diff --git a/charts/platform/CHANGELOG.md b/charts/platform/CHANGELOG.md index 9a45ba3..0ed31eb 100644 --- a/charts/platform/CHANGELOG.md +++ b/charts/platform/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [Unreleased] + +### Changed + +- Annotated `values.yaml` with `# @section` markers and switched `README.md.gotmpl` to a per-section Markdown loop, grouping the generated values table by area instead of one flat list. + ## [0.33.0] - 2026-04-30 ### Added diff --git a/charts/platform/README.md b/charts/platform/README.md index 8e1ea9b..325ebda 100644 --- a/charts/platform/README.md +++ b/charts/platform/README.md 
@@ -73,387 +73,654 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md ## Values +### Global + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.platformExternalDomain | string | ``"example.com"`` | Domain where Seqera Platform listens | +| global.contentDomain | string | ``"{{ printf \"user-data.%s\" .Values.global.platformExternalDomain }}"`` | Domain where user-created Platform reports are exposed, to avoid Cross-Site Scripting (XSS) attacks. If unset, data is served through the main domain `.global.platformExternalDomain`. Evaluated as a template | +| global.platformServiceAddress | string | ``"{{ printf \"%s-platform-backend\" .Release.Name | lower }}"`` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template | +| global.platformServicePort | int | ``8080`` | Seqera Platform Service port | +| global.studiosDomain | string | ``"{{ printf \"studios.%s\" .Values.global.platformExternalDomain }}"`` | Domain where the Studios service listens. Make sure the TLS certificate covers this and its wildcard subdomains. Evaluated as a template | +| global.studiosConnectionUrl | string | ``"{{ printf \"https://connect.%s\" (tpl .Values.global.studiosDomain $) }}"`` | Base URL for Studios connections: can be any value, since each session will use a unique subdomain under `.global.studiosDomain` anyway to connect. Evaluated as a template | +| global.waveDomain | string | ``"{{ printf \"wave.%s\" .Values.global.platformExternalDomain }}"`` | Domain where Wave listens. Evaluated as a template | +| global.mcpDomain | string | ``"{{ printf \"mcp.%s\" .Values.global.platformExternalDomain }}"`` | Domain where Seqera MCP listens. Evaluated as a template | +| global.agentBackendDomain | string | ``"{{ printf \"ai-api.%s\" .Values.global.platformExternalDomain }}"`` | Domain where the Agent Backend service listens. 
Evaluated as a template | +| global.portalWebDomain | string | ``"{{ printf \"ai.%s\" .Values.global.platformExternalDomain }}"`` | Domain where the Portal Web frontend listens. Evaluated as a template | + +### Global: Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.ingress.enabled | bool | ``false`` | Enable Ingress for the parent chart and every subchart that exposes one. Each chart's local `ingress.enabled` is OR'd with this — set this to `true` to turn on all Ingresses in one switch | +| global.ingress.path | string | ``"/"`` | Default path applied to ingress rules when a chart's local `ingress.path` is not set. AWS ALB users should override to `/*`. | +| global.ingress.defaultPathType | string | ``"Prefix"`` | Default path type applied to ingress rules when a chart's local `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. Override to `ImplementationSpecific` only if your controller requires it (e.g. older GKE). | +| global.ingress.ingressClassName | string | ``""`` | Default ingress class name applied to ingress rules when a chart's local `ingress.ingressClassName` is not set. Replaces the deprecated `kubernetes.io/ingress.class` annotation | +| global.ingress.annotations | object | ``{}`` | Annotations merged into every chart's Ingress (e.g. cert-manager issuer, NGINX `proxy-body-size`, ALB SSL config). Local `ingress.annotations` wins on key collision. Evaluated as a template | +| global.ingress.extraLabels | object | ``{}`` | Extra labels merged into every chart's Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | +| global.ingress.tls | list | ``[]`` | TLS entries concatenated with each chart's local `ingress.tls`. Useful for a single wildcard cert that covers all services. 
Evaluated as a template | + +### Global: Image Credentials + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.imageCredentials | list | ``[]`` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | +| global.imageCredentialsSecrets | list | ``[]`` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | + +### Global: Azure Images + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.azure.images.platformBackend.registry | string | ``nil`` | Image registry for the Platform backend image deployed on Azure. Example: `myregistry.azurecr.io`. Evaluated as a template | +| global.azure.images.platformBackend.image | string | ``nil`` | Image repository for the Platform backend image deployed on Azure. Example: `myteam/platform-backend`. Evaluated as a template | +| global.azure.images.platformBackend.tag | string | ``nil`` | Image tag for the Platform backend on Azure. Defaults to the application version defined in the Chart.yaml file. Evaluated as a template | +| global.azure.images.platformBackend.digest | string | ``nil`` | Image digest for the Platform backend on Azure, in the format `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a template | +| global.azure.images.platformFrontend.registry | string | ``nil`` | Image registry for the Platform frontend image deployed on Azure. Evaluated as a template | +| global.azure.images.platformFrontend.image | string | ``nil`` | Image repository for the Platform frontend image deployed on Azure. Evaluated as a template | +| global.azure.images.platformFrontend.tag | string | ``nil`` | Image tag for the Platform frontend on Azure. Defaults to the application version defined in the Chart.yaml file. 
Evaluated as a template | +| global.azure.images.platformFrontend.digest | string | ``nil`` | Image digest for the Platform frontend on Azure, in the format `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a template | +| global.azure.images.platformCronMigrateDB.registry | string | ``nil`` | Image registry for the Platform cron migrate-db init container image deployed on Azure. Evaluated as a template | +| global.azure.images.platformCronMigrateDB.image | string | ``nil`` | Image repository for the Platform cron migrate-db init container image deployed on Azure. Evaluated as a template | +| global.azure.images.platformCronMigrateDB.tag | string | ``nil`` | Image tag for the Platform cron migrate-db init container on Azure. Defaults to the application version defined in the Chart.yaml file. Evaluated as a template | +| global.azure.images.platformCronMigrateDB.digest | string | ``nil`` | Image digest for the Platform cron migrate-db init container on Azure, in the format `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a template | +| global.azure.images.studiosProxy.registry | string | ``nil`` | Image registry for the Studios proxy image deployed on Azure. Evaluated as a template | +| global.azure.images.studiosProxy.image | string | ``nil`` | Image repository for the Studios proxy image deployed on Azure. Evaluated as a template | +| global.azure.images.studiosProxy.tag | string | ``nil`` | Image tag for the Studios proxy on Azure. Evaluated as a template | +| global.azure.images.studiosProxy.digest | string | ``nil`` | Image digest for the Studios proxy on Azure. Evaluated as a template | +| global.azure.images.studiosServer.registry | string | ``nil`` | Image registry for the Studios server image deployed on Azure. Evaluated as a template | +| global.azure.images.studiosServer.image | string | ``nil`` | Image repository for the Studios server image deployed on Azure. 
