valkey

Helm chart

Last changed

Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Tag:

# This file has been modified by Chainguard, Inc.

# Chainguard, Inc. modifications are subject to the license

# available at: https://www.chainguard.dev/legal/software-license-agreement

# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters

## Global Docker image parameters

## Please, note that this will override the image parameters, including dependencies, configured to use the global value

## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass

## @param global.imageRegistry Global Docker image registry

## @param global.imagePullSecrets Global Docker registry secret names as an array

## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)

## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead

## @param global.valkey.password Global Valkey password (overrides `auth.password`)

## @param global.defaultFips Default value for the FIPS configuration (allowed values: '', restricted, relaxed, off). Can be overridden by the 'fips' object

global:

imageRegistry: ""

## Example:

## imagePullSecrets:

## - myRegistryKeySecretName

imagePullSecrets: []

defaultStorageClass: ""

storageClass: ""

## Security parameters

security:

## @param global.security.allowInsecureImages Allows skipping image verification

allowInsecureImages: false

valkey:

password: ""

## Compatibility adaptations for Kubernetes platforms

compatibility:

## Compatibility adaptations for Openshift

openshift:

## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)

adaptSecurityContext: auto

## Configure FIPS mode: '', 'restricted', 'relaxed', 'off'

defaultFips: restricted

org: ""

## @section Common parameters

## @param kubeVersion Override Kubernetes version

kubeVersion: ""

## @param apiVersions Override Kubernetes API versions reported by .Capabilities

apiVersions: []

## @param nameOverride String to partially override common.names.fullname

nameOverride: ""

## @param fullnameOverride String to fully override common.names.fullname

fullnameOverride: ""

## @param namespaceOverride String to fully override common.names.namespace

namespaceOverride: ""

## @param commonLabels Labels to add to all deployed objects

commonLabels: {}

## @param commonAnnotations Annotations to add to all deployed objects

commonAnnotations: {}

## @param secretAnnotations Annotations to add to secret

secretAnnotations: {}

## @param clusterDomain Kubernetes cluster domain name

clusterDomain: cluster.local

## @param extraDeploy Array of extra objects to deploy with the release

extraDeploy: []

## @param useHostnames Use hostnames internally when announcing replication. If false, the hostname will be resolved to an IP address

useHostnames: true

## @param nameResolutionThreshold Failure threshold for internal hostnames resolution

nameResolutionThreshold: 5

## @param nameResolutionTimeout Timeout seconds between probes for internal hostnames resolution

nameResolutionTimeout: 5

## Enable diagnostic mode in the deployment

diagnosticMode:

## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)

enabled: false

100

## @param diagnosticMode.command Command to override all containers in the deployment

101

102

command:

103

- sleep

104

## @param diagnosticMode.args Args to override all containers in the deployment

105

106

args:

107

- infinity

108

## @section Valkey Image parameters

109

110

111

## Iamguarded Valkey image

112

## @param image.registry [default: REGISTRY_NAME] Valkey image registry

113

## @param image.repository [default: REPOSITORY_NAME/valkey] Valkey image repository

114

## @skip image.tag Valkey image tag (immutable tags are recommended)

115

## @param image.digest Valkey image digest in the way sha256:aa... Please note this parameter, if set, will override the tag

116

## @param image.pullPolicy Valkey image pull policy

117

## @param image.pullSecrets Valkey image pull secrets

118

## @param image.debug Enable image debug mode

119

120

image:

121

registry: cgr.dev

122

repository: chainguard-private/valkey-iamguarded-iamguarded

123

tag: 9.0.3

124

digest: ""

125

## Specify a imagePullPolicy

126

## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images

127

128

pullPolicy: IfNotPresent

129

## Optionally, specify an array of imagePullSecrets.

130

## Secrets must be manually created in the namespace.

131

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

132

## Example:

133

## pullSecrets:

134

## - myRegistryKeySecretName

135

136

pullSecrets: []

137

## Enable debug mode

138

139

debug: false

140

## @section Valkey common configuration parameters

141

142

143

## @param architecture Valkey architecture. Allowed values: `standalone` or `replication`

144

145

architecture: replication

146

## @param fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used

147

148

fips:

149

openssl: ""

150

## Valkey Authentication parameters

151

152

auth:

153

## @param auth.enabled Enable password authentication

154

155

enabled: true

156

## @param auth.sentinel Enable password authentication on sentinels too

157

158

sentinel: true

159

## @param auth.password Valkey password

160

## Defaults to a random 10-character alphanumeric string if not set

161

162

password: ""

163

## @param auth.existingSecret The name of an existing secret with Valkey credentials

164

## NOTE: When it's set, the previous `auth.password` parameter is ignored

165

166

existingSecret: ""

167

## @param auth.existingSecretPasswordKey Password key to be retrieved from existing secret

168

## NOTE: ignored unless `auth.existingSecret` parameter is set

169

170

existingSecretPasswordKey: ""

171

## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable

172

173

usePasswordFiles: true

174

## @param auth.usePasswordFileFromSecret Mount password file from secret

175

176

usePasswordFileFromSecret: true

177

## @param commonConfiguration [string] Common configuration to be added into the ConfigMap

178

## ref: https://valkey.io/topics/valkey-conf/

179

180

commonConfiguration: |-

181

# Enable AOF https://valkey.io/docs/topics/persistence.html

182

appendonly yes

183

# Disable RDB persistence, AOF persistence already enabled.

184

save ""

185

## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Valkey nodes

186

187

existingConfigmap: ""

188

## @section Valkey primary configuration parameters

189

190

primary:

191

## @param primary.replicaCount Number of Valkey primary instances to deploy (experimental, requires additional configuration)

192

193

replicaCount: 1

194

## @param primary.configuration Configuration for Valkey primary nodes

195

## ref: https://valkey.io/topics/config

196

197

configuration: ""

198

## @param primary.disableCommands Array with Valkey commands to disable on primary nodes

199

## Commands will be completely disabled by renaming each to an empty string.

200

## ref: https://valkey.io/topics/security#disabling-of-specific-commands

201

202

disableCommands:

203

- FLUSHDB

204

- FLUSHALL

205

## @param primary.command Override default container command (useful when using custom images)

206

207

command: []

208

## @param primary.args Override default container args (useful when using custom images)

209

210

args: []

211

## @param primary.enableServiceLinks Whether information about services should be injected into pod's environment variable

212

213

enableServiceLinks: true

214

## @param primary.preExecCmds Additional commands to run prior to starting Valkey primary

215

216

preExecCmds: []

217

## @param primary.extraFlags Array with additional command line flags for Valkey primary

218

## Example:

219

## extraFlags:

220

## - "--maxmemory-policy volatile-ttl"

221

## - "--repl-backlog-size 1024mb"

222

223

extraFlags: []

224

## @param primary.extraEnvVars Array with extra environment variables to add to Valkey primary nodes

225

## Example:

226

## extraEnvVars:

227

## - name: FOO

228

## value: "bar"

229

230

extraEnvVars: []

231

## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Valkey primary nodes

232

233

extraEnvVarsCM: ""

234

## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for Valkey primary nodes

235

236

extraEnvVarsSecret: ""

237

## @param primary.containerPorts.valkey Container port to open on Valkey primary nodes

238

239

containerPorts:

240

valkey: 6379

241

## Configure extra options for Valkey containers' liveness and readiness probes

242

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes

243

## @param primary.startupProbe.enabled Enable startupProbe on Valkey primary nodes

244

## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe

245

## @param primary.startupProbe.periodSeconds Period seconds for startupProbe

246

## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe

247

## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe

248

## @param primary.startupProbe.successThreshold Success threshold for startupProbe

249

250

startupProbe:

251

enabled: false

252

initialDelaySeconds: 20

253

periodSeconds: 5

254

timeoutSeconds: 5

255

successThreshold: 1

256

failureThreshold: 5

257

## @param primary.livenessProbe.enabled Enable livenessProbe on Valkey primary nodes

258

## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe

259

## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe

260

## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe

261

## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe

262

## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe

263

264

livenessProbe:

265

enabled: true

266

initialDelaySeconds: 20

267

periodSeconds: 5

268

timeoutSeconds: 5

269

successThreshold: 1

270

failureThreshold: 5

271

## @param primary.readinessProbe.enabled Enable readinessProbe on Valkey primary nodes

272

## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe

273

## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe

274

## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe

275

## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe

276

## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe

277

278

readinessProbe:

279

enabled: true

280

initialDelaySeconds: 20

281

periodSeconds: 5

282

timeoutSeconds: 1

283

successThreshold: 1

284

failureThreshold: 5

285

## @param primary.customStartupProbe Custom startupProbe that overrides the default one

286

287

customStartupProbe: {}

288

## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one

289

290

customLivenessProbe: {}

291

## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one

292

293

customReadinessProbe: {}

294

## Valkey primary resource requests and limits

295

## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

296

## @param primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).

297

298

resourcesPreset: "nano"

299

## @param primary.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)

300

## Example:

301

## resources:

302

## requests:

303

## cpu: 2

304

## memory: 512Mi

305

## limits:

306

## cpu: 3

307

## memory: 1024Mi

308

309

resources: {}

310

## Configure Pods Security Context

311

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

312

## @param primary.podSecurityContext.enabled Enable Valkey primary pods' Security Context

313

## @param primary.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy

314

## @param primary.podSecurityContext.sysctls Set kernel settings using the sysctl interface

315

## @param primary.podSecurityContext.supplementalGroups Set filesystem extra groups

316

## @param primary.podSecurityContext.fsGroup Set Valkey primary pod's Security Context fsGroup

317

318

podSecurityContext:

319

enabled: true

320

fsGroupChangePolicy: Always

321

sysctls: []

322

supplementalGroups: []

