clickhouse
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
# This file has been modified by Chainguard, Inc.
2
#
3
# Copyright Chainguard, Inc. All Rights Reserved.
4
# Chainguard, Inc. modifications are subject to the license
5
# available at: https://www.chainguard.dev/legal/software-license-agreement
6
#
7
# Copyright Broadcom, Inc. All Rights Reserved.
8
# SPDX-License-Identifier: APACHE-2.0
9
10
## @section Global parameters
11
## Global Docker image parameters
12
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
13
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
14
##
15
16
## @param global.imageRegistry Global Docker image registry
17
## @param global.imagePullSecrets Global Docker registry secret names as an array
18
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
19
##
20
global:
21
imageRegistry: ""
22
## E.g.
23
## imagePullSecrets:
24
## - myRegistryKeySecretName
25
##
26
imagePullSecrets: []
27
defaultStorageClass: ""
28
## Security parameters
29
##
30
security:
31
## @param global.security.allowInsecureImages Allows skipping image verification
32
allowInsecureImages: false
33
## Compatibility adaptations for Kubernetes platforms
34
##
35
compatibility:
36
## Compatibility adaptations for Openshift
37
##
38
openshift:
39
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
40
##
41
adaptSecurityContext: auto
42
org: ""
43
## @section Common parameters
44
45
## @param kubeVersion Override Kubernetes version
46
##
47
kubeVersion: ""
48
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
49
##
50
apiVersions: []
51
## @param nameOverride String to partially override common.names.name
52
##
53
nameOverride: ""
54
## @param fullnameOverride String to fully override common.names.fullname
55
##
56
fullnameOverride: ""
57
## @param namespaceOverride String to fully override common.names.namespace
58
##
59
namespaceOverride: ""
60
## @param commonLabels Labels to add to all deployed objects
61
##
62
commonLabels: {}
63
## @param commonAnnotations Annotations to add to all deployed objects
64
##
65
commonAnnotations: {}
66
## @param clusterDomain Kubernetes cluster domain name
67
##
68
clusterDomain: cluster.local
69
## @param extraDeploy Array of extra objects to deploy with the release
70
##
71
extraDeploy: []
72
## @param usePasswordFiles Mount credentials as files instead of using environment variables
73
##
74
usePasswordFiles: true
75
## Enable diagnostic mode in the deployment
76
##
77
diagnosticMode:
78
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
79
##
80
enabled: false
81
## @param diagnosticMode.command Command to override all containers in the deployment
82
##
83
command:
84
- sleep
85
## @param diagnosticMode.args Args to override all containers in the deployment
86
##
87
args:
88
- infinity
89
## @section Default Init Container Parameters
90
defaultInitContainers:
91
## 'volume-permissions' init container
92
## Used to change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
93
##
94
volumePermissions:
95
## @param defaultInitContainers.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
96
##
97
enabled: false
98
## @param defaultInitContainers.volumePermissions.image.registry [default: REGISTRY_NAME] "volume-permissions" init-containers' image registry
99
## @param defaultInitContainers.volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] "volume-permissions" init-containers' image repository
100
## @skip defaultInitContainers.volumePermissions.image.tag "volume-permissions" init-containers' image tag (immutable tags are recommended)
101
## @param defaultInitContainers.volumePermissions.image.digest "volume-permissions" init-containers' image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
102
## @param defaultInitContainers.volumePermissions.image.pullPolicy "volume-permissions" init-containers' image pull policy
103
## @param defaultInitContainers.volumePermissions.image.pullSecrets "volume-permissions" init-containers' image pull secrets
104
##
105
image:
106
registry: docker.io
107
repository: iamguarded/os-shell
108
tag: 12-debian-12-r51
109
digest: ""
110
pullPolicy: IfNotPresent
111
## Optionally specify an array of imagePullSecrets.
112
## Secrets must be manually created in the namespace.
113
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
114
## Example:
115
## pullSecrets:
116
## - myRegistryKeySecretName
117
##
118
pullSecrets: []
119
## Configure "volume-permissions" init-container Security Context
120
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
121
## @param defaultInitContainers.volumePermissions.containerSecurityContext.enabled Enabled "volume-permissions" init-containers' Security Context
122
## @param defaultInitContainers.volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "volume-permissions" init-containers
123
## @param defaultInitContainers.volumePermissions.containerSecurityContext.runAsUser Set runAsUser in "volume-permissions" init-containers' Security Context
124
## @param defaultInitContainers.volumePermissions.containerSecurityContext.privileged Set privileged in "volume-permissions" init-containers' Security Context
125
## @param defaultInitContainers.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "volume-permissions" init-containers' Security Context
126
## @param defaultInitContainers.volumePermissions.containerSecurityContext.capabilities.add List of capabilities to be added in "volume-permissions" init-containers
127
## @param defaultInitContainers.volumePermissions.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "volume-permissions" init-containers
128
## @param defaultInitContainers.volumePermissions.containerSecurityContext.seccompProfile.type Set seccomp profile in "volume-permissions" init-containers
129
##
130
containerSecurityContext:
131
enabled: true
132
seLinuxOptions: {}
133
runAsUser: 0
134
privileged: false
135
allowPrivilegeEscalation: false
136
capabilities:
137
add: ["CHOWN"]
138
drop: ["ALL"]
139
seccompProfile:
140
type: "RuntimeDefault"
141
## ClickHouse Keeper "volume-permissions" init container resource requests and limits
142
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
143
## @param defaultInitContainers.volumePermissions.resourcesPreset Set ClickHouse Keeper "volume-permissions" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.volumePermissions.resources is set (defaultInitContainers.volumePermissions.resources is recommended for production).
144
##
145
resourcesPreset: "nano"
146
## @param defaultInitContainers.volumePermissions.resources Set ClickHouse Keeper "volume-permissions" init container requests and limits for different resources like CPU or memory (essential for production workloads)
147
## E.g:
148
## resources:
149
## requests:
150
## cpu: 2
151
## memory: 512Mi
152
## limits:
153
## cpu: 3
154
## memory: 1024Mi
155
##
156
resources: {}
157
## @section ClickHouse parameters
158
159
## Iamguarded ClickHouse image
160
## @param image.registry [default: REGISTRY_NAME] ClickHouse image registry
161
## @param image.repository [default: REPOSITORY_NAME/clickhouse] ClickHouse image repository
162
## @skip image.tag ClickHouse image tag (immutable tags are recommended)
163
## @param image.digest ClickHouse image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
164
## @param image.pullPolicy ClickHouse image pull policy
165
## @param image.pullSecrets ClickHouse image pull secrets
166
## @param image.debug Enable ClickHouse image debug mode
167
##
168
image:
169
registry: cgr.dev
170
repository: chainguard-private/clickhouse-iamguarded
171
tag: 26.1.4
172
digest: ""
