4# (eg. disable helm hook delete policy)
7# Custom Service account management
9 # Whether to create service account or not
11 # Name of the service account.
13 # If `create: true` defaults to temporal.fullname, otherwise uses the namespace's default serviceAccount.
15 # extraAnnotations would let users add additional annotations
17additionalAnnotations: {}
19# Array of extra K8s manifests to deploy
# NOTE(review): the reference below carries both a tag and a sha256 digest. When a
# digest is present the image is resolved by that digest, so `latest` is only a
# label and a newer build is picked up only by changing the sha256 value.
# Presumably the chart renders this as <repository>:<tag> — confirm in the templates.
# The `chainguard-private` path suggests the registry needs pull credentials
# (imagePullSecrets) — verify for the target cluster.
24 repository: cgr.dev/chainguard-private/temporal-server-fips
25 tag: latest@sha256:4ea2ff93081c4637f1005ff8943223eba5e8e27cff618d8418fba09129237d72
26 pullPolicy: IfNotPresent
27 # Global default settings (can be overridden per service)
31 # Annotate pods and services directly with the following Prometheus annotations.
34 # prometheus.io/scheme
35 # prometheus.io/scrape
38 # Enable Prometheus ServiceMonitor
39 # Use this if you installed the Prometheus Operator (https://github.com/coreos/prometheus-operator).
43 # Set additional labels on all the ServiceMonitor resources
47 # Set Prometheus metric_relabel_configs via ServiceMonitor
48 # Use metricRelabelings to adjust metric and label names as needed
52 # - exported_namespace
53 # targetLabel: temporal_namespace
55 # regex: service_errors_(.+)
59 # targetLabel: temporal_error_kind
61 # regex: service_errors_.+
62 # replacement: temporal_service_errors
65 # targetLabel: __name__
67 deploymentAnnotations: {}
68 deploymentStrategy: {}
74 # We usually recommend not to specify default resources and to leave this as a conscious
75 # choice for the user. This also increases chances charts run on environments with little
76 # resources, such as Minikube. If you do want to specify resources, uncomment the following
77 # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
88 terminationGracePeriodSeconds: null
90 additionalVolumeMounts: []
92 additionalEnvSecretName: ""
93 additionalEnvConfigMapName: ""
94 # for sidecar containers, add containers here with restartPolicy: Always
95 additionalInitContainers: []
96 # publicClientHostPort: "temporal-frontend.example.svc:7233"
# NOTE(review): the default value names the debug level. Debug output is more
# verbose and can carry more request detail into log storage — confirm how the
# server parses the comma-separated value and whether debug is intended for
# production deployments.
101 logLevel: "debug,info"
102 # Define your TLS configuration here. See https://docs.temporal.io/references/configuration#tls
103 # for configuration options. You must also use `server.additionalVolumeMounts` and `server.additionalVolumes`
104 # to mount certificates (from Secret or ConfigMap etc) to the path you use below.
108 # certFile: /path/to/internode/cert/file
109 # keyFile: /path/to/internode/key/file
110 # requireClientAuth: true
112 # - /path/to/internode/serverCa
114 # serverName: dnsSanInInternodeCertificate
116 # - /path/to/internode/serverCa
119 # certFile: /path/to/frontend/cert/file
120 # keyFile: /path/to/frontend/key/file
121 # requireClientAuth: true
123 # - /path/to/internode/serverCa
124 # - /path/to/sdkClientPool1/ca
125 # - /path/to/sdkClientPool2/ca
127 # serverName: dnsSanInFrontendCertificate
129 # - /path/to/frontend/serverCa
130 # Define your Authorizer and ClaimMapper configuration here. See https://docs.temporal.io/self-hosted-guide/security#authorization
134 # - http://localhost:/jwks.json
135 # refreshInterval: 1m
136 # permissionsClaimName: permissions
137 # authorizer: default
138 # claimMapper: default
140 defaultStore: default
141 visibilityStore: visibility
142 # Important: numHistoryShards cannot be changed after the initial deployment.
143 numHistoryShards: 512
144 # Persistence configuration follows the raw Temporal server config format.
145 # Driver is determined by which top-level key is present (cassandra vs sql).
146 # For SQL stores, you can use either connectAddr: "host:port" or separate host/port fields.
147 # Helm-specific fields (existingSecret, secretKey) are stripped before rendering to server config.
