Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

These are the helm values supported in this release of Usage Engine Private Edition.

## Default values for Usage Engine Private Edition.
## This is a YAML-formatted file.
## Declare variables to be passed into your templates.
## Pure documentation comments are prefixed with ## (double hash)
## Commented out values are prefixed with # (single hash)

## Supported environments are on-premise, aws, gcp, oci and azure
environment: on-premise

global:
  ## The domain value is used when a hostname ingress is configured.
  #domain: my.domain.com
  ## The region that the kubernetes cluster belongs to
  #region: west1
  ## Service Account used to apply the objects
  #serviceAccountName: default
  
  ## Whether this installation is part of a multi-tenant installation or not. 
  ## Please refer to the InfoZone documentation on the topic of Multi Tenancy for details.
  multiTenant: false

  ## If the container images shall be pulled from a private registry,
  ## then uncomment this section and specify the name of the secret 
  ## containing the credentials for that registry.
  #imagePullSecrets:
  #- name: regcred

  ## Performance metrics are generated and exposed by default.
  metrics:
    ## Monitor resources (PodMonitor / ServiceMonitor) are setup automatically if those resource definitions exist in the cluster,
    ## thereby making the metrics automatically discoverable by your Prometheus resource.
    monitor:
      ## Set the label(s) required by your Prometheus resource. If any.
      ## For details refer to the serviceMonitorSelector.matchLabels and podMonitorSelector.matchLabels fields in the Prometheus documentation: 
      ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md
      labels: {}
  ## Set to true to force roll of all deployments and statefulsets in this chart
  forceRoll: false

  namespace:
    ## Enables namespace if you have multiple Usage Engine Private Edition installations in multiple namespaces in EKS/GKE cluster
    ## When setting global.namespace.enabled to false:
    ## - Resulting domain name to be <function>.<domain name>, e.g. desktop-online.uepe-eks.example.com
    ## - [postgres | oracle | saphana].db as per value
    ## When setting global.namespace.enabled to true:
    ## - "-<namespace>" will be added into domain name, resulting <function>-<namespace>.<domain name>, e.g. desktop-online-namespace1.uepe-eks.example.com
    ## - If [postgres | oracle | saphana].db is empty, a suffix "<namespace>" will be added to [postgres | oracle | saphana].db value, e.g. namespace1
    ## Note that if you are using GCP managed certificate, before enable this property you need to remove the existing certificate
    enabled: false

  ingressController:
    ## The name of the nginx ingress controller service, this was used by the alb ingress resource
    serviceName: "{{ .Release.Name }}-ingress-nginx-v4-controller"

debug:
  script:
    enabled: false
  log:
    level:
      codeserver: info
      jetty: 'off'
      others: warn
jmx:
  ## Legacy configuration to expose metrics for scraping by prometheus.
  ## This is deprecated in favor of using the automatic service discovery capabilites of the prometheus stack. 
  ## Refer to the global.metrics values.
  export:
    ## Set to true to expose platform metrics for scraping by prometheus.
    enabled: false
    ## The port on which the platform metrics are exposed. 
    port: 8888

log:
  ## Format can be "json" or "raw". Default is "raw"
  format: raw
  ## Pattern is only for raw format, refer to log4j standard
  pattern: '%d: %5p: %m%n'

## Paste the license key here, otherwise use the option '--set-file licenseKey=<licenseKey_file>' when running helm install.
licenseKey: ' '

## Timezone MediationZone should run as, e.g. 'Europe/Stockholm'
timezone: UTC

## Schedule downtime for all ECDs for the purpose of cold backup.
suspend:
  ## The time when the downtime shall begin. Needs to be specified on crontab format.
  #from: "0 3 * * *"
  ## The time when the downtime shall end. Needs to be specified on crontab format.
  #until: "10 3 * * *"

persistence:
  enabled: false

  ## A manually managed Persistent Volume and Claim
  ## If defined, the PVC must be created manually before the volume will be bound
  ## The value is evaluated as a template, so, for example, the name can depend on .Release or .Chart
  #existingClaim:

  ## If existingClaim is not defined, it will fallback to a bundled PVC based on the current environment.
  ## Currently only aws environment has a bundled PVC associated with it.
  #bundledClaim:
    ## The amount of storage to request. Default is 1Gi.
    #storageRequest: "10Gi"
    ## See https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes for the available access modes.
    ## aws default is "ReadWriteMany", others default to "ReadWriteOnce".
    #accessModes: []
    ## Specify the storage class to be used in the bundled PVC.
    ## If this is not set, default storage class name will be used. aws defaults to "aws-efs".
    #storageClassName:

platform:
  metadata:
    annotations: {}
    labels: {}
  replicaCount: 1
  repository: 462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition
  tag: 4.2.0
  pullPolicy: IfNotPresent