Evaluated as a template | +| global.azure.images.studiosServer.tag | string | ``nil`` | Image tag for the Studios server on Azure. Evaluated as a template | +| global.azure.images.studiosServer.digest | string | ``nil`` | Image digest for the Studios server on Azure. Evaluated as a template | +| global.azure.images.pipelineOptimization.registry | string | ``nil`` | Image registry for the Pipeline Optimization image deployed on Azure. Evaluated as a template | +| global.azure.images.pipelineOptimization.image | string | ``nil`` | Image repository for the Pipeline Optimization image deployed on Azure. Evaluated as a template | +| global.azure.images.pipelineOptimization.tag | string | ``nil`` | Image tag for the Pipeline Optimization on Azure. Evaluated as a template | +| global.azure.images.pipelineOptimization.digest | string | ``nil`` | Image digest for the Pipeline Optimization on Azure. Evaluated as a template | +| global.azure.images.pipelineOptimizationMigrateDB.registry | string | ``nil`` | Image registry for the Pipeline Optimization migrate-db init container image deployed on Azure. Evaluated as a template | +| global.azure.images.pipelineOptimizationMigrateDB.image | string | ``nil`` | Image repository for the Pipeline Optimization migrate-db init container image deployed on Azure. Evaluated as a template | +| global.azure.images.pipelineOptimizationMigrateDB.tag | string | ``nil`` | Image tag for the Pipeline Optimization migrate-db init container on Azure. Evaluated as a template | +| global.azure.images.pipelineOptimizationMigrateDB.digest | string | ``nil`` | Image digest for the Pipeline Optimization migrate-db init container on Azure, in the format `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a template | +| global.azure.images.agentBackend.registry | string | ``nil`` | Image registry for the Agent Backend image deployed on Azure. 
Evaluated as a template | +| global.azure.images.agentBackend.image | string | ``nil`` | Image repository for the Agent Backend image deployed on Azure. Evaluated as a template | +| global.azure.images.agentBackend.tag | string | ``nil`` | Image tag for the Agent Backend on Azure. Evaluated as a template | +| global.azure.images.agentBackend.digest | string | ``nil`` | Image digest for the Agent Backend on Azure. Evaluated as a template | +| global.azure.images.waitForCron.registry | string | ``nil`` | Image registry for the wait-for-cron init container image deployed on Azure. Evaluated as a template | +| global.azure.images.waitForCron.image | string | ``nil`` | Image repository for the wait-for-cron init container image deployed on Azure. Evaluated as a template | +| global.azure.images.waitForCron.tag | string | ``nil`` | Image tag for the wait-for-cron init container on Azure. Evaluated as a template | +| global.azure.images.waitForCron.digest | string | ``nil`` | Image digest for the wait-for-cron init container on Azure. Evaluated as a template | +| global.azure.images.waitForPlatform.registry | string | ``nil`` | Image registry for the wait-for-platform init container image deployed on Azure. Evaluated as a template | +| global.azure.images.waitForPlatform.image | string | ``nil`` | Image repository for the wait-for-platform init container image deployed on Azure. Evaluated as a template | +| global.azure.images.waitForPlatform.tag | string | ``nil`` | Image tag for the wait-for-platform init container on Azure. Evaluated as a template | +| global.azure.images.waitForPlatform.digest | string | ``nil`` | Image digest for the wait-for-platform init container on Azure. Evaluated as a template | +| global.azure.images.waitForMySQL.registry | string | ``nil`` | Image registry for the wait-for-MySQL init container image deployed on Azure. 
Evaluated as a template | +| global.azure.images.waitForMySQL.image | string | ``nil`` | Image repository for the wait-for-MySQL init container image deployed on Azure. Evaluated as a template | +| global.azure.images.waitForMySQL.tag | string | ``nil`` | Image tag for the wait-for-MySQL init container on Azure. Evaluated as a template | +| global.azure.images.waitForMySQL.digest | string | ``nil`` | Image digest for the wait-for-MySQL init container on Azure. Evaluated as a template | +| global.azure.images.waitForRedis.registry | string | ``nil`` | Image registry for the wait-for-Redis init container image deployed on Azure. Evaluated as a template | +| global.azure.images.waitForRedis.image | string | ``nil`` | Image repository for the wait-for-Redis init container image deployed on Azure. Evaluated as a template | +| global.azure.images.waitForRedis.tag | string | ``nil`` | Image tag for the wait-for-Redis init container on Azure. Evaluated as a template | +| global.azure.images.waitForRedis.digest | string | ``nil`` | Image digest for the wait-for-Redis init container on Azure. Evaluated as a template | + +### Platform Database + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platformDatabase.host | string | ``""`` | Platform MySQL database hostname | +| platformDatabase.port | int | ``3306`` | Platform MySQL database port | +| platformDatabase.name | string | ``""`` | Platform MySQL database name | +| platformDatabase.username | string | ``""`` | Platform MySQL database username | +| platformDatabase.password | string | ``""`` | Platform MySQL database password | +| platformDatabase.existingSecretName | string | ``""`` | Name of an existing Secret containing credentials for the Platform MySQL database, as an alternative to the password field. 
Note: the Secret must already exist in the same namespace at the time of deployment | +| platformDatabase.existingSecretKey | string | ``"TOWER_DB_PASSWORD"`` | Key in the existing Secret containing the password for the Platform MySQL database | +| platformDatabase.driver | string | ``"mariadb"`` | Database driver. Possible options: "mariadb" (or its alias "mysql") | +| platformDatabase.connectionOptions | object | ``{"mariadb":["permitMysqlScheme=true"]}`` | Connection options to compose in the driver URL according to the driver used. The only driver that can be set is 'mariadb' | +| platformDatabase.connectionOptions.mariadb | list | ``["permitMysqlScheme=true"]`` | Connection options to use with the MariaDB driver. For the full list of supported options see: https://mariadb.com/docs/connectors/mariadb-connector-j/about-mariadb-connector-j | +| platformDatabase.dialect | string | ``"mysql-8"`` | Hibernate dialect to use, depending on the database version. Possible options: mysql-8 (default), mariadb-10 | +| platformDatabase.minPoolSize | string | ``"2"`` | Connection pool minimum size | +| platformDatabase.maxPoolSize | string | ``"10"`` | Connection pool maximum size | +| platformDatabase.maxLifetime | string | ``"180000"`` | Connection pool maximum lifetime | + +### Platform + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.YAMLConfigFileContent | string | ``""`` | Content to insert into the tower.yml file (you can use `\|-` YAML multilines). See https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview | +| platform.contactEmail | string | ``"support@example.com"`` | Sender email address for user support | + +### Platform: JWT Seed + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.jwtSeedString | string | ``""`` | JWT seed, defined as string, used to sign authentication tokens. Define the value as a String or a Secret, not both at the same time. 
If neither is defined, Helm generates a random 35-character string. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | +| platform.jwtSeedSecretName | string | ``""`` | Name of an existing Secret containing the JWT seed, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment | +| platform.jwtSeedSecretKey | string | ``"TOWER_JWT_SECRET"`` | Key in the existing Secret containing the JWT seed | + +### Platform: Crypto Seed + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.cryptoSeedString | string | ``""`` | Crypto seed, defined as string, used to encrypt sensitive data in the database. Note: this needs to be a stable value that doesn't change between deployments, otherwise encrypted data in the database will become inaccessible. Either define the value as a String or a Secret, not both at the same time. If neither is defined, a random 35 characters long string will be generated by Helm WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | +| platform.cryptoSeedSecretName | string | ``""`` | Name of an existing Secret containing the crypto seed, as an alternative to the string field. 