173
## Specify a imagePullPolicy
174
## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
175
##
176
pullPolicy: IfNotPresent
177
## Optionally specify an array of imagePullSecrets.
178
## Secrets must be manually created in the namespace.
179
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
180
## e.g:
181
## pullSecrets:
182
## - myRegistryKeySecretName
183
##
184
pullSecrets: []
185
## Enable debug mode
186
##
187
debug: false
188
## @param clusterName ClickHouse cluster name
189
##
190
clusterName: default
191
## Authentication
192
## @param auth.username ClickHouse Admin username
193
## @param auth.password ClickHouse Admin password
194
## @param auth.existingSecret Name of a secret containing the Admin password
195
## @param auth.existingSecretKey Name of the key inside the existing secret
196
##
197
auth:
198
username: default
199
password: ""
200
existingSecret: ""
201
existingSecretKey: ""
202
## @param tls.enabled Enable TLS configuration for ClickHouse
203
## @param tls.autoGenerated.enabled Enable automatic generation of TLS certificates
204
## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager)
205
## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine)
206
## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)
207
## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine)
208
## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine)
209
## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine)
210
## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine)
211
## @param tls.ca CA certificate for TLS. Ignored if `tls.existingCASecret` is set
212
## @param tls.existingCASecret The name of an existing Secret containing the CA certificate for TLS
213
## @param tls.server.cert TLS certificate for ClickHouse servers. Ignored if `tls.server.existingSecret` is set
214
## @param tls.server.key TLS key for ClickHouse servers. Ignored if `tls.server.existingSecret` is set
215
## @param tls.server.existingSecret The name of an existing Secret containing the TLS certificates for ClickHouse servers
216
## @param tls.keeper.cert TLS certificate for ClickHouse Keeper. Ignored if `tls.keeper.existingSecret` is set
217
## @param tls.keeper.key TLS key for ClickHouse Keeper. Ignored if `tls.keeper.existingSecret` is set
218
## @param tls.keeper.existingSecret The name of an existing Secret containing the TLS certificates for ClickHouse Keeper
219
##
220
tls:
221
enabled: false
222
autoGenerated:
223
enabled: true
224
engine: helm
225
certManager:
226
existingIssuer: ""
227
existingIssuerKind: ""
228
keySize: 2048
229
keyAlgorithm: RSA
230
duration: 2160h
231
renewBefore: 360h
232
ca: ""
233
existingCASecret: ""
234
server:
235
cert: ""
236
key: ""
237
existingSecret: ""
238
keeper:
239
cert: ""
240
key: ""
241
existingSecret: ""
242
## @param logLevel Logging level
243
##
244
logLevel: information
245
## @param sampling.enabled Enable logging tables collected by sampling query profiler
246
##
247
sampling:
248
enabled: false
249
## @param configuration Specify content for ClickHouse configuration (basic one auto-generated based on other values otherwise)
250
##
251
configuration: {}
252
## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for ClickHouse
253
##
254
existingConfigmap: ""
255
## @param configdFiles Extra configuration files to be mounted at config.d
256
## ref: https://clickhouse.com/docs/operations/configuration-files
257
##
258
configdFiles: {}
259
## @param existingConfigdConfigmap The name of an existing ConfigMap with extra configuration files for ClickHouse
260
##
261
existingConfigdConfigmap: ""
262
## @param usersdFiles Extra users configuration files to be mounted at users.d
263
## ref: https://clickhouse.com/docs/operations/configuration-files#user-settings
264
##
265
usersdFiles: {}
266
## @param existingUsersdConfigmap The name of an existing ConfigMap with extra users configuration files for ClickHouse
267
##
268
existingUsersdConfigmap: ""
269
## @param existingUsersdSecret The name of an existing Secret with extra users configuration files for ClickHouse
270
##
271
existingUsersdSecret: ""
272
## @param initdbScripts Dictionary of initdb scripts
273
## Specify dictionary of scripts to be run at first boot
274
## Example:
275
## initdbScripts:
276
## my_init_script.sh: |
277
## #!/bin/bash
278
## echo "Do something."
279
##
280
initdbScripts: {}
281
## @param initdbScriptsSecret ConfigMap with the initdb scripts (Note: Overrides `initdbScripts`)
282
##
283
initdbScriptsSecret: ""
284
## @param startdbScripts Dictionary of startdb scripts
285
## Specify dictionary of scripts to be run on every start
286
## Example:
287
## startdbScripts:
288
## my_start_script.sh: |
289
## #!/bin/bash
290
## echo "Do something."
291
##
292
startdbScripts: {}
293
## @param startdbScriptsSecret ConfigMap with the startdb scripts (Note: Overrides `startdbScripts`)
294
##
295
startdbScriptsSecret: ""
296
## @param shards Number of ClickHouse shards to deploy
297
##
298
shards: 2
299
## @param replicaCount Number of ClickHouse replicas per shard to deploy
300
## if keeper enable, same as keeper count, keeper cluster by shards.
301
##
302
replicaCount: 3
303
## @param distributeReplicasByZone Schedules replicas of the same shard to different availability zones
304
##
305
distributeReplicasByZone: false
306
## @param exposeMysql Expose MySQL port container port
307
## @param exposePostgresql Expose PostgreSQL port container port
308
##
309
exposeMysql: true
310
exposePostgresql: true
311
## @param containerPorts.http ClickHouse HTTP container port
312
## @param containerPorts.https ClickHouse HTTPS container port
313
## @param containerPorts.tcp ClickHouse TCP container port
314
## @param containerPorts.tcpSecure ClickHouse TCP (secure) container port
315
## @param containerPorts.mysql ClickHouse MySQL container port
316
## @param containerPorts.postgresql ClickHouse PostgreSQL container port
317
## @param containerPorts.interserver ClickHouse Interserver container port
318
## @param containerPorts.metrics ClickHouse metrics container port
319
##
320
containerPorts:
321
http: 8123
322
https: 8443
323
tcp: 9000
324
tcpSecure: 9440
325
mysql: 9004
326
postgresql: 9005
327
interserver: 9009
328
metrics: 8001
329
## Configure extra options for ClickHouse containers' liveness and readiness probes
330
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
331
## @param livenessProbe.enabled Enable livenessProbe on ClickHouse containers
332
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
333
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
334
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
335
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
336
## @param livenessProbe.successThreshold Success threshold for livenessProbe
337
##
338
livenessProbe:
339
enabled: true
340
failureThreshold: 3
341
initialDelaySeconds: 10
342
periodSeconds: 10
343
successThreshold: 1
344
timeoutSeconds: 1
345
## @param readinessProbe.enabled Enable readinessProbe on ClickHouse containers
346
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
347
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
348
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
349
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
350
## @param readinessProbe.successThreshold Success threshold for readinessProbe
351
##
352
readinessProbe:
353
enabled: true
354
failureThreshold: 3
355
initialDelaySeconds: 10
356
periodSeconds: 10
357
successThreshold: 1
358
timeoutSeconds: 1
359
## @param startupProbe.enabled Enable startupProbe on ClickHouse containers
360
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
361
## @param startupProbe.periodSeconds Period seconds for startupProbe
362
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
363
## @param startupProbe.failureThreshold Failure threshold for startupProbe
364
## @param startupProbe.successThreshold Success threshold for startupProbe
365
##
366
startupProbe:
367
enabled: false
368
failureThreshold: 3
369
initialDelaySeconds: 10
370
periodSeconds: 10
371
successThreshold: 1
372
timeoutSeconds: 1
373
## @param customLivenessProbe Custom livenessProbe that overrides the default one
374
##
375
customLivenessProbe: {}
376
## @param customReadinessProbe Custom readinessProbe that overrides the default one
377
##
378
customReadinessProbe: {}
379
## @param customStartupProbe Custom startupProbe that overrides the default one
380
##
381
customStartupProbe: {}
382
## ClickHouse resource requests and limits
383
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
384
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
385
##
386
resourcesPreset: "small"
