# Default values for k10.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

rbac:
  create: true
serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # The name of the ServiceAccount to use.
  # If not set and create is true, a name is derived using the release and chart names.
  name: ""

scc:
  create: false

networkPolicy:
  create: true

global:
  # These are the default values for picking k10 images. They can be overridden
  # to specify a particular registy and tag.
  image:
    registry: gcr.io/kasten-images
    tag: ''
    pullPolicy: Always
  airgapped:
    repository: ''
  persistence:
    mountPath: "/mnt/k10state"
    enabled: true
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    accessMode: ReadWriteOnce
    size: 20Gi
    metering:
      size: 2Gi
    catalog:
      size: ""
    jobs:
      size: ""
    logging:
      size: ""
    grafana:
      # Default value is set to 5Gi. This is the same as the default value
      # from previous releases <= 4.5.1 where the Grafana sub chart used to
      # reference grafana.persistence.size instead of the global values.
      # Since the size remains the same across upgrades, the Grafana PVC
      # is not deleted and recreated which means no Grafana data is lost
      # while upgrading from <= 4.5.1
      size: 5Gi
  ## Set it to true while generating helm operator
  rhMarketPlace: false
  ## these values should not be provided us, these are to be used by
  ## red hat marketplace
  images:
    admin: ''
    aggregatedapis: ''
    ambassador: ''
    auth: ''
    bloblifecyclemanager: ''
    catalog: ''
    cephtool: ''
    configmap-reload: ''
    controllermanager: ''
    crypto: ''
    dashboardbff: ''
    datamover: ''
    dex: ''
    emissary: ''
    events: ''
    executor: ''
    frontend: ''
    grafana: ''
    init: ''
    jobs: ''
    kanister-tools: ''
    kanister: ''
    logging: ''
    metering: ''
    paygo_daemonset: ''
    prometheus: ''
    state: ''
    upgrade: ''
    vbrintegrationapi: ''
    garbagecollector: ''
  imagePullSecret: ''
  ingress:
    create: false
    urlPath: "" #url path for k10 gateway
  route:
    enabled: false
    path: ""
  prometheus:
    external:
      host: '' #FQDN of prometheus-service
      port: ''
      baseURL: ''
  network:
    enable_ipv6: false


## OpenShift route configuration.
route:
  enabled: false
  # Host name for the route
  host: ""
  # Default path for the route
  path: ""

  annotations: {}
    # kubernetes.io/tls-acme: "true"
    # haproxy.router.openshift.io/disable_cookies: "true"
    # haproxy.router.openshift.io/balance: roundrobin

  labels: {}
    # key: value

  # TLS configuration
  tls:
    enabled: false
    # What to do in case of an insecure traffic edge termination
    insecureEdgeTerminationPolicy: "Redirect"
    # Where this TLS configuration should terminate
    termination: "edge"

toolsImage:
  enabled: true
  pullPolicy: Always

dexImage:
  registry: ghcr.io
  repository: dexidp
  image: dex

kanisterToolsImage:
  registry: ghcr.io
  repository: kanisterio
  image: kanister-tools
  pullPolicy: Always

ingress:
  create: false
  tls:
    enabled: false
  class: "" #Ingress controller type
  host: "" #ingress object host name
  urlPath: "" #url path for k10 gateway
  pathType: "ImplementationSpecific"

eula:
  accept: false #true value if EULA accepted

license: "" #base64 encoded string provided by Kasten

cluster:
  domainName: "cluster.local" #default value is cluster.local

prometheus:
  # Disabling init container
  # which uses root cmds
  initChownData:
    enabled: false
  rbac:
    create: false
  alertmanager:
    enabled: false
  kubeStateMetrics:
    enabled: false
  networkPolicy:
    enabled: true
  nodeExporter:
    enabled: false
  pushgateway:
    enabled: false
  scrapeCAdvisor: false
  server:
    # UID and groupid are from prometheus helm chart
    enabled: true
    securityContext:
      runAsUser: 65534
      runAsNonRoot: true
      runAsGroup: 65534
      fsGroup: 65534
    retention: 30d
    strategy:
      rollingUpdate:
        maxSurge: 100%
        maxUnavailable: 100%
      type: RollingUpdate
    persistentVolume:
      enabled: true
      storageClass: ""
    configMapOverrideName: k10-prometheus-config
    fullnameOverride: prometheus-server
    baseURL: /k10/prometheus/
    prefixURL: /k10/prometheus
  serviceAccounts:
    alertmanager:
      create: false
    kubeStateMetrics:
      create: false
    nodeExporter:
      create: false
    pushgateway:
      create: false
    server:
      create: true