Note: the Secret must already exist in the same namespace at the time of deployment | +| platform.cryptoSeedSecretKey | string | ``"TOWER_CRYPTO_SECRETKEY"`` | Key in the existing Secret containing the crypto seed | + +### Platform: Execution Backends + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.executionBackends | list | ``["altair-platform","awsbatch-platform","awscloud-platform","azbatch-platform","azcloud-platform","eks-platform","gke-platform","googlebatch-platform","googlecloud-platform","k8s-platform","lsf-platform","moab-platform","slurm-platform","uge-platform"]`` | List of execution backends to enable. At least one is required. See https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#compute-environments | + +### Platform: License + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.licenseString | string | ``""`` | Platform license key. A license key is a long alphanumeric string provided by your Seqera account manager. Define the value as a String or a Secret, not both at the same time | +| platform.licenseSecretName | string | ``""`` | Name of an existing Secret containing the Platform license key, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment | +| platform.licenseSecretKey | string | ``"TOWER_LICENSE"`` | Key in the existing Secret containing the Platform license key | + +### Platform: OIDC + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.oidcPrivateKeyBase64 | string | ``""`` | OIDC private key in PEM format, base64-encoded. Define the value as a String or a Secret, not both at the same time. If neither is defined, Helm generates a random private key. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. 
When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | +| platform.oidcPrivateKeySecretName | string | ``""`` | Name of an existing Secret containing the OIDC private key in PEM format, as an alternative to the base64-encoded string field. Note: the Secret must already exist in the same namespace at the time of deployment | +| platform.oidcPrivateKeySecretKey | string | ``"oidc.pem"`` | Key in the existing Secret containing the OIDC private key in PEM format | +| platform.oidcClientRegistrationToken | string | ``""`` | OIDC client registration token as a string. Used by Studios and MCP to dynamically register OAuth clients with Seqera Platform's OIDC provider. If neither this nor oidcClientRegistrationTokenSecretName is set, a random value is generated. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | +| platform.oidcClientRegistrationTokenSecretName | string | ``""`` | Name of an existing Secret containing the OIDC client registration token, as an alternative to the string field. 
Note: the Secret must already exist in the same namespace at the time of deployment | +| platform.oidcClientRegistrationTokenSecretKey | string | ``"MCP_OAUTH_INITIAL_ACCESS_TOKEN"`` | Key in the existing Secret containing the OIDC client registration token | + +### Platform: SMTP + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.smtp.host | string | ``""`` | SMTP server hostname to let users authenticate through email, and to send email notifications for events | +| platform.smtp.port | string | ``""`` | SMTP server port | +| platform.smtp.user | string | ``""`` | SMTP server username | +| platform.smtp.password | string | ``""`` | SMTP server password | +| platform.smtp.existingSecretName | string | ``""`` | Name of an existing secret containing the SMTP password | +| platform.smtp.existingSecretKey | string | ``"TOWER_SMTP_PASSWORD"`` | Key in the existing Secret containing the SMTP password | + +### Platform: Wave & Data Explorer + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.waveServerUrl | string | ``"https://wave.seqera.io"`` | URL of the Wave service Platform uses. Evaluated as a template. The Wave service provided by Seqera is `https://wave.seqera.io` | +| platform.dataExplorer.enabled | bool | ``false`` | Enable the Data Explorer feature: https://docs.seqera.io/platform-enterprise/data/data-explorer | + +### Platform: Studios + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.studios.customImageRegistry | string | ``""`` | Image registry where Wave (defined at `.platform.waveServerUrl`) will push custom Studios images built for user sessions. Credentials to the registry/repository must be defined in each Platform Workspace. 
Example: `myregistry.example.com` | +| platform.studios.customImageRepository | string | ``""`` | Image repository where Wave (defined at `.platform.waveServerUrl`) will push custom Studios images built for user sessions. Example: `myteam/studios-container-repo` | +| platform.studios.tools | object | ``{"jupyter":{"deprecated":"public.cr.seqera.io/platform/data-studio-jupyter:4.2.5-0.8","recommended":"public.cr.seqera.io/platform/data-studio-jupyter:4.2.5-0.11","tool":"jupyter"},"rstudio":{"deprecated":"public.cr.seqera.io/platform/data-studio-ride:2025.04.1-0.8","recommended":"public.cr.seqera.io/platform/data-studio-ride:2025.04.1-0.11","tool":"rstudio"},"vscode":{"deprecated":"public.cr.seqera.io/platform/data-studio-vscode:1.101.2-0.8","recommended":"public.cr.seqera.io/platform/data-studio-vscode:1.101.2-0.11","tool":"vscode"},"xpra":{"deprecated":"public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.8","recommended":"public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.11","tool":"xpra"}}`` | Map of tools to make available in Studios. Recommended and deprecated versions can be specified for each tool to allow upgrading from an older version. Refer to the documentation for more details: https://docs.seqera.io/platform-enterprise/studios/managing#migrate-a-studio-from-an-earlier-container-image-template | + +### Platform: Labels & Annotations + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platform.configMapLabels | object | ``{}`` | Additional labels for the ConfigMap objects. Evaluated as a template | +| platform.secretLabels | object | ``{}`` | Additional labels for the Secret objects. Evaluated as a template | +| platform.serviceLabels | object | ``{}`` | Additional labels for the Service objects. Evaluated as a template | +| platform.configMapAnnotations | object | ``{}`` | Additional annotations for the ConfigMap objects. 
Evaluated as a template | +| platform.secretAnnotations | object | ``{}`` | Additional annotations for the Secret objects. Evaluated as a template | +| platform.serviceAnnotations | object | ``{}`` | Additional annotations for the Service objects. Evaluated as a template | + +### Redis + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| redis.host | string | ``""`` | Redis hostname | +| redis.port | int | ``6379`` | Redis port | +| redis.password | string | ``""`` | Redis password if the installation requires it | +| redis.existingSecretName | string | ``""`` | Name of an existing Secret containing credentials for Redis, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | +| redis.existingSecretKey | string | ``"TOWER_REDIS_PASSWORD"`` | Key in the existing Secret containing the password for Redis | +| redis.enableTls | bool | ``false`` | Enable TLS when connecting to Redis | + +### Backend: Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.image.registry | string | ``""`` | Backend container image registry | +| backend.image.repository | string | ``"private/nf-tower-enterprise/backend"`` | Backend container image repository | +| backend.image.tag | string | ``"{{ .chart.AppVersion }}"`` | Backend container image tag | +| backend.image.digest | string | ``""`` | Backend container image digest in the format `sha256:1234abcdef` | +| backend.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the backend container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| backend.image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | +| backend.micronautEnvironments | list | 
``["prod","redis","ha"]`` | List of Micronaut Environments to enable on the backend pod | + +### Backend: Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.service.type | string | ``"ClusterIP"`` | Backend Service type. Note: ingresses using AWS ALB require the service to be NodePort | +| backend.service.http.name | string | ``"http"`` | Service name to use | +| backend.service.http.targetPort | int | ``8080`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port). Platform v25.3+ only; previous versions were hardcoded to 8080 | +| backend.service.http.nodePort | string | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | +| backend.service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| backend.service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | + +### Backend: Pod + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.initContainers | list | ``[]`` | Additional init containers for the backend pod. Evaluated as a template | +| backend.command | list | ``[]`` | Override default container command (useful when using custom images) | +| backend.args | list | ``[]`` | Override default container args (useful when using custom images) | +| backend.podLabels | object | ``{}`` | Additional labels for the backend pod. Evaluated as a template | +| backend.podAnnotations | object | ``{}`` | Additional annotations for the backend pod. 