387
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
388
## Example:
389
## resources:
390
## requests:
391
## cpu: 2
392
## memory: 512Mi
393
## limits:
394
## cpu: 3
395
## memory: 1024Mi
396
##
397
resources: {}
398
## Configure Pods Security Context
399
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
400
## @param podSecurityContext.enabled Enabled ClickHouse pods' Security Context
401
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
402
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
403
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
404
## @param podSecurityContext.fsGroup Set ClickHouse pod's Security Context fsGroup
405
## If you are using Kubernetes 1.18, the following code needs to be commented out.
406
##
407
podSecurityContext:
408
enabled: true
409
fsGroupChangePolicy: Always
410
sysctls: []
411
supplementalGroups: []
412
fsGroup: 1001
413
## Configure Container Security Context
414
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
415
## @param containerSecurityContext.enabled Enable containers' Security Context
416
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
417
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
418
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
419
## @param containerSecurityContext.runAsNonRoot Set containers' Security Context runAsNonRoot
420
## @param containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's
421
## @param containerSecurityContext.privileged Set ClickHouse container's Security Context privileged
422
## @param containerSecurityContext.allowPrivilegeEscalation Set ClickHouse container's Security Context allowPrivilegeEscalation
423
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
424
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
425
##
426
containerSecurityContext:
427
enabled: true
428
seLinuxOptions: {}
429
runAsUser: 1001
430
runAsGroup: 1001
431
runAsNonRoot: true
432
privileged: false
433
allowPrivilegeEscalation: false
434
readOnlyRootFilesystem: true
435
capabilities:
436
drop: ["ALL"]
437
seccompProfile:
438
type: "RuntimeDefault"
439
## @param command Override default container command (useful when using custom images)
440
##
441
command: []
442
## @param args Override default container args (useful when using custom images)
443
##
444
args: []
445
## @param automountServiceAccountToken Mount Service Account token in pod
446
##
447
automountServiceAccountToken: false
448
## @param hostAliases ClickHouse pods host aliases
449
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
450
##
451
hostAliases: []
452
## @param podLabels Extra labels for ClickHouse pods
453
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
454
##
455
podLabels: {}
456
## @param podAnnotations Annotations for ClickHouse pods
457
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
458
##
459
podAnnotations: {}
460
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
461
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
462
##
463
podAffinityPreset: ""
464
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
465
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
466
##
467
podAntiAffinityPreset: soft
468
## Node affinity preset
469
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
470
##
471
nodeAffinityPreset:
472
## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
473
##
474
type: ""
475
## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
476
##
477
key: ""
478
## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set
479
## E.g.
480
## values:
481
## - e2e-az1
482
## - e2e-az2
483
##
484
values: []
485
## @param affinity Affinity for ClickHouse pods assignment
486
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
487
## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set
488
##
489
affinity: {}
490
## @param nodeSelector Node labels for ClickHouse pods assignment
491
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
492
##
493
nodeSelector: {}
494
## @param tolerations Tolerations for ClickHouse pods assignment
495
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
496
##
497
tolerations: []
498
## @param updateStrategy.type ClickHouse StatefulSet strategy type
499
## @param updateStrategy.rollingUpdate ClickHouse StatefulSet rolling update configuration parameters
500
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
501
##
502
updateStrategy:
503
type: RollingUpdate
504
rollingUpdate: {}
505
## @param podManagementPolicy Statefulset Pod management policy, it needs to be Parallel to be able to complete the cluster join
506
## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
507
##
508
podManagementPolicy: Parallel
509
## @param priorityClassName ClickHouse pods' priorityClassName
510
##
511
priorityClassName: ""
512
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
513
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
514
##
515
topologySpreadConstraints: []
516
## @param schedulerName Name of the k8s scheduler (other than default) for ClickHouse pods
517
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
518
##
519
schedulerName: ""
520
## @param terminationGracePeriodSeconds Seconds Redmine pod needs to terminate gracefully
521
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
522
##
523
terminationGracePeriodSeconds: ""
524
## @param lifecycleHooks for the ClickHouse container(s) to automate configuration before or after startup
525
##
526
lifecycleHooks: {}
527
## @param extraEnvVars Array with extra environment variables to add to ClickHouse nodes
528
## e.g:
529
## extraEnvVars:
530
## - name: FOO
531
## value: "bar"
532
##
533
extraEnvVars: []
534
## @param extraEnvVarsCM Name of existing ConfigMap containing extra env vars for ClickHouse nodes
535
##
536
extraEnvVarsCM: ""
537
## @param extraEnvVarsSecret Name of existing Secret containing extra env vars for ClickHouse nodes
538
##
539
extraEnvVarsSecret: ""
540
## @param extraVolumes Optionally specify extra list of additional volumes for the ClickHouse pod(s)
541
##
542
extraVolumes: []
543
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the ClickHouse container(s)
544
##
545
extraVolumeMounts: []
546
## @param extraVolumeClaimTemplates Optionally specify extra list of additional volumeClaimTemplates for the ClickHouse container(s)
547
##
548
extraVolumeClaimTemplates: []
549
## @param sidecars Add additional sidecar containers to the ClickHouse pod(s)
550
## e.g:
551
## sidecars:
552
## - name: your-image-name
553
## image: your-image
554
## imagePullPolicy: Always
555
## ports:
556
## - name: portname
557
## containerPort: 1234
558
##
559
sidecars: []
560
## @param initContainers Add additional init containers to the ClickHouse pod(s)
561
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
562
## e.g:
563
## initContainers:
564
## - name: your-image-name
565
## image: your-image
566
## imagePullPolicy: Always
567
## command: ['sh', '-c', 'echo "hello world"']
568
##
569
initContainers: []
570
## Pod Disruption Budget configuration
571
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
572
## @param pdb.create Enable/disable a Pod Disruption Budget creation
573
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
574
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
575
##
576
pdb:
577
create: true
578
minAvailable: ""
579
maxUnavailable: ""
580
## ClickHouse Autoscaling configuration
581
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
582
##
583
autoscaling:
584
vpa:
585
## @param autoscaling.vpa.enabled Enable VPA
586
##
587
enabled: false
588
## @param autoscaling.vpa.annotations Annotations for VPA resource
589
##
590
annotations: {}
591
## @param autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
592
##
593
controlledResources: []
594
## @param autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
595
## cpu: 200m
596
## memory: 100Mi
597
maxAllowed: {}
598
## @param autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
599
## cpu: 200m
600
## memory: 100Mi
601
minAllowed: {}
602
updatePolicy:
603
## @param autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
604
## Possible values are "Off", "Initial", "Recreate", and "Auto".
605
##
606
updateMode: Auto
607
## @section ClickHouse Traffic Exposure parameters
608
609
## ClickHouse service parameters
610
##
611
service:
612
## @param service.type ClickHouse service type
613
##
614
type: ClusterIP
615
## @param service.perReplicaAccess Enable per-replica service creation
616
## This is useful for exposing individual replicas externally via LoadBalancer or NodePort
617
##
618
perReplicaAccess: false
619
## @param service.ports.http ClickHouse service HTTP port
620
## @param service.ports.https ClickHouse service HTTPS port
621
## @param service.ports.tcp ClickHouse service TCP port
622
## @param service.ports.tcpSecure ClickHouse service TCP (secure) port
623
## @param service.ports.mysql ClickHouse service MySQL port
624
## @param service.ports.postgresql ClickHouse service PostgreSQL port
625
## @param service.ports.interserver ClickHouse service Interserver port
626
## @param service.ports.metrics ClickHouse service metrics port
627
##
628
ports:
629
http: 8123
630
https: 443
631
tcp: 9000
632
tcpSecure: 9440
633
mysql: 9004
634
postgresql: 9005
635
interserver: 9009
636
metrics: 8001
637
## Node ports to expose
638
## @param service.nodePorts.http Node port for HTTP
639
## @param service.nodePorts.https Node port for HTTPS
640
## @param service.nodePorts.tcp Node port for TCP
641
## @param service.nodePorts.tcpSecure Node port for TCP (with TLS)
642
## @param service.nodePorts.mysql Node port for MySQL
643
## @param service.nodePorts.postgresql Node port for PostgreSQL
644
## @param service.nodePorts.interserver Node port for Interserver
645
## @param service.nodePorts.metrics Node port for metrics
646
## NOTE: choose port between <30000-32767>
647
##
648
nodePorts:
649
http: ""
650
https: ""
651
tcp: ""
652
tcpSecure: ""
653
mysql: ""
654
postgresql: ""
655
interserver: ""
656
metrics: ""
657
## @param service.clusterIP ClickHouse service Cluster IP
658
## e.g.:
659
## clusterIP: None
660
##
661
clusterIP: ""
662
## @param service.loadBalancerIP ClickHouse service Load Balancer IP (only if per-replica access is disabled)
663
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
664
##
665
loadBalancerIP: ""
666
## @param service.loadBalancerIPs Array of ClickHouse service Load Balancer IPs (only if per-replica access is enabled). Length must be the same as shards multiplied by replicaCount
667
## e.g:
668
## loadBalancerIPs:
669
## - X.X.X.X
670
## - Y.Y.Y.Y
671
##
672
loadBalancerIPs: []
673
## @param service.loadBalancerAnnotations Array of ClickHouse service Load Balancer annotations (only if per-replica access is enabled). Length must be the same as shards multiplied by replicaCount
674
## e.g:
675
## loadBalancerAnnotations:
676
## - external-dns.alpha.kubernetes.io/hostname: 1.external.example.com.
677
## - external-dns.alpha.kubernetes.io/hostname: 2.external.example.com.
678
##
679
loadBalancerAnnotations: []
680
## @param service.loadBalancerSourceRanges ClickHouse service Load Balancer sources
681
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
682
## e.g:
683
## loadBalancerSourceRanges:
684
## - 10.10.10.0/24
685
##
686
loadBalancerSourceRanges: []
687
## @param service.externalTrafficPolicy ClickHouse service external traffic policy
688
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
689
##
690
externalTrafficPolicy: Cluster
691
## @param service.annotations Additional custom annotations for ClickHouse service
692
##
693
annotations: {}
694
## @param service.extraPorts Extra ports to expose in ClickHouse service (normally used with the `sidecars` value)
695
##
696
extraPorts: []
697
## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
698
## Values: ClientIP or None
699
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
700
##
701
sessionAffinity: None
702
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
703
## sessionAffinityConfig:
704
## clientIP:
705
## timeoutSeconds: 300
706
##
707
sessionAffinityConfig: {}
708
## Headless service properties
709
##
710
headless:
711
## @param service.headless.annotations Annotations for the headless service.
712
##
713
annotations: {}
714
## @param service.headless.extraPorts Optionally specify extra ports to expose for the headless service.
715
##
716
extraPorts: []
717
## ClickHouse Ingress parameters
718
## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
719
##
720
ingress:
721
## @param ingress.enabled Enable ingress record generation for ClickHouse
722
##
723
enabled: false
724
## @param ingress.pathType Ingress path type
725
##
726
pathType: ImplementationSpecific
727
## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
728
##
729
apiVersion: ""
730
## @param ingress.hostname Default host for the ingress record
731
##
732
hostname: clickhouse.local
733
## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
734
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
735
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
736
##
737
ingressClassName: ""
738
## @param ingress.path Default path for the ingress record
739
## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
740
##
741
path: /
742
## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
743
## Use this parameter to set the required annotations for cert-manager, see
744
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
745
## e.g:
746
## annotations:
747
## kubernetes.io/ingress.class: nginx
748
## cert-manager.io/cluster-issuer: cluster-issuer-name
749
##
750
annotations: {}
751
## @param ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
752
## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
753
## You can:
754
## - Use the `ingress.secrets` parameter to create this TLS secret
755
## - Rely on cert-manager to create it by setting the corresponding annotations
756
## - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
757
##
758
tls: false
759
## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
760
##
761
selfSigned: false
762
## @param ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
763
## e.g:
764
## extraHosts:
765
## - name: clickhouse.local
766
## path: /
767
##
768
extraHosts: []
769
## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
770
## e.g:
771
## extraPaths:
772
## - path: /*
773
## backend:
774
## serviceName: ssl-redirect
775
## servicePort: use-annotation
776
##
777
extraPaths: []
778
## @param ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
779
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
780
## e.g:
781
## extraTls:
782
## - hosts:
783
## - clickhouse.local
784
## secretName: clickhouse.local-tls
785
##
786
extraTls: []
787
## @param ingress.secrets Custom TLS certificates as secrets
788
## NOTE: 'key' and 'certificate' are expected in PEM format
789
## NOTE: 'name' should line up with a 'secretName' set further up
790
## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
791
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
792
## It is also possible to create and manage the certificates outside of this helm chart
793
## Please see README.md for more information
794
## e.g:
795
## secrets:
796
## - name: clickhouse.local-tls
797
## key: |-
798
## -----BEGIN RSA PRIVATE KEY-----
799
## ...
800
## -----END RSA PRIVATE KEY-----
801
## certificate: |-
802
## -----BEGIN CERTIFICATE-----
803
## ...
804
## -----END CERTIFICATE-----
805
##
806
secrets: []
807
## @param ingress.extraRules Additional rules to be covered with this ingress record
808
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
809
## e.g:
810
## extraRules:
811
## - host: example.local
812
## http:
813
## path: /
814
## backend:
815
## service:
816
## name: example-svc
817
## port:
818
## name: http
819
##
820
extraRules: []
821
## ClickHouse Network Policies
822
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
823
##
824
networkPolicy:
825
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
826
##
827
enabled: true
828
## @param networkPolicy.allowExternal Don't require client label for connections
829
## The Policy model to apply. When set to false, only pods with the correct
830
## client label will have network access to the ports ClickHouse is listening
831
## on. When true, ClickHouse will accept connections from any source
832
## (with the correct destination port).
833
##
834
allowExternal: true
835
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
836
##
837
allowExternalEgress: true
838
## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
839
##
840
addExternalClientAccess: true
841
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
842
## e.g:
843
## extraIngress:
844
## - ports:
845
## - port: 1234
846
## from:
847
## - podSelector:
848
## - matchLabels:
849
## - role: frontend
850
## - podSelector:
851
## - matchExpressions:
852
## - key: role
853
## operator: In
854
## values:
855
## - frontend
856
extraIngress: []
857
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
858
## e.g:
859
## extraEgress:
860
## - ports:
861
## - port: 1234
862
## to:
863
## - podSelector:
864
## - matchLabels:
865
## - role: frontend
866
## - podSelector:
867
## - matchExpressions:
868
## - key: role
869
## operator: In
870
## values:
871
## - frontend
872
##
873
extraEgress: []
874
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
875
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
876
##
877
ingressNSMatchLabels: {}
878
ingressNSPodMatchLabels: {}
879
## @section ClickHouse Persistence parameters
880
881
## persistentVolumeClaimRetentionPolicy
882
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
883
## @param persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet
884
## @param persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
885
## @param persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
886
##
887
persistentVolumeClaimRetentionPolicy:
888
enabled: false
889
whenScaled: Retain
890
whenDeleted: Retain
891
## Enable persistence using Persistent Volume Claims
892
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
893
##
894
persistence:
895
## @param persistence.enabled Enable persistence using Persistent Volume Claims
896
##
897
enabled: true
898
## @param persistence.volumeName Name to assign the volume
899
##
900
volumeName: data
901
## @param persistence.existingClaim Name of an existing PVC to use
902
##
903
existingClaim: ""
904
## @param persistence.storageClass Storage class of backing PVC
905
## If defined, storageClassName: <storageClass>
906
## If set to "-", storageClassName: "", which disables dynamic provisioning
907
## If undefined (the default) or set to null, no storageClassName spec is
908
## set, choosing the default provisioner. (gp2 on AWS, standard on
909
## GKE, AWS & OpenStack)
910
##
911
storageClass: ""
912
## @param persistence.labels Persistent Volume Claim labels
913
##
914
labels: {}
915
## @param persistence.annotations Persistent Volume Claim annotations
916
##
917
annotations: {}
918
## @param persistence.accessModes Persistent Volume Access Modes
919
##
920
accessModes:
921
- ReadWriteOnce
922
## @param persistence.size Size of data volume
923
##
924
size: 8Gi
925
## @param persistence.selector Selector to match an existing Persistent Volume for ClickHouse data PVC
926
## If set, the PVC can't have a PV dynamically provisioned for it
927
## E.g.
928
## selector:
929
## matchLabels:
930
## app: my-app
931
##
932
selector: {}
933
## @param persistence.dataSource Custom PVC data source
934
##
935
dataSource: {}
936
## @param persistence.mountPath Mount path of the ClickHouse data volume
937
##
938
mountPath: /iamguarded/clickhouse
939
## @section ClickHouse Keeper parameters
940
keeper:
941
## @param keeper.enabled Deploy ClickHouse Keeper to provide coordination capabilities
942
##
943
enabled: true
944
## Iamguarded ClickHouse Keeper image
945
## @param keeper.image.registry [default: REGISTRY_NAME] ClickHouse Keeper image registry
946
## @param keeper.image.repository [default: REPOSITORY_NAME/clickhouse-keeper] ClickHouse Keeper image repository
947
## @skip keeper.image.tag ClickHouse Keeper image tag (immutable tags are recommended)
948
## @param keeper.image.digest ClickHouse Keeper image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)
949
## @param keeper.image.pullPolicy ClickHouse Keeper image pull policy
950
## @param keeper.image.pullSecrets ClickHouse Keeper image pull secrets
951
## @param keeper.image.debug Enable ClickHouse image debug mode
952
##
953
image:
954
registry: cgr.dev
955
repository: chainguard-private/clickhouse-keeper-iamguarded
956
tag: 26.1.4
957
digest: ""
958
## Specify a imagePullPolicy
959
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
960
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
961
##
962
pullPolicy: IfNotPresent
963
## Optionally specify an array of imagePullSecrets.
964
## Secrets must be manually created in the namespace.
965
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
966
## e.g:
967
## pullSecrets:
968
## - myRegistryKeySecretName
969
##
970
pullSecrets: []
971
## Set to true if you would like to see extra information on logs
972
##
973
debug: false
974
## @param keeper.replicaCount Number of ClickHouse Keeper replicas to deploy
975
##
976
replicaCount: 3
977
## @param keeper.configuration Specify content for ClickHouse Keeper configuration (basic one auto-generated based on other values otherwise)
978
##
979
configuration: {}
980
## @param keeper.existingConfigmap The name of an existing ConfigMap with your custom configuration for ClickHouse Keeper
981
##
982
existingConfigmap: ""
983
## @param keeper.configdFiles Extra configuration files to be mounted at keeper_config.d
984
## ref: https://clickhouse.com/docs/operations/configuration-files
985
##
986
configdFiles: {}
987
## @param keeper.existingConfigdConfigmap The name of an existing ConfigMap with extra configuration files for ClickHouse Keeper
988
##
989
existingConfigdConfigmap: ""
990
## @param keeper.usersdFiles Extra users configuration files to be mounted at users.d
991
## ref: https://clickhouse.com/docs/operations/configuration-files#user-settings
992
##
993
usersdFiles: {}
994
## @param keeper.existingUsersdConfigmap The name of an existing ConfigMap with extra users configuration files for ClickHouse Keeper
995
##
996
existingUsersdConfigmap: ""
997
## @param keeper.existingUsersdSecret The name of an existing Secret with extra users configuration files for ClickHouse Keeper
998
##
999
existingUsersdSecret: ""
1000
## @param keeper.containerPorts.tcp ClickHouse Keeper TCP container port
1001
## @param keeper.containerPorts.tcpSecure ClickHouse TCP (secure) container port
1002
## @param keeper.containerPorts.raft ClickHouse Keeper Raft container port
1003
##
1004
containerPorts:
1005
tcp: 9181
1006
tcpSecure: 9281
1007
raft: 9234
1008
## @param keeper.extraContainerPorts ClickHouse Keeper extra containerPorts
1009
##
1010
extraContainerPorts: []
1011
## Configure extra options for ClickHouse Keeper containers' liveness and readiness probes
1012
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
1013
## @param keeper.livenessProbe.enabled Enable livenessProbe on ClickHouse Keeper containers
1014
## @param keeper.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
1015
## @param keeper.livenessProbe.periodSeconds Period seconds for livenessProbe
1016
## @param keeper.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
1017
## @param keeper.livenessProbe.failureThreshold Failure threshold for livenessProbe
1018
## @param keeper.livenessProbe.successThreshold Success threshold for livenessProbe
1019
##
1020
livenessProbe:
1021
enabled: true
1022
failureThreshold: 3
1023
initialDelaySeconds: 10
1024
periodSeconds: 10
1025
successThreshold: 1
1026
timeoutSeconds: 1
1027
## @param keeper.readinessProbe.enabled Enable readinessProbe on ClickHouse Keeper containers
1028
## @param keeper.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
1029
## @param keeper.readinessProbe.periodSeconds Period seconds for readinessProbe
1030
## @param keeper.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
1031
## @param keeper.readinessProbe.failureThreshold Failure threshold for readinessProbe
1032
## @param keeper.readinessProbe.successThreshold Success threshold for readinessProbe
1033
##
1034
readinessProbe:
1035
enabled: true
1036
failureThreshold: 3
1037
initialDelaySeconds: 10
1038
periodSeconds: 10
1039
successThreshold: 1
1040
timeoutSeconds: 1
1041
## @param keeper.startupProbe.enabled Enable startupProbe on ClickHouse Keeper containers
1042
## @param keeper.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
1043
## @param keeper.startupProbe.periodSeconds Period seconds for startupProbe
1044
## @param keeper.startupProbe.timeoutSeconds Timeout seconds for startupProbe
1045
## @param keeper.startupProbe.failureThreshold Failure threshold for startupProbe
1046
## @param keeper.startupProbe.successThreshold Success threshold for startupProbe
1047
##
1048
startupProbe:
1049
enabled: false
1050
failureThreshold: 3
1051
initialDelaySeconds: 10
1052
periodSeconds: 10
1053
successThreshold: 1
1054
timeoutSeconds: 1
1055
## @param keeper.customLivenessProbe Custom livenessProbe that overrides the default one
1056
##
1057
customLivenessProbe: {}
1058
## @param keeper.customReadinessProbe Custom readinessProbe that overrides the default one
1059
##
1060
customReadinessProbe: {}
1061
## @param keeper.customStartupProbe Custom startupProbe that overrides the default one
1062
##
1063
customStartupProbe: {}
1064
## ClickHouse Keeper resource requests and limits
1065
## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
1066
## @param keeper.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if keeper.resources is set (keeper.resources is recommended for production).