150 # Example SQL configuration:
152 # createDatabase: false
153 # manageSchema: false
154 # pluginName: mysql8 # or postgres12, postgres12_pgx
156 # databaseName: temporal
157 # connectAddr: "mysql.example.com:3306" # preferred format
158 # connectProtocol: "tcp"
159 # # OR use separate host/port:
160 # # host: mysql.example.com
162 # user: temporal_user
163 # password: "" # optional, use existingSecret instead
164 # existingSecret: temporal-db-secret # Helm-specific, stripped before rendering
165 # secretKey: password # Helm-specific, default: password
166 # # Server v1.31+ alternative to password/existingSecret (SQL datastores
167 # # only). When set, no password Secret is created and no SQL_PASSWORD
168 # # env is wired; the server invokes the command per new connection.
170 # command: my-token-helper
175 # maxConnLifetime: "1h"
177 # tx_isolation: "READ-COMMITTED"
180 # caFile: /path/to/ca.pem
181 # Example Cassandra configuration:
183 # createDatabase: false
184 # manageSchema: false
185 # hosts: "host1,host2"
188 # user: cassandra_user
189 # password: "" # optional, use existingSecret instead
190 # existingSecret: temporal-cassandra-secret
191 # secretKey: password
192 # replicationFactor: 3
195 # consistency: "local_quorum"
196 # serialConsistency: "local_serial"
198 # Example SQL configuration (same structure as default.sql):
200 # createDatabase: false
201 # manageSchema: false
204 # databaseName: temporal_visibility
205 # connectAddr: "mysql.example.com:3306"
206 # connectProtocol: "tcp"
207 # user: temporal_user
208 # existingSecret: temporal-db-secret
209 # secretKey: password
210 # Example Elasticsearch configuration:
215 # host: "elasticsearch:9200"
218 # existingSecret: temporal-es-secret
219 # secretKey: password
222 # visibility: temporal_visibility_v1
225 # caFile: /path/to/ca.crt
226 # certFile: /path/to/client.crt
227 # keyFile: /path/to/client.key
228 # serverName: elasticsearch.internal
229 # enableHostVerification: true
230 # aws-request-signing:
231 # credentialProvider: environment # static, environment, or aws-sdk-default
235 # secretAccessKey: ""
237 # Additional stores can be added here and will pass through directly
240 # pluginName: postgres12
243 # Additional tags to be added to Prometheus metrics
245 # ... All other fields from https://github.com/temporalio/temporal/blob/main/common/metrics/config.go
# NOTE(review): 0.0.0.0 binds the listener on every interface of the pod, so the
# port is reachable from any workload that can route to the pod unless a
# NetworkPolicy restricts it. Presumably this is the Prometheus metrics listener
# (the parent key is not visible here) — confirm, and limit ingress to the scraper.
251 listenAddress: "0.0.0.0:9090"
253 # Enable this to create namespaces
261 # Evaluated as template
267 membershipAppProtocol: tcp
269 httpAppProtocol: http
270 # Defaults to a tcpSocket probe; uncomment below for a gRPC probe.
271 # gRPC probes don't yet support TLS (kubernetes/enhancements#4939), so opt in only when TLS is off.
276 # service: temporal.api.workflowservice.v1.WorkflowService
281 # kubernetes.io/ingress.class: traefik
282 # ingress.kubernetes.io/ssl-redirect: "false"
283 # traefik.frontend.rule.type: PathPrefix
289 # - secretName: chart-example-tls
291 # - chart-example.local
298 # timerType: histogram
300 deploymentAnnotations: {}
301 deploymentStrategy: {}
# NOTE(review): containerSecurityContext is empty by default, so this value adds
# no container-level hardening on its own. Presumably it is passed through to the
# container spec — confirm in the templates. Operators who need hardening set
# fields such as runAsNonRoot, allowPrivilegeEscalation: false,
# readOnlyRootFilesystem and capabilities.drop here.
# The same empty default appears for the other components in this file.
310 containerSecurityContext: {}
311 topologySpreadConstraints: []
312 podDisruptionBudget: {}
314 # Enable this to create internal-frontend
317 # Evaluated as template
323 membershipAppProtocol: tcp
325 httpAppProtocol: http
326 # Defaults to a tcpSocket probe; uncomment below for a gRPC probe.
327 # gRPC probes don't yet support TLS (kubernetes/enhancements#4939), so opt in only when TLS is off.
