassName. Only effective for helm-deployed apps (see apps.enabled). | `""` |
| `app.topologySpreadConstraints` | Topology Spread Constraints for app pod assignment spread across your cluster among failure-domains. Only effective for helm-deployed apps (see apps.enabled). | `[]` |
| `app.schedulerName` | Name of the k8s scheduler (other than default) for app pods. Only effective for helm-deployed apps (see apps.enabled). | `""` |
| `app.terminationGracePeriodSeconds` | Seconds app pods need to terminate gracefully. Only effective for helm-deployed apps (see apps.enabled). | `""` |
| `app.lifecycleHooks` | Lifecycle hooks for app containers to automate configuration before or after startup. Only effective for helm-deployed apps (see apps.enabled). | `{}` |
| `app.extraEnvVars` | Array with extra environment variables to add to app containers. Only effective for helm-deployed apps (see apps.enabled). | `[]` |
| `app.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for app containers. Only effective for helm-deployed apps (see apps.enabled). | `""` |
| `app.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for app containers. Only effective for helm-deployed apps (see apps.enabled). | `""` |
| `app.extraVolumes` | Optionally specify extra list of additional volumes for the app pods. Only effective for helm-deployed apps (see apps.enabled). | `[]` |
| `app.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the app containers. Only effective for helm-deployed apps (see apps.enabled). | `[]` |
| `app.sidecars` | Add additional sidecar containers to the app pods. Only effective for helm-deployed apps (see apps.enabled). | `[]` |
| `app.initContainers` | Add additional init containers to the app pods. Only effective for helm-deployed apps (see apps.enabled). | `[]` |
| `app.pdb.create` | Enable/disable a Pod Disruption Budget creation. Only effective for helm-deployed apps (see apps.enabled). | `true` |
| `app.pdb.minAvailable` | Minimum number/percentage of pods that should remain scheduled | `""` |
| `app.pdb.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `app.pdb.minAvailable` and `app.pdb.maxUnavailable` are empty. | `""` |
| `app.autoscaling.vpa.enabled` | Enable VPA for app pods. Only effective for helm-deployed apps (see apps.enabled). | `false` |
| `app.autoscaling.vpa.annotations` | Annotations for VPA resource | `{}` |
| `app.autoscaling.vpa.controlledResources` | VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | `[]` |
| `app.autoscaling.vpa.maxAllowed` | VPA Max allowed resources for the pod | `{}` |
| `app.autoscaling.vpa.minAllowed` | VPA Min allowed resources for the pod | `{}` |
| `app.autoscaling.vpa.updatePolicy.updateMode` | Autoscaling update policy | `Auto` |
| `app.autoscaling.hpa.enabled` | Enable HPA for app pods. Only effective for helm-deployed apps (see apps.enabled). | `false` |
| `app.autoscaling.hpa.minReplicas` | Minimum number of replicas | `""` |
| `app.autoscaling.hpa.maxReplicas` | Maximum number of replicas | `""` |
| `app.autoscaling.hpa.targetCPU` | Target CPU utilization percentage | `""` |
| `app.autoscaling.hpa.targetMemory` | Target Memory utilization percentage | `""` |
| `app.service.labels` | Extra labels for app service. Only effective for helm-deployed apps (see apps.enabled). | `{}` |
| `app.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `app.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `app.serviceAccount.annotations` | Additional Service Account annotations (evaluated as a template) | `{}` |
| `app.serviceAccount.automountServiceAccountToken` | Automount service account token for the app service account | `true` |
| `app.serviceAccount.imagePullSecrets` | Add image pull secrets to the app service account | `[]` |
| `app.rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `app.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `app.networkPolicy.allowExternal` | Don't require server label for connections | `true` |
| `app.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `app.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `app.networkPolicy.extraEgress` | Add extra egress rules to the NetworkPolicy (ignored if allowExternalEgress=true) | `[]` |
| `app.mountTmpVolume` | Whether a writable /tmp emptyDir volume should be mounted to the app. | `true` |
| `app.exposedContainerPort` | The port that shuffle app containers will listen on for new requests. | `80` |
| `app.sdkTimeout` | The timeout in seconds for app actions. | `300` |
| `app.disableLogs` | Do not capture app logs. By default, app logs are captured, so that they are visible in the frontend. | `false` |