  ## Add/override jvm arguments
  jvmArgs:
    - XX:MaxMetaspaceSize=512m
    - Xms256m
    - Xmx2g

  ## Add/override system properties
  ## It is possible to refer to another system property by wrapping it in ${...}
  systemProperties:
    #- someotherprop=${mz.home}/someothervalue

  init:
    ## Platform init container resources
    ## Set this if you need to specify resource requests and/or limits
    ## Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
    resources: {}

  db:
    ## derby, postgresql, oracle or saphana
    type: derby

    ## The credentials of the jdbc user. I.e. the user that is used in runtime to connect to the system database.
    ## It is not recommended to provide the password in this way since it is a potential security risk.
    ## Refer to the Bootstrapping System Credentials section in the installation guide on InfoZone for additional information about this.
    jdbcUser: mzadmin
    #jdbcPassword: bXo=

  ## Keystore is stored in /opt/mz/persistent/keys even if persistence is disabled.
  tls:
    enabled: false
    cert:
      ## Method to provide certificate.
      ## Supported values are:
      ## 'certManager' - Generation and renewal of cert is managed by cert-manager (needs to be installed separately).
      ## 'secret' - A keystore is manually stored in a K8s secret with the specified name
      ## 'key' A self signed certificate is generated and stored on disk - this is  deprecated and will be removed in a future release.
      public: key

    ## Used when "platform.tls.cert.public=certManager" to automate certificate management using cert-manager
    ## Requires an Issuer or ClusterIssuer to be created separately
    ## See details in https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/107217404/Bootstrapping+System+Certificates+and+Secrets+-+Private+Cloud+4.0
    #certManager:
    #  public:
    #    issuer:
    #      name: letsencrypt-prod
    #      kind: ClusterIssuer
    ## This value is deprecated, please use global.domain instead.
    ##      domain: xxx.xxx.xxx

    ## Used when "platform.tls.cert.public=secret" to configure manually provisioned keystore and certificate
    ## See details in https://infozone.atlassian.net/wiki/spaces/UEPE4D/pages/107217404/Bootstrapping+System+Certificates+and+Secrets+-+Private+Cloud+4.0
    #secret:
    #  public:
    #    name: mz-cert

    key:
      ## Uncomment if credentials are not already provided through secret "env-secrets"
      ## Note that when cert-manager is used, password and storepassword must have the same values!
      #password: RGVmYXVsdEtleXN0b3JlUFdE
      #storepassword: RGVmYXVsdEtleXN0b3JlUFdE
      alias: certificate
  
  ## Platform container resources
  ## Set this if you need to specify resource requests and/or limits
  ## Reference: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  resources: {}

  probes:
    ## If the platform takes a very long time to start it
    ## might get restarted because the thresholds have been reached.
    ## If a pod does not reach ready state (readiness probe success) it will be restarted.
    ## If a pod's liveness probe fails for X times, the pod will be restarted.
    liveness:
      initialDelaySeconds: 300
      periodSeconds: 15
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 3
    readiness:
      initialDelaySeconds: 10
      periodSeconds: 5
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 120

  ## Node, affinity, tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
  nodeSelector: {}
  affinity: {}
  tolerations: []

  service:
    metadata:
      annotations: {}
    type: NodePort
    ports:
      - name: http
        port: 9000
        #nodePort: 30900 # Use this to explicitly set the external port
        targetPort: 9000
        protocol: TCP
      - name: rcp
        port: 6790
        #nodePort: 30679 # Use this to explicitly set the external port
        targetPort: 6790
        protocol: TCP
  
  ## Use the configMaps field to mount configuration files
  ## like external references files
  ## into /opt/mz/etc
  #configMaps:
  #- file: extrefs.txt
  #  data: |
  #    parameter1=value1
  #    parameter2=value2

  ## Metrics configuration specific to the platform.
  metrics:
    podMonitor:
      ## Relabeling to apply to the platform podMonitor resource.
      ## Need to be given as an array of RelabelConfig. 
      ## Refer to the prometheus documentation for details:
      ## https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md
      relabelings: []

  ## Defines additional secret mounts. Secrets must be manually created in the namespace.
  extraSecretMounts: []
    #- name: secret-files
    #  mountPath: /etc/secrets
    #  subPath: ""
    #  secretName: my-secret-files
    #  readOnly: true

  ## Defines additional config map mounts. Config maps must be manually created in the namespace.
  extraConfigmapMounts: []
    #- name: my-configmap
    #  mountPath: /etc/config
    #  subPath: ""
    #  configMap: my-configmap
    #  readOnly: true

  ## Extra general purpose volume mounts
  extraVolumeMounts: []
    #- name: example
    #  mountPath: /example

  ## Extra general purpose volumes
  extraVolumes: []
    #- name: example
    #  emptyDir: {}

  ## Optional sidecar containers.
  ## The items in this list must be specified according the Kubernetes Container API.
  sidecars: []
    #- name: example
    #  image: example/example
    #  imagePullPolicy: IfNotPresent
    #  resources: {}
    #  ports:
    #    - name: example
    #      containerPort: 8080
    #      protocol: TCP
    #  env:
    #    - name: EXAMPLE
    #      value: example
    #  volumeMounts:
    #    - name: example
    #      mountPath: /example

postgres:
  ## The PostgreSQL database administrator username.
  ## Only required if the Usage Engine Private Edition system database is to be automatically created.
  ## Refer to the System Database section in the installation guide on InfoZone additional information about this.
  adminUsername: postgres