323

fsGroup: 1001

324

## Configure Container Security Context

325

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

326

## @param primary.containerSecurityContext.enabled Enable Valkey primary containers' Security Context

327

## @param primary.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container

328

## @param primary.containerSecurityContext.runAsUser Set Valkey primary containers' Security Context runAsUser

329

## @param primary.containerSecurityContext.runAsGroup Set Valkey primary containers' Security Context runAsGroup

330

## @param primary.containerSecurityContext.runAsNonRoot Set Valkey primary containers' Security Context runAsNonRoot

331

## @param primary.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate Valkey pod(s) privileges

332

## @param primary.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem

333

## @param primary.containerSecurityContext.seccompProfile.type Set Valkey primary containers' Security Context seccompProfile

334

## @param primary.containerSecurityContext.capabilities.drop Set Valkey primary containers' Security Context capabilities to drop

335

336

containerSecurityContext:

337

enabled: true

338

seLinuxOptions: {}

339

runAsUser: 1001

340

runAsGroup: 1001

341

runAsNonRoot: true

342

allowPrivilegeEscalation: false

343

readOnlyRootFilesystem: true

344

seccompProfile:

345

type: RuntimeDefault

346

capabilities:

347

drop: ["ALL"]

348

## @param primary.kind Use either Deployment, StatefulSet (default) or DaemonSet

349

## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/

350

351

kind: StatefulSet

352

## @param primary.schedulerName Alternate scheduler for Valkey primary pods

353

## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/

354

355

schedulerName: ""

356

## @param primary.updateStrategy.type Valkey primary statefulset strategy type

357

## @skip primary.updateStrategy.rollingUpdate

358

## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies

359

360

updateStrategy:

361

## StrategyType

362

## Can be set to RollingUpdate, OnDelete (statefulset), Recreate (deployment)

363

364

type: RollingUpdate

365

## @param primary.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update

366

367

minReadySeconds: 0

368

## @param primary.priorityClassName Valkey primary pods' priorityClassName

369

370

priorityClassName: ""

371

## @param primary.automountServiceAccountToken Mount Service Account token in pod

372

373

automountServiceAccountToken: false

374

## @param primary.hostAliases Valkey primary pods host aliases

375

## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/

376

377

hostAliases: []

378

## @param primary.runtimeClassName Name of the runtime class to be used by pod(s)

379

## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/

380

381

runtimeClassName: ""

382

## @param primary.podLabels Extra labels for Valkey primary pods

383

## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

384

385

podLabels: {}

386

## @param primary.podAnnotations Annotations for Valkey primary pods

387

## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

388

389

podAnnotations: {}

390

## @param primary.shareProcessNamespace Share a single process namespace between all of the containers in Valkey primary pods

391

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/

392

393

shareProcessNamespace: false

394

## @param primary.podAffinityPreset Pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`

395

## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity

396

397

podAffinityPreset: ""

398

## @param primary.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`

399

## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity

400

401

podAntiAffinityPreset: soft

402

## Node primary.affinity preset

403

## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity

404

405

nodeAffinityPreset:

406

## @param primary.nodeAffinityPreset.type Node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard`

407

408

type: ""

409

## @param primary.nodeAffinityPreset.key Node label key to match. Ignored if `primary.affinity` is set

410

411

key: ""

412

## @param primary.nodeAffinityPreset.values Node label values to match. Ignored if `primary.affinity` is set

413

## Example:

414

## values:

415

## - e2e-az1

416

## - e2e-az2

417

418

values: []

419

## @param primary.affinity Affinity for Valkey primary pods assignment

420

## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

421

## NOTE: `primary.podAffinityPreset`, `primary.podAntiAffinityPreset`, and `primary.nodeAffinityPreset` will be ignored when it's set

422

423

affinity: {}

424

## @param primary.nodeSelector Node labels for Valkey primary pods assignment

425

## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

426

427

nodeSelector: {}

428

## @param primary.tolerations Tolerations for Valkey primary pods assignment

429

## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

430

431

tolerations: []

432

## @param primary.topologySpreadConstraints Spread Constraints for Valkey primary pod assignment

433

## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/

434

## Example:

435

## topologySpreadConstraints:

436

## - maxSkew: 1

437

## topologyKey: node

438

## whenUnsatisfiable: DoNotSchedule

439

440

topologySpreadConstraints: []

441

## @param primary.dnsPolicy DNS Policy for Valkey primary pod

442

## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/

443

## Example:

444

## dnsPolicy: ClusterFirst

445

446

dnsPolicy: ""

447

## @param primary.dnsConfig DNS Configuration for Valkey primary pod

448

## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/

449

## Example:

450

## dnsConfig:

451

## options:

452

## - name: ndots

453

## value: "4"

454

## - name: single-request-reopen

455

456

dnsConfig: {}

457

## @param primary.lifecycleHooks for the Valkey primary container(s) to automate configuration before or after startup

458

459

lifecycleHooks: {}

460

## @param primary.extraVolumes Optionally, specify extra list of additional volumes for the Valkey primary pod(s)

461

462

extraVolumes: []

463

## @param primary.extraVolumeMounts Optionally, specify extra list of additional volumeMounts for the Valkey primary container(s)

464

465

extraVolumeMounts: []

466

## @param primary.sidecars Add additional sidecar containers to the Valkey primary pod(s)

467

## Example:

468

## sidecars:

469

## - name: your-image-name

470

## image: your-image

471

## imagePullPolicy: Always

472

## ports:

473

## - name: portname

474

## containerPort: 1234

475

476

sidecars: []

477

## @param primary.initContainers Add additional init containers to the Valkey primary pod(s)

478

## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

479

## Example:

480

## initContainers:

481

## - name: your-image-name

482

## image: your-image

483

## imagePullPolicy: Always

484

## command: ['sh', '-c', 'echo "hello world"']

485

486

initContainers: []

487

## Persistence parameters

488

## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/

489

490

persistence:

491

## @param primary.persistence.enabled Enable persistence on Valkey primary nodes using Persistent Volume Claims

492

493

enabled: true

494

## @param primary.persistence.medium Provide a medium for `emptyDir` volumes.

495

496

medium: ""

497

## @param primary.persistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes.

498

499

sizeLimit: ""

500

## @param primary.persistence.path The path the volume will be mounted at on Valkey primary containers

501

## NOTE: Useful when using different Valkey images

502

503

path: /data

504

## @param primary.persistence.subPath The subdirectory of the volume to mount on Valkey primary containers

505

## NOTE: Useful in dev environments

506

507

subPath: ""

508

## @param primary.persistence.subPathExpr Used to construct the subPath subdirectory of the volume to mount on Valkey primary containers

509

510

subPathExpr: ""

511

## @param primary.persistence.storageClass Persistent Volume storage class

512

## If defined, storageClassName: <storageClass>

513

## If set to "-", storageClassName: "", which disables dynamic provisioning

514

## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner

515

516

storageClass: ""

517

## @param primary.persistence.accessModes Persistent Volume access modes

518

519

accessModes:

520

- ReadWriteOnce

521

## @param primary.persistence.size Persistent Volume size

522

523

size: 8Gi

524

## @param primary.persistence.annotations Additional custom annotations for the PVC

525

526

annotations: {}

527

## @param primary.persistence.labels Additional custom labels for the PVC

528

529

labels: {}

530

## @param primary.persistence.selector Additional labels to match for the PVC

531

## Example:

532

## selector:

533

## matchLabels:

534

## app: my-app

535

536

selector: {}

537

## @param primary.persistence.dataSource Custom PVC data source

538

539

dataSource: {}

540

## @param primary.persistence.existingClaim Use an existing PVC which must be created manually before bound

541

## NOTE: requires primary.persistence.enabled: true

542

543

existingClaim: ""

544

## persistentVolumeClaimRetentionPolicy

545

## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention

546

## @param primary.persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet

547

## @param primary.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced

548

## @param primary.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted

549

550

persistentVolumeClaimRetentionPolicy:

551

enabled: false

552

whenScaled: Retain

553

whenDeleted: Retain

554

## Valkey primary service parameters

555

556

service:

557

## @param primary.service.type Valkey primary service type

558

559

type: ClusterIP

560

## @param primary.service.ports.valkey Valkey primary service port

561

562

ports:

563

valkey: 6379

564

## @param primary.service.nodePorts.valkey Node port for Valkey primary

565

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport

566

## NOTE: choose port between <30000-32767>

567

568

nodePorts:

569

valkey: ""

570

## @param primary.service.externalTrafficPolicy Valkey primary service external traffic policy

571

## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip

572

573

externalTrafficPolicy: Cluster

574

## @param primary.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)

575

576

extraPorts: []

577

## @param primary.service.internalTrafficPolicy Valkey primary service internal traffic policy (requires Kubernetes v1.22 or greater to be usable)

578

## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/

579

580

internalTrafficPolicy: Cluster

581

## @param primary.service.clusterIP Valkey primary service Cluster IP

582

583

clusterIP: ""

584

## @param primary.service.loadBalancerIP Valkey primary service Load Balancer IP

585

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer

586

587

loadBalancerIP: ""

588

## @param primary.service.loadBalancerClass primary service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)

589

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer

590

591

loadBalancerClass: ""

592

## @param primary.service.loadBalancerSourceRanges Valkey primary service Load Balancer sources

593

## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service

594

## Example:

595

## loadBalancerSourceRanges:

596

## - 10.10.10.0/24

597

598

loadBalancerSourceRanges: []

599

## @param primary.service.externalIPs Valkey primary service External IPs

600

## https://kubernetes.io/docs/concepts/services-networking/service/#external-ips

601

## Example:

602

## externalIPs:

603

## - 10.10.10.1

604

## - 201.22.30.1

605

606

externalIPs: []

607

## @param primary.service.annotations Additional custom annotations for Valkey primary service

608

609

annotations: {}

610

## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"

611

## If "ClientIP", consecutive client requests will be directed to the same Pod

612

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

613

614

sessionAffinity: None

615

## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `primary.service.sessionAffinity` is `None`

616

## sessionAffinityConfig:

617

## clientIP:

618

## timeoutSeconds: 300

619

620

sessionAffinityConfig: {}

621

## @param primary.terminationGracePeriodSeconds Integer setting the termination grace period for the valkey-primary pods

622

623

terminationGracePeriodSeconds: 30

624

## ServiceAccount configuration

625

626

serviceAccount:

627

## @param primary.serviceAccount.create Specifies whether a ServiceAccount should be created

628

629

create: true

630

## @param primary.serviceAccount.name The name of the ServiceAccount to use.

631

## If not set and create is true, a name is generated using the common.names.fullname template

632

633

634

## @param primary.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token

635

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server

636

637

automountServiceAccountToken: false

638

## @param primary.serviceAccount.annotations Additional custom annotations for the ServiceAccount

639

640

annotations: {}

641

## Pod Disruption Budget configuration

642

## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb

643

## @param primary.pdb.create Enable/disable a Pod Disruption Budget creation

644

## @param primary.pdb.minAvailable [object] Minimum number/percentage of pods that should remain scheduled

645

## @param primary.pdb.maxUnavailable [object] Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `primary.pdb.minAvailable` and `primary.pdb.maxUnavailable` are empty.