jaeger:
  enabled: false
  agentDNS: ""

service:
  externalPort: 8000
  internalPort: 8000
  aggregatedApiPort: 10250
  gatewayAdminPort: 8877

secrets:
  awsAccessKeyId: ''
  awsSecretAccessKey: ''
  awsIamRole: ''
  googleApiKey: ''
  dockerConfig: ''
  dockerConfigPath: ''
  azureTenantId: ''
  azureClientId: ''
  azureClientSecret: ''
  azureResourceGroup: ''
  azureSubscriptionID: ''
  azureResourceMgrEndpoint: ''
  azureADEndpoint: ''
  azureADResourceID: ''
  azureCloudEnvID: ''
  apiTlsCrt: ''
  apiTlsKey: ''
  tlsSecret: ''
  ibmSoftLayerApiKey: ''
  ibmSoftLayerApiUsername: ''
  vsphereEndpoint: ''
  vsphereUsername: ''
  vspherePassword: ''

metering:
  reportingKey: "" #[base64-encoded key]
  consumerId: "" #project:<project_id>
  awsRegion: ''
  awsMarketPlaceIamRole: ''
  awsMarketplace: false # AWS cloud metering license mode
  awsManagedLicense: false # AWS managed license mode
  licenseConfigSecretName: '' # AWS managed license config secret for non-eks clusters
  serviceAccount:
    create: false
    name: ""
  mode: '' # controls metric and license reporting (set to `airgap` for private-network installs)
  redhatMarketplacePayg: false # Redhat cloud metering license mode
  reportCollectionPeriod: 1800 # metric report collection period in seconds
  reportPushPeriod: 3600 # metric report push period in seconds
  promoID: '' # sets the K10 promotion ID

clusterName: ''
executorReplicas: 3
logLevel: info

externalGateway:
  create: false
  # Any standard service annotations
  annotations: {}
  # Host and domain name for the K10 API server
  fqdn:
    name: ""
    #Supported types route53-mapper, external-dns
    type: ""
  # ARN for the AWS ACM SSL certificate used in the K10 API server (load balancer)
  awsSSLCertARN: ''

auth:
  groupAllowList: []
#  - "group1"
#  - "group2"
  basicAuth:
    enabled: false
    secretName: "" #htpasswd based existing secret
    htpasswd: "" #htpasswd string, which will be used for basic auth
  tokenAuth:
    enabled: false
  oidcAuth:
    enabled: false
    providerURL: "" #URL to your OIDC provider
    redirectURL: "" #URL to the K10 gateway service
    scopes: "" #Space separated OIDC scopes required for userinfo. Example: "profile email"
    prompt: "select_account" #The prompt type to be requested with the OIDC provider. Default is select_account.
    clientID: "" #ClientID given by the OIDC provider for K10
    clientSecret: "" #ClientSecret given by the OIDC provider for K10
    usernameClaim: "" #Claim to be used as the username
    usernamePrefix: "" #Prefix that has to be used with the username obtained from the username claim
    groupClaim: "" #Name of a custom OpenID Connect claim for specifying user groups
    groupPrefix: "" #All groups will be prefixed with this value to prevent conflicts.
    logoutURL: "" #URL to your OIDC provider's logout endpoint
    #OIDC config based existing secret.
    #Must include providerURL, redirectURL, scopes, clientID/secret and logoutURL.
    secretName: ""
  dex:
    enabled: false
    providerURL: ""
    redirectURL: ""
  openshift:
    enabled: false
    serviceAccount: "" #service account used as the OAuth client
    clientSecret: "" #The token from the service account
    dashboardURL: "" #The URL for accessing K10's dashboard
    openshiftURL: "" #The URL of the Openshift API server
    insecureCA: false
    useServiceAccountCA: false
    secretName: "" # The Kubernetes Secret that contains OIDC settings
    usernameClaim: "email"
    usernamePrefix: ""
    groupnameClaim: "groups"
    groupnamePrefix: ""
  ldap:
    enabled: false
    restartPod: false # Enable this value to force a restart of the authentication service pod
    dashboardURL: "" #The URL for accessing K10's dashboard
    host: ""
    insecureNoSSL: false
    insecureSkipVerifySSL: false
    startTLS: false
    bindDN: ""
    bindPW: ""
    bindPWSecretName: ""
    userSearch:
      baseDN: ""
      filter: ""
      username: ""
      idAttr: ""
      emailAttr: ""
      nameAttr: ""
      preferredUsernameAttr: ""
    groupSearch:
      baseDN: ""
      filter: ""
      userMatchers: []
#      - userAttr:
#        groupAttr:
      nameAttr: ""
    secretName: "" # The Kubernetes Secret that contains OIDC settings
    usernameClaim: "email"
    usernamePrefix: ""
    groupnameClaim: "groups"
    groupnamePrefix: ""
  k10AdminUsers: []
  k10AdminGroups: []