  ## The PostgreSQL database administrator password.
  ## Only required if the Usage Engine Private Edition system database is to be automatically created.
  ## Refer to the System Database section in the installation guide on InfoZone for additional information about this.
  ## Also, it is not recommended to provide the password in this way since it is a potential security risk.
  ## Refer to the Bootstrapping System Credentials section in the installation guide on InfoZone for additional information about this.
  #adminPassword: dGVzdA==

  ## The password of the mzowner user. I.e. the user that is the owner of the system database schema.
  ## It is not recommended to provide the password in this way since it is a potential security risk.
  ## Refer to the Bootstrapping System Credentials section in the installation guide on InfoZone for additional information about this.
  #mzownerPassword: bXpwb3N0Z3Jlcw==

  ## If postgres.db is set, db name will be created as per value
  ## Else if global.namespace.enabled is true and env is "aws/gcp/oci/azure", default to mz<namespace>, e.g. mznamespace1
  ## Else default to "mz"
  db:
  port: 5432
  host: postgresql

saphana:
  ## The SAP HANA database administrator username.
  ## Only required if the Usage Engine Private Edition system database is to be automatically created.
  ## Refer to the System Database section in the installation guide on InfoZone additional information about this.
  adminUsername: SYSTEM

  ## The SAP HANA database administrator password.
  ## Only required if the Usage Engine Private Edition system database is to be automatically created.
  ## Refer to the System Database section in the installation guide on InfoZone for additional information about this.
  ## Also, it is not recommended to provide the password in this way since it is a potential security risk.
  ## Refer to the Bootstrapping System Credentials section in the installation guide on InfoZone for additional information about this.
  #adminPassword: dGVzdA==

  ## The name of the Usage Engine Private Edition system database.
  db: MZ

  ports:
    ## The port that will be used in runtime for jdbc connections towards the Usage Engine Private Edition system database.
    jdbc: 39041

    ## The port that will be used by the hdbsql client when first creating the Usage Engine Private Edition system database.
    hdbsql: 39013

  ## The host of the SAP HANA database service.
  host: saphana

  ## The name of the SAP HANA System Database
  systemDb: SYSTEMDB

  ## The SAP HANA instance number
  instance: 90

oracle:
  ## The Oracle database administrator username.
  ## Only required if the Usage Engine Private Edition system database is to be automatically created (only supported for Oracle Expresse Edition - see the expressEdition value below).
  ## Refer to the System Database section in the installation guide on InfoZone additional information about this.
  adminUsername: sys

  ## The Oracle database administrator password.
  ## Only required if the Usage Engine Private Edition system database is to be automatically created (only supported for Oracle Expresse Edition - see the expressEdition value below).
  ## Refer to the System Database section in the installation guide on InfoZone additional information about this.
  ## Also, it is not recommended to provide the password in this way since it is a potential security risk.
  ## Refer to the Bootstrapping System Credentials section in the installation guide on InfoZone for additional information about this.
  #adminPassword: T3JhY2xlMTg=

  ## The password of the mzowner user. I.e. the user that is the owner of the system database schema.
  ## It is not recommended to provide the password in this way since it is a potential security risk.
  ## Refer to the Bootstrapping System Credentials section in the installation guide on InfoZone for additional information about this.
  #mzownerPassword: ZHI=

  ## The oracle home. Needs to correspond to the ORACLE_HOME env var on the database server.
  ## Not required when using Oracle Expresse Edition (see the expressEdition value below).
  home:
  ## The host and domain of the database server.
  host: oracle18xe
  ## The port.
  port: 1521
  ## The name of the database. Translates to the SID (or pluggable database name if using Oracle Expresse Edition).
  db: MZ
  ## The database size (small, medium or large).
  size: small
  ## The path where the data files should be located.
  data: /opt/oracle/oradata/XE
  ## Set to true when using an Oracle Express Edition (XE) installation. Only for dev/test purposes.
  expressEdition: true
  ## The Oracle client version to use. Should be specified on <major>.<minor> format.
  ## Currently, only version 19.x is supported.
  ## Needs to correspond with the basicLiteRpm and sqlPlusRpm values below.
  clientVersion: 19.9
  ## The name of the basic lite rpm file corresponding with the Oracle client version specified above.
  ## This file will have to be added through an extension image.
  ## See the documentation on the extensions.* values elsewhere in this values file for further details.
  basicLiteRpm: oracle-instantclient19.9-basiclite-19.9.0.0.0-1.x86_64.rpm
  ## The name of the sqlplus rpm file corresponding with the Oracle client version specified above.
  ## This file will have to be added through an extension image.
  ## See the documentation on the extensions.* values elsewhere in this values file for further details.
  sqlPlusRpm: oracle-instantclient19.9-sqlplus-19.9.0.0.0-1.x86_64.rpm

## Operator deployment.
operator:
  metadata:
    annotations: {}
    labels: {}

  ## Enable/disable the operator. Setting this to false means the operator related kubernetes resources will not be created.
  enabled: true

  ## Set to false if you do not want to install the CRDs that are part of this helm chart.
  ## One reason for doing this is in the situation where the user installing the helm chart does not have permissions
  ## to create/update CRDs in the cluster.
  ## In this situation a cluster admin will have to manually install/update the CRDs.
  ## See the documentation for further details.
  installCRDs: true