646

647

pdb:

648

create: true

649

minAvailable: ""

650

maxUnavailable: ""

651

## @section Valkey replicas configuration parameters

652

653

replica:

654

## @param replica.kind Use either DaemonSet or StatefulSet (default)

655

## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/

656

657

kind: StatefulSet

658

## @param replica.replicaCount Number of Valkey replicas to deploy

659

660

replicaCount: 3

661

## @param replica.configuration Configuration for Valkey replicas nodes

662

## ref: https://valkey.io/topics/config

663

664

configuration: ""

665

## @param replica.disableCommands Array with Valkey commands to disable on replicas nodes

666

## Commands will be completely disabled by renaming each to an empty string.

667

## ref: https://valkey.io/topics/security#disabling-of-specific-commands

668

669

disableCommands:

670

- FLUSHDB

671

- FLUSHALL

672

## @param replica.command Override default container command (useful when using custom images)

673

674

command: []

675

## @param replica.args Override default container args (useful when using custom images)

676

677

args: []

678

## @param replica.enableServiceLinks Whether information about services should be injected into pod's environment variable

679

680

enableServiceLinks: true

681

## @param replica.preExecCmds Additional commands to run prior to starting Valkey replicas

682

683

preExecCmds: []

684

## @param replica.extraFlags Array with additional command line flags for Valkey replicas

685

## Example:

686

## extraFlags:

687

## - "--maxmemory-policy volatile-ttl"

688

## - "--repl-backlog-size 1024mb"

689

690

extraFlags: []

691

## @param replica.extraEnvVars Array with extra environment variables to add to Valkey replicas nodes

692

## Example:

693

## extraEnvVars:

694

## - name: FOO

695

## value: "bar"

696

697

extraEnvVars: []

698

## @param replica.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Valkey replicas nodes

699

700

extraEnvVarsCM: ""

701

## @param replica.extraEnvVarsSecret Name of existing Secret containing extra env vars for Valkey replicas nodes

702

703

extraEnvVarsSecret: ""

704

## @param replica.externalPrimary.enabled Use external primary for bootstrapping

705

## @param replica.externalPrimary.host External primary host to bootstrap from

706

## @param replica.externalPrimary.port Port for Valkey service external primary host

707

708

externalPrimary:

709

enabled: false

710

host: ""

711

port: 6379

712

## @param replica.containerPorts.valkey Container port to open on Valkey replicas nodes

713

714

containerPorts:

715

valkey: 6379

716

## Configure extra options for Valkey containers' liveness and readiness probes

717

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes

718

## @param replica.startupProbe.enabled Enable startupProbe on Valkey replicas nodes

719

## @param replica.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe

720

## @param replica.startupProbe.periodSeconds Period seconds for startupProbe

721

## @param replica.startupProbe.timeoutSeconds Timeout seconds for startupProbe

722

## @param replica.startupProbe.failureThreshold Failure threshold for startupProbe

723

## @param replica.startupProbe.successThreshold Success threshold for startupProbe

724

725

startupProbe:

726

enabled: true

727

initialDelaySeconds: 10

728

periodSeconds: 10

729

timeoutSeconds: 5

730

successThreshold: 1

731

failureThreshold: 22

732

## @param replica.livenessProbe.enabled Enable livenessProbe on Valkey replicas nodes

733

## @param replica.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe

734

## @param replica.livenessProbe.periodSeconds Period seconds for livenessProbe

735

## @param replica.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe

736

## @param replica.livenessProbe.failureThreshold Failure threshold for livenessProbe

737

## @param replica.livenessProbe.successThreshold Success threshold for livenessProbe

738

739

livenessProbe:

740

enabled: true

741

initialDelaySeconds: 20

742

periodSeconds: 5

743

timeoutSeconds: 5

744

successThreshold: 1

745

failureThreshold: 5

746

## @param replica.readinessProbe.enabled Enable readinessProbe on Valkey replicas nodes

747

## @param replica.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe

748

## @param replica.readinessProbe.periodSeconds Period seconds for readinessProbe

749

## @param replica.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe

750

## @param replica.readinessProbe.failureThreshold Failure threshold for readinessProbe

751

## @param replica.readinessProbe.successThreshold Success threshold for readinessProbe

752

753

readinessProbe:

754

enabled: true

755

initialDelaySeconds: 20

756

periodSeconds: 5

757

timeoutSeconds: 1

758

successThreshold: 1

759

failureThreshold: 5

760

## @param replica.customStartupProbe Custom startupProbe that overrides the default one

761

762

customStartupProbe: {}

763

## @param replica.customLivenessProbe Custom livenessProbe that overrides the default one

764

765

customLivenessProbe: {}

766

## @param replica.customReadinessProbe Custom readinessProbe that overrides the default one

767

768

customReadinessProbe: {}

769

## Valkey replicas resource requests and limits

770

## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

771

## @param replica.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production).

772

773

resourcesPreset: "nano"

774

## @param replica.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)

775

## Example:

776

## resources:

777

## requests:

778

## cpu: 2

779

## memory: 512Mi

780

## limits:

781

## cpu: 3

782

## memory: 1024Mi

783

784

resources: {}

785

## Configure Pods Security Context

786

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

787

## @param replica.podSecurityContext.enabled Enable Valkey replicas pods' Security Context

788

## @param replica.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy

789

## @param replica.podSecurityContext.sysctls Set kernel settings using the sysctl interface

790

## @param replica.podSecurityContext.supplementalGroups Set filesystem extra groups

791

## @param replica.podSecurityContext.fsGroup Set Valkey replicas pod's Security Context fsGroup

792

793

podSecurityContext:

794

enabled: true

795

fsGroupChangePolicy: Always

796

sysctls: []

797

supplementalGroups: []

798

fsGroup: 1001

799

## Configure Container Security Context

800

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

801

## @param replica.containerSecurityContext.enabled Enable Valkey replicas containers' Security Context

802

## @param replica.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container

803

## @param replica.containerSecurityContext.runAsUser Set Valkey replicas containers' Security Context runAsUser

804

## @param replica.containerSecurityContext.runAsGroup Set Valkey replicas containers' Security Context runAsGroup

805

## @param replica.containerSecurityContext.runAsNonRoot Set Valkey replicas containers' Security Context runAsNonRoot

806

## @param replica.containerSecurityContext.allowPrivilegeEscalation Set Valkey replicas pod's Security Context allowPrivilegeEscalation

807

## @param replica.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem

808

## @param replica.containerSecurityContext.seccompProfile.type Set Valkey replicas containers' Security Context seccompProfile

809

## @param replica.containerSecurityContext.capabilities.drop Set Valkey replicas containers' Security Context capabilities to drop

810

811

containerSecurityContext:

812

enabled: true

813

seLinuxOptions: {}

814

runAsUser: 1001

815

runAsGroup: 1001

816

runAsNonRoot: true

817

allowPrivilegeEscalation: false

818

readOnlyRootFilesystem: true

819

seccompProfile:

820

type: RuntimeDefault

821

capabilities:

822

drop: ["ALL"]

823

## @param replica.schedulerName Alternate scheduler for Valkey replicas pods

824

## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/

825

826

schedulerName: ""

827

## @param replica.runtimeClassName Name of the runtime class to be used by replica pod(s)

828

829

runtimeClassName: ""

830

## @param replica.updateStrategy.type Valkey replicas statefulset strategy type

831

## @skip replica.updateStrategy.rollingUpdate

832

## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies

833

834

updateStrategy:

835

## StrategyType

836

## Can be set to RollingUpdate, OnDelete (statefulset), Recreate (deployment)

837

838

type: RollingUpdate

839

## @param replica.minReadySeconds How many seconds a pod needs to be ready before killing the next, during update

840

841

minReadySeconds: 0

842

## @param replica.priorityClassName Valkey replicas pods' priorityClassName

843

844

priorityClassName: ""

845

## @param replica.podManagementPolicy podManagementPolicy to manage scaling operation of %%MAIN_CONTAINER_NAME%% pods

846

## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies

847

848

podManagementPolicy: ""

849

## @param replica.automountServiceAccountToken Mount Service Account token in pod

850

851

automountServiceAccountToken: false

852

## @param replica.hostAliases Valkey replicas pods host aliases

853

## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/

854

855

hostAliases: []

856

## @param replica.podLabels Extra labels for Valkey replicas pods

857

## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

858

859

podLabels: {}

860

## @param replica.podAnnotations Annotations for Valkey replicas pods

861

## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

862

863

podAnnotations: {}

864

## @param replica.shareProcessNamespace Share a single process namespace between all of the containers in Valkey replicas pods

865

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/

866

867

shareProcessNamespace: false

868

## @param replica.podAffinityPreset Pod affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`

869

## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity

870

871

podAffinityPreset: ""

872

## @param replica.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`

873

## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity

874

875

podAntiAffinityPreset: soft

876

## Node affinity preset

877

## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity

878

879

nodeAffinityPreset:

880

## @param replica.nodeAffinityPreset.type Node affinity preset type. Ignored if `replica.affinity` is set. Allowed values: `soft` or `hard`

881

882

type: ""

883

## @param replica.nodeAffinityPreset.key Node label key to match. Ignored if `replica.affinity` is set

884

885

key: ""