Evaluated as a template | +| backend.extraOptionsSpec | object | ``{"replicas":3}`` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | +| backend.extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). Evaluated as a template | +| backend.extraEnvVars | list | ``[]`` | Extra environment variables to set on the backend pod | +| backend.extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| backend.extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | +| backend.extraVolumes | list | ``[]`` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| backend.extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | + +### Backend: Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| backend.podSecurityContext.fsGroup | int | ``101`` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | +| backend.containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| backend.containerSecurityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| backend.containerSecurityContext.runAsNonRoot | bool | ``true`` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | +| backend.containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | +| backend.containerSecurityContext.capabilities | object | 
``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Backend: Resources + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Backend: Startup Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.startupProbe.enabled | bool | ``false`` | Enable startup probe | +| backend.startupProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for startup probe | +| backend.startupProbe.httpGet.port | string | ``"{{ .Values.backend.service.http.targetPort }}"`` | HTTP GET port for startup probe. Evaluated as a template. Note: before v25.3 this was hardcoded to 8080 | +| backend.startupProbe.initialDelaySeconds | int | ``5`` | Longer initial wait to accommodate slow-starting apps | +| backend.startupProbe.periodSeconds | int | ``10`` | Often set longer to avoid frequent checks while starting | +| backend.startupProbe.timeoutSeconds | int | ``3`` | Can be longer to allow slow initialization responses | +| backend.startupProbe.failureThreshold | int | ``5`` | Consecutive failures during startup before killing the container (instead of immediate restarts) | +| backend.startupProbe.successThreshold | int | ``1`` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | + +### Backend: Readiness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.readinessProbe.enabled | bool | ``true`` | Enable readiness probe | +| backend.readinessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for readiness probe | +| backend.readinessProbe.httpGet.port | string | ``"{{ .Values.backend.service.http.targetPort }}"`` | HTTP GET port for readiness probe. Evaluated as a template. 
Note: before v25.3 this was hardcoded to 8080 | +| backend.readinessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| backend.readinessProbe.periodSeconds | int | ``5`` | Regular check interval during normal operation | +| backend.readinessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect unresponsive containers for readiness | +| backend.readinessProbe.failureThreshold | int | ``5`` | Consecutive failures before marking the container Unready (no restart) | +| backend.readinessProbe.successThreshold | int | ``1`` | Number of consecutive successes required to mark the container Ready after failures | + +### Backend: Liveness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| backend.livenessProbe.enabled | bool | ``true`` | Enable liveness probe | +| backend.livenessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for liveness probe | +| backend.livenessProbe.httpGet.port | string | ``"{{ .Values.backend.service.http.targetPort }}"`` | HTTP GET port for liveness probe. Evaluated as a template. 
Note: before v25.3 this was hardcoded to 8080 | +| backend.livenessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| backend.livenessProbe.periodSeconds | int | ``10`` | Regular check interval during normal operation | +| backend.livenessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect hung containers quickly | +| backend.livenessProbe.failureThreshold | int | ``10`` | Consecutive failures before restarting the container | +| backend.livenessProbe.successThreshold | int | ``1`` | Typically 1 (usually ignored) | + +### Frontend: Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| frontend.image.registry | string | ``""`` | Frontend container image registry | +| frontend.image.repository | string | ``"private/nf-tower-enterprise/frontend"`` | Frontend container image repository | +| frontend.image.tag | string | ``"{{ .chart.AppVersion }}-unprivileged"`` | Specify a tag to override the version defined in .Chart.appVersion | +| frontend.image.digest | string | ``""`` | Frontend container image digest in the format `sha256:1234abcdef` | +| frontend.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the frontend container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| frontend.image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### Frontend: Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| frontend.service.type | string | ``"ClusterIP"`` | Frontend Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | +| frontend.service.http.name | string | ``"http"`` | Service name to use | +| frontend.service.http.port | int | ``80`` | Service port | +| frontend.service.http.targetPort | int | ``8083`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | +| frontend.service.http.nodePort | int | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | +| frontend.service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| frontend.service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | + +### Frontend: Pod + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| frontend.initContainers | list | ``[]`` | Additional init containers for the frontend pod. Evaluated as a template | +| frontend.command | list | ``[]`` | Override default container command (useful when using custom images) | +| frontend.args | list | ``[]`` | Override default container args (useful when using custom images) | +| frontend.podLabels | object | ``{}`` | Additional labels for the frontend pod. Evaluated as a template | +| frontend.podAnnotations | object | ``{}`` | Additional annotations for the frontend pod. Evaluated as a template | +| frontend.extraOptionsSpec | object | ``{}`` | Extra options to place under .spec (e.g. revisionHistoryLimit, etc). Evaluated as a template. 
Note: the cron deployment can only run a single replica and use Recreate strategy | +| frontend.extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (for example, nodeSelector, affinity, restartPolicy). Evaluated as a template | +| frontend.extraEnvVars | list | ``[]`` | Extra environment variables to set on the frontend pod | +| frontend.extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| frontend.extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | +| frontend.extraVolumes | list | ``[]`` | Extra volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| frontend.extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | + +### Frontend: Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| frontend.podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| frontend.podSecurityContext.fsGroup | int | ``101`` | GID that Kubernetes applies to mounted volumes and created files so processes in the pod can share group-owned access | +| frontend.containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| frontend.containerSecurityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| frontend.containerSecurityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| frontend.containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| frontend.containerSecurityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Frontend: Resources + +| Key | Type | 
Default | Description | +|-----|------|---------|-------------| +| frontend.resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Frontend: Startup Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| frontend.startupProbe.enabled | bool | ``false`` | Enable startup probe | +| frontend.startupProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for startup probe | +| frontend.startupProbe.httpGet.port | string | ``"{{ .Values.frontend.service.http.targetPort }}"`` | HTTP GET port for startup probe. Evaluated as a template | +| frontend.startupProbe.initialDelaySeconds | int | ``5`` | Longer initial wait to accommodate slow-starting apps | +| frontend.startupProbe.periodSeconds | int | ``10`` | Often set longer to avoid frequent checks while starting | +| frontend.startupProbe.timeoutSeconds | int | ``3`` | Can be longer to allow slow initialization responses | +| frontend.startupProbe.failureThreshold | int | ``5`` | Consecutive failures during startup before killing the container (instead of immediate restarts) | +| frontend.startupProbe.successThreshold | int | ``1`` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | + +### Frontend: Readiness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| frontend.readinessProbe.enabled | bool | ``true`` | Enable readiness probe | +| frontend.readinessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for readiness probe | +| frontend.readinessProbe.httpGet.port | string | ``"{{ .Values.frontend.service.http.targetPort }}"`` | HTTP GET port for readiness probe. 
Evaluated as a template | +| frontend.readinessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| frontend.readinessProbe.periodSeconds | int | ``5`` | Regular check interval during normal operation | +| frontend.readinessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect unresponsive containers for readiness | +| frontend.readinessProbe.failureThreshold | int | ``5`` | Consecutive failures before marking the container Unready (no restart) | +| frontend.readinessProbe.successThreshold | int | ``1`` | Number of consecutive successes required to mark the container Ready after failures | + +### Frontend: Liveness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| frontend.livenessProbe.enabled | bool | ``true`` | Enable liveness probe | +| frontend.livenessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for liveness probe | +| frontend.livenessProbe.httpGet.port | string | ``"{{ .Values.frontend.service.http.targetPort }}"`` | HTTP GET port for liveness probe. 