  ## Set a specific namespace that the operator *listens* on.
  ## Ie. If you have a non-clusterwide operator it will only act
  ## on resources deployed to this namespace.
  ## Defaults to the helm release namespace!
  #namespace: operatornamespace

  repository: 462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition
  tag: 4.2.0-operator
  pullPolicy: IfNotPresent

  ## The auth proxy protects the /metrics endpoint
  rbacAuthProxy:
    enabled: true

  webhook:
    enabled: false
    tls:
      cert:
        ## Delegate certificate management to either certManager or internal.
        ## Selecting certManager requires cert-manager (https://cert-manager.io) to have been deployed priorly.
        ## Selecting internal means basic self-signed certificate management without auto-renewal.
        delegate: certManager

  ## Node, affinity, tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
  nodeSelector: {}
  affinity: {}
  tolerations: []

  ## Common config for the resources that the operator is managing
  common:
    ## List of common config for the ECDs that the operator manages
    ## This enables configuring common annotations, labels and serviceAccount on groups of ECDs.
    ## The grouping is achieved via the nameRegex.
    ##
    ## If you specify that an ECD shall be using a custom serviceAccount here, 
    ## then you need to make sure that it has permissions to perform get and patch operation on the pods/status resource.
    ## This is an example rule specification to achieve this:
    ## kind: Role
    ## apiVersion: rbac.authorization.k8s.io/v1
    ## metadata:
    ##   name: my-ecd-role
    ## rules:
    ##   - apiGroups: [""]
    ##     resources: ["pods/status"]
    ##     verbs: ["get", "patch"]
    ##
    ecd:
      #- nameRegex: ecd1-.*
      #  annotations:
      #    annotation1: some-annotation-value
      #    annotation2: some-other-annotation-value
      #  labels:
      #    label1: some-label-value
      #    label2: some-other-label-value
      #  serviceAccount: serviceAccount1
      #- nameRegex: ecd2-.*
      #  annotations:
      #    annotation3: some-annotation-value
      #    annotation4: some-other-annotation-value
      #  labels:
      #    label3: some-label-value
      #    label4: some-other-label-value
      #  serviceAccount: serviceAccount2

  ## Debug logging for operator
  debug:
    enabled: false

  ## Should only be changed if deploying to an environment with an offline network
  kubeRbacProxyImageRepository: gcr.io/kubebuilder/kube-rbac-proxy

  ## Resources for the operator pod. Uncomment to use custom resources.
  #resources:
    #limits:
      #cpu: 100m
      #memory: 300Mi
    #requests:
      #cpu: 100m
      #memory: 200Mi

  ## The syncPeriod is the time the operator waits in between each reconcile loop.
  ## For large systems (i.e. with many ECDs and many workflows) it may be required to
  ## increase this in order to prevent the reconcile loops from from piling up.
  ## Default is 300 s.
  #syncPeriod: 300s

  ## The time to wait before requeuing a previously failed reconciliation.
  ## The value must be a parseable duration (see golang time package).
  ## Default is 2 seconds.
  #requeueAfter: 2s

  ## The timeout value used when the operator places http requests against the platform as part of the process
  ## of reconciling workflows.
  ## If you see errors like "context deadline exceeded" in the operator log when reconciling workflows,
  ## then you can try to increase this timeout.
  httpTimeout: 20s  

  ## The password of the mzk8soperator user.
  ## This user is used for internal communication between the operator and the platform.
  ## It is not recommended to provide the password in this way since it is a potential security risk.
  ## Refer to the Bootstrapping System Credentials section in the installation guide on InfoZone for additional information about this.
  #operatorPassword:

## aws setup
## Setup aws load balancers and route53 records for the hosted zones and
## control allowed cidrs to access the platform services
aws:
  ## This value is deprecated, please use global.namespace.enabled instead.
  #namespace:
    ## Enables namespace if you have multiple Usage Engine Private Edition installations in multiple namespaces in EKS cluster
    ## When setting aws.namespace.enabled to false:
    ## - Resulting domain name to be <function>.<domain name>, e.g. desktop-online.uepe-eks.example.com
    ## - [postgres | oracle | saphana].db as per value
    ## When setting aws.namespace.enabled to true:
    ## - "-<namespace>" will be added into domain name, resulting <function>-<namespace>.<domain name>, e.g. desktop-online-namespace1.uepe-eks.example.com
    ## - If [postgres | oracle | saphana].db is empty, a suffix "<namespace>" will be added to [postgres | oracle | saphana].db value, e.g. namespace1
    #enabled: false
  ## The certificate to use for ingress traffic.
  ## Check the AWS Certificate Manager in the AWS Management Console to find out which certificates that are available.
  acm_certificate: arn:aws:acm:eu-west-1:1234567890:certificate/xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxx
  ## This list of values controls from which network ranges ingress traffic is accepted. Use CIDR notation when setting this value.
  access_cidr_blocks:
    - 0.0.0.0/0
  ingress:
    metadata:
      ## Annotations for the ingress-alb ingress.
      annotations:
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80},{"HTTPS": 443}]'
        alb.ingress.kubernetes.io/ssl-policy: "ELBSecurityPolicy-FS-1-2-Res-2019-08"
        alb.ingress.kubernetes.io/successCodes: "200-404"
        alb.ingress.kubernetes.io/success-codes: "200-404"
    ## This value is deprecated, please use global.ingressController.serviceName instead.
    ## The name of the ingress controller service to use
    #serviceName: "{{ .Release.Name }}-ingress-nginx-v4-controller"
  platform:
    service:
      metadata:
        ## Annotations for the platform service.
        annotations:
          service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
          service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "9000,443"
          service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
          service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "True"
          service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
          service.beta.kubernetes.io/aws-load-balancer-type: external
          service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
          external-dns.alpha.kubernetes.io/ttl: "60"
  ## This helm chart sets some aws related annotations by default on the platform service and the ingress-alb ingress.
  ## If this is not suitable for one reason or another, they can be excluded by adding the annotation name to this list.
  excludeDefaultAnnotations: []