##### Parameters to deploy apps using helm

| Name | Description | Value |
| --- | --- | --- |
| `apps.enabled` | Whether apps should be deployed using helm. | `false` |
| `apps.shuffleTools.enabled` | Whether the shuffle-tools app is enabled | `true` |
| `apps.shuffleTools.version` | The version of the shuffle-tools app to deploy. | `1.2.0` |
| `apps.shuffleSubflow.enabled` | Whether the shuffle-subflow app is enabled | `true` |
| `apps.shuffleSubflow.version` | The version of the shuffle-subflow app to deploy. | `1.1.0` |
| `apps.http.enabled` | Whether the http app is enabled | `true` |
| `apps.http.version` | The version of the http app to deploy. | `1.4.0` |
| `apps.MY_APP.app` | The name of the app (required, e.g. shuffle-tools) | |
| `apps.MY_APP.version` | The version of the app (required, e.g. 1.2.0) | |

##### Traffic Exposure Parameters

| Name | Description | Value |
| --- | --- | --- |
| `ingress.enabled` | Enable ingress record generation for frontend and backend | `false` |
| `ingress.pathType` | Ingress path type for the frontend path | `Prefix` |
| `ingress.backendPathType` | Ingress path type for the backend path | `Prefix` |
| `ingress.apiVersion` | Force Ingress API version (automatically detected if not set) | `""` |
| `ingress.hostname` | Default host for the ingress record | `shuffle.local` |
| `ingress.ingressClassName` | IngressClass that will be used to implement the Ingress (Kubernetes 1.18+) | `nginx` |
| `ingress.path` | Ingress path for Shuffle frontend | `"/"` |
| `ingress.backendPath` | Ingress path for Shuffle backend | `"/api/"` |
| `ingress.annotations` | Additional annotations for the Ingress resource. | `{}` |
| `ingress.tls` | Enable TLS configuration for the host defined at `ingress.hostname` parameter | `false` |
| `ingress.selfSigned` | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | `false` |
| `ingress.extraHosts` | An array with additional hostname(s) to be covered with the ingress record | `[]` |
| `ingress.extraPaths` | An array with additional arbitrary paths that may need to be added to the ingress under the main host | `[]` |
| `ingress.extraTls` | TLS configuration for additional hostname(s) to be covered with this ingress record | `[]` |
| `ingress.secrets` | Custom TLS certificates as secrets | `[]` |
| `ingress.extraRules` | Additional rules to be covered with this ingress record | `[]` |

##### Istio Parameters

| Name | Description | Value |
| --- | --- | --- |
| `istio.enabled` | Enable creation of an Istio Gateway and VirtualService for frontend and backend | `false` |
| `istio.apiVersion` | The istio apiVersion to use for Gateway and VirtualService resources | `networking.istio.io/v1` |
| `istio.hosts` | One or more hosts exposed by Istio | `[]` |
| `istio.gateway.annotations` | Additional annotations for the Gateway resource | `{}` |
| `istio.gateway.selector` | The selector matches the ingress gateway pod labels | `{ istio: ingress }` |
| `istio.gateway.http.enabled` | Enable HTTP server on port 80 | `true` |
| `istio.gateway.http.httpsRedirect` | If set to true, a 301 redirect is sent for all HTTP connections | `false` |
| `istio.gateway.https.enabled` | Enable HTTPS server on port 443 | `false` |
| `istio.gateway.https.tlsCredentialName` | The name of the secret that holds the TLS certs including the CA certificates. | `""` |
| `istio.gateway.https.tlsCipherSuites` | If specified, only support the specified cipher list. | `[]` |
| `istio.gateway.extraServers` | Additional servers for the Gateway resource | `[]` |
| `istio.virtualService.annotations` | Additional annotations for the VirtualService resource. | `{}` |
| `istio.virtualService.backendHeaders` | Header manipulation rules for backend traffic | `{}` |
| `istio.virtualService.frontendHeaders` | Header manipulation rules for frontend traffic | `{}` |