1067
##
1068
resourcesPreset: "small"
1069
## @param keeper.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
1070
## Example:
1071
## resources:
1072
## requests:
1073
## cpu: 2
1074
## memory: 512Mi
1075
## limits:
1076
## cpu: 3
1077
## memory: 1024Mi
1078
##
1079
resources: {}
1080
## Configure ClickHouse Keeper pods Security Context
1081
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
1082
## @param keeper.podSecurityContext.enabled Enabled ClickHouse Keeper pods' Security Context
1083
## @param keeper.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
1084
## @param keeper.podSecurityContext.sysctls Set kernel settings using the sysctl interface
1085
## @param keeper.podSecurityContext.supplementalGroups Set filesystem extra groups
1086
## @param keeper.podSecurityContext.fsGroup Set ClickHouse Keeper pod's Security Context fsGroup
1087
##
1088
podSecurityContext:
1089
enabled: true
1090
fsGroupChangePolicy: Always
1091
sysctls: []
1092
supplementalGroups: []
1093
fsGroup: 1001
1094
## Configure ClickHouse Keeper containers (only main one) Security Context
1095
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
1096
## @param keeper.containerSecurityContext.enabled Enabled ClickHouse Keeper containers' Security Context
1097
## @param keeper.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
1098
## @param keeper.containerSecurityContext.runAsUser Set ClickHouse Keeper containers' Security Context runAsUser
1099
## @param keeper.containerSecurityContext.runAsGroup Set ClickHouse Keeper containers' Security Context runAsGroup
1100
## @param keeper.containerSecurityContext.runAsNonRoot Set ClickHouse Keeper containers' Security Context runAsNonRoot
1101
## @param keeper.containerSecurityContext.privileged Set web container's Security Context privileged
1102
## @param keeper.containerSecurityContext.allowPrivilegeEscalation Set web container's Security Context allowPrivilegeEscalation
1103
## @param keeper.containerSecurityContext.readOnlyRootFilesystem Set web container's Security Context readOnlyRootFilesystem
1104
## @param keeper.containerSecurityContext.capabilities.drop List of capabilities to be dropped
1105
## @param keeper.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
1106
##
1107
containerSecurityContext:
1108
enabled: true
1109
seLinuxOptions: {}
1110
runAsUser: 1001
1111
runAsGroup: 1001
1112
runAsNonRoot: true
1113
privileged: false
1114
allowPrivilegeEscalation: false
1115
readOnlyRootFilesystem: true
1116
capabilities:
1117
drop: ["ALL"]
1118
seccompProfile:
1119
type: "RuntimeDefault"
1120
## @param keeper.command Override default container command (useful when using custom images)
1121
##
1122
command: []
1123
## @param keeper.args Override default container args (useful when using custom images)
1124
##
1125
args: []
1126
## @param keeper.extraEnvVars Array with extra environment variables to add to ClickHouse Keeper container(s)
1127
## e.g:
1128
## extraEnvVars:
1129
## - name: FOO
1130
## value: "bar"
1131
##
1132
extraEnvVars: []
1133
## @param keeper.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for ClickHouse Keeper container(s)
1134
##
1135
extraEnvVarsCM: ""
1136
## @param keeper.extraEnvVarsSecret Name of existing Secret containing extra env vars for ClickHouse Keeper container(s)
1137
##
1138
extraEnvVarsSecret: ""
1139
## @param keeper.automountServiceAccountToken Mount Service Account token in pod
1140
##
1141
automountServiceAccountToken: false
1142
## @param keeper.hostAliases ClickHouse Keeper pods host aliases
1143
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
1144
##
1145
hostAliases: []
1146
## @param keeper.podLabels Extra labels for ClickHouse Keeper pods
1147
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
1148
##
1149
podLabels: {}
1150
## @param keeper.podAnnotations Annotations for ClickHouse Keeper pods
1151
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
1152
##
1153
podAnnotations: {}
1154
## @param keeper.podAffinityPreset Pod affinity preset. Ignored if `keeper.affinity` is set. Allowed values: `soft` or `hard`
1155
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
1156
##
1157
podAffinityPreset: ""
1158
## @param keeper.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `keeper.affinity` is set. Allowed values: `soft` or `hard`
1159
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
1160
##
1161
podAntiAffinityPreset: soft
1162
## Node affinity preset
1163
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
1164
## @param keeper.nodeAffinityPreset.key Node label key to match. Ignored if `keeper.affinity` is set.
1165
## @param keeper.nodeAffinityPreset.type Node affinity preset type. Ignored if `keeper.affinity` is set. Allowed values: `soft` or `hard`