## gcp setup
## This helm chart by default is using GCP CRDs (ManagedCertificate, FrontendConfig and BackendConfig) to setting up
## load balancer certificate, ingress HTTP-to-HTTPS redirect and custom health check. If they are not suitable for the setup,
## you can disable them by adding the associated ingress alb or platform service annotation to "gcp.excludeDefaultAnnotations".
gcp:
  managedCert:
    ## If this is enabled, a Google managed certificate (ManagedCertificate CRD) will be created.
    ## While the certificate is being provision, the certificate can take a considerable amount of time to be validated.
    ## Note that the issued certificate will not be overwritten or removed by the subsequent helm chart installation or uninstall.
    ## To regenerate the certificate, you need to manually delete the ManagedCertificate CRD object and install helm chart again.
    enabled: true
    name: managed-cert
  ingress:
    metadata:
      ## Annotations for the ingress-alb ingress.
      annotations: {}
  platform:
    service:
      metadata:
        ## Annotations for the platform service.
        annotations:
          cloud.google.com/l4-rbs: "enabled"
          external-dns.alpha.kubernetes.io/ttl: "60"
  ## This helm chart sets some gcp related annotations by default on the platform service and the ingress-alb ingress.
  ## If this is not suitable for one reason or another, they can be excluded by adding the annotation name to this list.
  excludeDefaultAnnotations: []

oci:
  certificates:
    enabled: false
    id: ocid1.certificate.oc1.eu-frankfurt-1.amaaaaaaqpnxi2aan5gjqfr6jyrdes4wifau2diswdcwtvk25pcvspxmce7a
  backendNSG: ocid1.networksecuritygroup.oc1.eu-frankfurt-1.aaaaaaaa6jjj2fq2mnfzqfna42bwl3md67jxusjyksac5b5tmvkioduitigq
  healthcheck:
    desktoponline:
      path: /desktop/
      port: 0
    ingressnginx:
      path: /healthz
      port: 0
  ingressclass:
    name: native-ic-ingress-class
  loadbalancer:
    secret: lb-cert
    backendsetSecret: ca-ser-secret
  ingress:
    metadata:
      ## Annotations for the ingress-alb ingress.
      annotations:
        oci-native-ingress.oraclecloud.com/protocol: "HTTP"
        oci-native-ingress.oraclecloud.com/policy: "ROUND_ROBIN"
        oci-native-ingress.oraclecloud.com/healthcheck-protocol: "HTTP"
        oci-native-ingress.oraclecloud.com/healthcheck-return-code: "200"
  platform:
    service:
      metadata:
        ## Annotations for the platform service.
        annotations:
          oci.oraclecloud.com/load-balancer-type: "lb"
          oci.oraclecloud.com/security-rule-management-mode: "NSG"
          service.beta.kubernetes.io/oci-load-balancer-shape: "flexible"
          service.beta.kubernetes.io/oci-load-balancer-shape-flex-min: "100"
          service.beta.kubernetes.io/oci-load-balancer-shape-flex-max: "400"
          external-dns.alpha.kubernetes.io/ttl: "60"

  ## This helm chart sets some oci related annotations by default on the platform service and the ingress-alb ingress.
  ## If this is not suitable for one reason or another, they can be excluded by adding the annotation name to this list.
  excludeDefaultAnnotations: []

## azure setup
## This helm chart required Azure Application Gateway Ingress Controller (AGIC) to be installed.
## AGIC will convert alb ingress resource to Application Gateway configuration to allow gateway to load-balance traffic to kubernetes pod.
## By default, it is assumed that you have created a tls secret "lb-cert" with the necessary certificate and key for the Application Gateway certificate.
## If you wish to use a certificate that was pre-installed in the gateway, uncomment appgw.certificates.preInstalledCert and specify your cert name.
azure:
  appgw:
    secret: lb-cert
   # certificates:
    ## If uncommented, it will use the pre-installed cert instead of secret for the Application Gateway certificate.
    #  preInstalledCert: appgw-installed-certificate
    ## This section is only required when you are using owned self-signed certificate for Usage Engine Private Edition.
    ## In this case, you must manually upload the root CA certificate to Application Gateway and specify the cert name.
    ## See https://learn.microsoft.com/en-us/azure/application-gateway/self-signed-certificates for more information.
    #  trustedRootCert: appgw-trusted-root-certificate
  ingress:
    metadata:
      ## Annotations for the ingress-alb ingress.
      ## Refers to https://azure.github.io/application-gateway-kubernetes-ingress/annotations/ to see all available annotations.
      annotations: {}
  platform:
    service:
      metadata:
        ## Annotations for the platform service.
        ## Refers to https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard#customizations-via-kubernetes-annotations
        ## to see all available annotations.
        annotations:
  ## This helm chart sets some azure related annotations by default on the platform service and the ingress-alb ingress.
  ## If this is not suitable for one reason or another, they can be excluded by adding the annotation name to this list.
  excludeDefaultAnnotations: []