Evaluated as a template | +| frontend.livenessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| frontend.livenessProbe.periodSeconds | int | ``10`` | Regular check interval during normal operation | +| frontend.livenessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect hung containers quickly | +| frontend.livenessProbe.failureThreshold | int | ``10`` | Consecutive failures before restarting the container | +| frontend.livenessProbe.successThreshold | int | ``1`` | Typically 1 (usually ignored) | + +### Cron: Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cron.image.registry | string | ``""`` | Cron container image registry | +| cron.image.repository | string | ``"private/nf-tower-enterprise/backend"`` | Cron container image repository | +| cron.image.tag | string | ``"{{ .chart.AppVersion }}"`` | Cron container image tag | +| cron.image.digest | string | ``""`` | Cron container image digest in the format `sha256:1234abcdef` | +| cron.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the cron container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| cron.image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### Cron: Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cron.micronautEnvironments | list | ``["prod","redis","cron"]`` | List of Micronaut Environments to enable on the cron pod | +| cron.service.type | string | ``"ClusterIP"`` | Cron Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | +| cron.service.http.name | string | ``"http"`` | Service name to use | +| cron.service.http.port | int | ``8080`` | Service port | +| cron.service.http.targetPort | int | ``8082`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | +| cron.service.http.nodePort | string | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | +| cron.service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| cron.service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | + +### Cron: Pod + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cron.initContainers | list | ``[]`` | Additional init containers for the cron pod. Evaluated as a template | +| cron.command | list | ``[]`` | Override default container command (useful when using custom images) | +| cron.args | list | ``[]`` | Override default container args (useful when using custom images) | +| cron.podLabels | object | ``{}`` | Additional labels for the cron pod. Evaluated as a template | +| cron.podAnnotations | object | ``{}`` | Additional annotations for the cron pod. Evaluated as a template | +| cron.extraOptionsSpec | object | ``{}`` | Extra options to place under .spec (for example, revisionHistoryLimit). 
Evaluated as a template Note that cron deployment needs to have a single replica with Recreate strategy | +| cron.extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (for example, nodeSelector, affinity, restartPolicy) Evaluated as a template | +| cron.extraEnvVars | list | ``[]`` | Extra environment variables to set on the cron pod | +| cron.extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| cron.extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | +| cron.extraVolumes | list | ``[]`` | Extra volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| cron.extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | + +### Cron: Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cron.podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| cron.podSecurityContext.fsGroup | int | ``101`` | GID that Kubernetes applies to mounted volumes and created files so processes in the pod can share group-owned access | +| cron.containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| cron.containerSecurityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| cron.containerSecurityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| cron.containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| cron.containerSecurityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Cron: Resources + +| Key | Type | Default | Description | 
+|-----|------|---------|-------------| +| cron.resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Cron: Startup Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cron.startupProbe.enabled | bool | ``false`` | Enable startup probe | +| cron.startupProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for startup probe | +| cron.startupProbe.httpGet.port | string | ``"{{ .Values.cron.service.http.targetPort }}"`` | HTTP GET port for startup probe. Evaluated as a template | +| cron.startupProbe.initialDelaySeconds | int | ``5`` | Longer initial wait to accommodate slow-starting apps | +| cron.startupProbe.periodSeconds | int | ``10`` | Often set longer to avoid frequent checks while starting | +| cron.startupProbe.timeoutSeconds | int | ``3`` | Can be longer to allow slow initialization responses | +| cron.startupProbe.failureThreshold | int | ``5`` | Consecutive failures during startup before killing the container (instead of immediate restarts) | +| cron.startupProbe.successThreshold | int | ``1`` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | + +### Cron: Readiness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cron.readinessProbe.enabled | bool | ``true`` | Enable readiness probe | +| cron.readinessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for readiness probe | +| cron.readinessProbe.httpGet.port | string | ``"{{ .Values.cron.service.http.targetPort }}"`` | HTTP GET port for readiness probe. 
Evaluated as a template | +| cron.readinessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| cron.readinessProbe.periodSeconds | int | ``5`` | Regular check interval during normal operation | +| cron.readinessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect unresponsive containers for readiness | +| cron.readinessProbe.failureThreshold | int | ``5`` | Consecutive failures before marking the container Unready (no restart) | +| cron.readinessProbe.successThreshold | int | ``1`` | Number of consecutive successes required to mark the container Ready after failures | + +### Cron: Liveness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cron.livenessProbe.enabled | bool | ``true`` | Enable liveness probe | +| cron.livenessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for liveness probe | +| cron.livenessProbe.httpGet.port | string | ``"{{ .Values.cron.service.http.targetPort }}"`` | HTTP GET port for liveness probe. 
Evaluated as a template | +| cron.livenessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| cron.livenessProbe.periodSeconds | int | ``10`` | Regular check interval during normal operation | +| cron.livenessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect hung containers quickly | +| cron.livenessProbe.failureThreshold | int | ``10`` | Consecutive failures before restarting the container | +| cron.livenessProbe.successThreshold | int | ``1`` | Typically 1 (usually ignored) | + +### Cron: DB Migration Init Container + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| cron.dbMigrationInitContainer.image.registry | string | ``""`` | Database migration container image registry | +| cron.dbMigrationInitContainer.image.repository | string | ``"private/nf-tower-enterprise/migrate-db"`` | Database migration container image repository | +| cron.dbMigrationInitContainer.image.tag | string | ``"{{ .chart.AppVersion }}"`` | Specify a tag to override the version defined in .Chart.appVersion | +| cron.dbMigrationInitContainer.image.digest | string | ``""`` | Database migration container image digest in the format `sha256:1234abcdef` | +| cron.dbMigrationInitContainer.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the database migration init container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| cron.dbMigrationInitContainer.image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | +| cron.dbMigrationInitContainer.command | list | ``["/bin/sh","-c","/migrate-db.sh"]`` | Override default container command (useful when using custom images) | +| cron.dbMigrationInitContainer.args | list | ``[]`` | Override default container args (useful when using custom 
images) | +| cron.dbMigrationInitContainer.extraEnvVars | list | ``[]`` | Extra environment variables to set on the cron pod | +| cron.dbMigrationInitContainer.extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| cron.dbMigrationInitContainer.extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | +| cron.dbMigrationInitContainer.extraVolumes | list | ``[]`` | Extra volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| cron.dbMigrationInitContainer.extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | +| cron.dbMigrationInitContainer.containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| cron.dbMigrationInitContainer.containerSecurityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| cron.dbMigrationInitContainer.containerSecurityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| cron.dbMigrationInitContainer.containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| cron.dbMigrationInitContainer.containerSecurityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| cron.dbMigrationInitContainer.resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Init Container Dependencies + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.enabled | bool | ``true`` | Enable init containers that coordinate startup dependencies between Platform components (for example, wait for database readiness before cron starts, wait for cron before 
backend starts, etc) | + +### Init Container Dependencies: Wait For MySQL + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForMySQL.enabled | bool | ``true`` | Enable wait for MySQL init container before starting backend and cron | +| initContainerDependencies.waitForMySQL.image.registry | string | ``""`` | Override default wait for MySQL init container image | +| initContainerDependencies.waitForMySQL.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForMySQL.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| initContainerDependencies.waitForMySQL.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForMySQL.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForMySQL.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForMySQL.extraEnvVars | list | ``[]`` | Additional environment variables for the init container. The special variable `MYSQL_EXTRA_ARGS` is appended verbatim to the `mysql` readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. Pair with `extraVolumeMounts` to mount the CA certificate into the container. 
Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" | +| initContainerDependencies.waitForMySQL.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container. Use this to mount CA certificates (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that `MYSQL_EXTRA_ARGS` can reference them. | + +### Init Container Dependencies: Wait For Redis + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForRedis.enabled | bool | ``true`` | Enable wait for Redis init container before starting backend and cron | +| initContainerDependencies.waitForRedis.image.registry | string | ``""`` | Override default wait for Redis init container image | +| initContainerDependencies.waitForRedis.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForRedis.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| initContainerDependencies.waitForRedis.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForRedis.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForRedis.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForRedis.extraEnvVars | list | ``[]`` | Additional environment variables for the init container | +| initContainerDependencies.waitForRedis.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init 
container (e.g. to mount a CA certificate) | + +### Init Container Dependencies: Wait For Cron + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForCron.enabled | bool | ``true`` | Enable wait for Platform cron init container before starting backend | +| initContainerDependencies.waitForCron.image.registry | string | ``""`` | Override default wait for cron init container image | +| initContainerDependencies.waitForCron.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForCron.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| initContainerDependencies.waitForCron.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForCron.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForCron.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForCron.extraEnvVars | list | ``[]`` | Additional environment variables for the init container | +| initContainerDependencies.waitForCron.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container (e.g. to mount a CA certificate) | + +### Service Account + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| serviceAccount.name | string | ``""`` | Name of an existing ServiceAccount. 
If not set, a new ServiceAccount is generated based on the release name | +| serviceAccount.annotations | object | ``{}`` | Additional annotations for the ServiceAccount to generate | +| serviceAccount.imagePullSecretNames | list | ``[]`` | Names of Secrets containing credentials to pull images from registries | +| serviceAccount.automountServiceAccountToken | bool | ``false`` | Automount service account token when the service account is generated | + +### Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| ingress.enabled | bool | ``false`` | Enable ingress for Platform | +| ingress.path | string | ``""`` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | +| ingress.contentPath | string | ``"/"`` | Path for the content domain ingress rule | +| ingress.defaultPathType | string | ``""`` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | +| ingress.defaultBackend | object | ``{}`` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | +| ingress.extraHosts | list | ``[]`` | Additional hosts you want to include. Evaluated as a template | +| ingress.annotations | object | ``{}`` | Ingress annotations specific to your load balancer. Evaluated as a template | +| ingress.extraLabels | object | ``{}`` | Additional labels for the ingress object. Evaluated as a template | +| ingress.ingressClassName | string | ``""`` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | +| ingress.tls | list | ``[]`` | TLS configuration. 
Evaluated as a template | + +### Common + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraDeploy | list | ``[]`` | Array of extra objects to deploy with the release | +| commonAnnotations | object | ``{}`` | Annotations to add to all deployed objects | +| commonLabels | object | ``{}`` | Labels to add to all deployed objects | + +### Subcharts: Studios + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| studios.enabled | bool | ``true`` | Enable Studios feature. Refer to the subchart README for more details and the full list of configuration options | + +### Subcharts: Pipeline Optimization + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| pipeline-optimization.enabled | bool | ``true`` | Enable pipeline optimization feature. Refer to the subchart README for more details and the full list of configuration options | + +### Subcharts: MCP + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| mcp.enabled | bool | ``true`` | Enable the Seqera Model Context Protocol (MCP) service. Refer to the subchart README for more details and the full list of configuration options | + +### Subcharts: Agent Backend + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| agent-backend.enabled | bool | ``true`` | Enable agent backend feature used by seqera cli ai command. Refer to the subchart README for more details and the full list of configuration options | + +### Subcharts: Portal Web + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| portal-web.enabled | bool | ``true`` | Enable portal web frontend. 
Refer to the subchart README for more details and the full list of configuration options | + +### Other Values + | Key | Type | Default | Description | |-----|------|---------|-------------| -| global.platformExternalDomain | string | `"example.com"` | Domain where Seqera Platform listens | -| global.contentDomain | string | `"{{ printf \"user-data.%s\" .Values.global.platformExternalDomain }}"` | Domain where user-created Platform reports are exposed, to avoid Cross-Site Scripting (XSS) attacks. If unset, data is served through the main domain `.global.platformExternalDomain`. Evaluated as a template | -| global.platformServiceAddress | string | `"{{ printf \"%s-platform-backend\" .Release.Name | lower }}"` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template | -| global.platformServicePort | int | `8080` | Seqera Platform Service port | -| global.studiosDomain | string | `"{{ printf \"studios.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Studios service listens. Make sure the TLS certificate covers this and its wildcard subdomains. Evaluated as a template | -| global.studiosConnectionUrl | string | `"{{ printf \"https://connect.%s\" (tpl .Values.global.studiosDomain $) }}"` | Base URL for Studios connections: can be any value, since each session will use a unique subdomain under `.global.studiosDomain` anyway to connect. Evaluated as a template | -| global.waveDomain | string | `"{{ printf \"wave.%s\" .Values.global.platformExternalDomain }}"` | Domain where Wave listens. Evaluated as a template | -| global.mcpDomain | string | `"{{ printf \"mcp.%s\" .Values.global.platformExternalDomain }}"` | Domain where Seqera MCP listens. Evaluated as a template | -| global.agentBackendDomain | string | `"{{ printf \"ai-api.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Agent Backend service listens. 
Evaluated as a template | -| global.portalWebDomain | string | `"{{ printf \"ai.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Portal Web frontend listens. Evaluated as a template | -| global.ingress.enabled | bool | `false` | Enable Ingress for the parent chart and every subchart that exposes one. Each chart's local `ingress.enabled` is OR'd with this — set this to `true` to turn on all Ingresses in one switch | -| global.ingress.path | string | `"/"` | Default path applied to ingress rules when a chart's local `ingress.path` is not set. AWS ALB users should override to `/*`. | -| global.ingress.defaultPathType | string | `"Prefix"` | Default path type applied to ingress rules when a chart's local `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. Override to `ImplementationSpecific` only if your controller requires it (e.g. older GKE). | -| global.ingress.ingressClassName | string | `""` | Default ingress class name applied to ingress rules when a chart's local `ingress.ingressClassName` is not set. Replaces the deprecated `kubernetes.io/ingress.class` annotation | -| global.ingress.annotations | object | `{}` | Annotations merged into every chart's Ingress (e.g. cert-manager issuer, NGINX `proxy-body-size`, ALB SSL config). Local `ingress.annotations` wins on key collision. Evaluated as a template | -| global.ingress.extraLabels | object | `{}` | Extra labels merged into every chart's Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | -| global.ingress.tls | list | `[]` | TLS entries concatenated with each chart's local `ingress.tls`. Useful for a single wildcard cert that covers all services. Evaluated as a template | -| global.imageCredentials | list | `[]` | Optional credentials to log in and fetch images from a private registry. 