1166
## @param keeper.nodeAffinityPreset.values Node label values to match. Ignored if `keeper.affinity` is set.
1167
##
1168
nodeAffinityPreset:
1169
## e.g:
1170
## key: "kubernetes.io/e2e-az-name"
1171
##
1172
key: ""
1173
type: ""
1174
## e.g:
1175
## values:
1176
## - e2e-az1
1177
## - e2e-az2
1178
##
1179
values: []
1180
## @param keeper.affinity Affinity for ClickHouse Keeper pods assignment
1181
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
1182
## NOTE: `keeper.podAffinityPreset`, `keeper.podAntiAffinityPreset`, and `keeper.nodeAffinityPreset` will be ignored when it's set
1183
##
1184
affinity: {}
1185
## @param keeper.nodeSelector Node labels for ClickHouse Keeper pods assignment
1186
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
1187
##
1188
nodeSelector: {}
1189
## @param keeper.tolerations Tolerations for ClickHouse Keeper pods assignment
1190
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
1191
##
1192
tolerations: []
1193
## @param keeper.updateStrategy.type ClickHouse Keeper StatefulSet strategy type
1194
## @param keeper.updateStrategy.rollingUpdate ClickHouse Keeper StatefulSet rolling update configuration parameters
1195
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
1196
##
1197
updateStrategy:
1198
type: RollingUpdate
1199
rollingUpdate: {}
1200
## @param keeper.podManagementPolicy StatefulSet Pod management policy, it needs to be Parallel to be able to complete the cluster join
1201
## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
1202
##
1203
podManagementPolicy: Parallel
1204
## @param keeper.priorityClassName ClickHouse Keeper pods' priorityClassName
1205
##
1206
priorityClassName: ""
1207
## @param keeper.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
1208
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
1209
##
1210
topologySpreadConstraints: []
1211
## @param keeper.schedulerName Name of the k8s scheduler (other than default) for ClickHouse pods
1212
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
1213
##
1214
schedulerName: ""
1215
## @param keeper.terminationGracePeriodSeconds Seconds Redmine pod needs to terminate gracefully
1216
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
1217
##
1218
terminationGracePeriodSeconds: ""
1219
## @param keeper.lifecycleHooks for the ClickHouse Keeper container(s) to automate configuration before or after startup
1220
##
1221
lifecycleHooks: {}
1222
## @param keeper.extraVolumes Optionally specify extra list of additional volumes for the ClickHouse Keeper pod(s)
1223
##
1224
extraVolumes: []
1225
## @param keeper.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the ClickHouse Keeper container(s)
1226
##
1227
extraVolumeMounts: []
1228
## @param keeper.sidecars Add additional sidecar containers to the ClickHouse Keeper pod(s)
1229
## e.g:
1230
## sidecars:
1231
## - name: your-image-name
1232
## image: your-image
1233
## imagePullPolicy: Always
1234
## ports:
1235
## - name: portname
1236
## containerPort: 1234
1237
##
1238
sidecars: []
1239
## @param keeper.initContainers Add additional init containers to the ClickHouse Keeper pod(s)
1240
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
1241
## e.g:
1242
## initContainers:
1243
## - name: your-image-name
1244
## image: your-image
1245
## imagePullPolicy: Always
1246
## command: ['sh', '-c', 'echo "hello world"']
1247
##
1248
initContainers: []
1249
## ClickHouse Keeper Pod Disruption Budget
1250
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
1251
## @param keeper.pdb.create Deploy a pdb object for the ClickHouse Keeper pods
1252
## @param keeper.pdb.minAvailable Maximum number/percentage of unavailable ClickHouse Keeper replicas
1253
## @param keeper.pdb.maxUnavailable Maximum number/percentage of unavailable ClickHouse Keeper replicas
1254
##
1255
pdb:
1256
create: true
1257
minAvailable: ""
1258
maxUnavailable: ""
1259
## ClickHouse Keeper Autoscaling configuration
1260
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
1261
##
1262
autoscaling:
1263
vpa:
1264
## @param keeper.autoscaling.vpa.enabled Enable VPA
1265
##
1266
enabled: false
1267
## @param keeper.autoscaling.vpa.annotations Annotations for VPA resource
1268
##
1269
annotations: {}
1270
## @param keeper.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
1271
##
1272
controlledResources: []
1273
## @param keeper.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
1274
## cpu: 200m
1275
## memory: 100Mi
1276
maxAllowed: {}
1277
## @param keeper.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
1278
## cpu: 200m
1279
## memory: 100Mi
1280
minAllowed: {}
1281
updatePolicy:
1282
## @param keeper.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
1283
## Possible values are "Off", "Initial", "Recreate", and "Auto".
1284
##
1285
updateMode: Auto
1286
## @section ClickHouse Keeper Traffic Exposure parameters
1287
1288
## ClickHouse Keeper service parameters
1289
##
1290
service:
1291
## @param keeper.service.type ClickHouse Keeper service type
1292
##
1293
type: ClusterIP
1294
## @param keeper.service.ports.tcp ClickHouse Keeper service TCP port
1295
## @param keeper.service.ports.tcpSecure ClickHouse Keeper service TCP (secure) port
1296
## @param keeper.service.ports.raft ClickHouse Keeper service Raft port
1297
##
1298
ports:
1299
tcp: 9181
1300
tcpSecure: 9281
1301
raft: 9234
1302
## Node ports to expose
1303
## @param keeper.service.nodePorts.tcp Node port for ClickHouse Keeper service TCP port
1304
## @param keeper.service.nodePorts.tcpSecure Node port for ClickHouse Keeper service TCP (secure) port
1305
## @param keeper.service.nodePorts.raft Node port for ClickHouse Keeper service Raft port
1306
## NOTE: choose port between <30000-32767>
1307
##
1308
nodePorts:
1309
tcp: ""
1310
tcpSecure: ""
1311
raft: ""
1312
## @param keeper.service.clusterIP ClickHouse Keeper service Cluster IP
1313
## e.g.:
1314
## clusterIP: None
1315
##
1316
clusterIP: ""
1317
## @param keeper.service.loadBalancerIP ClickHouse Keeper service Load Balancer IP
1318
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
1319
##
1320
loadBalancerIP: ""
1321
## @param keeper.service.loadBalancerSourceRanges ClickHouse Keeper service Load Balancer sources
1322
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
1323
## e.g:
1324
## loadBalancerSourceRanges:
1325
## - 10.10.10.0/24
1326
##
1327
loadBalancerSourceRanges: []
1328
## @param keeper.service.externalTrafficPolicy ClickHouse Keeper service external traffic policy
1329
## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
1330
##
1331
externalTrafficPolicy: Cluster
1332
## @param keeper.service.annotations Additional custom annotations for ClickHouse Keeper service
1333
##
1334
annotations: {}
1335
## @param keeper.service.extraPorts Extra ports to expose in ClickHouse Keeper service (normally used with the `sidecars` value)
1336
##
1337
extraPorts: []
1338
## @param keeper.service.sessionAffinity Control where client requests go, to the same pod or round-robin
1339
## Values: ClientIP or None
1340
## ref: https://kubernetes.io/docs/concepts/services-networking/service/
1341
##
1342
sessionAffinity: None
1343
## @param keeper.service.sessionAffinityConfig Additional settings for the sessionAffinity
1344
## sessionAffinityConfig:
1345
## clientIP:
1346
## timeoutSeconds: 300
1347
##
1348
sessionAffinityConfig: {}
1349
## Headless service properties
1350
##
1351
headless:
1352
## @param keeper.service.headless.annotations Annotations for the headless service.
1353
##
1354
annotations: {}
1355
## @param keeper.service.headless.extraPorts Optionally specify extra ports to expose for the headless service.
1356
##
1357
extraPorts: []
1358
## ClickHouse Keeper Network Policies
1359
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
1360
##
1361
networkPolicy:
1362
## @param keeper.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
1363
##
1364
enabled: true
1365
## @param keeper.networkPolicy.allowExternal Don't require client label for connections
1366
## The Policy model to apply. When set to false, only pods with the correct
1367
## client label will have network access to the ports ClickHouse Keeper is listening
1368
## on. When true, ClickHouse Keeper will accept connections from any source
1369
## (with the correct destination port).
1370
##
1371
allowExternal: true
1372
## @param keeper.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
1373
##
1374
allowExternalEgress: true
1375
## @param keeper.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `keeper.networkPolicy.allowExternal` is true.
1376
##
1377
addExternalClientAccess: true
1378
## @param keeper.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
1379
## e.g:
1380
## extraIngress:
1381
## - ports:
1382
## - port: 1234
1383
## from:
1384
## - podSelector:
1385
## - matchLabels:
1386
## - role: frontend
1387
## - podSelector:
1388
## - matchExpressions:
1389
## - key: role
1390
## operator: In
1391
## values:
1392
## - frontend
1393
extraIngress: []
1394
## @param keeper.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
1395
## e.g:
1396
## extraEgress:
1397
## - ports:
1398
## - port: 1234
1399
## to:
1400
## - podSelector:
1401
## - matchLabels:
1402
## - role: frontend
1403
## - podSelector:
1404
## - matchExpressions:
1405
## - key: role
1406
## operator: In
1407
## values:
1408
## - frontend
1409
##
1410
extraEgress: []
1411
## @param keeper.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
1412
## @param keeper.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
1413
##
1414
ingressNSMatchLabels: {}
1415
ingressNSPodMatchLabels: {}
1416
## @section ClickHouse Keeper Persistence parameters
1417
1418
## persistentVolumeClaimRetentionPolicy
1419
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
1420
## @param keeper.persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet
1421
## @param keeper.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
1422
## @param keeper.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
1423
##
1424
persistentVolumeClaimRetentionPolicy:
1425
enabled: false
1426
whenScaled: Retain
1427
whenDeleted: Retain
1428
## Enable persistence using Persistent Volume Claims
1429
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
1430
##
1431
persistence:
1432
## @param keeper.persistence.enabled Enable ClickHouse Keeper data persistence using PVC
1433
##
1434
enabled: true
1435
## @param keeper.persistence.existingClaim A manually managed Persistent Volume and Claim
1436
## If defined, PVC must be created manually before volume will be bound
1437
## The value is evaluated as a template
1438
##
1439
existingClaim: ""
1440
## @param keeper.persistence.storageClass PVC Storage Class for ClickHouse Keeper data volume
1441
## If defined, storageClassName: <storageClass>
1442
## If set to "-", storageClassName: "", which disables dynamic provisioning
1443
## If undefined (the default) or set to null, no storageClassName spec is
1444
## set, choosing the default provisioner.
1445
##
1446
storageClass: ""
1447
## @param keeper.persistence.accessModes Persistent Volume Access Modes
1448
##
1449
accessModes:
1450
- ReadWriteOnce
1451
## @param keeper.persistence.size PVC Storage Request for ClickHouse Keeper data volume
1452
##
1453
size: 8Gi
1454
## @param keeper.persistence.annotations Annotations for the PVC
1455
##
1456
annotations: {}
1457
## @param keeper.persistence.labels Labels for the PVC
1458
##
1459
labels: {}
1460
## @param keeper.persistence.selector Selector to match an existing Persistent Volume for ClickHouse Keeper data PVC. If set, the PVC can't have a PV dynamically provisioned for it
1461
## selector:
1462
## matchLabels:
1463
## app: my-app
1464
##
1465
selector: {}
1466
## @param keeper.persistence.dataSource Custom PVC data source
1467
##
1468
dataSource: {}
1469
## @param keeper.persistence.mountPath Mount path of the ClickHouse Keeper data volume
1470
##
1471
mountPath: /iamguarded/clickhouse-keeper
1472
## @section Other Parameters
1473
1474
## ServiceAccount configuration
1475
##
1476
serviceAccount:
1477
## @param serviceAccount.create Specifies whether a ServiceAccount should be created
1478
##
1479
create: true
1480
## @param serviceAccount.name The name of the ServiceAccount to use.
1481
## If not set and create is true, a name is generated using the common.names.fullname template
1482
##
1483
name: ""
1484
## @param serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
1485
##
1486
annotations: {}
1487
## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
1488
##
1489
automountServiceAccountToken: false
1490
## @section Prometheus metrics parameters
1491
metrics:
1492
## @param metrics.enabled Enable the export of Prometheus metrics
1493
##
1494
enabled: false
1495
## @param metrics.podAnnotations Pod annotations for enabling Prometheus to access the metrics endpoint
1496
##
1497
podAnnotations: {}
1498
## Prometheus Operator ServiceMonitor configuration
1499
##
1500
serviceMonitor:
1501
## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
1502
##
1503
enabled: false
1504
## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
1505
##
1506
namespace: ""
1507
## @param metrics.serviceMonitor.annotations Additional custom annotations for the ServiceMonitor
1508
##
1509
annotations: {}
1510
## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
1511
##
1512
labels: {}
1513
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in Prometheus
1514
##
1515
jobLabel: ""
1516
## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
1517
##
1518
honorLabels: false
1519
## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
1520
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
1521
## e.g:
1522
## interval: 10s
1523
##
1524
interval: ""
1525
## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
1526
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
1527
## e.g:
1528
## scrapeTimeout: 10s
1529
##
1530
scrapeTimeout: ""
1531
## @param metrics.serviceMonitor.metricRelabelings Specify additional relabeling of metrics
1532
##
1533
metricRelabelings: []
1534
## @param metrics.serviceMonitor.relabelings Specify general relabeling
1535
##
1536
relabelings: []
1537
## @param metrics.serviceMonitor.selector Prometheus instance selector labels
1538
## selector:
1539
## prometheus: my-prometheus
1540
##
1541
selector: {}
1542
## Prometheus Operator PrometheusRule configuration
1543
##
1544
prometheusRule:
1545
## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator
1546
##
1547
enabled: false
1548
## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
1549
##
1550
namespace: ""
1551
## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
1552
##
1553
additionalLabels: {}
1554
## @param metrics.prometheusRule.rules PrometheusRule definitions
1555
## - alert: ClickHouseServerRestart
1556
## annotations:
1557
## message: ClickHouse server started recently
1558
## expr: ClickHouseAsyncMetrics_Uptime > 1 < 180
1559
## for: 5m
1560
## labels:
1561
## severity: warning
1562
rules: []
1563
## @section External ClickHouse Keeper / Zookeeper parameters
1564
##
1565
externalZookeeper:
1566
## @param externalZookeeper.servers List of external ClickHouse Keeper / Zookeeper servers to use
1567
## @param externalZookeeper.port Port of the ClickHouse Keeper / Zookeeper servers
1568
##
1569
servers: []
1570
port: 2888
1571
The trusted source for open source
Talk to an expertCustomers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.