portal:
  ## Configuration of the apps that shall be present on the portal page.
  ## The portal page is accessible at: http(s)://<desktop online host>/desktop/portal
  ## If hostname ingress is setup, the $(domain) token can be used to have the domain automatically resolved based on the global.domain value.
  apps:
    - name: Desktop Online
      url: https://desktop-online$(domain)
    - name: InfoZone
      url: https://infozone.atlassian.net/wiki/spaces/UEPE4D
    - name: mzcli
      url: https://platform$(domain)/download/mzcli
    - name: Desktop Client
      url: https://platform$(domain)/launch/desktop/
    - name: Grafana
      url: https://grafana$(domain)
    - name: Kubernetes Dashboard
      url: https://dashboard$(domain)

security:
  password:
    control:
      ## Set this to true to enforce stricter password requirements and mandate a password change upon the first login.
      enabled: true

auth:
  oidc:

    rp:
      ## Activate/deactivate Usage Engine Private Edition as OIDC Relying Party
      enabled: false
      
      auth:
        ## Available auth methods is CLIENT_SECRET_BASIC and PRIVATE_KEY_JWT
        method: "CLIENT_SECRET_BASIC"
        client:
          ## Client id
          id: ""
          ## Client secret is only used when the method is CLIENT_SECRET_BASIC
          ## Uncomment if credentials are not already provided through secret "oidc-rp-secret"
          #secret: ""
        ## JWT section only used when method is PRIVATE_KEY_JWT
        jwt:
          ## Opional ID Provider KeyId
          keyId:
          jks:
            secret:
              ## Name of secret to store jks
              name:
            ## Key Alias
            alias:

            ## Key password
            ## Uncomment if credentials are not already provided through secret "oidc-rp-secret"
            #password:

            ## Keystore password
            ## Uncomment if credentials are not already provided through secret "oidc-rp-secret"
            #storePassword:

      provider:
        ## Base URL for Identity Provider
        ## URL before /.well-known/openid-configuration
        ## Eg. https://login.microsoftonline.com/<tenant_ID>/v2.0
        url:
        ## Name of Provider, eg. Azure
        name: ""
      
      group:
        ## Path in UserInfo or ID Token to find access groups mapping, separated by dot (.)
        ## The groups should be a array of Strings.
        ## *** Exampel ***
        ## Here is the groups array inside a object.
        ## { myObject : { myGroups : [ "myGroup1", "mygroup2" ] } }
        ## The path should then be:
        ## groupPath: myObject.myGroups
        ## When the groups array is direct under UserInfo then groupPath is just the 
        ## name of the groups array.
        path:
        ## Disable group syncronization from Identity Provider.
        ## When this is true groups is set manually on SSO Users
        syncDisabled: false
        ## When Group Sync is disabled a defualt group can be added to users logged in through SSO
        defaultGroup: ""

      ## Claim to use for Username
      userNameClaim:

      ## Additional scopes
      scopes:

      ## Set this to true during implementation of SSO Access to get more information.
      debug: false

    ip:
      ## Activate/deactivate Usage Engine Private Edition as OIDC Identity Provider
      enabled: false

      ## The oidc base url. Needs to be usable by clients to reach the platform webserver.
      ## The $(domain) token can be used to have the domain automatically resolved based on the global.domain value.
      ## The default value is set based on the assumption that hostname ingress is used. If not using hostname ingress,
      ## the value should point to the ip address and port of the desktop app instead.
      ## Example: https://192.168.205.5:31327
      oidcBaseUrl: https://platform$(domain)

      ## Whether to use helm generated secrets or not.
      ## When this is true, the client id and client secret for each client in the list of clients below will be auto-generated by helm.
      ## When this is false, the client id:s and client secrets have to be specified explicitly.
      useHelmGeneratedSecrets: true

      ## List of clients that are granted to use MediationZone as OIDC provider when authenticating
      clients:
        ## -----------------------------------------------
        ## Example client using helm generated secrets
        ## -----------------------------------------------
        #- clientName: Some Application
        ## The clientId value is just an arbitrary name of the secret in env-secrets that will hold the real clientId.
        ## Just make sure that it is unique related to any other client id in this list.
        ## If the secret does not already exists it will be automatically generated.
        #  clientId: someAppClientId
        ## The clientSecret value is just an arbitrary name of the secret in env-secrets that will hold the real clientSecret.
        ## Just make sure that it is unique related to any other client secret in this list.
        ## If the secret does not already exists it will be automatically generated.
        #  clientSecret: someAppClientSecret
        ## The list of roles associated with the client.
        ## This controls what level of access that can be provisioned for a given client in the Access Controller.
        #  roles:
        #    - Editor
        #    - Viewer
        ## -----------------------------------------------
        ## Example client NOT using helm generated secrets
        ## -----------------------------------------------
        #- clientName: Some Application
        ## The clientId value is expected to be a UUID.
        #  clientId: 123e4567-e89b-12d3-a456-426614174000
        ## The clientSecret value is expected to be a cryptographically secure random.
        #  clientSecret: 33v1rxwAtBhFTl9SLtQ2lqeCAigN798cUJpZIFFMCz3Nf9PSeVd3ze4MsPMrrNSP
        ## The list of roles associated with the client.
        ## This controls what level of access that can be provisioned for a given client in the Access Controller.
        #  roles:
        #    - Editor
        #    - Viewer