These credentials are shared with all the subcharts automatically | -| global.imageCredentialsSecrets | list | `[]` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | -| global.azure.images.platformBackend.registry | string | `nil` | Image registry for the Platform backend image deployed on Azure. Example: `myregistry.azurecr.io`. Evaluated as a template | -| global.azure.images.platformBackend.image | string | `nil` | Image repository for the Platform backend image deployed on Azure. Example: `myteam/platform-backend`. Evaluated as a template | -| global.azure.images.platformBackend.tag | string | `nil` | Image tag for the Platform backend on Azure. Defaults to the application version defined in the Chart.yaml file. Evaluated as a template | -| global.azure.images.platformBackend.digest | string | `nil` | Image digest for the Platform backend on Azure, in the format `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a template | -| global.azure.images.platformFrontend.registry | string | `nil` | Image registry for the Platform frontend image deployed on Azure. Evaluated as a template | -| global.azure.images.platformFrontend.image | string | `nil` | Image repository for the Platform frontend image deployed on Azure. Evaluated as a template | -| global.azure.images.platformFrontend.tag | string | `nil` | Image tag for the Platform frontend on Azure. Defaults to the application version defined in the Chart.yaml file. Evaluated as a template | -| global.azure.images.platformFrontend.digest | string | `nil` | Image digest for the Platform frontend on Azure, in the format `sha256:1234abcdef`. Takes precedence over the tag if both are set. 
Evaluated as a template | -| global.azure.images.platformCronMigrateDB.registry | string | `nil` | Image registry for the Platform cron migrate-db init container image deployed on Azure. Evaluated as a template | -| global.azure.images.platformCronMigrateDB.image | string | `nil` | Image repository for the Platform cron migrate-db init container image deployed on Azure. Evaluated as a template | -| global.azure.images.platformCronMigrateDB.tag | string | `nil` | Image tag for the Platform cron migrate-db init container on Azure. Defaults to the application version defined in the Chart.yaml file. Evaluated as a template | -| global.azure.images.platformCronMigrateDB.digest | string | `nil` | Image digest for the Platform cron migrate-db init container on Azure, in the format `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a template | -| global.azure.images.studiosProxy.registry | string | `nil` | Image registry for the Studios proxy image deployed on Azure. Evaluated as a template | -| global.azure.images.studiosProxy.image | string | `nil` | Image repository for the Studios proxy image deployed on Azure. Evaluated as a template | -| global.azure.images.studiosProxy.tag | string | `nil` | Image tag for the Studios proxy on Azure. Evaluated as a template | -| global.azure.images.studiosProxy.digest | string | `nil` | Image digest for the Studios proxy on Azure. Evaluated as a template | -| global.azure.images.studiosServer.registry | string | `nil` | Image registry for the Studios server image deployed on Azure. Evaluated as a template | -| global.azure.images.studiosServer.image | string | `nil` | Image repository for the Studios server image deployed on Azure. Evaluated as a template | -| global.azure.images.studiosServer.tag | string | `nil` | Image tag for the Studios server on Azure. Evaluated as a template | -| global.azure.images.studiosServer.digest | string | `nil` | Image digest for the Studios server on Azure. 
Evaluated as a template | -| global.azure.images.pipelineOptimization.registry | string | `nil` | Image registry for the Pipeline Optimization image deployed on Azure. Evaluated as a template | -| global.azure.images.pipelineOptimization.image | string | `nil` | Image repository for the Pipeline Optimization image deployed on Azure. Evaluated as a template | -| global.azure.images.pipelineOptimization.tag | string | `nil` | Image tag for the Pipeline Optimization on Azure. Evaluated as a template | -| global.azure.images.pipelineOptimization.digest | string | `nil` | Image digest for the Pipeline Optimization on Azure. Evaluated as a template | -| global.azure.images.pipelineOptimizationMigrateDB.registry | string | `nil` | Image registry for the Pipeline Optimization migrate-db init container image deployed on Azure. Evaluated as a template | -| global.azure.images.pipelineOptimizationMigrateDB.image | string | `nil` | Image repository for the Pipeline Optimization migrate-db init container image deployed on Azure. Evaluated as a template | -| global.azure.images.pipelineOptimizationMigrateDB.tag | string | `nil` | Image tag for the Pipeline Optimization migrate-db init container on Azure. Evaluated as a template | -| global.azure.images.pipelineOptimizationMigrateDB.digest | string | `nil` | Image digest for the Pipeline Optimization migrate-db init container on Azure, in the format `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a template | -| global.azure.images.agentBackend.registry | string | `nil` | Image registry for the Agent Backend image deployed on Azure. Evaluated as a template | -| global.azure.images.agentBackend.image | string | `nil` | Image repository for the Agent Backend image deployed on Azure. Evaluated as a template | -| global.azure.images.agentBackend.tag | string | `nil` | Image tag for the Agent Backend on Azure. 
Evaluated as a template | -| global.azure.images.agentBackend.digest | string | `nil` | Image digest for the Agent Backend on Azure. Evaluated as a template | -| global.azure.images.waitForCron.registry | string | `nil` | Image registry for the wait-for-cron init container image deployed on Azure. Evaluated as a template | -| global.azure.images.waitForCron.image | string | `nil` | Image repository for the wait-for-cron init container image deployed on Azure. Evaluated as a template | -| global.azure.images.waitForCron.tag | string | `nil` | Image tag for the wait-for-cron init container on Azure. Evaluated as a template | -| global.azure.images.waitForCron.digest | string | `nil` | Image digest for the wait-for-cron init container on Azure. Evaluated as a template | -| global.azure.images.waitForPlatform.registry | string | `nil` | Image registry for the wait-for-platform init container image deployed on Azure. Evaluated as a template | -| global.azure.images.waitForPlatform.image | string | `nil` | Image repository for the wait-for-platform init container image deployed on Azure. Evaluated as a template | -| global.azure.images.waitForPlatform.tag | string | `nil` | Image tag for the wait-for-platform init container on Azure. Evaluated as a template | -| global.azure.images.waitForPlatform.digest | string | `nil` | Image digest for the wait-for-platform init container on Azure. Evaluated as a template | -| global.azure.images.waitForMySQL.registry | string | `nil` | Image registry for the wait-for-MySQL init container image deployed on Azure. Evaluated as a template | -| global.azure.images.waitForMySQL.image | string | `nil` | Image repository for the wait-for-MySQL init container image deployed on Azure. Evaluated as a template | -| global.azure.images.waitForMySQL.tag | string | `nil` | Image tag for the wait-for-MySQL init container on Azure. 
