## Confluent operator name
##
name: confluent-operator
##
## license Key
##
licenseKey: ""
##
## Load license either from the secret or through directoryPath.
## This will take precedence over licenseKey field.
##
license:
  ##
  ## The license secret reference name is injected through
  ## CONFLUENT_LICENSE_SECRET_NAME environment variable.
  ## The expected key: license.txt. license.txt contains raw license data.
  ## For backward compatibility, licenseSecretRef field takes precedence if configured.
  secretRef: ""
  ## The directoryPathInContainer value is injected through
  ## CONFLUENT_LICENSE_DIRECTORY_PATH environment variable.
  ## The expected key: license.txt. license.txt file must have value in pattern `license=`.
  ##
  ## This configuration takes precedence over license.secretRef or licenseSecretRef field.
  ##
  directoryPathInContainer: ""
##
## AutoGenerated certificates configuration.
## We will continue using older model of reading CA from secret "ca-pair-sslcerts" unless
## managedCerts.enabled is set to true.
##
managedCerts:
  ##
  ## Denotes whether CFK managed certs are configured with helm values. If this is set to true
  ## values below will be used for auto-generated certificates and will cause a cluster roll
  ## first time after this is enabled.
  ##
  enabled: false
  ##
  ## CA certificate pair for AutoGenerated certificates in this CFK operator deployment.
  ##
  caCertificate:
    ##
    ## CA pair secret reference name is injected through
    ## CONFLUENT_MANAGED_CERTS_SECRET_NAME environment variable.
    ## The expected keys are tls.crt and tls.key for CA Certificate and CA Certificate Key
    ## respectively.
    ##
    secretRef: ""
    ## The directoryPathInContainer value for CA pair certificates is injected through
    ## CONFLUENT_MANAGED_CERTS_DIRECTORY_PATH environment variable.
    ## The expected files are tls.crt and tls.key for CA Certificate and CA Certificate Key
    ## respectively.
    ##
    directoryPathInContainer: ""
  ##
  ## Validity for Auto-generated certificates is injected through
  ## CONFLUENT_MANAGED_CERTS_DURATION_DAYS environment variable.
  ##
  certDurationInDays: 60
  ##
  ## Renewal time for Auto-generated certificates is injected through
  ## CONFLUENT_MANAGED_CERTS_RENEW_BEFORE_DAYS environment variable.
  ##
  renewBeforeInDays: 30
  ##
  ## SANs to be added for all auto-generated certificates generated by this
  ## CFK operator. This is injected through CONFLUENT_MANAGED_CERTS_SANS
  ## environment variable.
  ## Use this for adding wild card SANs. Modifying this will trigger regeneration of
  ## certs for all CP clusters managed by the CFK operator.
  ##
  sans: ""
###
## Image pull secret
imagePullSecretRef: confluent-registry
## Confluent Operator Image Information
##
image:
  registry: docker.io
  repository: confluentinc/confluent-operator
  pullPolicy: IfNotPresent
  tag: "0.581.16"
###
## Priority class for Confluent Operator pod
priorityClassName: ""
## Number of pods for Operator
## Enables leader election if more than one replica
replicas: 1
## Confluent Operator Cluster Access
## If true, operator only creates roles/rolebinding for the release namespace
## Otherwise, it has cluster access with clusterrole/clusterrolebinding
namespaced: true
### list of namespaces to watch by operator
### This field only takes effect if `namespaced=true`. By default, it will only watch the release namespace
### Otherwise, it will watch specified namespaces. If watching only release namespace, do not specify this field
namespaceList: []
## Confluent Operator Pod Resources
##
resources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 256Mi
## Pod termination grace-period
##
terminationGracePeriodSeconds: 30
## Enable debugging
##
debug: false
##
## Configure affinity,
## More information here https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
##
affinity: {}
## Example for nodeAffinity, configure as required.
##affinity:
##  nodeAffinity:
##    requiredDuringSchedulingIgnoredDuringExecution:
##      nodeSelectorTerms:
##      - matchExpressions:
##        - key: "node-role.kubernetes.io/compute"
##          operator: In
##          values:
##          - "true"
##
## Configure tolerations
## https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
##
##tolerations:
##- key: "dedicated"
##  operator: "Equal"
##  value: "operator"
##  effect: "NoSchedule"
## Pod Security Context
##
podSecurity:
  enabled: true
  securityContext:
    fsGroup: 1001
    runAsUser: 1001
    runAsNonRoot: true
## Container Security Context
## Container security context overrides security context defined at pod level.
## For example following container security context would override the
## default PodSecurityContext defined above
##
## securityContext:
##   runAsUser: 2001
##   runAsNonRoot: false
##
## Refer to this documentation on how to configure security context for container
## https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
##
containerSecurity:
  enabled: false
  securityContext: {}
##
## ServiceAccount
## If enabled it will create, otherwise it will
## not create
##
serviceAccount:
  create: true
  name: ""
## Enable Kubernetes RBAC
## When set to true, it will create a proper role/rolebinding or cluster/clusterrolebinding based on namespaced field.
## If a user doesn't have permission to create role/rolebinding then they can disable rbac field and
## create required resources out of band to be used by the Operator. In this case, follow the
## templates/clusterrole.yaml and templates/clusterrolebiding.yaml to create proper required resources.
rbac: true
## Enable extra Kubernetes API groups in role/clusterrole resource
## When set to true, it will add apiGroups to role/clusterrole for OpenShift route resource
clusterRole:
  openshift: true
###
### Confluent Telemetry Report configuration
## The secretRef contains following data,
## telemetry.txt: |-
##   api.key=
##   api.secret=
##   proxy.url= # only required if proxy is enabled
##   proxy.username= # only required if proxy requires credential
##   proxy.password=
##
telemetry:
  enabled: false
  proxy:
    enabled: false
    credentialRequired: false
  secretRef: ""
  ## To use directoryPathInContainer, need to make sure
  ## you mount telemetry.txt in the path you provided here in each pod
  directoryPathInContainer: ""
###
### Webhooks configuration
## To enable webhooks, it requires TLS certificates to set up webhook server,
## which is used for secure communication between webhook server and kubernetes api server.
## Please provide the TLS keys and certificates with format as mentioned in this doc:
## https://docs.confluent.io/operator/current/co-network-encryption.html#provide-tls-keys-and-certificates-in-pem-format.
## The certificate must have the Subject Alternative Name (SAN) of the form: confluent-operator..svc
webhooks:
  enabled: false
  port: 8443
  tls:
    secretRef: ""
    directoryPathInContainer: ""
##
## Pod annotations/labels configurations
##
pod:
  annotations:
    prometheus.io/path: "/metrics"
    prometheus.io/port: "7778"
    prometheus.io/scrape: "true"
  labels: {}
  # labels:
  #   key: "value"
##
## Load license from the secret reference
## +Deprecated, use license.secretRef instead.
##
licenseSecretRef: ""
##
## Volumes to mount on CFK operator
## Refer to the Kubernetes volume/volumeMounts format: https://kubernetes.io/docs/concepts/storage/volumes/
##
## Example with a PVC.
## mountedVolumes:
##   volumes:
##     - name: custom-volume
##       persistentVolumeClaim:
##         claimName: pvc-test
##   volumeMounts:
##     - name: custom-volume
##       mountPath: /mnt/
##
mountedVolumes:
  volumes: []
  volumeMounts: []