kafka

Helm chart
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param apiVersions Override Kubernetes API versions reported by .Capabilities
##
apiVersions: []
## @param nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param clusterDomain Default Kubernetes cluster domain
##
clusterDomain: cluster.local
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Diagnostic mode
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
## @param diagnosticMode.command Command to override all containers in the chart release
## @param diagnosticMode.args Args to override all containers in the chart release
##
diagnosticMode:
  enabled: false
  command:
    - sleep
  args:
    - infinity
## @param serviceBindings.enabled Create secret for service binding (Experimental)
## Ref: https://servicebinding.io/service-provider/
##
serviceBindings:
  enabled: false
## @section Kafka common parameters

## Iamguarded Kafka image version
## @param image.registry [default: REGISTRY_NAME] Kafka image registry
## @param image.repository [default: REPOSITORY_NAME/kafka] Kafka image repository
## @skip image.tag Kafka image tag (immutable tags are recommended)
## @param image.digest Kafka image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Kafka image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Specify if debug values should be set
##
image:
  registry: cgr.dev
  repository: chainguard-private/kafka-iamguarded
  tag: 4.2.0
  digest: ""
  ## Specify a imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## e.g:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Set to true if you would like to see extra information on logs
  ##
  debug: false
## @param clusterId Kafka Kraft cluster ID (ignored if existingKraftSecret is set). A random cluster ID will be generated the 1st time Kraft is initialized if not set.
## NOTE: Already initialized Kafka nodes will use cluster ID stored in their persisted storage.
## If reusing existing PVCs, make sure the cluster ID is set matching the stored cluster ID, otherwise new nodes will fail to join the cluster.
## In case the cluster ID stored in the secret does not match the value stored in /iamguarded/kafka/data/meta.properties, remove the secret and upgrade the chart setting the correct value.
##
clusterId: ""
## @param existingKraftSecret Name of the secret containing the Kafka KRaft Cluster ID and one directory ID per controller replica
##
existingKraftSecret: ""
## @param kraftVersion Kraft version to be used. It determines whether static quorum (kraftVersion=0) or dynamic quorum (kraftVersion=1) will be used.
## NOTE: Kafka 4.0 does not yet support switching kraft version. This setting was added for backward-compatibility with 3.x clusters.
## Ref: https://kafka.apache.org/documentation/#static_versus_dynamic_kraft_quorums
##
kraftVersion: 1
## @param config Specify content for Kafka configuration (auto-generated based on other parameters otherwise)
## NOTE: This will override the configuration based on values, please act carefully
## Use simple key-value YAML format, then it's transformed to properties format by the chart. e.g:
##   process.roles: broker
## ... will be transformed to:
##   process.roles=broker
##
config: {}
## @param overrideConfiguration Kafka common configuration override. Values defined here take precedence over the ones defined at `config`
##
overrideConfiguration: {}
## @param existingConfigmap Name of an existing ConfigMap with the Kafka configuration
##
existingConfigmap: ""
## @param secretConfig Additional configuration to be appended at the end of the generated Kafka configuration (store in a secret)
##
secretConfig: ""
## @param existingSecretConfig Secret with additional configuration that will be appended to the end of the generated Kafka configuration
## The key for the configuration should be: server-secret.properties
## NOTE: This will override secretConfig value
##
existingSecretConfig: ""
## @param log4j2 Specify content for Kafka log4j2 configuration (default one is used otherwise)
## ref: https://github.com/apache/kafka/blob/trunk/config/log4j2.yaml
##
log4j2: ""
## @param existingLog4j2ConfigMap The name of an existing ConfigMap containing the log4j2.yaml file
##
existingLog4j2ConfigMap: ""
## @param heapOpts Kafka Java Heap configuration
##
heapOpts: -XX:InitialRAMPercentage=75 -XX:MaxRAMPercentage=75
## @param brokerRackAwareness.enabled Enable Kafka Rack Awareness
## @param brokerRackAwareness.cloudProvider Cloud provider to use to set Broker Rack Awareness. Allowed values: `aws-az`, `azure`
## @param brokerRackAwareness.azureApiVersion Metadata API version to use when brokerRackAwareness.cloudProvider is set to `azure`
## ref: https://cwiki.apache.org/confluence/display/KAFKA/KIP-392%3A+Allow+consumers+to+fetch+from+closest+replica
##
brokerRackAwareness:
  enabled: false
  cloudProvider: ""
  azureApiVersion: "2023-11-15"
## @param interBrokerProtocolVersion Override the setting 'inter.broker.protocol.version' during the ZK migration.
## Ref. https://docs.confluent.io/platform/current/installation/migrate-zk-kraft.html
##
interBrokerProtocolVersion: ""
## Kafka listeners configuration
##
listeners:
  ## @param listeners.client.name Name for the Kafka client listener
  ## @param listeners.client.containerPort Port for the Kafka client listener
  ## @param listeners.client.protocol Security protocol for the Kafka client listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL'
  ## @param listeners.client.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required'
  client:
    containerPort: 9092
    protocol: SASL_PLAINTEXT
    name: CLIENT
    sslClientAuth: ""
  ## @param listeners.controller.name Name for the Kafka controller listener
  ## @param listeners.controller.containerPort Port for the Kafka controller listener
  ## @param listeners.controller.protocol Security protocol for the Kafka controller listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL'
  ## @param listeners.controller.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required'
  ## Ref: https://cwiki.apache.org/confluence/display/KAFKA/KIP-684+-+Support+mutual+TLS+authentication+on+SASL_SSL+listeners
  controller:
    name: CONTROLLER
    containerPort: 9093
    protocol: SASL_PLAINTEXT
    sslClientAuth: ""
  ## @param listeners.interbroker.name Name for the Kafka inter-broker listener
  ## @param listeners.interbroker.containerPort Port for the Kafka inter-broker listener
  ## @param listeners.interbroker.protocol Security protocol for the Kafka inter-broker listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL'
  ## @param listeners.interbroker.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.authType for this listener. Allowed values are 'none', 'requested' and 'required'
  interbroker:
    containerPort: 9094
    protocol: SASL_PLAINTEXT
    name: INTERNAL
    sslClientAuth: ""
  ## @param listeners.external.containerPort Port for the Kafka external listener
  ## @param listeners.external.protocol Security protocol for the Kafka external listener. Allowed values are 'PLAINTEXT', 'SASL_PLAINTEXT', 'SASL_SSL' and 'SSL'
  ## @param listeners.external.name Name for the Kafka external listener
  ## @param listeners.external.sslClientAuth Optional. If SASL_SSL is enabled, configure mTLS TLS authentication type. If SSL protocol is enabled, overrides tls.sslClientAuth for this listener. Allowed values are 'none', 'requested' and 'required'
  external:
    containerPort: 9095
    protocol: SASL_PLAINTEXT
    name: EXTERNAL
    sslClientAuth: ""
  ## @param listeners.extraListeners Array of listener objects to be appended to already existing listeners
  ## E.g.
  ## extraListeners:
  ##  - name: CUSTOM
  ##    containerPort: 9097
  ##    protocol: SASL_PLAINTEXT
  ##    sslClientAuth: ""
  ##
  extraListeners: []
  ## NOTE: If set, below values will override configuration set using the above values (extraListeners.*, controller.*, interbroker.*, client.* and external.*)
  ## @param listeners.overrideListeners Overrides the Kafka 'listeners' configuration setting.
  ## @param listeners.advertisedListeners Overrides the Kafka 'advertised.listener' configuration setting.
  ## @param listeners.securityProtocolMap Overrides the Kafka 'security.protocol.map' configuration setting.
  overrideListeners: ""
  advertisedListeners: ""
  securityProtocolMap: ""
## @section Kafka SASL parameters
## Kafka SASL settings for authentication, required if SASL_PLAINTEXT or SASL_SSL listeners are configured
##
sasl:
  ## @param sasl.enabledMechanisms Comma-separated list of allowed SASL mechanisms when SASL listeners are configured. Allowed types: `PLAIN`, `SCRAM-SHA-256`, `SCRAM-SHA-512`, `OAUTHBEARER`
  ## NOTE: At the moment, Kafka Raft mode does not support SCRAM, that is why only PLAIN is configured.
  ##
  enabledMechanisms: PLAIN,SCRAM-SHA-256,SCRAM-SHA-512
  ## @param sasl.interBrokerMechanism SASL mechanism for inter broker communication.
  ##
  interBrokerMechanism: PLAIN
  ## @param sasl.controllerMechanism SASL mechanism for controller communications.
  ##
  controllerMechanism: PLAIN
  ## Settings for OAuthBearer mechanism
  ## @param sasl.oauthbearer.tokenEndpointUrl The URL for the OAuth/OIDC identity provider
  ## @param sasl.oauthbearer.jwksEndpointUrl The OAuth/OIDC provider URL from which the provider's JWKS (JSON Web Key Set) can be retrieved
  ## @param sasl.oauthbearer.expectedAudience The comma-delimited setting for the broker to use to verify that the JWT was issued for one of the expected audiences
  ## @param sasl.oauthbearer.subClaimName The OAuth claim name for the subject.
  ##
  oauthbearer:
    tokenEndpointUrl: ""
    jwksEndpointUrl: ""
    expectedAudience: ""
    subClaimName: "sub"
  ## Credentials for inter-broker communications.
  ## @param sasl.interbroker.user Username for inter-broker communications when SASL is enabled
  ## @param sasl.interbroker.password Password for inter-broker communications when SASL is enabled. If not set and SASL is enabled for the controller listener, a random password will be generated.
  ## @param sasl.interbroker.clientId Client ID for inter-broker communications when SASL is enabled with mechanism OAUTHBEARER
  ## @param sasl.interbroker.clientSecret Client Secret for inter-broker communications when SASL is enabled with mechanism OAUTHBEARER. If not set and SASL is enabled for the controller listener, a random secret will be generated.
  ##
  interbroker:
    user: inter_broker_user
    password: ""
    clientId: inter_broker_client
    clientSecret: ""
  ## Credentials for controller communications.
  ## @param sasl.controller.user Username for controller communications when SASL is enabled
  ## @param sasl.controller.password Password for controller communications when SASL is enabled. If not set and SASL is enabled for the inter-broker listener, a random password will be generated.
  ## @param sasl.controller.clientId Client ID for controller communications when SASL is enabled with mechanism OAUTHBEARER
  ## @param sasl.controller.clientSecret Client Secret for controller communications when SASL is enabled with mechanism OAUTHBEARER. If not set and SASL is enabled for the inter-broker listener, a random secret will be generated.
  ##
  controller:
    user: controller_user
    password: ""
    clientId: controller_broker_client
    clientSecret: ""
  ## Credentials for client communications.
  ## @param sasl.client.users Comma-separated list of usernames for client communications when SASL is enabled
  ## @param sasl.client.passwords Comma-separated list of passwords for client communications when SASL is enabled, must match the number of client.users
  ##
  client:
    users:
      - user1
    passwords: ""
  ## @param sasl.existingSecret Name of the existing secret containing credentials for client.users, interbroker.user and controller.user
  ## Create this secret running the command below where SECRET_NAME is the name of the secret you want to create:
  ##   kubectl create secret generic SECRET_NAME --from-literal=client-passwords=CLIENT_PASSWORD1,CLIENT_PASSWORD2 --from-literal=inter-broker-password=INTER_BROKER_PASSWORD --from-literal=inter-broker-client-secret=INTER_BROKER_CLIENT_SECRET --from-literal=controller-password=CONTROLLER_PASSWORD --from-literal=controller-client-secret=CONTROLLER_CLIENT_SECRET
  ## The client secrets are only required when using OAuthBearer as SASL mechanism.
  ## Client, inter-broker and controller passwords are only required if the SASL mechanism includes something other than OAuthBearer.
  ##
  existingSecret: ""
## @section Kafka TLS parameters
## Kafka TLS settings, required if SSL or SASL_SSL listeners are configured
##
tls:
  ## @param tls.type Format to use for TLS certificates. Allowed types: `JKS` and `PEM`
  ##
  type: JKS
  ## @param tls.pemChainIncluded Flag to denote that the Certificate Authority (CA) certificates are bundled with the endpoint cert.
  ## Certificates must be in proper order, where the top certificate is the leaf and the bottom certificate is the top-most intermediate CA.
  ##
  pemChainIncluded: false
  ## @param tls.autoGenerated.enabled Enable automatic generation of TLS certificates (only supported if `tls.type` is `PEM`)
  ## @param tls.autoGenerated.engine Mechanism to generate the certificates (allowed values: helm, cert-manager)
  ## @param tls.autoGenerated.customAltNames List of additional subject alternative names (SANs) for the automatically generated TLS certificates.
  ## @param tls.autoGenerated.certManager.existingIssuer The name of an existing Issuer to use for generating the certificates (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.existingIssuerKind Existing Issuer kind, defaults to Issuer (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.keyAlgorithm Key algorithm for the certificates (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.keySize Key size for the certificates (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.duration Duration for the certificates (only for `cert-manager` engine)
  ## @param tls.autoGenerated.certManager.renewBefore Renewal period for the certificates (only for `cert-manager` engine)
  ##
  autoGenerated:
    enabled: true
    engine: helm
    customAltNames: []
    certManager:
      existingIssuer: ""
      existingIssuerKind: ""
      keySize: 2048
      keyAlgorithm: RSA
      duration: 2160h
      renewBefore: 360h
  ## @param tls.existingSecret Name of the existing secret containing the TLS certificates for the Kafka nodes.
  ## When using 'jks' format for certificates, each secret should contain a truststore and a keystore.
  ## Create these secrets following the steps below:
  ##   1) Generate your truststore and keystore files. Helpful script: https://raw.githubusercontent.com/confluentinc/confluent-platform-security-tools/master/kafka-generate-ssl.sh
  ##   2) Rename your truststore to `kafka.truststore.jks`.
  ##   3) Rename your keystores to `kafka-<role>-X.keystore.jks` where X is the replica number of the .
  ##   4) Run the command below one time per broker to create its associated secret (SECRET_NAME_X is the name of the secret you want to create):
  ##        kubectl create secret generic SECRET_NAME_0 --from-file=kafka.truststore.jks=./kafka.truststore.jks \
  ##          --from-file=kafka-controller-0.keystore.jks=./kafka-controller-0.keystore.jks --from-file=kafka-broker-0.keystore.jks=./kafka-broker-0.keystore.jks ...
  ##
  ## NOTE: Alternatively, a single keystore can be provided for all nodes under the key 'kafka.keystore.jks', this keystore will be used by all nodes unless overridden by the 'kafka-<role>-X.keystore.jks' file
  ##
  ## When using 'pem' format for certificates, each secret should contain a public CA certificate, a public certificate and one private key.
  ## Create these secrets following the steps below:
  ##   1) Create a certificate key and signing request per Kafka broker, and sign the signing request with your CA
  ##   2) Rename your CA file to `ca.crt`.
  ##   3) Rename your certificates to `kafka-X.tls.crt` where X is the ID of each Kafka broker.
  ##   3) Rename your keys to `kafka-X.tls.key` where X is the ID of each Kafka broker.
  ##   4) Run the command below one time per broker to create its associated secret (SECRET_NAME_X is the name of the secret you want to create):
  ##        kubectl create secret generic SECRET_NAME_0 --from-file=ca.crt=./ca.crt --from-file=kafka-controller-0.crt=./kafka-controller-0.crt --from-file=kafka-controller-0.key=./kafka-controller-0.key \
  ##          --from-file=kafka-broker-0.crt=./kafka-broker-0.crt --from-file=kafka-broker-0.key=./kafka-broker-0.key ...
  ##
  ## NOTE: Alternatively, a single key and certificate can be provided for all nodes under the keys 'tls.crt' and 'tls.key'. These certificates will be used by all nodes unless overridden by the 'kafka-<role>-X.key' and 'kafka-<role>-X.crt' files
  ##
  existingSecret: ""
  ## @param tls.passwordsSecret Name of the secret containing the password to access the JKS files or PEM key when they are password-protected. (`key`: `password`)
  ##
  passwordsSecret: ""
  ## @param tls.passwordsSecretKeystoreKey The secret key from the tls.passwordsSecret containing the password for the Keystore.
  ##
  passwordsSecretKeystoreKey: keystore-password
  ## @param tls.passwordsSecretTruststoreKey The secret key from the tls.passwordsSecret containing the password for the Truststore.
  ##
  passwordsSecretTruststoreKey: truststore-password
  ## @param tls.passwordsSecretPemPasswordKey The secret key from the tls.passwordsSecret containing the password for the PEM key inside 'tls.passwordsSecret'.
  ##
  passwordsSecretPemPasswordKey: ""
  ## @param tls.keystorePassword Password to access the JKS keystore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided.
  ## When using tls.type=PEM, the generated keystore will use this password or randomly generate one.
  ##
  keystorePassword: ""
  ## @param tls.truststorePassword Password to access the JKS truststore when it is password-protected. Ignored when 'tls.passwordsSecret' is provided.
  ## When using tls.type=PEM, the generated keystore will use this password or randomly generate one.
  ##
  truststorePassword: ""
  ## @param tls.keyPassword Password to access the PEM key when it is password-protected.
  ## Note: ignored when using 'tls.passwordsSecret'
  ##
  keyPassword: ""
  ## @param tls.jksKeystoreKey The secret key from the `tls.existingSecret` containing the keystore
  ## Note: ignored when using 'pem' format for certificates.
  ##
  jksKeystoreKey: ""
  ## @param tls.jksTruststoreSecret Name of the existing secret containing your truststore if truststore not existing or different from the one in the `tls.existingSecret`
  ## Note: ignored when using 'pem' format for certificates.
  ##
  jksTruststoreSecret: ""
  ## @param tls.jksTruststoreKey The secret key from the `tls.existingSecret` or `tls.jksTruststoreSecret` containing the truststore
  ## Note: ignored when using 'pem' format for certificates.
  ##
  jksTruststoreKey: ""
  ## @param tls.endpointIdentificationAlgorithm The endpoint identification algorithm to validate server hostname using server certificate
  ## Disable server host name verification by setting it to an empty string.
  ## ref: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings
  ##
  endpointIdentificationAlgorithm: https
  ## @param tls.sslClientAuth Sets the default value for the ssl.client.auth Kafka setting.
  ## ref: https://docs.confluent.io/current/kafka/authentication_ssl.html#optional-settings
  ##
  sslClientAuth: "required"
## @param extraEnvVars Extra environment variables to add to Kafka pods
## e.g:
## extraEnvVars:
##   - name: KAFKA_CFG_BACKGROUND_THREADS
##     value: "10"
##
extraEnvVars: []
## @param extraEnvVarsCM ConfigMap with extra environment variables
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Secret with extra environment variables
##
extraEnvVarsSecret: ""
## @param extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s)
## e.g:
## extraVolumes:
##   - name: kafka-jaas
##     secret:
##       secretName: kafka-jaas
##
extraVolumes: []
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s)
## extraVolumeMounts:
##   - name: kafka-jaas
##     mountPath: /iamguarded/kafka/config/kafka_jaas.conf
##     subPath: kafka_jaas.conf
##
extraVolumeMounts: []
## @param sidecars Add additional sidecar containers to the Kafka pod(s)
## e.g:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
sidecars: []
## @param initContainers Add additional init containers to the Kafka pod(s)
## e.g:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##
initContainers: []
## DNS-Pod services
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## @param dnsPolicy Specifies the DNS policy for the Kafka pods
## DNS policies can be set on a per-Pod basis. Currently Kubernetes supports the following Pod-specific DNS policies.
## Available options: Default, ClusterFirst, ClusterFirstWithHostNet, None
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ""
## @param dnsConfig allows users more control on the DNS settings for a Pod. Required if `dnsPolicy` is set to `None`
## The dnsConfig field is optional and it can work with any dnsPolicy settings.
## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
## E.g.
## dnsConfig:
##   nameservers:
##     - 192.0.2.1 # this is an example
##   searches:
##     - ns1.svc.cluster-domain.example
##     - my.dns.search.suffix
##   options:
##     - name: ndots
##       value: "2"
##     - name: edns0
dnsConfig: {}
## Default init Containers
##
defaultInitContainers:
  ## 'volume-permissions' init container
  ## Used to change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
  ##
  volumePermissions:
    ## @param defaultInitContainers.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
    ##
    enabled: false
    ## @param defaultInitContainers.volumePermissions.image.registry [default: REGISTRY_NAME] "volume-permissions" init-containers' image registry
    ## @param defaultInitContainers.volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] "volume-permissions" init-containers' image repository
    ## @skip defaultInitContainers.volumePermissions.image.tag "volume-permissions" init-containers' image tag (immutable tags are recommended)
    ## @param defaultInitContainers.volumePermissions.image.digest "volume-permissions" init-containers' image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param defaultInitContainers.volumePermissions.image.pullPolicy "volume-permissions" init-containers' image pull policy
    ## @param defaultInitContainers.volumePermissions.image.pullSecrets "volume-permissions" init-containers' image pull secrets
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/os-shell-iamguarded
      tag: 1.0.0
      digest: ""
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets.
      ## Secrets must be manually created in the namespace.
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## Configure "volume-permissions" init-container Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.enabled Enabled "volume-permissions" init-containers' Security Context
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "volume-permissions" init-containers
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.runAsUser Set runAsUser in "volume-permissions" init-containers' Security Context
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.privileged Set privileged in "volume-permissions" init-containers' Security Context
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "volume-permissions" init-containers' Security Context
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.capabilities.add List of capabilities to be added in "volume-permissions" init-containers
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "volume-permissions" init-containers
    ## @param defaultInitContainers.volumePermissions.containerSecurityContext.seccompProfile.type Set seccomp profile in "volume-permissions" init-containers
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 0
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        add: []
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## Kafka "volume-permissions" init container resource requests and limits
    ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param defaultInitContainers.volumePermissions.resourcesPreset Set Kafka "volume-permissions" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.volumePermissions.resources is set (defaultInitContainers.volumePermissions.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param defaultInitContainers.volumePermissions.resources Set Kafka "volume-permissions" init container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## E.g:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
  ## Kafka "prepare-config" init container
  ## Used to prepare the Kafka configuration files for main containers to use them
  ##
  prepareConfig:
    ## Configure "prepare-config" init-container Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.enabled Enabled "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "prepare-config" init-containers
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.runAsUser Set runAsUser in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.runAsGroup Set runAsGroup in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.runAsNonRoot Set runAsNonRoot in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.privileged Set privileged in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "prepare-config" init-containers' Security Context
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.capabilities.add List of capabilities to be added in "prepare-config" init-containers
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "prepare-config" init-containers
    ## @param defaultInitContainers.prepareConfig.containerSecurityContext.seccompProfile.type Set seccomp profile in "prepare-config" init-containers
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        add: []
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## Kafka "prepare-config" init container resource requests and limits
    ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param defaultInitContainers.prepareConfig.resourcesPreset Set Kafka "prepare-config" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.prepareConfig.resources is set (defaultInitContainers.prepareConfig.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param defaultInitContainers.prepareConfig.resources Set Kafka "prepare-config" init container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## E.g:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
    ## @param defaultInitContainers.prepareConfig.extraInit Additional content for the "prepare-config" init script, rendered as a template.
    ##
    extraInit: ""
  ## 'auto-discovery' init container
  ## Used to auto-detect LB IPs or node ports by querying the K8s API
  ## Note: RBAC might be required
  ##
  autoDiscovery:
    ## @param defaultInitContainers.autoDiscovery.enabled Enable init container that auto-detects external IPs/ports by querying the K8s API
    ##
    enabled: false
    ## Iamguarded Kubectl image
    ## @param defaultInitContainers.autoDiscovery.image.registry [default: REGISTRY_NAME] "auto-discovery" init-containers' image registry
    ## @param defaultInitContainers.autoDiscovery.image.repository [default: REPOSITORY_NAME/os-shell] "auto-discovery" init-containers' image repository
    ## @skip defaultInitContainers.autoDiscovery.image.tag "auto-discovery" init-containers' image tag (immutable tags are recommended)
    ## @param defaultInitContainers.autoDiscovery.image.digest "auto-discovery" init-containers' image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param defaultInitContainers.autoDiscovery.image.pullPolicy "auto-discovery" init-containers' image pull policy
    ## @param defaultInitContainers.autoDiscovery.image.pullSecrets "auto-discovery" init-containers' image pull secrets
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/kubectl-iamguarded
      tag: 1.35.3
      digest: ""
      ## Specify an imagePullPolicy
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## e.g:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## Configure "auto-discovery" init-container Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.enabled Enabled "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in "auto-discovery" init-containers
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.runAsUser Set runAsUser in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.runAsGroup Set runAsGroup in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.runAsNonRoot Set runAsNonRoot in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.readOnlyRootFilesystem Set readOnlyRootFilesystem in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.privileged Set privileged in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.allowPrivilegeEscalation Set allowPrivilegeEscalation in "auto-discovery" init-containers' Security Context
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.capabilities.add List of capabilities to be added in "auto-discovery" init-containers
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.capabilities.drop List of capabilities to be dropped in "auto-discovery" init-containers
    ## @param defaultInitContainers.autoDiscovery.containerSecurityContext.seccompProfile.type Set seccomp profile in "auto-discovery" init-containers
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      readOnlyRootFilesystem: true
      privileged: false
      allowPrivilegeEscalation: false
      capabilities:
        add: []
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## Kafka "auto-discovery" init container resource requests and limits
    ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param defaultInitContainers.autoDiscovery.resourcesPreset Set Kafka "auto-discovery" init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if defaultInitContainers.autoDiscovery.resources is set (defaultInitContainers.autoDiscovery.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param defaultInitContainers.autoDiscovery.resources Set Kafka "auto-discovery" init container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## E.g:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
## @section Controller-eligible statefulset parameters
##
controller:
  ## @param controller.replicaCount Number of Kafka controller-eligible nodes
  ##
  replicaCount: 3
  ## @param controller.controllerOnly If set to true, controller nodes will be deployed as dedicated controllers, instead of controller+broker processes.
  ##
  controllerOnly: false
  ## @param controller.quorumBootstrapServers Override the Kafka controller quorum bootstrap servers of the Kafka Kraft cluster. If not set, it will be automatically configured to use all controller-eligible nodes.
  ##
  quorumBootstrapServers: ""
  ## @param controller.minId Minimal node.id values for controller-eligible nodes. Do not change after first initialization.
  ## Broker-only nodes increment their ID starting at this minimal value.
  ## We recommend setting this value high enough, as IDs under this value will be used by controller-eligible nodes
  ##
  minId: 0
  ## @param controller.config Specify content for Kafka configuration for Kafka controller-eligible nodes (auto-generated based on other parameters otherwise)
  ## NOTE: This will override the configuration based on values, please act carefully
  ## Use simple key-value YAML format, then it's transformed to properties format by the chart. e.g:
  ##   process.roles: controller
  ## ... will be transformed to:
  ##   process.roles=controller
  ##
  config: {}
  ## @param controller.overrideConfiguration Kafka configuration override for Kafka controller-eligible nodes. Values defined here take precedence over the ones defined at `controller.config`
  ##
  overrideConfiguration: {}
  ## @param controller.existingConfigmap Name of an existing ConfigMap with the Kafka configuration for Kafka controller-eligible nodes
  ##
  existingConfigmap: ""
  ## @param controller.secretConfig Additional configuration to be appended at the end of the generated Kafka configuration for Kafka controller-eligible nodes (store in a secret)
  ##
  secretConfig: ""
  ## @param controller.existingSecretConfig Secret with additional configuration that will be appended to the end of the generated Kafka configuration for Kafka controller-eligible nodes
  ## The key for the configuration should be: server-secret.properties
  ## NOTE: This will override secretConfig value
  ##
  existingSecretConfig: ""
  ## @param controller.heapOpts Kafka Java Heap configuration for controller-eligible nodes
  ##
  heapOpts: -XX:InitialRAMPercentage=75 -XX:MaxRAMPercentage=75
  ## @param controller.command Override Kafka container command
  ##
  command: []
  ## @param controller.args Override Kafka container arguments
  ##
  args: []
  ## @param controller.extraEnvVars Extra environment variables to add to Kafka pods
  ## e.g:
  ## extraEnvVars:
  ##   - name: KAFKA_CFG_BACKGROUND_THREADS
  ##     value: "10"
  ##
  extraEnvVars: []
  ## @param controller.extraEnvVarsCM ConfigMap with extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param controller.extraEnvVarsSecret Secret with extra environment variables
  ##
  extraEnvVarsSecret: ""
  ## @param controller.extraContainerPorts Kafka controller-eligible extra containerPorts.
  ##
  extraContainerPorts: []
  ## Configure extra options for Kafka containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param controller.livenessProbe.enabled Enable livenessProbe on Kafka containers
  ## @param controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param controller.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param controller.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param controller.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
    periodSeconds: 10
    successThreshold: 1
  ## @param controller.readinessProbe.enabled Enable readinessProbe on Kafka containers
  ## @param controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param controller.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param controller.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param controller.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    failureThreshold: 6
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
  ## @param controller.startupProbe.enabled Enable startupProbe on Kafka containers
  ## @param controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param controller.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param controller.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param controller.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param controller.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param controller.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param controller.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param controller.lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## Kafka resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Kafka pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param controller.podSecurityContext.enabled Enable security context for the pods
  ## @param controller.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param controller.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param controller.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param controller.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup
  ## @param controller.podSecurityContext.seccompProfile.type Set Kafka pods' Security Context seccomp profile
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
  ## Kafka containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param controller.containerSecurityContext.enabled Enable Kafka containers' Security Context
  ## @param controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param controller.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param controller.containerSecurityContext.runAsGroup Set Kafka containers' Security Context runAsGroup
  ## @param controller.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot
  ## @param controller.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged
  ## @param controller.containerSecurityContext.readOnlyRootFilesystem Allows the pod to mount the RootFS as ReadOnly only
  ## @param controller.containerSecurityContext.capabilities.drop Set Kafka containers' server Security Context capabilities to be dropped
  ## e.g:
  ## containerSecurityContext:
  ##   enabled: true
  ##   capabilities:
  ##     drop: ["NET_RAW"]
  ##   readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  ## @param controller.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param controller.hostAliases Kafka pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param controller.hostNetwork Specify if host network should be enabled for Kafka pods
  ##
  hostNetwork: false
  ## @param controller.hostIPC Specify if host IPC should be enabled for Kafka pods
  ##
  hostIPC: false
  ## @param controller.podLabels Extra labels for Kafka pods
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param controller.podAnnotations Extra annotations for Kafka pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param controller.topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used
  ## i.e. topologyKey: topology.kubernetes.io/zone
  ##
  topologyKey: ""
  ## @param controller.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param controller.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param controller.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param controller.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param controller.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param controller.affinity Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param controller.nodeSelector Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param controller.tolerations Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param controller.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param controller.terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
  ##
  terminationGracePeriodSeconds: ""
  ## @param controller.podManagementPolicy StatefulSet controller supports relaxing its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
  ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
  ##
  podManagementPolicy: Parallel
  ## @param controller.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update
  ##
  minReadySeconds: 0
  ## @param controller.priorityClassName Name of the existing priority class to be used by kafka pods
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param controller.runtimeClassName Name of the runtime class to be used by pod(s)
  ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## @param controller.enableServiceLinks Whether information about services should be injected into pod's environment variable
  ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace.
  ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
  ##
  enableServiceLinks: true
  ## @param controller.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param controller.updateStrategy.type Kafka statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param controller.extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s)
  ## e.g:
  ## extraVolumes:
  ##   - name: kafka-jaas
  ##     secret:
  ##       secretName: kafka-jaas
  ##
  extraVolumes: []
  ## @param controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s)
  ## extraVolumeMounts:
  ##   - name: kafka-jaas
  ##     mountPath: /iamguarded/kafka/config/kafka_jaas.conf
  ##     subPath: kafka_jaas.conf
  ##
  extraVolumeMounts: []
  ## @param controller.sidecars Add additional sidecar containers to the Kafka pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param controller.initContainers Add additional init containers to the Kafka pod(s)
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## @section Experimental: Kafka Controller Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param controller.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param controller.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param controller.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param controller.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ## cpu: 200m
      ## memory: 100Mi
      maxAllowed: {}
      ## @param controller.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ## cpu: 200m
      ## memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param controller.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param controller.autoscaling.hpa.enabled Enable HPA for Kafka Controller
      ##
      enabled: false
      ## @param controller.autoscaling.hpa.annotations Annotations for HPA resource
      ##
      annotations: {}
      ## @param controller.autoscaling.hpa.minReplicas Minimum number of Kafka Controller replicas
      ##
      minReplicas: ""
      ## @param controller.autoscaling.hpa.maxReplicas Maximum number of Kafka Controller replicas
      ##
      maxReplicas: ""
      ## @param controller.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param controller.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## Kafka Pod Disruption Budget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  ## @param controller.pdb.create Deploy a pdb object for the Kafka pod
  ## @param controller.pdb.minAvailable Minimum number/percentage of available Kafka replicas
  ## @param controller.pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## persistentVolumeClaimRetentionPolicy
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
  ## @param controller.persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet
  ## @param controller.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
  ## @param controller.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
  ##
  persistentVolumeClaimRetentionPolicy:
    enabled: false
    whenScaled: Retain
    whenDeleted: Retain
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param controller.persistence.enabled Enable Kafka data persistence using PVC
    ##
    enabled: true
    ## @param controller.persistence.existingClaim A manually managed Persistent Volume and Claim
    ## If defined, PVC must be created manually before volume will be bound
    ## The value is evaluated as a template
    ##
    existingClaim: ""
    ## @param controller.persistence.storageClass PVC Storage Class for Kafka data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param controller.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param controller.persistence.size PVC Storage Request for Kafka data volume
    ##
    size: 8Gi
    ## @param controller.persistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param controller.persistence.labels Labels for the PVC
    ##
    labels: {}
    ## @param controller.persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param controller.persistence.mountPath Mount path of the Kafka data volume
    ##
    mountPath: /iamguarded/kafka
  ## Log Persistence parameters
  ##
  logPersistence:
    ## @param controller.logPersistence.enabled Enable Kafka logs persistence using PVC
    ##
    enabled: false
    ## @param controller.logPersistence.existingClaim A manually managed Persistent Volume and Claim
    ## If defined, PVC must be created manually before volume will be bound
    ## The value is evaluated as a template
    ##
    existingClaim: ""
    ## @param controller.logPersistence.storageClass PVC Storage Class for Kafka logs volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param controller.logPersistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param controller.logPersistence.size PVC Storage Request for Kafka logs volume
    ##
    size: 8Gi
    ## @param controller.logPersistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param controller.logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param controller.logPersistence.mountPath Mount path of the Kafka logs volume
    ##
    mountPath: /opt/iamguarded/kafka/logs
1132
## @section Broker-only statefulset parameters
##
broker:
  ## @param broker.replicaCount Number of Kafka broker-only nodes
  ##
  replicaCount: 0
  ## @param broker.minId Minimal node.id values for broker-only nodes. Do not change after first initialization.
  ## Broker-only nodes increment their ID starting at this minimal value.
  ## We recommend setting this value high enough, as IDs under this value will be used by controller-eligible nodes
  ##
  ##
  minId: 100
  ## @param broker.config Specify content for Kafka configuration for Kafka broker-only nodes (auto-generated based on other parameters otherwise)
  ## NOTE: This will override the configuration based on values, please act carefully
  ## Use simple key-value YAML format, then it's transformed to properties format by the chart. e.g:
  ##   process.roles: broker
  ## ... will be transformed to:
  ##   process.roles=broker
  ##
  config: {}
  ## @param broker.overrideConfiguration Kafka configuration override for Kafka broker-only nodes. Values defined here take precedence over the ones defined at `broker.config`
  ##
  overrideConfiguration: {}
  ## @param broker.existingConfigmap Name of an existing ConfigMap with the Kafka configuration for Kafka broker-only nodes
  ##
  existingConfigmap: ""
  ## @param broker.secretConfig Additional configuration to be appended at the end of the generated Kafka configuration for Kafka broker-only nodes (store in a secret)
  ##
  secretConfig: ""
  ## @param broker.existingSecretConfig Secret with additional configuration that will be appended to the end of the generated Kafka configuration for Kafka broker-only nodes
  ## The key for the configuration should be: server-secret.properties
  ## NOTE: This will override secretConfig value
  ##
  existingSecretConfig: ""
  ## @param broker.heapOpts Kafka Java Heap configuration for broker-only nodes
  ##
  heapOpts: -XX:InitialRAMPercentage=75 -XX:MaxRAMPercentage=75
  ## @param broker.command Override Kafka container command
  ##
  command: []
  ## @param broker.args Override Kafka container arguments
  ##
  args: []
  ## @param broker.extraEnvVars Extra environment variables to add to Kafka pods
  ## e.g:
  ## extraEnvVars:
  ##   - name: KAFKA_CFG_BACKGROUND_THREADS
  ##     value: "10"
  ##
  extraEnvVars: []
  ## @param broker.extraEnvVarsCM ConfigMap with extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param broker.extraEnvVarsSecret Secret with extra environment variables
  ##
  extraEnvVarsSecret: ""
  ## @param broker.extraContainerPorts Kafka broker-only extra containerPorts.
  ##
  extraContainerPorts: []
  ## Configure extra options for Kafka containers' liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param broker.livenessProbe.enabled Enable livenessProbe on Kafka containers
  ## @param broker.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param broker.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param broker.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param broker.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param broker.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
    periodSeconds: 10
    successThreshold: 1
  ## @param broker.readinessProbe.enabled Enable readinessProbe on Kafka containers
  ## @param broker.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param broker.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param broker.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param broker.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param broker.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    failureThreshold: 6
    timeoutSeconds: 5
    periodSeconds: 10
    successThreshold: 1
  ## @param broker.startupProbe.enabled Enable startupProbe on Kafka containers
  ## @param broker.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param broker.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param broker.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param broker.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param broker.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param broker.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param broker.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param broker.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param broker.lifecycleHooks lifecycleHooks for the Kafka container to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## Kafka resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param broker.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if broker.resources is set (broker.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param broker.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Kafka pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param broker.podSecurityContext.enabled Enable security context for the pods
  ## @param broker.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param broker.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param broker.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param broker.podSecurityContext.fsGroup Set Kafka pod's Security Context fsGroup
  ## @param broker.podSecurityContext.seccompProfile.type Set Kafka pod's Security Context seccomp profile
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
  ## Kafka containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param broker.containerSecurityContext.enabled Enable Kafka containers' Security Context
  ## @param broker.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param broker.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param broker.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param broker.containerSecurityContext.runAsNonRoot Set Kafka containers' Security Context runAsNonRoot
  ## @param broker.containerSecurityContext.allowPrivilegeEscalation Force the child process to be run as non-privileged
  ## @param broker.containerSecurityContext.readOnlyRootFilesystem Allows the pod to mount the RootFS as ReadOnly only
  ## @param broker.containerSecurityContext.capabilities.drop Set Kafka containers' server Security Context capabilities to be dropped
  ## e.g:
  ##   containerSecurityContext:
  ##     enabled: true
  ##     capabilities:
  ##       drop: ["NET_RAW"]
  ##     readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  ## @param broker.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param broker.hostAliases Kafka pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param broker.hostNetwork Specify if host network should be enabled for Kafka pods
  ##
  hostNetwork: false
  ## @param broker.hostIPC Specify if host IPC should be enabled for Kafka pods
  ##
  hostIPC: false
  ## @param broker.podLabels Extra labels for Kafka pods
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param broker.podAnnotations Extra annotations for Kafka pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param broker.topologyKey Override common lib default topology key. If empty - "kubernetes.io/hostname" is used
  ## i.e. topologyKey: topology.kubernetes.io/zone
  ##
  topologyKey: ""
  ## @param broker.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param broker.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param broker.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param broker.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param broker.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param broker.affinity Affinity for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param broker.nodeSelector Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param broker.tolerations Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param broker.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param broker.terminationGracePeriodSeconds Seconds the pod needs to gracefully terminate
  ## ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution
  ##
  terminationGracePeriodSeconds: ""
  ## @param broker.podManagementPolicy StatefulSet controller supports relaxing its ordering guarantees while preserving its uniqueness and identity guarantees. There are two valid pod management policies: OrderedReady and Parallel
  ## ref: https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy
  ##
  podManagementPolicy: Parallel
  ## @param broker.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update
  ##
  minReadySeconds: 0
  ## @param broker.priorityClassName Name of the existing priority class to be used by kafka pods
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param broker.runtimeClassName Name of the runtime class to be used by pod(s)
  ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## @param broker.enableServiceLinks Whether information about services should be injected into pod's environment variable
  ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace.
  ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
  ##
  enableServiceLinks: true
  ## @param broker.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param broker.updateStrategy.type Kafka statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param broker.extraVolumes Optionally specify extra list of additional volumes for the Kafka pod(s)
  ## e.g:
  ## extraVolumes:
  ##   - name: kafka-jaas
  ##     secret:
  ##       secretName: kafka-jaas
  ##
  extraVolumes: []
  ## @param broker.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka container(s)
  ## extraVolumeMounts:
  ##   - name: kafka-jaas
  ##     mountPath: /iamguarded/kafka/config/kafka_jaas.conf
  ##     subPath: kafka_jaas.conf
  ##
  extraVolumeMounts: []
  ## @param broker.sidecars Add additional sidecar containers to the Kafka pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param broker.initContainers Add additional init containers to the Kafka pod(s)
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## Kafka Pod Disruption Budget
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  ## @param broker.pdb.create Deploy a pdb object for the Kafka pod
  ## @param broker.pdb.minAvailable Minimum number/percentage of available Kafka replicas
  ## @param broker.pdb.maxUnavailable Maximum number/percentage of unavailable Kafka replicas
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @section Experimental: Kafka Broker Autoscaling configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  ##
  autoscaling:
    vpa:
      ## @param broker.autoscaling.vpa.enabled Enable VPA
      ##
      enabled: false
      ## @param broker.autoscaling.vpa.annotations Annotations for VPA resource
      ##
      annotations: {}
      ## @param broker.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory
      ##
      controlledResources: []
      ## @param broker.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      maxAllowed: {}
      ## @param broker.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod
      ##   cpu: 200m
      ##   memory: 100Mi
      minAllowed: {}
      updatePolicy:
        ## @param broker.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy. Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod
        ## Possible values are "Off", "Initial", "Recreate", and "Auto".
        ##
        updateMode: Auto
    hpa:
      ## @param broker.autoscaling.hpa.enabled Enable HPA for Kafka Broker
      ##
      enabled: false
      ## @param broker.autoscaling.hpa.annotations Annotations for HPA resource
      ##
      annotations: {}
      ## @param broker.autoscaling.hpa.minReplicas Minimum number of Kafka Broker replicas
      ##
      minReplicas: ""
      ## @param broker.autoscaling.hpa.maxReplicas Maximum number of Kafka Broker replicas
      ##
      maxReplicas: ""
      ## @param broker.autoscaling.hpa.targetCPU Target CPU utilization percentage
      ##
      targetCPU: ""
      ## @param broker.autoscaling.hpa.targetMemory Target Memory utilization percentage
      ##
      targetMemory: ""
  ## persistentVolumeClaimRetentionPolicy
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
  ## @param broker.persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet
  ## @param broker.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced
  ## @param broker.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted
  ##
  persistentVolumeClaimRetentionPolicy:
    enabled: false
    whenScaled: Retain
    whenDeleted: Retain
  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param broker.persistence.enabled Enable Kafka data persistence using PVC
    ##
    enabled: true
    ## @param broker.persistence.existingClaim A manually managed Persistent Volume and Claim
    ## If defined, PVC must be created manually before volume will be bound
    ## The value is evaluated as a template
    ##
    existingClaim: ""
    ## @param broker.persistence.storageClass PVC Storage Class for Kafka data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param broker.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param broker.persistence.size PVC Storage Request for Kafka data volume
    ##
    size: 8Gi
    ## @param broker.persistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param broker.persistence.labels Labels for the PVC
    ##
    labels: {}
    ## @param broker.persistence.selector Selector to match an existing Persistent Volume for Kafka data PVC. If set, the PVC can't have a PV dynamically provisioned for it
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param broker.persistence.mountPath Mount path of the Kafka data volume
    ##
    mountPath: /iamguarded/kafka
  ## Log Persistence parameters
  ##
  logPersistence:
    ## @param broker.logPersistence.enabled Enable Kafka logs persistence using PVC
    ##
    enabled: false
    ## @param broker.logPersistence.existingClaim A manually managed Persistent Volume and Claim
    ## If defined, PVC must be created manually before volume will be bound
    ## The value is evaluated as a template
    ##
    existingClaim: ""
    ## @param broker.logPersistence.storageClass PVC Storage Class for Kafka logs volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param broker.logPersistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param broker.logPersistence.size PVC Storage Request for Kafka logs volume
    ##
    size: 8Gi
    ## @param broker.logPersistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param broker.logPersistence.selector Selector to match an existing Persistent Volume for Kafka log data PVC. If set, the PVC can't have a PV dynamically provisioned for it
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param broker.logPersistence.mountPath Mount path of the Kafka logs volume
    ##
    mountPath: /opt/iamguarded/kafka/logs
## @section Traffic Exposure parameters
##

## Service parameters
##
service:
  ## @param service.type Kubernetes Service type
  ##
  type: ClusterIP
  ## @param service.ports.client Kafka svc port for client connections
  ## @param service.ports.controller Kafka svc port for controller connections
  ## @param service.ports.interbroker Kafka svc port for inter-broker connections
  ## @param service.ports.external Kafka svc port for external connections
  ##
  ports:
    client: 9092
    controller: 9093
    interbroker: 9094
    external: 9095
  ## @param service.extraPorts Extra ports to expose in the Kafka service (normally used with the `sidecar` value)
  ##
  extraPorts: []
  ## @param service.nodePorts.client Node port for the Kafka client connections
  ## @param service.nodePorts.external Node port for the Kafka external connections
  ## NOTE: choose port between <30000-32767>
  ##
  nodePorts:
    client: ""
    external: ""
  ## @param service.sessionAffinity Control where client requests go, to the same pod or round-robin
  ## Values: ClientIP or None
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
  ## @param service.clusterIP Kafka service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP Kafka service Load Balancer IP
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerClass Kafka service Load Balancer Class
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
  ##
  loadBalancerClass: ""
  ## @param service.loadBalancerSourceRanges Kafka service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
  ##
  allocateLoadBalancerNodePorts: true
  ## @param service.externalTrafficPolicy Kafka service external traffic policy
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Additional custom annotations for Kafka service
  ##
  annotations: {}
  ## Headless service properties
  ##
  headless:
    controller:
      ## @param service.headless.controller.annotations Annotations for the controller-eligible headless service.
      ##
      annotations: {}
      ## @param service.headless.controller.labels Labels for the controller-eligible headless service.
      ##
      labels: {}
    broker:
      ## @param service.headless.broker.annotations Annotations for the broker-only headless service.
      ##
      annotations: {}
      ## @param service.headless.broker.labels Labels for the broker-only headless service.
      ##
      labels: {}
    ## @param service.headless.ipFamilies IP families for the headless service
    ##
    ipFamilies: []
    ## @param service.headless.ipFamilyPolicy IP family policy for the headless service
    ##
    ipFamilyPolicy: ""
## External Access to Kafka brokers configuration
##
externalAccess:
  ## @param externalAccess.enabled Enable Kubernetes external cluster access to Kafka brokers
  ##
  enabled: false
  ## Service settings
  controller:
    ## @param externalAccess.controller.forceExpose If set to true, force exposing controller-eligible nodes although they are configured as controller-only nodes
    ##
    forceExpose: false
    ## Parameters to configure K8s service(s) used to externally access Kafka brokers
    ## Note: A new service per broker will be created
    ##
    service:
      ## @param externalAccess.controller.service.type Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP
      ##
      type: LoadBalancer
      ## @param externalAccess.controller.service.ports.external Kafka port used for external access when service type is LoadBalancer
      ##
      ports:
        external: 9094
      ## @param externalAccess.controller.service.loadBalancerClass Kubernetes Service Load Balancer class for external access when service type is LoadBalancer
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
      ##
      loadBalancerClass: ""
      ## @param externalAccess.controller.service.loadBalancerIPs Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerIPs:
      ##   - X.X.X.X
      ##   - Y.Y.Y.Y
      ##
      loadBalancerIPs: []
      ## @param externalAccess.controller.service.loadBalancerNames Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerNames:
      ##   - broker1.external.example.com
      ##   - broker2.external.example.com
      ##
      loadBalancerNames: []
      ## @param externalAccess.controller.service.loadBalancerAnnotations Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerAnnotations:
      ##   - external-dns.alpha.kubernetes.io/hostname: broker1.external.example.com.
      ##   - external-dns.alpha.kubernetes.io/hostname: broker2.external.example.com.
      ##
      loadBalancerAnnotations: []
      ## @param externalAccess.controller.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param externalAccess.controller.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
      ##
      allocateLoadBalancerNodePorts: true
      ## @param externalAccess.controller.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## nodePorts:
      ##   - 30001
      ##   - 30002
      ##
      nodePorts: []
      ## @param externalAccess.controller.service.externalIPs Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount
      ## e.g:
      ## externalIPs:
      ##   - X.X.X.X
      ##   - Y.Y.Y.Y
      ##
      externalIPs: []
      ## @param externalAccess.controller.service.useHostIPs Use service host IPs to configure Kafka external listener when service type is NodePort
      ##
      useHostIPs: false
      ## @param externalAccess.controller.service.usePodIPs Use the MY_POD_IP address for external access.
      ##
      usePodIPs: false
      ## @param externalAccess.controller.service.domain Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP
      ## NodePort: If not specified, the container will try to get the kubernetes node external IP
      ## ClusterIP: Must be specified, ingress IP or domain where tcp for external ports is configured
      ##
      domain: ""
      ## @param externalAccess.controller.service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready
      ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/
      ##
      publishNotReadyAddresses: false
      ## @param externalAccess.controller.service.labels Service labels for external access
      ##
      labels: {}
      ## @param externalAccess.controller.service.annotations Service annotations for external access
      ##
      annotations: {}
      ## @param externalAccess.controller.service.extraPorts Extra ports to expose in the Kafka external service
      ##
      extraPorts: []
      ## @param externalAccess.controller.service.ipFamilies IP families for the external controller service
      ##
      ipFamilies: []
      ## @param externalAccess.controller.service.ipFamilyPolicy IP family policy for the external controller service
      ##
      ipFamilyPolicy: ""
  broker:
    ## Parameters to configure K8s service(s) used to externally access Kafka brokers
    ## Note: A new service per broker will be created
    ##
    service:
      ## @param externalAccess.broker.service.type Kubernetes Service type for external access. It can be NodePort, LoadBalancer or ClusterIP
      ##
      type: LoadBalancer
      ## @param externalAccess.broker.service.ports.external Kafka port used for external access when service type is LoadBalancer
      ##
      ports:
        external: 9094
      ## @param externalAccess.broker.service.loadBalancerClass Kubernetes Service Load Balancer class for external access when service type is LoadBalancer
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
      ##
      loadBalancerClass: ""
      ## @param externalAccess.broker.service.loadBalancerIPs Array of load balancer IPs for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerIPs:
      ##   - X.X.X.X
      ##   - Y.Y.Y.Y
      ##
      loadBalancerIPs: []
      ## @param externalAccess.broker.service.loadBalancerNames Array of load balancer Names for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerNames:
      ##   - broker1.external.example.com
      ##   - broker2.external.example.com
      ##
      loadBalancerNames: []
      ## @param externalAccess.broker.service.loadBalancerAnnotations Array of load balancer annotations for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## loadBalancerAnnotations:
      ##   - external-dns.alpha.kubernetes.io/hostname: broker1.external.example.com.
      ##   - external-dns.alpha.kubernetes.io/hostname: broker2.external.example.com.
      ##
      loadBalancerAnnotations: []
      ## @param externalAccess.broker.service.loadBalancerSourceRanges Address(es) that are allowed when service is LoadBalancer
      ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param externalAccess.broker.service.allocateLoadBalancerNodePorts Whether to allocate node ports when service type is LoadBalancer
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
      ##
      allocateLoadBalancerNodePorts: true
      ## @param externalAccess.broker.service.nodePorts Array of node ports used for each Kafka broker. Length must be the same as replicaCount
      ## e.g:
      ## nodePorts:
      ##   - 30001
      ##   - 30002
      ##
      nodePorts: []
      ## @param externalAccess.broker.service.externalIPs Use distinct service host IPs to configure Kafka external listener when service type is NodePort. Length must be the same as replicaCount
      ## e.g:
      ## externalIPs:
      ##   - X.X.X.X
      ##   - Y.Y.Y.Y
      ##
      externalIPs: []
      ## @param externalAccess.broker.service.useHostIPs Use service host IPs to configure Kafka external listener when service type is NodePort
      ##
      useHostIPs: false
      ## @param externalAccess.broker.service.usePodIPs Use the MY_POD_IP address for external access.
      ##
      usePodIPs: false
      ## @param externalAccess.broker.service.domain Domain or external ip used to configure Kafka external listener when service type is NodePort or ClusterIP
      ## NodePort: If not specified, the container will try to get the kubernetes node external IP
      ## ClusterIP: Must be specified, ingress IP or domain where tcp for external ports is configured
      ##
      domain: ""
      ## @param externalAccess.broker.service.publishNotReadyAddresses Indicates that any agent which deals with endpoints for this Service should disregard any indications of ready/not-ready
      ## ref: https://kubernetes.io/docs/reference/kubernetes-api/service-resources/service-v1/
      ##
      publishNotReadyAddresses: false
      ## @param externalAccess.broker.service.labels Service labels for external access
      ##
      labels: {}
      ## @param externalAccess.broker.service.annotations Service annotations for external access
      ##
      annotations: {}
      ## @param externalAccess.broker.service.extraPorts Extra ports to expose in the Kafka external service
      ##
      extraPorts: []
      ## @param externalAccess.broker.service.ipFamilies IP families for the external broker service
      ##
      ipFamilies: []
      ## @param externalAccess.broker.service.ipFamilyPolicy IP family policy for the external broker service
1876
##
1877
ipFamilyPolicy: ""
1878
## Network policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: true
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## When set to false, only pods with the correct client label will have network access to the port Kafka is
  ## listening on. When true, Kafka accepts connections from any source (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
  ##
  addExternalClientAccess: true
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
  ## e.g:
  ## ingressPodMatchLabels:
  ##   my-client: "true"
  ##
  ingressPodMatchLabels: {}
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
## @section Other Parameters

## ServiceAccount for Kafka
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
  ## @param serviceAccount.create Enable creation of ServiceAccount for Kafka pods
  ##
  create: true
  ## @param serviceAccount.name The name of the service account to use. If not set and `create` is `true`, a name is generated
  ## If not set and create is true, a name is generated using the kafka.serviceAccountName template
  ##
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
  ## Can be set to false if pods using this serviceAccount do not need to use K8s API
  ##
  automountServiceAccountToken: false
  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
  ##
  annotations: {}
## Role Based Access Control
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
  ## @param rbac.create Whether to create & use RBAC resources or not
  ## binding Kafka ServiceAccount to a role
  ## that allows Kafka pods querying the K8s API
  ##
  create: false
## @section Metrics parameters

## Prometheus Exporters / Metrics
##
metrics:
  ## Prometheus JMX exporter: exposes the majority of Kafka metrics
  ##
  jmx:
    ## @param metrics.jmx.enabled Whether or not to expose JMX metrics to Prometheus
    ##
    enabled: false
    ## @param metrics.jmx.kafkaJmxPort JMX port where the exporter will collect metrics, exposed in the Kafka container.
    ##
    kafkaJmxPort: 5555
    ## Iamguarded JMX exporter image
    ## @param metrics.jmx.image.registry [default: REGISTRY_NAME] JMX exporter image registry
    ## @param metrics.jmx.image.repository [default: REPOSITORY_NAME/jmx-exporter] JMX exporter image repository
    ## @skip metrics.jmx.image.tag JMX exporter image tag (immutable tags are recommended)
    ## @param metrics.jmx.image.digest JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param metrics.jmx.image.pullPolicy JMX exporter image pull policy
    ## @param metrics.jmx.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/jmx-exporter-iamguarded
      tag: 1.5.0
      digest: ""
      ## Specify an imagePullPolicy
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## e.g:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## Prometheus JMX exporter containers' Security Context
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param metrics.jmx.containerSecurityContext.enabled Enable Prometheus JMX exporter containers' Security Context
    ## @param metrics.jmx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
    ## @param metrics.jmx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
    ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set Prometheus JMX exporter containers' Security Context runAsNonRoot
    ## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set Prometheus JMX exporter containers' Security Context allowPrivilegeEscalation
    ## @param metrics.jmx.containerSecurityContext.readOnlyRootFilesystem Set Prometheus JMX exporter containers' Security Context readOnlyRootFilesystem
    ## @param metrics.jmx.containerSecurityContext.capabilities.drop Set Prometheus JMX exporter containers' Security Context capabilities to be dropped
    ## e.g:
    ## containerSecurityContext:
    ##   enabled: true
    ##   capabilities:
    ##     drop: ["NET_RAW"]
    ##   readOnlyRootFilesystem: true
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
    ## @param metrics.jmx.containerPorts.metrics Prometheus JMX exporter metrics container port
    ##
    containerPorts:
      metrics: 5556
    ## Prometheus JMX exporter resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param metrics.jmx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.jmx.resources is set (metrics.jmx.resources is recommended for production).
    ##
    resourcesPreset: "micro"
    ## @param metrics.jmx.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
    ## Configure extra options for liveness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param metrics.jmx.livenessProbe.enabled Enable livenessProbe
    ## @param metrics.jmx.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
    ## @param metrics.jmx.livenessProbe.periodSeconds Period seconds for livenessProbe
    ## @param metrics.jmx.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
    ## @param metrics.jmx.livenessProbe.failureThreshold Failure threshold for livenessProbe
    ## @param metrics.jmx.livenessProbe.successThreshold Success threshold for livenessProbe
    ##
    livenessProbe:
      enabled: true
      initialDelaySeconds: 60
      periodSeconds: 10
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 3
    ## Configure extra options for readiness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param metrics.jmx.readinessProbe.enabled Enable readinessProbe
    ## @param metrics.jmx.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
    ## @param metrics.jmx.readinessProbe.periodSeconds Period seconds for readinessProbe
    ## @param metrics.jmx.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
    ## @param metrics.jmx.readinessProbe.failureThreshold Failure threshold for readinessProbe
    ## @param metrics.jmx.readinessProbe.successThreshold Success threshold for readinessProbe
    ##
    readinessProbe:
      enabled: true
      initialDelaySeconds: 30
      periodSeconds: 10
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 3
    ## Prometheus JMX exporter service configuration
    ##
    service:
      ## @param metrics.jmx.service.ports.metrics Prometheus JMX exporter metrics service port
      ##
      ports:
        metrics: 5556
      ## @param metrics.jmx.service.clusterIP Static clusterIP or None for headless services
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
      ##
      clusterIP: ""
      ## @param metrics.jmx.service.sessionAffinity Control where client requests go, to the same pod or round-robin
      ## Values: ClientIP or None
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
      ##
      sessionAffinity: None
      ## @param metrics.jmx.service.annotations [object] Annotations for the Prometheus JMX exporter service
      ##
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.metrics.jmx.service.ports.metrics }}"
        prometheus.io/path: "/metrics"
      ## @param metrics.jmx.service.ipFamilies IP families for the jmx metrics service
      ##
      ipFamilies: []
      ## @param metrics.jmx.service.ipFamilyPolicy IP family policy for the jmx metrics service
      ##
      ipFamilyPolicy: ""
    ## @param metrics.jmx.whitelistObjectNames Allows setting which JMX objects you want to expose via JMX stats to the JMX exporter
    ## Only whitelisted values will be exposed via JMX exporter. They must also be exposed via Rules. To expose all metrics
    ## (warning: it's crazy excessive and they aren't formatted in a Prometheus style) (1) `whitelistObjectNames: []`
    ## (2) commented out above `overrideConfig`.
    ##
    whitelistObjectNames:
      - kafka.controller:*
      - kafka.server:*
      - java.lang:*
      - kafka.network:*
      - kafka.log:*
    ## @param metrics.jmx.config [string] Configuration file for JMX exporter
    ## Specify content for jmx-kafka-prometheus.yml. Evaluated as a template
    ##
    ## Credits to the incubator/kafka chart for the JMX configuration.
    ## https://github.com/helm/charts/tree/master/incubator/kafka
    ##
    config: |-
      jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:{{ .Values.metrics.jmx.kafkaJmxPort }}/jmxrmi
      lowercaseOutputName: true
      lowercaseOutputLabelNames: true
      ssl: false
      {{- if .Values.metrics.jmx.whitelistObjectNames }}
      whitelistObjectNames: ["{{ join "\",\"" .Values.metrics.jmx.whitelistObjectNames }}"]
      {{- end }}
    ## @param metrics.jmx.existingConfigmap Name of existing ConfigMap with JMX exporter configuration
    ## NOTE: This will override metrics.jmx.config
    ##
    existingConfigmap: ""
    ## @param metrics.jmx.extraRules Add extra rules to JMX exporter configuration
    ## e.g:
    ## extraRules: |-
    ##   - pattern: kafka.server<type=socket-server-metrics, listener=(.+), networkProcessor=(.+)><>(connection-count)
    ##     name: kafka_server_socket_server_metrics_$3
    ##     labels:
    ##       listener: $1
    ##
    extraRules: ""
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (requires `metrics.jmx.enabled` to be `true`)
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.path Path where JMX exporter serves metrics
    ##
    path: /metrics
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ##
    selector: {}
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
    ##
    honorLabels: false
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
  prometheusRule:
    ## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (requires `metrics.jmx.enabled` to be `true`)
    ##
    enabled: false
    ## @param metrics.prometheusRule.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
    ##
    labels: {}
    ## @param metrics.prometheusRule.groups Prometheus Rule Groups for Kafka
    ##
    groups: []
## @section Kafka provisioning parameters
##

## Kafka provisioning
##
provisioning:
  ## @param provisioning.enabled Enable Kafka provisioning Job
  ##
  enabled: false
  ## @param provisioning.waitForKafka Whether an init container should be created to wait until Kafka is ready before provisioning
  ##
  waitForKafka: true
  ## @param provisioning.useHelmHooks Flag to indicate usage of helm hooks
  ##
  useHelmHooks: true
  ## @param provisioning.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param provisioning.numPartitions Default number of partitions for topics when unspecified
  ##
  numPartitions: 1
  ## @param provisioning.replicationFactor Default replication factor for topics when unspecified
  ##
  replicationFactor: 1
  ## @param provisioning.topics Kafka topics to provision
  ## - name: topic-name
  ##   partitions: 1
  ##   replicationFactor: 1
  ##   ## https://kafka.apache.org/documentation/#topicconfigs
  ##   config:
  ##     max.message.bytes: 64000
  ##     flush.messages: 1
  ##
  topics: []
  ## @param provisioning.nodeSelector Node labels for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param provisioning.tolerations Tolerations for pod assignment
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param provisioning.extraProvisioningCommands Extra commands to run to provision cluster resources
  ## - echo "Allow user to consume from any topic"
  ## - >-
  ##   /opt/iamguarded/kafka/bin/kafka-acls.sh
  ##   --bootstrap-server $KAFKA_SERVICE
  ##   --command-config /shared/client.properties
  ##   --add
  ##   --allow-principal User:user
  ##   --consumer --topic *
  ## - "/opt/iamguarded/kafka/bin/kafka-acls.sh
  ##   --bootstrap-server $KAFKA_SERVICE
  ##   --command-config /shared/client.properties
  ##   --list"
  ##
  extraProvisioningCommands: []
  ## @param provisioning.parallel Number of provisioning commands to run at the same time
  ##
  parallel: 1
  ## @param provisioning.preScript Extra bash script to run before topic provisioning. /shared/client.properties is path to properties file with most needed configurations
  ##
  preScript: ""
  ## @param provisioning.postScript Extra bash script to run after topic provisioning. /shared/client.properties is path to properties file with most needed configurations
  ##
  postScript: ""
  ## Auth Configuration for kafka provisioning Job
  ##
  auth:
    ## TLS configuration for kafka provisioning Job
    ##
    tls:
      ## @param provisioning.auth.tls.type Format to use for TLS certificates. Allowed types: `JKS` and `PEM`.
      ## Note: ignored if auth.tls.client.protocol different from one of these values: "SSL" "SASL_SSL"
      ##
      type: jks
      ## @param provisioning.auth.tls.certificatesSecret Existing secret containing the TLS certificates for the Kafka provisioning Job.
      ## When using 'jks' format for certificates, the secret should contain a truststore and a keystore.
      ## When using 'pem' format for certificates, the secret should contain one of the following:
      ## 1. A public CA certificate, a public certificate and one private key.
      ## 2. A truststore and a keystore in PEM format
      ## If caCert is set, option 1 will be taken, otherwise option 2.
      ##
      certificatesSecret: ""
      ## @param provisioning.auth.tls.cert The secret key from the certificatesSecret if 'cert' key different from the default (tls.crt)
      ##
      cert: tls.crt
      ## @param provisioning.auth.tls.key The secret key from the certificatesSecret if 'key' key different from the default (tls.key)
      ##
      key: tls.key
      ## @param provisioning.auth.tls.caCert The secret key from the certificatesSecret if 'caCert' key different from the default (ca.crt)
      ##
      caCert: ca.crt
      ## @param provisioning.auth.tls.keystore The secret key from the certificatesSecret if 'keystore' key different from the default (keystore.jks)
      ##
      keystore: keystore.jks
      ## @param provisioning.auth.tls.truststore The secret key from the certificatesSecret if 'truststore' key different from the default (truststore.jks)
      ##
      truststore: truststore.jks
      ## @param provisioning.auth.tls.passwordsSecret Name of the secret containing passwords to access the JKS files or PEM key when they are password-protected.
      ## It should contain two keys called "keystore-password" and "truststore-password", or "key-password" if using a password-protected PEM key.
      ##
      passwordsSecret: ""
      ## @param provisioning.auth.tls.keyPasswordSecretKey The secret key from the passwordsSecret if 'keyPasswordSecretKey' key different from the default (key-password)
      ## Note: must not be used if `passwordsSecret` is not defined.
      ##
      keyPasswordSecretKey: key-password
      ## @param provisioning.auth.tls.keystorePasswordSecretKey The secret key from the passwordsSecret if 'keystorePasswordSecretKey' key different from the default (keystore-password)
      ## Note: must not be used if `passwordsSecret` is not defined.
      ##
      keystorePasswordSecretKey: keystore-password
      ## @param provisioning.auth.tls.truststorePasswordSecretKey The secret key from the passwordsSecret if 'truststorePasswordSecretKey' key different from the default (truststore-password)
      ## Note: must not be used if `passwordsSecret` is not defined.
      ##
      truststorePasswordSecretKey: truststore-password
      ## @param provisioning.auth.tls.keyPassword Password to access the password-protected PEM key if necessary. Ignored if 'passwordsSecret' is provided.
      ##
      keyPassword: ""
      ## @param provisioning.auth.tls.keystorePassword Password to access the JKS keystore. Ignored if 'passwordsSecret' is provided.
      ##
      keystorePassword: ""
      ## @param provisioning.auth.tls.truststorePassword Password to access the JKS truststore. Ignored if 'passwordsSecret' is provided.
      ##
      truststorePassword: ""
  ## @param provisioning.command Override provisioning container command
  ##
  command: []
  ## @param provisioning.args Override provisioning container arguments
  ##
  args: []
  ## @param provisioning.extraEnvVars Extra environment variables to add to the provisioning pod
  ## e.g:
  ## extraEnvVars:
  ##   - name: KAFKA_CFG_BACKGROUND_THREADS
  ##     value: "10"
  ##
  extraEnvVars: []
  ## @param provisioning.extraEnvVarsCM ConfigMap with extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param provisioning.extraEnvVarsSecret Secret with extra environment variables
  ##
  extraEnvVarsSecret: ""
  ## @param provisioning.podAnnotations Extra annotations for Kafka provisioning pods
  ##
  podAnnotations: {}
  ## @param provisioning.podLabels Extra labels for Kafka provisioning pods
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## Kafka provisioning pods ServiceAccount
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param provisioning.serviceAccount.create Enable creation of ServiceAccount for Kafka provisioning pods
    ##
    create: true
    ## @param provisioning.serviceAccount.name The name of the service account to use. If not set and `create` is `true`, a name is generated
    ## If not set and create is true, a name is generated using the provisioning.serviceAccount.name template
    ##
    name: ""
    ## @param provisioning.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ## Can be set to false if pods using this serviceAccount do not need to use K8s API
    ##
    automountServiceAccountToken: false
  ## Kafka provisioning resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param provisioning.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if provisioning.resources is set (provisioning.resources is recommended for production).
  ##
  resourcesPreset: "micro"
  ## @param provisioning.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Kafka provisioning pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param provisioning.podSecurityContext.enabled Enable security context for the pods
  ## @param provisioning.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param provisioning.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param provisioning.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param provisioning.podSecurityContext.fsGroup Set Kafka provisioning pod's Security Context fsGroup
  ## @param provisioning.podSecurityContext.seccompProfile.type Set Kafka provisioning pod's Security Context seccomp profile
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
    seccompProfile:
      type: "RuntimeDefault"
  ## Kafka provisioning containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param provisioning.containerSecurityContext.enabled Enable Kafka provisioning containers' Security Context
  ## @param provisioning.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param provisioning.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param provisioning.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param provisioning.containerSecurityContext.runAsNonRoot Set Kafka provisioning containers' Security Context runAsNonRoot
  ## @param provisioning.containerSecurityContext.allowPrivilegeEscalation Set Kafka provisioning containers' Security Context allowPrivilegeEscalation
  ## @param provisioning.containerSecurityContext.readOnlyRootFilesystem Set Kafka provisioning containers' Security Context readOnlyRootFilesystem
  ## @param provisioning.containerSecurityContext.capabilities.drop Set Kafka provisioning containers' Security Context capabilities to be dropped
  ## e.g:
  ## containerSecurityContext:
  ##   enabled: true
  ##   capabilities:
  ##     drop: ["NET_RAW"]
  ##   readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  ## @param provisioning.schedulerName Name of the k8s scheduler (other than default) for kafka provisioning
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param provisioning.enableServiceLinks Whether information about services should be injected into pod's environment variable
  ## The environment variables injected by service links are not used, but can lead to slow kafka boot times or slow running of the scripts when there are many services in the current namespace.
  ## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
  ##
  enableServiceLinks: true
  ## @param provisioning.extraVolumes Optionally specify extra list of additional volumes for the Kafka provisioning pod(s)
  ## e.g:
  ## extraVolumes:
  ##   - name: kafka-jaas
  ##     secret:
  ##       secretName: kafka-jaas
  ##
  extraVolumes: []
  ## @param provisioning.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Kafka provisioning container(s)
  ## extraVolumeMounts:
  ##   - name: kafka-jaas
  ##     mountPath: /iamguarded/kafka/config/kafka_jaas.conf
  ##     subPath: kafka_jaas.conf
  ##
  extraVolumeMounts: []
  ## @param provisioning.sidecars Add additional sidecar containers to the Kafka provisioning pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param provisioning.initContainers Add additional init containers to the Kafka provisioning pod(s)
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
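
Several defaults in this section leave exposure decisions to the operator: `loadBalancerSourceRanges` is empty, `networkPolicy.allowExternal` and `allowExternalEgress` are true, and the per-broker arrays must match replicaCount. The Python check below is an added example, not part of the chart or of its maintainers' code; it audits an already-parsed, fully merged values mapping. The `type` key under `externalAccess.broker.service`, the function names and the sample mapping are assumptions made for illustration.

```python
PER_BROKER_ARRAYS = ("loadBalancerIPs", "loadBalancerNames",
                     "loadBalancerAnnotations", "nodePorts", "externalIPs")
INLINE_PASSWORDS = ("keyPassword", "keystorePassword", "truststorePassword")
HARDENED_CONTEXT = {"runAsNonRoot": True, "allowPrivilegeEscalation": False,
                    "readOnlyRootFilesystem": True}


def dig(values, dotted, default=None):
    """Walk nested dicts by dotted path; return default when a key is absent."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def check_context(values, prefix):
    """Compare <prefix>.containerSecurityContext with the defaults listed in this file."""
    base = prefix + ".containerSecurityContext"
    ctx = dig(values, base) or {}
    if not ctx.get("enabled"):
        return [(base + ".enabled", "container security context is not applied")]
    found = [(f"{base}.{key}", f"expected {want}")
             for key, want in HARDENED_CONTEXT.items() if ctx.get(key) is not want]
    if "ALL" not in (dig(ctx, "capabilities.drop") or []):
        found.append((base + ".capabilities.drop", 'expected ["ALL"]'))
    return found


def audit(values, replica_count):
    """Return a list of (values path, message) findings."""
    found = []
    svc = dig(values, "externalAccess.broker.service") or {}
    # Assumption: the service type lives at externalAccess.broker.service.type.
    if svc.get("type") == "LoadBalancer" and not svc.get("loadBalancerSourceRanges"):
        found.append(("externalAccess.broker.service.loadBalancerSourceRanges",
                      "empty: no source address restriction on the load balancer"))
    # Each per-broker array, when used, must have one entry per broker.
    for key in PER_BROKER_ARRAYS:
        items = svc.get(key) or []
        if items and len(items) != replica_count:
            found.append((f"externalAccess.broker.service.{key}",
                          f"{len(items)} entries for {replica_count} brokers"))

    netpol = values.get("networkPolicy") or {}
    if not netpol.get("enabled"):
        found.append(("networkPolicy.enabled", "no NetworkPolicy is created"))
    else:
        if netpol.get("allowExternal"):
            found.append(("networkPolicy.allowExternal",
                          "true: any source may reach the Kafka port"))
        if netpol.get("allowExternalEgress"):
            found.append(("networkPolicy.allowExternalEgress",
                          "true: pods may reach any port and destination"))

    # Inline passwords are only read when passwordsSecret is not provided.
    tls = dig(values, "provisioning.auth.tls") or {}
    if not tls.get("passwordsSecret"):
        found += [(f"provisioning.auth.tls.{key}", "password set inline; use passwordsSecret")
                  for key in INLINE_PASSWORDS if tls.get(key)]

    if dig(values, "serviceAccount.automountServiceAccountToken") and not dig(values, "rbac.create"):
        found.append(("serviceAccount.automountServiceAccountToken",
                      "token mounted while the chart binds no RBAC role"))

    # Only audit the security context of components that are actually deployed.
    for prefix in ("metrics.jmx", "provisioning"):
        if dig(values, prefix + ".enabled"):
            found += check_context(values, prefix)
    return found


# Constructed sample: defaults from this section for three brokers, with an
# assumed LoadBalancer service type (the type key is not shown in this section).
DEFAULTS = {
    "externalAccess": {"broker": {"service": {
        "type": "LoadBalancer", "loadBalancerIPs": [], "nodePorts": [],
        "loadBalancerSourceRanges": []}}},
    "networkPolicy": {"enabled": True, "allowExternal": True,
                      "allowExternalEgress": True},
    "serviceAccount": {"automountServiceAccountToken": False},
    "rbac": {"create": False},
    "metrics": {"jmx": {"enabled": False}},
    "provisioning": {"enabled": False,
                     "auth": {"tls": {"passwordsSecret": "", "keystorePassword": ""}}},
}

if __name__ == "__main__":
    for path, message in audit(DEFAULTS, replica_count=3):
        print(f"{path}: {message}")
```

Run it against the merged values of a release rather than an override file alone, since keys missing from the mapping are treated as unset.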