## PCC backend configuration.
## Supported production grade storages are Couchbase and Redis.
## The memory/directory storage is only meant for development and testing purposes.
pcc:
  ## Set to true to enable the PCC backend configuration.
  ## In addition to this, an ECDeployment having system property mz.pcc.properties=/etc/pcc/pcc.properties will have to be created.
  ## This ECDeployment will automatically handle the communication with the PCC backend storage.
  enabled: false
  properties:
    ## PCC Config Storage Class
    # mz.pcc.config.storage.class: com.digitalroute.pcc.storage.config.mysqlc.MySQLClusterStorage
    mz.pcc.config.storage.class: com.digitalroute.pcc.storage.config.directory.DirectoryStorage
    #mz.pcc.config.storage.class: com.digitalroute.pcc.storage.config.couchbase.CouchbaseConfigStorage
    #mz.pcc.config.storage.class: com.digitalroute.pcc.storage.config.redis.RedisConfigStorage

    ## Directory Config Storage Properties (if used)
    mz.pcc.directorystorage.directory: ${mz.home}/tmp/pcc

    ## PCC Bucket Storage Class
    # mz.pcc.bucket.storage.class: com.digitalroute.pcc.buckets.storage.mysqlc.MySQLClusterBucketStorage
    mz.pcc.bucket.storage.class: com.digitalroute.pcc.buckets.storage.memory.MemoryBucketStorage
    #mz.pcc.bucket.storage.class: com.digitalroute.pcc.buckets.storage.couchbase.CouchbaseBucketStorage
    #mz.pcc.bucket.storage.class: com.digitalroute.pcc.buckets.storage.redis.RedisBucketStorage

    ## Timeout bucket data storage locks (transactions) after timeout milliseconds
    mz.pcc.storage.lock.timeout: 3000

    ## Couchbase Storage Properties (if used)
    ## The qualified name of the couchbase profile representing the storage area of products and rules.
    #mz.pcc.storage.couchbase.config.profile:
    ## The qualified name of the couchbase profile representing the storage area of buckets.
    #mz.pcc.storage.couchbase.buckets.profile:

    ## Redis Storage Properties (if used)
    ## The qualified name of the redis profile representing the storage area of products and rules.
    #mz.pcc.storage.redis.config.profile:
    ## The qualified name of the redis profile representing the storage area of buckets.
    #mz.pcc.storage.redis.buckets.profile:

    ## MySQL Cluster Storage Properties (if used)
    #mz.pcc.storage.mysqlc.host: 
    #mz.pcc.storage.mysqlc.port: 1186
    #mz.pcc.storage.mysqlc.database: pcc
    #mz.pcc.storage.mysqlc.clusterj.retries: 4
    #mz.pcc.storage.mysqlc.clusterj.delay: 5
    #mz.pcc.storage.mysqlc.clusterj.verbose: 1
    #mz.pcc.storage.mysqlc.clusterj.timeout.before: 30
    #mz.pcc.storage.mysqlc.clusterj.timeout.after: 20
    #mz.pcc.storage.mysqlc.clusterj.max.transactions: 1024
    #mz.pcc.storage.mysqlc.clusterj.connection.pool.size: 2

    ## If the connection to MySQL Cluster is detected as down
    ## it will try to reconnect
    ## Set to false to disable reconnect
    #mz.pcc.storage.mysqlc.auto.reconnect: true

    ## If MySQL Cluster key should support string, set this to true and
    ## make sure to create the commented table schema in pcc_bucket_mysqlc.sql.
    #mz.pcc.storage.mysqlc.stringkey: false

    ## PCC Batch Storage Class (used for Batch Counting)
    mz.pcc.batch.storage.class: com.digitalroute.pcc.batch.storage.directory.DirectoryBatchStorage
    mz.pcc.batchdirectorystorage.directory: ${mz.home}/tmp/pccbatch