332 # service: temporal.api.workflowservice.v1.WorkflowService
339 # timerType: histogram
341 deploymentAnnotations: {}
342 deploymentStrategy: {}
351 containerSecurityContext: {}
352 topologySpreadConstraints: []
353 podDisruptionBudget: {}
361 membershipAppProtocol: tcp
369 # timerType: histogram
371 deploymentAnnotations: {}
372 deploymentStrategy: {}
381 containerSecurityContext: {}
382 topologySpreadConstraints: []
383 podDisruptionBudget: {}
391 membershipAppProtocol: tcp
399 # timerType: histogram
401 deploymentAnnotations: {}
402 deploymentStrategy: {}
411 containerSecurityContext: {}
412 topologySpreadConstraints: []
413 podDisruptionBudget: {}
421 membershipAppProtocol: tcp
429 # timerType: histogram
431 deploymentAnnotations: {}
432 deploymentStrategy: {}
441 containerSecurityContext: {}
442 topologySpreadConstraints: []
443 podDisruptionBudget: {}
# NOTE(review): tag and digest are both given; the sha256 digest is what pins the
# image, and `latest` does not affect which build is pulled. Updating the image
# means updating the digest.
447 repository: cgr.dev/chainguard-private/temporal-admin-tools-fips
448 tag: latest@sha256:9d8c09326641e8d803092b010b7ef4f1d3523b6ec516da06449ee08c6d1a3363
449 pullPolicy: IfNotPresent
455 deploymentAnnotations: {}
456 deploymentStrategy: {}
462 additionalVolumes: []
463 additionalVolumeMounts: []
465 additionalEnvSecretName: ""
466 additionalEnvConfigMapName: ""
467 # temporalAddress: "localhost:7233"
468 # for sidecar containers, add containers here with restartPolicy: Always
469 additionalInitContainers: []
471 containerSecurityContext: {}
474 podDisruptionBudget: {}
476 # additionalInitContainers: []
# NOTE(review): tag and digest are both given; the sha256 digest is what pins the
# image, and `latest` does not affect which build is pulled. Updating the image
# means updating the digest.
480 repository: cgr.dev/chainguard-private/temporal-ui-server-fips
481 tag: latest@sha256:5c3ace80397a5a47a4a731ec2a4e9c2d5d7111da241c8bc64d523f7d90ba7231
482 pullPolicy: IfNotPresent
484 # set type to NodePort if the web UI needs to be reachable from outside the cluster
485 # for more info see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
487 # The below clusterIP setting can be set to "None" to make the temporal-web service headless.
488 # Note that this requires the web.service.type to be the default ClusterIP value.
494 # Override the address the UI uses to connect to the Temporal frontend.
495 # Defaults to <fullname>-frontend.<namespace>.svc:<server.frontend.service.port>.
496 # Useful when running a proxy sidecar that intercepts gRPC traffic.
497 # temporalAddress: "localhost:7233"
499 initialDelaySeconds: 10
507 # kubernetes.io/ingress.class: traefik
508 # ingress.kubernetes.io/ssl-redirect: "false"
509 # traefik.frontend.rule.type: PathPrefix
515 # - secretName: chart-example-tls
517 # - chart-example.local
519 deploymentAnnotations: {}
520 deploymentStrategy: {}
524 # We usually recommend not to specify default resources and to leave this as a conscious
525 # choice for the user. This also increases chances charts run on environments with little
526 # resources, such as Minikube. If you do want to specify resources, uncomment the following
527 # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
537 additionalVolumes: []
538 additionalVolumeMounts: []
539 # Adjust Web UI config with environment variables:
540 # https://docs.temporal.io/references/web-ui-environment-variables
542 additionalEnvSecretName: ""
543 additionalEnvConfigMapName: ""
544 containerSecurityContext: {}
546 topologySpreadConstraints: []
548 podDisruptionBudget: {}
550 # Use Helm hooks to ensure schema setup completes before server pods start.
551 # Set to false if using Flux, Rancher or Terraform.
554 activeDeadlineSeconds: null
555 ttlSecondsAfterFinished: 86400
560 containerSecurityContext: {}
563 # Enable compatibility with Temporal 1.29 images. Set to false if using Temporal 1.30 or higher.
565 # Enable compatibility with Temporal 1.29 images. Set to false if using Temporal 1.30 or higher.
566 elasticsearchTool: true