##### Persistence Parameters

| Name | Description | Value |
| --- | --- | --- |
| `persistence.enabled` | Enable persistence using Persistent Volume Claims | `true` |
| `persistence.apps.existingClaim` | Name of an existing PVC to use | `""` |
| `persistence.apps.storageClass` | PVC Storage Class for shuffle-apps volume | `""` |
| `persistence.apps.subPath` | The sub path used in the volume | `""` |
| `persistence.apps.accessModes` | The access mode of the volume | `["ReadWriteOnce"]` |
| `persistence.apps.size` | The size of the volume | `5Gi` |
| `persistence.apps.annotations` | Annotations for the PVC | `{}` |
| `persistence.apps.selector` | Selector to match an existing Persistent Volume | `{}` |
| `persistence.appBuilder.storageClass` | PVC Storage Class for backend-apps-claim volume | `""` |
| `persistence.appBuilder.accessModes` | The access mode of the volume | `["ReadWriteOnce"]` |
| `persistence.appBuilder.size` | The size of the volume | `5Gi` |
| `persistence.appBuilder.annotations` | Annotations for the PVC | `{}` |
| `persistence.appBuilder.selector` | Selector to match an existing Persistent Volume | `{}` |
| `persistence.files.existingClaim` | Name of an existing PVC to use | `""` |
| `persistence.files.storageClass` | PVC Storage Class for shuffle-files volume | `""` |
| `persistence.files.subPath` | The sub path used in the volume | `""` |
| `persistence.files.accessModes` | The access mode of the volume | `["ReadWriteOnce"]` |
| `persistence.files.size` | The size of the volume | `5Gi` |
| `persistence.files.annotations` | Annotations for the PVC | `{}` |
| `persistence.files.selector` | Selector to match an existing Persistent Volume | `{}` |

##### Init Container Parameters

| Name | Description | Value |
| --- | --- | --- |
| `volumePermissions.enabled` | Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup` | `false` |
| `volumePermissions.image.registry` | OS Shell + Utility image registry | `docker.io` |
| `volumePermissions.image.repository` | OS Shell + Utility image repository | `bitnamilegacy/os-shell` |
| `volumePermissions.image.tag` | OS Shell + Utility image tag (immutable tags are recommended) | `12-debian-12-r30` |
| `volumePermissions.image.pullPolicy` | OS Shell + Utility image pull policy | `IfNotPresent` |
| `volumePermissions.image.pullSecrets` | OS Shell + Utility image pull secrets | `[]` |
| `volumePermissions.resourcesPreset` | Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | `nano` |
| `volumePermissions.resources` | Set init container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `volumePermissions.containerSecurityContext.enabled` | Enable init container's Security Context | `true` |
| `volumePermissions.containerSecurityContext.seLinuxOptions` | Set SELinux options in init container | `{}` |
| `volumePermissions.containerSecurityContext.runAsUser` | Set init container's Security Context runAsUser | `0` |

##### OpenSearch Parameters

| Name | Description | Value |
| --- | --- | --- |
| `opensearch.enabled` | Switch to enable or disable the opensearch helm chart | `true` |

##### Vault Parameters

| Name | Description | Value |
| --- | --- | --- |
| `vault.role` | Specify the Vault role, which should be used to get the secret from Vault. | `""` |
| `vault.secrets` | A list of VaultSecrets to create | `[]` |

### Other Parameters