886

## @param replica.nodeAffinityPreset.values Node label values to match. Ignored if `replica.affinity` is set

887

## Example:

888

## values:

889

## - e2e-az1

890

## - e2e-az2

891

892

values: []

893

## @param replica.affinity Affinity for Valkey replicas pods assignment

894

## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity

895

## NOTE: `replica.podAffinityPreset`, `replica.podAntiAffinityPreset`, and `replica.nodeAffinityPreset` will be ignored when it's set

896

897

affinity: {}

898

## @param replica.nodeSelector Node labels for Valkey replicas pods assignment

899

## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

900

901

nodeSelector: {}

902

## @param replica.tolerations Tolerations for Valkey replicas pods assignment

903

## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/

904

905

tolerations: []

906

## @param replica.topologySpreadConstraints Spread Constraints for Valkey replicas pod assignment

907

## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/

908

## Example:

909

## topologySpreadConstraints:

910

## - maxSkew: 1

911

## topologyKey: node

912

## whenUnsatisfiable: DoNotSchedule

913

914

topologySpreadConstraints: []

915

## @param replica.dnsPolicy DNS Policy for Valkey replica pods

916

## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/

917

## Example:

918

## dnsPolicy: ClusterFirst

919

920

dnsPolicy: ""

921

## @param replica.dnsConfig DNS Configuration for Valkey replica pods

922

## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/

923

## Example:

924

## dnsConfig:

925

## options:

926

## - name: ndots

927

## value: "4"

928

## - name: single-request-reopen

929

930

dnsConfig: {}

931

## @param replica.lifecycleHooks for the Valkey replica container(s) to automate configuration before or after startup

932

933

lifecycleHooks: {}

934

## @param replica.extraVolumes Optionally, specify an extra list of additional volumes for the Valkey replicas pod(s)

935

936

extraVolumes: []

937

## @param replica.extraVolumeMounts Optionally, specify extra list of additional volumeMounts for the Valkey replicas container(s)

938

939

extraVolumeMounts: []

940

## @param replica.sidecars Add additional sidecar containers to the Valkey replicas pod(s)

941

## Example:

942

## sidecars:

943

## - name: your-image-name

944

## image: your-image

945

## imagePullPolicy: Always

946

## ports:

947

## - name: portname

948

## containerPort: 1234

949

950

sidecars: []

951

## @param replica.initContainers Add additional init containers to the Valkey replicas pod(s)

952

## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

953

## Example:

954

## initContainers:

955

## - name: your-image-name

956

## image: your-image

957

## imagePullPolicy: Always

958

## command: ['sh', '-c', 'echo "hello world"']

959

960

initContainers: []

961

## Persistence Parameters

962

## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/

963

964

persistence:

965

## @param replica.persistence.enabled Enable persistence on Valkey replicas nodes using Persistent Volume Claims

966

967

enabled: true

968

## @param replica.persistence.medium Provide a medium for `emptyDir` volumes.

969

970

medium: ""

971

## @param replica.persistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes.

972

973

sizeLimit: ""

974

## @param replica.persistence.path The path the volume will be mounted at on Valkey replicas containers

975

## NOTE: Useful when using different Valkey images

976

977

path: /data

978

## @param replica.persistence.subPath The subdirectory of the volume to mount on Valkey replicas containers

979

## NOTE: Useful in dev environments

980

981

subPath: ""

982

## @param replica.persistence.subPathExpr Used to construct the subPath subdirectory of the volume to mount on Valkey replicas containers

983

984

subPathExpr: ""

985

## @param replica.persistence.storageClass Persistent Volume storage class

986

## If defined, storageClassName: <storageClass>

987

## If set to "-", storageClassName: "", which disables dynamic provisioning

988

## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner

989

990

storageClass: ""

991

## @param replica.persistence.accessModes Persistent Volume access modes

992

993

accessModes:

994

- ReadWriteOnce

995

## @param replica.persistence.size Persistent Volume size

996

997

size: 8Gi

998

## @param replica.persistence.annotations Additional custom annotations for the PVC

999

1000

annotations: {}

1001

## @param replica.persistence.labels Additional custom labels for the PVC

1002

1003

labels: {}

1004

## @param replica.persistence.selector Additional labels to match for the PVC

1005

## Example:

1006

## selector:

1007

## matchLabels:

1008

## app: my-app

1009

1010

selector: {}

1011

## @param replica.persistence.dataSource Custom PVC data source

1012

1013

dataSource: {}

1014

## @param replica.persistence.existingClaim Use an existing PVC which must be created manually before bound

1015

## NOTE: requires replica.persistence.enabled: true

1016

1017

existingClaim: ""

1018

## persistentVolumeClaimRetentionPolicy

1019

## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention

1020

## @param replica.persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet

1021

## @param replica.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced

1022

## @param replica.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted

1023

1024

persistentVolumeClaimRetentionPolicy:

1025

enabled: false

1026

whenScaled: Retain

1027

whenDeleted: Retain

1028

## Valkey replicas service parameters

1029

1030

service:

1031

## @param replica.service.type Valkey replicas service type

1032

1033

type: ClusterIP

1034

## @param replica.service.ports.valkey Valkey replicas service port

1035

1036

ports:

1037

valkey: 6379

1038

## @param replica.service.nodePorts.valkey Node port for Valkey replicas

1039

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport

1040

## NOTE: choose port between <30000-32767>

1041

1042

nodePorts:

1043

valkey: ""

1044

## @param replica.service.externalTrafficPolicy Valkey replicas service external traffic policy

1045

## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip

1046

1047

externalTrafficPolicy: Cluster

1048

## @param replica.service.internalTrafficPolicy Valkey replicas service internal traffic policy (requires Kubernetes v1.22 or greater to be usable)

1049

## ref: https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/

1050

1051

internalTrafficPolicy: Cluster

1052

## @param replica.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)

1053

1054

extraPorts: []

1055

## @param replica.service.clusterIP Valkey replicas service Cluster IP

1056

1057

clusterIP: ""

1058

## @param replica.service.loadBalancerIP Valkey replicas service Load Balancer IP

1059

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer

1060

1061

loadBalancerIP: ""

1062

## @param replica.service.loadBalancerClass replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)

1063

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer

1064

1065

loadBalancerClass: ""

1066

## @param replica.service.loadBalancerSourceRanges Valkey replicas service Load Balancer sources

1067

## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service

1068

## Example:

1069

## loadBalancerSourceRanges:

1070

## - 10.10.10.0/24

1071

1072

loadBalancerSourceRanges: []

1073

## @param replica.service.annotations Additional custom annotations for Valkey replicas service

1074

1075

annotations: {}

1076

## @param replica.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"

1077

## If "ClientIP", consecutive client requests will be directed to the same Pod

1078

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

1079

1080

sessionAffinity: None

1081

## @param replica.service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `replica.service.sessionAffinity` is `None`

1082

## Example:

1083

## sessionAffinityConfig:

1084

## clientIP:

1085

## timeoutSeconds: 300

1086

1087

sessionAffinityConfig: {}

1088

## @param replica.terminationGracePeriodSeconds Integer setting the termination grace period for the valkey-replicas pods

1089

1090

terminationGracePeriodSeconds: 30

1091

## @section Autoscaling

1092

## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/

1093

1094

autoscaling:

1095

vpa:

1096

## @param replica.autoscaling.vpa.enabled Enable VPA

1097

1098

enabled: false

1099

## @param replica.autoscaling.vpa.annotations Annotations for VPA resource

1100

1101

annotations: {}

1102

## @param replica.autoscaling.vpa.controlledResources VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory

1103

1104

controlledResources: []

1105

## @param replica.autoscaling.vpa.maxAllowed VPA Max allowed resources for the pod

1106

## Example:

1107

## maxAllowed:

1108

## cpu: 200m

1109

## memory: 100Mi

1110

1111

maxAllowed: {}

1112

## @param replica.autoscaling.vpa.minAllowed VPA Min allowed resources for the pod

1113

## Example:

1114

## maxAllowed:

1115

## cpu: 200m

1116

## memory: 100Mi

1117

1118

minAllowed: {}

1119

## @section VPA update policy

1120

1121

updatePolicy:

1122

## @param replica.autoscaling.vpa.updatePolicy.updateMode Autoscaling update policy Specifies whether recommended updates are applied when a Pod is started and whether recommended updates are applied during the life of a Pod

1123

## Possible values are "Off", "Initial", "Recreate", and "Auto".

1124

1125

updateMode: Auto

1126

hpa:

1127

## @param replica.autoscaling.hpa.enabled Enable HPA

1128

1129

enabled: false

1130

## @param replica.autoscaling.hpa.minReplicas Minimum number of replicas

1131

1132

minReplicas: ""

1133

## @param replica.autoscaling.hpa.maxReplicas Maximum number of replicas

1134

1135

maxReplicas: ""

1136

## @param replica.autoscaling.hpa.targetCPU Target CPU utilization percentage

1137

1138

targetCPU: ""

1139

## @param replica.autoscaling.hpa.targetMemory Target Memory utilization percentage

1140

1141

targetMemory: ""

1142

## ServiceAccount configuration

1143

1144

serviceAccount:

1145

## @param replica.serviceAccount.create Specifies whether a ServiceAccount should be created

1146

1147

create: true

1148

## @param replica.serviceAccount.name The name of the ServiceAccount to use.

1149

## If not set and create is true, a name is generated using the common.names.fullname template

1150

1151

1152

## @param replica.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token

1153

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server

1154

1155

automountServiceAccountToken: false

1156

## @param replica.serviceAccount.annotations Additional custom annotations for the ServiceAccount

1157

1158

annotations: {}

1159

## Pod Disruption Budget configuration

1160

## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb

1161

## @param replica.pdb.create Enable/disable a Pod Disruption Budget creation

1162

## @param replica.pdb.minAvailable [object] Minimum number/percentage of pods that should remain scheduled

1163

## @param replica.pdb.maxUnavailable [object] Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `replica.pdb.minAvailable` and `replica.pdb.maxUnavailable` are empty.