    ## Toggle for the system log trace (one log per action)
    ## Valid values are enabled or disabled
    #mz.system.log.trace: enabled

authorizationServer:
  enabled: false
  storage:
    # The storage type can be either "file-based" or "database"
    type: file-based
    database:
      # Only used when storage type is "database". PostgreSQL or Oracle DB only
      profile-name: <Path.DBProfileName>
      poolsize: 8
    file-based:
      # Only used when storage type is "file-based"
      storage-location: /opt/mz/persistent/auth-server/storage
  management-api:
    # HTTP Basic Authentication
    enable-basic-auth: true
    ## Uncomment if credentials are not already provided through secret "authorization-server-secrets"
    ## If the username does not already exist mzadmin will be the default value.
    #username: mzadmin
    ## If the password does not already exist it will be automatically generated.
    #password:
  jwt:
    # Only RS256, RS384 and RS512 are supported
    signature-algorithm: RS256
    ## Uncomment if credentials are not already provided through secret "authorization-server-secrets"
    ## Keystore is the base64 encoded string from local keystore file, it can be generated through command below:
    ## 'base64 -i /path/to/keystore.jks -o keystore_b64Encoded.txt'
    #keystore:
    #key-id:
    #key-password:
    #keystore-password:
  server:
    # Validity period in seconds for access token generated
    access-token-expiry: 1800

## Optionally deploy DTK mzp:s. 
## This is done from a custom container image that you need to build and maintain.
## The only requirement on this container image is that it contains one specific folder holding the DTK mzp:s to deploy
## (it needs to be a flat list of mzp:s - i.e. nested folders are not supported).
## This is a minimal Dockerfile example that can be used to build such a container image:
## ----------------------------------------
## FROM alpine:latest
## ARG DTK_MZP_DIR
## RUN  mkdir -p /opt/my-dtk-mzps/
## COPY $DTK_MZP_DIR/* /opt/my-dtk-mzps/
## ----------------------------------------
## Here the DTK_MZP_DIR argument is expected to be the local folder holding the DTK mzp:s to deploy.
## Using a container image built using the above Dockerfile would mean 
## that the dtk.path value should be set to "/opt/my-dtk-mzps".
#dtk:
  ## The container image containing the DTK mzp:s
  #image: <container repo>:<container version>
  ## The path of the folder within the container image that contains the DTK mzp:s
  #path: /opt/my-dtk-mzps

## Values related to desktop online
desktopOnline:
  ## Config for the desktop online container image
  repository: 462803626708.dkr.ecr.eu-west-1.amazonaws.com/usage-engine-private-edition
  tag: 4.2.0-ui
  pullPolicy: IfNotPresent

  ## Add/override jvm arguments
  jvmArgs:
    - XX:MaxMetaspaceSize=512m
    - Xms256m
    - Xmx2g

  ## Add/override system properties
  systemProperties:
  #  - someprop=somevalue

  ## Configure pod resources (limits and/or requests) here if needed
  resources: {}

  ## Allows for the configuration of the liveness and readiness probes respectively
  probes:
    liveness:
      initialDelaySeconds: 300
      periodSeconds: 15
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 3
    readiness:
      initialDelaySeconds: 10
      periodSeconds: 15
      timeoutSeconds: 10
      successThreshold: 1
      failureThreshold: 10

  ecd:
    ## Allows for tying a given ECD to specific node in the cluster.
    ## Enabling this will result in the necessary ClusterRoles being created.
    ## If ClusterRoles are not allowed this feature must therefore be disabled.
    nodeHostSelectionEnabled: true

  ## Node, affinity, tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#taints-and-tolerations-beta-feature
  ##
  nodeSelector: {}
  affinity: {}
  tolerations: []

  service:
    ## Uncomment to set an explicit node port
    #nodePort: 30000

  ## The desktop online web server base url. This is used to locate the desktop online app.
  ## The $(domain) token can be used to have the domain automatically resolved based on the global.domain value.
  ## The default value is set based on the assumption that hostname ingress is used. If not using hostname ingress,
  ## the value should point to the ip address and port of the desktop app instead.
  ## Example: https://192.168.205.5:31327
  baseUrl: https://desktop-online$(domain)

utils:
  kubectl:
    ## The kubectl container image repo
    ## Should only be changed if deploying to an environment with an offline network
    repository: "bitnami/kubectl"

    ## The tag of the kubectl container image
    tag: "1.29.3-debian-12-r0"

## Optionally add extensions.
## An extension can be an arbitrary third party product (3pp) such as a jar file, a shared library or any file really.
## This is done via a custom container image that you need to build and maintain.
## The only requirement on this container image is that it contains two specific folders, namely:
##
## "/opt/uepe/3pp": This folder can be used for adding arbitrary 3pp(s).
## 3pp(s) in the form of jar files that are added to this folder will be added to the runtime classpath automatically.
##
## "/opt/uepe/jni": This folder must be used for adding shared libraries required for JNI, such as a .so file.
##
## This is a minimal Dockerfile example that can be used to build such a container image:
## ----------------------------------------
## FROM alpine:latest
## COPY 3pp /opt/uepe/3pp/
## COPY jni /opt/uepe/jni/
## ----------------------------------------
## Here the 3pp and jni folders are expected to be local folders holding the 3pp(s) and shared libraries respectively.
## Note that Usage Engine Private Edition supports both amd64 and arm64 platform architecture.
## When building the extension image, you need to make sure to use the same architecture that Usage Engine Private Edition is running on.
## For more info about building multiple architecture images, please refer to https://docs.docker.com/build/building/multi-platform/.
extensions:
  ## Whether to enable extensions or not.
  enabled: false
  ## The container image containing the extensions.
  image: my-uepe-extensions:1.0.0

  • No labels