optionalColocatedServices:
  vbrintegrationapi:
    enabled: true

cacertconfigmap:
  name: "" #Name of the configmap

apiservices:
  deployed: true # If false APIService objects will not be deployed

injectKanisterSidecar:
  enabled: false
  namespaceSelector:
    matchLabels: {}
  # Set objectSelector to filter workloads
  objectSelector:
    matchLabels: {}
  webhookServer:
    port: 8080  # should not conflict with config server port (8000)

kanisterPodCustomLabels : ""

kanisterPodCustomAnnotations : ""

genericVolumeSnapshot:
  resources:
    requests:
      memory: ""
      cpu: ""
    limits:
      memory: ""
      cpu: ""

garbagecollector:
  daemonPeriod: 21600
  keepMaxActions: 1000
  importRunActions:
    enabled: false
  retireActions:
    enabled: false

resources: {}

services:
  executor:
    hostNetwork: false
    workerCount: 8
    maxConcurrentRestoreCsiSnapshots: 3
    maxConcurrentRestoreGenericVolumeSnapshots: 3
    maxConcurrentRestoreWorkloads: 3
  dashboardbff:
    hostNetwork: false
  securityContext:
    runAsUser: 1000
    fsGroup: 1000
  aggregatedapis:
    hostNetwork: false

apigateway:
  serviceResolver: dns

limiter:
  genericVolumeSnapshots: 10
  genericVolumeCopies: 10
  genericVolumeRestores: 10
  csiSnapshots: 10
  providerSnapshots: 10

gateway:
  insecureDisableSSLVerify: false
  exposeAdminPort: true
  resources:
    requests:
      memory: 300Mi
      cpu: 200m
    limits:
      memory: 1Gi
      cpu: 1000m

kanister:
  backupTimeout: 45
  restoreTimeout: 600
  deleteTimeout: 45
  hookTimeout: 20
  checkRepoTimeout: 20
  statsTimeout: 20
  efsPostRestoreTimeout: 45
  podReadyWaitTimeout: 15

awsConfig:
  assumeRoleDuration: ""
  efsBackupVaultName: "k10vault"

excludedApps: []

grafana:
  enabled: true
  prometheusName: prometheus-server
  prometheusPrefixURL: /k10/prometheus
  rbac:
    namespaced: true
    pspEnabled: false
  extraLabels:
    component: grafana
  podLabels:
    component: grafana

encryption:
  primaryKey: # primaryKey is used for enabling encryption of K10 primary key
    awsCmkKeyId: '' # Ensures AWS CMK is used for encrypting K10 primary key
    vaultTransitKeyName: ''
    vaultTransitPath: ''

vmWare:
  taskTimeoutMin: 60

azure:
  useDefaultMSI: false

vault:
  role: ""                                             # Role that was bound to the service account name and namespace from cluster
  serviceAccountTokenPath: ""                          # This will default to /var/run/secrets/kubernetes.io/serviceaccount/token within the code if left blank
  address: "http://vault.vault.svc:8200"               # Address for dev mode in cluster vault server in vault namespace
  secretName: ""                                       # Ensures backward compatibility for now. We can remove once we tell all customers this is deprecated.
  # This is how the token can be passed into default if K8S auth mode fails for whatever reason.

kubeVirtVMs:
  snapshot:
    unfreezeTimeout: "5m"