1164

1165

pdb:

1166

create: true

1167

minAvailable: ""

1168

maxUnavailable: ""

1169

## @section Valkey Sentinel configuration parameters

1170

1171

sentinel:

1172

## @param sentinel.enabled Use Valkey Sentinel on Valkey pods.

1173

## IMPORTANT: this will disable the primary and replicas services and

1174

## create a single Valkey service exposing both the Valkey and Sentinel ports

1175

1176

enabled: false

1177

## Iamguarded Valkey Sentinel image version

1178

## @param sentinel.image.registry [default: REGISTRY_NAME] Valkey Sentinel image registry

1179

## @param sentinel.image.repository [default: REPOSITORY_NAME/valkey-sentinel] Valkey Sentinel image repository

1180

## @skip sentinel.image.tag Valkey Sentinel image tag (immutable tags are recommended)

1181

## @param sentinel.image.digest Valkey Sentinel image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag

1182

## @param sentinel.image.pullPolicy Valkey Sentinel image pull policy

1183

## @param sentinel.image.pullSecrets Valkey Sentinel image pull secrets

1184

## @param sentinel.image.debug Enable image debug mode

1185

1186

image:

1187

registry: cgr.dev

1188

repository: chainguard-private/valkey-sentinel-iamguarded-sentinel-iamguarded

1189

tag: 9.0.3

1190

digest: ""

1191

## Specify a imagePullPolicy

1192

## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images

1193

1194

pullPolicy: IfNotPresent

1195

## Optionally, specify an array of imagePullSecrets.

1196

## Secrets must be manually created in the namespace.

1197

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

1198

## Example:

1199

## pullSecrets:

1200

## - myRegistryKeySecretName

1201

1202

pullSecrets: []

1203

## Enable debug mode

1204

1205

debug: false

1206

## @param sentinel.annotations Additional custom annotations for Valkey Sentinel resource

1207

1208

annotations: {}

1209

## @param sentinel.primarySet Primary set name

1210

1211

primarySet: myprimary

1212

## @param sentinel.quorum Sentinel Quorum

1213

1214

quorum: 2

1215

## @param sentinel.getPrimaryTimeout Amount of time to allow before get_sentinel_primary_info() times out.

1216

1217

getPrimaryTimeout: 90

1218

## @param sentinel.automateClusterRecovery Automate cluster recovery in cases where the last replica is not considered a good replica and Sentinel won't automatically fail over to it.

1219

## This also prevents any new replica from starting until the last remaining replica is elected as primary to guarantee that it is the one to be elected by Sentinel, and not a newly started replica with no data.

1220

## NOTE: This feature requires a "downAfterMilliseconds" value less or equal to 2000.

1221

1222

automateClusterRecovery: false

1223

## @param sentinel.valkeyShutdownWaitFailover Whether the Valkey primary container waits for the failover at shutdown (in addition to the Valkey Sentinel container).

1224

1225

valkeyShutdownWaitFailover: true

1226

## Sentinel timing restrictions

1227

## @param sentinel.downAfterMilliseconds Timeout for detecting a Valkey node is down

1228

## @param sentinel.failoverTimeout Timeout for performing the election failover

1229

1230

downAfterMilliseconds: 60000

1231

failoverTimeout: 180000

1232

## @param sentinel.parallelSyncs Number of replicas that can be reconfigured in parallel to use the new primary after the failover

1233

1234

parallelSyncs: 1

1235

## @param sentinel.replicaSyncCheck Wait for data full sync on replicas before marking them as ready (experimental)

1236

1237

replicaSyncCheck: false

1238

## @param sentinel.configuration Configuration for Valkey Sentinel nodes

1239

## ref: https://valkey.io/topics/sentinel

1240

1241

configuration: ""

1242

## @param sentinel.command Override default container command (useful when using custom images)

1243

1244

command: []

1245

## @param sentinel.args Override default container args (useful when using custom images)

1246

1247

args: []

1248

## @param sentinel.enableServiceLinks Whether information about services should be injected into pod's environment variable

1249

1250

enableServiceLinks: true

1251

## @param sentinel.preExecCmds Additional commands to run prior to starting Valkey Sentinel

1252

1253

preExecCmds: []

1254

## @param sentinel.extraEnvVars Array with extra environment variables to add to Valkey Sentinel nodes

1255

## Example:

1256

## extraEnvVars:

1257

## - name: FOO

1258

## value: "bar"

1259

1260

extraEnvVars: []

1261

## @param sentinel.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Valkey Sentinel nodes

1262

1263

extraEnvVarsCM: ""

1264

## @param sentinel.extraEnvVarsSecret Name of existing Secret containing extra env vars for Valkey Sentinel nodes

1265

1266

extraEnvVarsSecret: ""

1267

## @param sentinel.externalPrimary.enabled Use external primary for bootstrapping

1268

## @param sentinel.externalPrimary.host External primary host to bootstrap from

1269

## @param sentinel.externalPrimary.port Port for Valkey service external primary host

1270

1271

externalPrimary:

1272

enabled: false

1273

host: ""

1274

port: 6379

1275

## @param sentinel.containerPorts.sentinel Container port to open on Valkey Sentinel nodes

1276

1277

containerPorts:

1278

sentinel: 26379

1279

## Configure extra options for Valkey containers' liveness and readiness probes

1280

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes

1281

## @param sentinel.startupProbe.enabled Enable startupProbe on Valkey Sentinel nodes

1282

## @param sentinel.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe

1283

## @param sentinel.startupProbe.periodSeconds Period seconds for startupProbe

1284

## @param sentinel.startupProbe.timeoutSeconds Timeout seconds for startupProbe

1285

## @param sentinel.startupProbe.failureThreshold Failure threshold for startupProbe

1286

## @param sentinel.startupProbe.successThreshold Success threshold for startupProbe

1287

1288

startupProbe:

1289

enabled: true

1290

initialDelaySeconds: 10

1291

periodSeconds: 10

1292

timeoutSeconds: 5

1293

successThreshold: 1

1294

failureThreshold: 22

1295

## @param sentinel.livenessProbe.enabled Enable livenessProbe on Valkey Sentinel nodes

1296

## @param sentinel.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe

1297

## @param sentinel.livenessProbe.periodSeconds Period seconds for livenessProbe

1298

## @param sentinel.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe

1299

## @param sentinel.livenessProbe.failureThreshold Failure threshold for livenessProbe

1300

## @param sentinel.livenessProbe.successThreshold Success threshold for livenessProbe

1301

1302

livenessProbe:

1303

enabled: true

1304

initialDelaySeconds: 20

1305

periodSeconds: 10

1306

timeoutSeconds: 5

1307

successThreshold: 1

1308

failureThreshold: 6

1309

## @param sentinel.readinessProbe.enabled Enable readinessProbe on Valkey Sentinel nodes

1310

## @param sentinel.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe

1311

## @param sentinel.readinessProbe.periodSeconds Period seconds for readinessProbe

1312

## @param sentinel.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe

1313

## @param sentinel.readinessProbe.failureThreshold Failure threshold for readinessProbe

1314

## @param sentinel.readinessProbe.successThreshold Success threshold for readinessProbe

1315

1316

readinessProbe:

1317

enabled: true

1318

initialDelaySeconds: 20

1319

periodSeconds: 5

1320

timeoutSeconds: 1

1321

successThreshold: 1

1322

failureThreshold: 6

1323

## @param sentinel.customStartupProbe Custom startupProbe that overrides the default one

1324

1325

customStartupProbe: {}

1326

## @param sentinel.customLivenessProbe Custom livenessProbe that overrides the default one

1327

1328

customLivenessProbe: {}

1329

## @param sentinel.customReadinessProbe Custom readinessProbe that overrides the default one

1330

1331

customReadinessProbe: {}

1332

## Persistence parameters

1333

## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/

1334

1335

persistence:

1336

## @param sentinel.persistence.enabled Enable persistence on Valkey sentinel nodes using Persistent Volume Claims (Experimental)

1337

1338

enabled: false

1339

## @param sentinel.persistence.storageClass Persistent Volume storage class

1340

## If defined, storageClassName: <storageClass>

1341

## If set to "-", storageClassName: "", which disables dynamic provisioning

1342

## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner

1343

1344

storageClass: ""

1345

## @param sentinel.persistence.accessModes Persistent Volume access modes

1346

1347

accessModes:

1348

- ReadWriteOnce

1349

## @param sentinel.persistence.size Persistent Volume size

1350

1351

size: 100Mi

1352

## @param sentinel.persistence.annotations Additional custom annotations for the PVC

1353

1354

annotations: {}

1355

## @param sentinel.persistence.labels Additional custom labels for the PVC

1356

1357

labels: {}

1358

## @param sentinel.persistence.selector Additional labels to match for the PVC

1359

## Example:

1360

## selector:

1361

## matchLabels:

1362

## app: my-app

1363

1364

selector: {}

1365

## @param sentinel.persistence.dataSource Custom PVC data source

1366

1367

dataSource: {}

1368

## @param sentinel.persistence.medium Provide a medium for `emptyDir` volumes.

1369

1370

medium: ""

1371

## @param sentinel.persistence.sizeLimit Set this to enable a size limit for `emptyDir` volumes.

1372

1373

sizeLimit: ""

1374

## persistentVolumeClaimRetentionPolicy

1375

## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention

1376

## @param sentinel.persistentVolumeClaimRetentionPolicy.enabled Controls if and how PVCs are deleted during the lifecycle of a StatefulSet

1377

## @param sentinel.persistentVolumeClaimRetentionPolicy.whenScaled Volume retention behavior when the replica count of the StatefulSet is reduced

1378

## @param sentinel.persistentVolumeClaimRetentionPolicy.whenDeleted Volume retention behavior that applies when the StatefulSet is deleted

1379

1380

persistentVolumeClaimRetentionPolicy:

1381

enabled: false

1382

whenScaled: Retain

1383

whenDeleted: Retain

1384

## Valkey Sentinel resource requests and limits

1385

## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

1386

## @param sentinel.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).

1387

1388

resourcesPreset: "nano"

1389

## @param sentinel.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)

1390

## Example:

1391

## resources:

1392

## requests:

1393

## cpu: 2

1394

## memory: 512Mi

1395

## limits:

1396

## cpu: 3

1397

## memory: 1024Mi

1398

1399

resources: {}

1400

## @param sentinel.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used

1401

1402

fips:

1403

openssl: ""

1404

1405

## Configure Container Security Context

1406

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

1407

## @param sentinel.containerSecurityContext.enabled Enable Valkey Sentinel containers' Security Context

1408

## @param sentinel.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container

1409

## @param sentinel.containerSecurityContext.runAsUser Set Valkey Sentinel containers' Security Context runAsUser

1410

## @param sentinel.containerSecurityContext.runAsGroup Set Valkey Sentinel containers' Security Context runAsGroup

1411

## @param sentinel.containerSecurityContext.runAsNonRoot Set Valkey Sentinel containers' Security Context runAsNonRoot

1412

## @param sentinel.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem

1413

## @param sentinel.containerSecurityContext.allowPrivilegeEscalation Set Valkey Sentinel containers' Security Context allowPrivilegeEscalation

1414

## @param sentinel.containerSecurityContext.seccompProfile.type Set Valkey Sentinel containers' Security Context seccompProfile

1415

## @param sentinel.containerSecurityContext.capabilities.drop Set Valkey Sentinel containers' Security Context capabilities to drop

1416

1417

containerSecurityContext:

1418

enabled: true

1419

seLinuxOptions: {}

1420

runAsUser: 1001

1421

runAsGroup: 1001

1422

runAsNonRoot: true

1423

allowPrivilegeEscalation: false

1424

readOnlyRootFilesystem: true

1425

seccompProfile:

1426

type: RuntimeDefault

1427

capabilities:

1428

drop: ["ALL"]

1429

## @param sentinel.lifecycleHooks for the Valkey sentinel container(s) to automate configuration before or after startup

1430

1431

lifecycleHooks: {}

1432

## @param sentinel.extraVolumes Optionally, specify extra list of additional volumes for the Valkey Sentinel

1433

1434

extraVolumes: []

1435

## @param sentinel.extraVolumeMounts Optionally, specify extra list of additional volumeMounts for the Valkey Sentinel container(s)

1436

1437

extraVolumeMounts: []

1438

## Valkey Sentinel service parameters

1439

1440

service:

1441

## @param sentinel.service.type Valkey Sentinel service type

1442

1443

type: ClusterIP

1444

## @param sentinel.service.ports.valkey Valkey service port for Valkey

1445

## @param sentinel.service.ports.sentinel Valkey service port for Valkey Sentinel

1446

1447

ports:

1448

valkey: 6379

1449

sentinel: 26379

1450

## @param sentinel.service.nodePorts.valkey Node port for Valkey

1451

## @param sentinel.service.nodePorts.sentinel Node port for Sentinel

1452

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport

1453

## NOTE: choose port between <30000-32767>

1454

## NOTE: By leaving these values blank, they will be generated by ports-configmap

1455

## If setting manually, please leave at least replica.replicaCount + 1 in between sentinel.service.nodePorts.valkey and sentinel.service.nodePorts.sentinel to take into account the ports that will be created while incrementing that base port

1456

1457

nodePorts:

1458

valkey: ""

1459

sentinel: ""

1460

## @param sentinel.service.externalTrafficPolicy Valkey Sentinel service external traffic policy

1461

## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip

1462

1463

externalTrafficPolicy: Cluster

1464

## @param sentinel.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)

1465

1466

extraPorts: []

1467

## @param sentinel.service.clusterIP Valkey Sentinel service Cluster IP

1468

1469

clusterIP: ""

1470

## @param sentinel.service.createPrimary Enable primary service pointing to the current primary (experimental)

1471

## NOTE: rbac.create need to be set to true

1472

1473

createPrimary: false

1474

## @param sentinel.service.loadBalancerIP Valkey Sentinel service Load Balancer IP

1475

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer

1476

1477

loadBalancerIP: ""

1478

## @param sentinel.service.loadBalancerClass sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)

1479

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer

1480

1481

loadBalancerClass: ""

1482

## @param sentinel.service.loadBalancerSourceRanges Valkey Sentinel service Load Balancer sources

1483

## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service

1484

## Example:

1485

## loadBalancerSourceRanges:

1486

## - 10.10.10.0/24

1487

1488

loadBalancerSourceRanges: []

1489

## @param sentinel.service.annotations Additional custom annotations for Valkey Sentinel service

1490

1491

annotations: {}

1492

## @param sentinel.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"

1493

## If "ClientIP", consecutive client requests will be directed to the same Pod

1494

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

1495

1496

sessionAffinity: None

1497

## @param sentinel.service.sessionAffinityConfig Additional settings for the sessionAffinity. Ignored if `sentinel.service.sessionAffinity` is `None`

1498

## Example:

1499

## sessionAffinityConfig:

1500

## clientIP:

1501

## timeoutSeconds: 300

1502

1503

sessionAffinityConfig: {}

1504

## Headless service properties

1505

1506

headless:

1507

## @param sentinel.service.headless.annotations Annotations for the headless service.

1508

1509

annotations: {}

1510

## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the valkey-node pods

1511

1512

terminationGracePeriodSeconds: 30

1513

## @section Other Parameters

1514

1515

1516

## @param serviceBindings.enabled Create secret for service binding (Experimental)

1517

## Ref: https://servicebinding.io/service-provider/

1518

1519

serviceBindings:

1520

enabled: false

1521

## Network Policy configuration

1522

## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/

1523

1524

networkPolicy:

1525

## @param networkPolicy.enabled Enable creation of NetworkPolicy resources

1526

1527

enabled: true

1528

## @param networkPolicy.allowExternal Don't require client label for connections

1529

## When set to false, only pods with the correct client label will have network access to the ports

1530

## Valkey is listening on. When true, Valkey will accept connections from any source

1531

## (with the correct destination port).

1532

1533

allowExternal: true

1534

## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.

1535

1536

allowExternalEgress: true

1537

## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy

1538

## Example:

1539

## extraIngress:

1540

## - ports:

1541

## - port: 1234

1542

## from:

1543

## - podSelector:

1544

## - matchLabels:

1545

## - role: frontend

1546

## - podSelector:

1547

## - matchExpressions:

1548

## - key: role

1549

## operator: In

1550

## values:

1551

## - frontend

1552

1553

extraIngress: []

1554

## @param networkPolicy.extraEgress Add extra egress rules to the NetworkPolicy

1555

## Example:

1556

## extraEgress:

1557

## - ports:

1558

## - port: 1234

1559

## to:

1560

## - podSelector:

1561

## - matchLabels:

1562

## - role: frontend

1563

## - podSelector:

1564

## - matchExpressions:

1565

## - key: role

1566

## operator: In

1567

## values:

1568

## - frontend

1569

1570

extraEgress: []

1571

## @param networkPolicy.ingressNSMatchLabels Labels to match to allow traffic from other namespaces

1572

## @param networkPolicy.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces

1573

1574

ingressNSMatchLabels: {}

1575

ingressNSPodMatchLabels: {}

1576

metrics:

1577

## @param networkPolicy.metrics.allowExternal Don't require client label for connections for metrics endpoint

1578

## When set to false, only pods with the correct client label will have network access to the metrics port

1579

1580

allowExternal: true

1581

## @param networkPolicy.metrics.ingressNSMatchLabels Labels to match to allow traffic from other namespaces to metrics endpoint

1582

## @param networkPolicy.metrics.ingressNSPodMatchLabels Pod labels to match to allow traffic from other namespaces to metrics endpoint

1583

1584

ingressNSMatchLabels: {}

1585

ingressNSPodMatchLabels: {}

1586

## PodSecurityPolicy configuration

1587

## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/

1588

1589

podSecurityPolicy:

1590

## @param podSecurityPolicy.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later

1591

1592

create: false

1593

## @param podSecurityPolicy.enabled Enable PodSecurityPolicy's RBAC rules

1594

1595

enabled: false

1596

## RBAC configuration

1597

1598

rbac:

1599

## @param rbac.create Specifies whether RBAC resources should be created

1600

1601

create: false

1602

## @param rbac.rules Custom RBAC rules to set

1603

## Example:

1604

## rules:

1605

## - apiGroups:

1606

## - ""

1607

## resources:

1608

## - pods

1609

## verbs:

1610

## - get

1611

## - list

1612

1613

rules: []

1614

## ServiceAccount configuration

1615

1616

serviceAccount:

1617

## @param serviceAccount.create Specifies whether a ServiceAccount should be created

1618

1619

create: true

1620

## @param serviceAccount.name The name of the ServiceAccount to use.

1621

## If not set and create is true, a name is generated using the common.names.fullname template

1622

1623

1624

## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token

1625

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server

1626

1627

automountServiceAccountToken: false

1628

## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount

1629

1630

annotations: {}

1631

## Redis® Pod Disruption Budget configuration

1632

## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/

1633

## @param pdb DEPRECATED Please use `primary.pdb` and `replica.pdb` values instead

1634

1635

pdb: {}

1636

## TLS configuration

1637

1638

tls:

1639

## @param tls.enabled Enable TLS traffic

1640

1641

enabled: false

1642

## @param tls.authClients Require clients to authenticate

1643

1644

authClients: true

1645

## @param tls.autoGenerated Enable autogenerated certificates

1646

1647

autoGenerated: false

1648

## @param tls.existingSecret The name of the existing secret that contains the TLS certificates

1649

1650

existingSecret: ""

1651

## @param tls.certFilename Certificate filename

1652

1653

certFilename: ""

1654

## @param tls.certKeyFilename Certificate Key filename

1655

1656

certKeyFilename: ""

1657

## @param tls.certCAFilename CA Certificate filename

1658

1659

certCAFilename: ""

1660

## @param tls.dhParamsFilename File containing DH params (to support DH-based ciphers)

1661

1662

dhParamsFilename: ""

1663

## @section Metrics Parameters

1664

1665

metrics:

1666

## @param metrics.enabled Start a sidecar Prometheus Exporter to expose Valkey metrics

1667

1668

enabled: false

1669

## Iamguarded Redis(R) Exporter image

1670

## @param metrics.image.registry [default: REGISTRY_NAME] Redis(R) Exporter image registry

1671

## @param metrics.image.repository [default: REPOSITORY_NAME/redis-exporter] Redis(R) Exporter image repository

1672

## @skip metrics.image.tag Redis(R) Exporter image tag (immutable tags are recommended)

1673

## @param metrics.image.digest Redis(R) Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag

1674

## @param metrics.image.pullPolicy Redis(R) Exporter image pull policy

1675

## @param metrics.image.pullSecrets Redis(R) Exporter image pull secrets

1676

1677

image:

1678

registry: cgr.dev

1679

repository: chainguard-private/iamguarded-charts/prometheus-redis-exporter-iamguarded

1680

tag: 1.82.0

1681

digest: ""

1682

pullPolicy: IfNotPresent

1683

## Optionally, specify an array of imagePullSecrets.

1684

## Secrets must be manually created in the namespace.

1685

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

1686

## Example:

1687

## pullSecrets:

1688

## - myRegistryKeySecretName

1689

1690

pullSecrets: []

1691

## @param metrics.containerPorts.http Metrics HTTP container port

1692

1693

containerPorts:

1694

http: 9121

1695

## Configure extra options for Valkey containers' liveness, readiness & startup probes

1696

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/

1697

## @param metrics.startupProbe.enabled Enable startupProbe on Valkey replicas nodes

1698

## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe

1699

## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe

1700

## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe

1701

## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe

1702

## @param metrics.startupProbe.successThreshold Success threshold for startupProbe

1703

1704

startupProbe:

1705

enabled: false

1706

initialDelaySeconds: 10

1707

periodSeconds: 10

1708

timeoutSeconds: 5

1709

successThreshold: 1

1710

failureThreshold: 5

1711

## @param metrics.livenessProbe.enabled Enable livenessProbe on Valkey replicas nodes

1712

## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe

1713

## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe

1714

## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe

1715

## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe

1716

## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe

1717

1718

livenessProbe:

1719

enabled: true

1720

initialDelaySeconds: 10

1721

periodSeconds: 10

1722

timeoutSeconds: 5

1723

successThreshold: 1

1724

failureThreshold: 5

1725

## @param metrics.readinessProbe.enabled Enable readinessProbe on Valkey replicas nodes

1726

## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe

1727

## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe

1728

## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe

1729

## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe

1730

## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe

1731

1732

readinessProbe:

1733

enabled: true

1734

initialDelaySeconds: 5

1735

periodSeconds: 10

1736

timeoutSeconds: 1

1737

successThreshold: 1

1738

failureThreshold: 3

1739

## @param metrics.customStartupProbe Custom startupProbe that overrides the default one

1740

1741

customStartupProbe: {}

1742

## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one

1743

1744

customLivenessProbe: {}

1745

## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one

1746

1747

customReadinessProbe: {}

1748

## @param metrics.command Override default metrics container init command (useful when using custom images)

1749

1750

command: []

1751

## @param metrics.valkeyTargetHost A way to specify an alternative Valkey hostname

1752

## Useful for certificate CN/SAN matching

1753

1754

valkeyTargetHost: "localhost"

1755

## @param metrics.extraArgs Extra arguments for Redis(R) Exporter

1756

## Example:

1757

## extraArgs:

1758

## check-keys: myKey,myOtherKey

1759

1760

extraArgs: {}

1761

## @param metrics.extraEnvVars Array with extra environment variables to add to Redis(R) Exporter

1762

## Example:

1763

## extraEnvVars:

1764

## - name: FOO

1765

## value: "bar"

1766

1767

extraEnvVars: []

1768

## Configure Container Security Context

1769

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

1770

## @param metrics.containerSecurityContext.enabled Enable Redis(R) Exporter containers' Security Context

1771

## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container

1772

## @param metrics.containerSecurityContext.runAsUser Set Redis(R) Exporter containers' Security Context runAsUser

1773

## @param metrics.containerSecurityContext.runAsGroup Set Redis(R) Exporter containers' Security Context runAsGroup

1774

## @param metrics.containerSecurityContext.runAsNonRoot Set Redis(R) Exporter containers' Security Context runAsNonRoot

1775

## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set Redis(R) Exporter containers' Security Context allowPrivilegeEscalation

1776

## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem

1777

## @param metrics.containerSecurityContext.seccompProfile.type Set Redis(R) Exporter containers' Security Context seccompProfile

1778

## @param metrics.containerSecurityContext.capabilities.drop Set Redis(R) Exporter containers' Security Context capabilities to drop

1779

1780

containerSecurityContext:

1781

enabled: true

1782

seLinuxOptions: {}

1783

runAsUser: 1001

1784

runAsGroup: 1001

1785

runAsNonRoot: true

1786

allowPrivilegeEscalation: false

1787

readOnlyRootFilesystem: true

1788

seccompProfile:

1789

type: RuntimeDefault

1790

capabilities:

1791

drop: ["ALL"]

1792

## @param metrics.extraVolumes Optionally, specify extra list of additional volumes for the Valkey metrics sidecar

1793

1794

extraVolumes: []

1795

## @param metrics.extraVolumeMounts Optionally, specify extra list of additional volumeMounts for the Valkey metrics sidecar

1796

1797

extraVolumeMounts: []

1798

## Redis(R) Exporter resource requests and limits

1799

## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

1800

## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).

1801

1802

resourcesPreset: "nano"

1803

## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)

1804

## Example:

1805

## resources:

1806

## requests:

1807

## cpu: 2

1808

## memory: 512Mi

1809

## limits:

1810

## cpu: 3

1811

## memory: 1024Mi

1812

1813

resources: {}

1814

## @param metrics.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used

1815

## @param metrics.fips.golang Configure Golang FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used

1816

1817

fips:

1818

openssl: ""

1819

golang: restricted

1820

1821

## @param metrics.podLabels Extra labels for Redis(R) Exporter pods

1822

## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/

1823

1824

podLabels: {}

1825

## @param metrics.podAnnotations [object] Annotations for Redis(R) Exporter pods

1826

## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/

1827

1828

podAnnotations:

1829

prometheus.io/scrape: "true"

1830

prometheus.io/port: "9121"

1831

## Redis(R) Exporter service parameters

1832

1833

service:

1834

## @param metrics.service.enabled Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor

1835

1836

enabled: true

1837

## @param metrics.service.type Redis(R) Exporter service type

1838

1839

type: ClusterIP

1840

## @param metrics.service.ports.http Redis(R) Exporter service port

1841

1842

ports:

1843

http: 9121

1844

## @param metrics.service.externalTrafficPolicy Redis(R) Exporter service external traffic policy

1845

## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip

1846

1847

externalTrafficPolicy: Cluster

1848

## @param metrics.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)

1849

1850

extraPorts: []

1851

## @param metrics.service.loadBalancerIP Redis(R) Exporter service Load Balancer IP

1852

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer

1853

1854

loadBalancerIP: ""

1855

## @param metrics.service.loadBalancerClass Exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)

1856

## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer

1857

1858

loadBalancerClass: ""

1859

## @param metrics.service.loadBalancerSourceRanges Redis(R) Exporter service Load Balancer sources

1860

## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service

1861

## Example:

1862

## loadBalancerSourceRanges:

1863

## - 10.10.10.0/24

1864

1865

loadBalancerSourceRanges: []

1866

## @param metrics.service.annotations Additional custom annotations for Redis(R) Exporter service

1867

1868

annotations: {}

1869

## @param metrics.service.clusterIP Redis(R) Exporter service Cluster IP

1870

1871

clusterIP: ""

1872

## Prometheus Service Monitor

1873

## ref: https://github.com/coreos/prometheus-operator

1874

## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint

1875

1876

serviceMonitor:

1877

## @param metrics.serviceMonitor.port the service port to scrape metrics from

1878

1879

port: http-metrics

1880

## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator

1881

1882

enabled: false

1883

## @param metrics.serviceMonitor.namespace The namespace in which the ServiceMonitor will be created

1884

1885

namespace: ""

1886

## @param metrics.serviceMonitor.interval The interval at which metrics should be scraped

1887

1888

interval: 30s

1889

## @param metrics.serviceMonitor.scrapeTimeout The timeout after which the scrape is ended

1890

1891

scrapeTimeout: ""

1892

## @param metrics.serviceMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping.

1893

1894

relabelings: []

1895

## @param metrics.serviceMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.

1896

1897

metricRelabelings: []

1898

## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint

1899

1900

honorLabels: false

1901

## @param metrics.serviceMonitor.additionalLabels Additional labels that can be used so ServiceMonitor resource(s) can be discovered by Prometheus

1902

1903

additionalLabels: {}

1904

## @param metrics.serviceMonitor.podTargetLabels Labels from the Kubernetes pod to be transferred to the created metrics

1905

1906

podTargetLabels: []

1907

## @param metrics.serviceMonitor.sampleLimit Limit of how many samples should be scraped from every Pod

1908

1909

sampleLimit: false

1910

## @param metrics.serviceMonitor.targetLimit Limit of how many targets should be scraped

1911

1912

targetLimit: false

1913

## @param metrics.serviceMonitor.additionalEndpoints Additional endpoints to scrape (e.g., sentinel)

1914

## Example to scrape sentinel metrics, also to in order distinguish between Sentinel and Valkey container metrics

1915

## add metricRelabelings with label like app=valkey to main valkey pod-monitor port:

1916

## additionalEndpoints:

1917

## - interval: "30s"

1918

## path: "/scrape"

1919

## port: "metrics"

1920

## params:

1921

## target: ["localhost:26379"]

1922

## metricRelabelings:

1923

## - targetLabel: "app"

1924

## replacement: "sentinel"

1925

1926

additionalEndpoints: []

1927

## Prometheus Pod Monitor

1928

## ref: https://github.com/coreos/prometheus-operator

1929

## https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#podmonitor

1930

1931

podMonitor:

1932

## @param metrics.podMonitor.port the pod port to scrape metrics from

1933

1934

port: metrics

1935

## @param metrics.podMonitor.enabled Create PodMonitor resource(s) for scraping metrics using PrometheusOperator

1936

1937

enabled: false

1938

## @param metrics.podMonitor.namespace The namespace in which the PodMonitor will be created

1939

1940

namespace: ""

1941

## @param metrics.podMonitor.interval The interval at which metrics should be scraped

1942

1943

interval: 30s

1944

## @param metrics.podMonitor.scrapeTimeout The timeout after which the scrape is ended

1945

1946

scrapeTimeout: ""

1947

## @param metrics.podMonitor.relabelings Metrics RelabelConfigs to apply to samples before scraping.

1948

1949

relabelings: []

1950

## @param metrics.podMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.

1951

## Example:

1952

## metricRelabelings:

1953

## - targetLabel: "app"

1954

## replacement: "valkey"

1955

1956

metricRelabelings: []

1957

## @param metrics.podMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint

1958

1959

honorLabels: false

1960

## @param metrics.podMonitor.additionalLabels Additional labels that can be used so PodMonitor resource(s) can be discovered by Prometheus

1961

1962

additionalLabels: {}

1963

## @param metrics.podMonitor.podTargetLabels Labels from the Kubernetes pod to be transferred to the created metrics

1964

1965

podTargetLabels: []

1966

## @param metrics.podMonitor.sampleLimit Limit of how many samples should be scraped from every Pod

1967

1968

sampleLimit: false

1969

## @param metrics.podMonitor.targetLimit Limit of how many targets should be scraped

1970

1971

targetLimit: false

1972

## @param metrics.podMonitor.additionalEndpoints Additional endpoints to scrape (e.g., sentinel)

1973

## Example:

1974

## additionalEndpoints:

1975

## - interval: "30s"

1976

## path: "/scrape"

1977

## port: "metrics"

1978

## params:

1979

## target: ["localhost:26379"]

1980

## metricRelabelings:

1981

## - targetLabel: "app"

1982

## replacement: "sentinel"

1983

1984

additionalEndpoints: []

1985

## Custom PrometheusRule to be defined

1986

## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions

1987

1988

prometheusRule:

1989

## @param metrics.prometheusRule.enabled Create a custom prometheusRule Resource for scraping metrics using PrometheusOperator

1990

1991

enabled: false

1992

## @param metrics.prometheusRule.namespace The namespace in which the prometheusRule will be created

1993

1994

namespace: ""

1995

## @param metrics.prometheusRule.additionalLabels Additional labels for the prometheusRule

1996

1997

additionalLabels: {}

1998

## @param metrics.prometheusRule.rules Custom Prometheus rules

1999

## Example:

2000

## rules:

2001

## - alert: ValkeyDown

2002

## expr: valkey_up{service="{{ template "common.names.fullname" . }}-metrics"} == 0

2003

## for: 2m

2004

## labels:

2005

## severity: error

2006

## annotations:

2007

## summary: Valkey instance {{ "{{ $labels.instance }}" }} down

2008

## description: Valkey instance {{ "{{ $labels.instance }}" }} is down

2009

## - alert: ValkeyMemoryHigh

2010

## expr: >

2011

## valkey_memory_used_bytes{service="{{ template "common.names.fullname" . }}-metrics"} * 100

2012

## /

2013

## valkey_memory_max_bytes{service="{{ template "common.names.fullname" . }}-metrics"}

2014

## > 90

2015

## for: 2m

2016

## labels:

2017

## severity: error

2018

## annotations:

2019

## summary: Valkey instance {{ "{{ $labels.instance }}" }} is using too much memory

2020

## description: |

2021

## Valkey instance {{ "{{ $labels.instance }}" }} is using {{ "{{ $value }}" }}% of its available memory.

2022

## - alert: ValkeyKeyEviction

2023

## expr: |

2024

## increase(valkey_evicted_keys_total{service="{{ template "common.names.fullname" . }}-metrics"}[5m]) > 0

2025

## for: 1s

2026

## labels:

2027

## severity: error

2028

## annotations:

2029

## summary: Valkey instance {{ "{{ $labels.instance }}" }} has evicted keys

2030

## description: |

2031

## Valkey instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes.

2032

2033

rules: []

2034

## @section Init Container Parameters

2035

2036

2037

## 'volumePermissions' init container parameters

2038

## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values

2039

## based on the *podSecurityContext/*containerSecurityContext parameters

2040

2041

volumePermissions:

2042

## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`

2043

2044

enabled: false

2045

## OS Shell + Utility image

2046

## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry

2047

## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository

2048

## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended)

2049

## @param volumePermissions.image.digest OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag

2050

## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy

2051

## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets

2052

2053

image:

2054

registry: cgr.dev

2055

repository: chainguard-private/iamguarded-charts/os-shell-iamguarded

2056

tag: 1.0.0

2057

digest: ""

2058

pullPolicy: IfNotPresent

2059

## Optionally, specify an array of imagePullSecrets.

2060

## Secrets must be manually created in the namespace.

2061

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

2062

## Example:

2063

## pullSecrets:

2064

## - myRegistryKeySecretName

2065

2066

pullSecrets: []

2067

## Init container's resource requests and limits

2068

## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

2069

## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).

2070

2071

resourcesPreset: "nano"

2072

## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)

2073

## Example:

2074

## resources:

2075

## requests:

2076

## cpu: 2

2077

## memory: 512Mi

2078

## limits:

2079

## cpu: 3

2080

## memory: 1024Mi

2081

2082

resources: {}

2083

## @param volumePermissions.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used

2084

2085

fips:

2086

openssl: ""

2087

2088

## Init container Security Context

2089

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container

2090

## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container

2091

## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser

2092

## NOTE: when runAsUser is set to special value "auto", init container will try to chown the

2093

## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`

2094

## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)

2095

2096

containerSecurityContext:

2097

seLinuxOptions: {}

2098

runAsUser: 0

2099

## Kubectl InitContainer

2100

## used by Sentinel to update the isPrimary label on the Valkey(TM) pods

2101

2102

kubectl:

2103

## Iamguarded Kubectl image version

2104

## @param kubectl.image.registry [default: REGISTRY_NAME] Kubectl image registry

2105

## @param kubectl.image.repository [default: REPOSITORY_NAME/kubectl] Kubectl image repository

2106

## @skip kubectl.image.tag Kubectl image tag (immutable tags are recommended), by default, using the current version

2107

## @param kubectl.image.digest Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag

2108

## @param kubectl.image.pullPolicy Kubectl image pull policy

2109

## @param kubectl.image.pullSecrets Kubectl pull secrets

2110

2111

image:

2112

registry: cgr.dev

2113

repository: chainguard-private/iamguarded-charts/kubectl-iamguarded

2114

tag: 1.35.3

2115

digest: ""

2116

## Specify a imagePullPolicy

2117

## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images

2118

2119

pullPolicy: IfNotPresent

2120

## Optionally, specify an array of imagePullSecrets.

2121

## Secrets must be manually created in the namespace.

2122

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/

2123

## Example:

2124

## pullSecrets:

2125

## - myRegistryKeySecretName

2126

2127

pullSecrets: []

2128

## @param kubectl.command kubectl command to execute

2129

2130

command: ["/opt/iamguarded/scripts/kubectl-scripts/update-primary-label.sh"]

2131

## Configure Container Security Context

2132

## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod

2133

## @param kubectl.containerSecurityContext.enabled Enable kubectl containers' Security Context

2134

## @param kubectl.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container

2135

## @param kubectl.containerSecurityContext.runAsUser Set kubectl containers' Security Context runAsUser

2136

## @param kubectl.containerSecurityContext.runAsGroup Set kubectl containers' Security Context runAsGroup

2137

## @param kubectl.containerSecurityContext.runAsNonRoot Set kubectl containers' Security Context runAsNonRoot

2138

## @param kubectl.containerSecurityContext.allowPrivilegeEscalation Set kubectl containers' Security Context allowPrivilegeEscalation

2139

## @param kubectl.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem

2140

## @param kubectl.containerSecurityContext.seccompProfile.type Set kubectl containers' Security Context seccompProfile

2141

## @param kubectl.containerSecurityContext.capabilities.drop Set kubectl containers' Security Context capabilities to drop

2142

2143

containerSecurityContext:

2144

enabled: true

2145

seLinuxOptions: {}

2146

runAsUser: 1001

2147

runAsGroup: 1001

2148

runAsNonRoot: true

2149

allowPrivilegeEscalation: false

2150

readOnlyRootFilesystem: true

2151

seccompProfile:

2152

type: RuntimeDefault

2153

capabilities:

2154

drop: ["ALL"]

2155

## Iamguarded Kubectl resource requests and limits

2156

## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/

2157

## @param kubectl.resources.limits The resources limits for the kubectl containers

2158

## @param kubectl.resources.requests The requested resources for the kubectl containers

2159

2160

resources:

2161

limits: {}

2162

requests: {}

2163

## @param kubectl.fips.openssl Configure OpenSSL FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used

2164

## @param kubectl.fips.golang Configure Golang FIPS mode: '', 'restricted', 'relaxed', 'off'. If empty (""), 'global.defaultFips' would be used

2165

2166

fips:

2167

openssl: ""

2168

golang: relaxed

2169

2170

## @section useExternalDNS Parameters

2171

2172

## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work. Note this requires a working installation of `external-dns` to be usable.

2173

## @param useExternalDNS.additionalAnnotations Extra annotations to be utilized when `external-dns` is enabled.

2174

## @param useExternalDNS.annotationKey The annotation key utilized when `external-dns` is enabled. Setting this to `false` will disable annotations.

2175

## @param useExternalDNS.suffix The DNS suffix utilized when `external-dns` is enabled. Note that we prepend the suffix with the full name of the release.

2176

2177

useExternalDNS:

2178

enabled: false

2179

suffix: ""

2180

annotationKey: external-dns.alpha.kubernetes.io/

2181

additionalAnnotations: {}

2182

The trusted source for open source

Talk to an expert

Privacy

Terms

© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.

valkey

The trusted source for open source

Product

Solutions

Customers

Resources

Company