Evaluated as a template | -| global.azure.images.waitForMySQL.digest | string | `nil` | Image digest for the wait-for-MySQL init container on Azure. Evaluated as a template | -| global.azure.images.waitForRedis.registry | string | `nil` | Image registry for the wait-for-Redis init container image deployed on Azure. Evaluated as a template | -| global.azure.images.waitForRedis.image | string | `nil` | Image repository for the wait-for-Redis init container image deployed on Azure. Evaluated as a template | -| global.azure.images.waitForRedis.tag | string | `nil` | Image tag for the wait-for-Redis init container on Azure. Evaluated as a template | -| global.azure.images.waitForRedis.digest | string | `nil` | Image digest for the wait-for-Redis init container on Azure. Evaluated as a template | -| platformDatabase.host | string | `""` | Platform MySQL database hostname | -| platformDatabase.port | int | `3306` | Platform MySQL database port | -| platformDatabase.name | string | `""` | Platform MySQL database name | -| platformDatabase.username | string | `""` | Platform MySQL database username | -| platformDatabase.password | string | `""` | Platform MySQL database password | -| platformDatabase.existingSecretName | string | `""` | Name of an existing Secret containing credentials for the Platform MySQL database, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | -| platformDatabase.existingSecretKey | string | `"TOWER_DB_PASSWORD"` | Key in the existing Secret containing the password for the Platform MySQL database | -| platformDatabase.driver | string | `"mariadb"` | Database driver. Possible options: "mariadb" (or its alias "mysql") | -| platformDatabase.connectionOptions | object | `{"mariadb":["permitMysqlScheme=true"]}` | Connection options to compose in the driver URL according to the driver used. 
The only driver that can be set is 'mariadb' | -| platformDatabase.connectionOptions.mariadb | list | `["permitMysqlScheme=true"]` | Connection options to use with the MariaDB driver. For the full list of supported options see: https://mariadb.com/docs/connectors/mariadb-connector-j/about-mariadb-connector-j | -| platformDatabase.dialect | string | `"mysql-8"` | Hibernate dialect to use, depending on the database version. Possible options: mysql-8 (default), mariadb-10 | -| platformDatabase.minPoolSize | string | `"2"` | Connection pool minimum size | -| platformDatabase.maxPoolSize | string | `"10"` | Connection pool maximum size | -| platformDatabase.maxLifetime | string | `"180000"` | Connection pool maximum lifetime | -| platform.YAMLConfigFileContent | string | `""` | Content to insert into the tower.yml file (you can use `\|-` YAML multilines). See https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview | -| platform.contactEmail | string | `"support@example.com"` | Sender email address for user support | -| platform.jwtSeedString | string | `""` | JWT seed, defined as string, used to sign authentication tokens. Define the value as a String or a Secret, not both at the same time. If neither is defined, Helm generates a random 35-character string. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | -| platform.jwtSeedSecretName | string | `""` | Name of an existing Secret containing the JWT seed, as an alternative to the string field. 
Note: the Secret must already exist in the same namespace at the time of deployment | -| platform.jwtSeedSecretKey | string | `"TOWER_JWT_SECRET"` | Key in the existing Secret containing the JWT seed | -| platform.cryptoSeedString | string | `""` | Crypto seed, defined as string, used to encrypt sensitive data in the database. Note: this needs to be a stable value that doesn't change between deployments, otherwise encrypted data in the database will become inaccessible. Either define the value as a String or a Secret, not both at the same time. If neither is defined, a random 35 characters long string will be generated by Helm WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | -| platform.cryptoSeedSecretName | string | `""` | Name of an existing Secret containing the crypto seed, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment | -| platform.cryptoSeedSecretKey | string | `"TOWER_CRYPTO_SECRETKEY"` | Key in the existing Secret containing the crypto seed | -| platform.executionBackends | list | `["altair-platform","awsbatch-platform","awscloud-platform","azbatch-platform","azcloud-platform","eks-platform","gke-platform","googlebatch-platform","googlecloud-platform","k8s-platform","lsf-platform","moab-platform","slurm-platform","uge-platform"]` | List of execution backends to enable. At least one is required. See https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#compute-environments | -| platform.licenseString | string | `""` | Platform license key. A license key is a long alphanumeric string provided by your Seqera account manager. 
Define the value as a String or a Secret, not both at the same time | -| platform.licenseSecretName | string | `""` | Name of an existing Secret containing the Platform license key, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment | -| platform.licenseSecretKey | string | `"TOWER_LICENSE"` | Key in the existing Secret containing the Platform license key | -| platform.oidcPrivateKeyBase64 | string | `""` | OIDC private key in PEM format, base64-encoded. Define the value as a String or a Secret, not both at the same time. If neither is defined, Helm generates a random private key. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | -| platform.oidcPrivateKeySecretName | string | `""` | Name of an existing Secret containing the OIDC private key in PEM format, as an alternative to the base64-encoded string field. Note: the Secret must already exist in the same namespace at the time of deployment | -| platform.oidcPrivateKeySecretKey | string | `"oidc.pem"` | Key in the existing Secret containing the OIDC private key in PEM format | -| platform.oidcClientRegistrationToken | string | `""` | OIDC client registration token as a string. Used by Studios and MCP to dynamically register OAuth clients with Seqera Platform's OIDC provider. If neither this nor oidcClientRegistrationTokenSecretName is set, a random value is generated. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. 
When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | -| platform.oidcClientRegistrationTokenSecretName | string | `""` | Name of an existing Secret containing the OIDC client registration token, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment | -| platform.oidcClientRegistrationTokenSecretKey | string | `"MCP_OAUTH_INITIAL_ACCESS_TOKEN"` | Key in the existing Secret containing the OIDC client registration token | -| platform.smtp.host | string | `""` | SMTP server hostname to let users authenticate through email, and to send email notifications for events | -| platform.smtp.port | string | `""` | SMTP server port | -| platform.smtp.user | string | `""` | SMTP server username | -| platform.smtp.password | string | `""` | SMTP server password | -| platform.smtp.existingSecretName | string | `""` | Name of an existing secret containing the SMTP password | -| platform.smtp.existingSecretKey | string | `"TOWER_SMTP_PASSWORD"` | Key in the existing Secret containing the SMTP password | -| platform.waveServerUrl | string | `"https://wave.seqera.io"` | URL of the Wave service Platform uses. Evaluated as a template. The Wave service provided by Seqera is `https://wave.seqera.io` | -| platform.dataExplorer.enabled | bool | `false` | Enable the Data Explorer feature: https://docs.seqera.io/platform-enterprise/data/data-explorer | -| platform.studios.customImageRegistry | string | `""` | Image registry where Wave (defined at `.platform.waveServerUrl`) will push custom Studios images built for user sessions. Credentials to the registry/repository must be defined in each Platform Workspace. 
Example: `myregistry.example.com` | -| platform.studios.customImageRepository | string | `""` | Image repository where Wave (defined at `.platform.waveServerUrl`) will push custom Studios images built for user sessions. Example: `myteam/studios-container-repo` | -| platform.studios.tools | object | `{"jupyter":{"deprecated":"public.cr.seqera.io/platform/data-studio-jupyter:4.2.5-0.8","recommended":"public.cr.seqera.io/platform/data-studio-jupyter:4.2.5-0.11","tool":"jupyter"},"rstudio":{"deprecated":"public.cr.seqera.io/platform/data-studio-ride:2025.04.1-0.8","recommended":"public.cr.seqera.io/platform/data-studio-ride:2025.04.1-0.11","tool":"rstudio"},"vscode":{"deprecated":"public.cr.seqera.io/platform/data-studio-vscode:1.101.2-0.8","recommended":"public.cr.seqera.io/platform/data-studio-vscode:1.101.2-0.11","tool":"vscode"},"xpra":{"deprecated":"public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.8","recommended":"public.cr.seqera.io/platform/data-studio-xpra:6.2.0-r2-1-0.11","tool":"xpra"}}` | Map of tools to make available in Studios. Recommended and deprecated versions can be specified for each tool to allow upgrading from an older version. Refer to the documentation for more details: https://docs.seqera.io/platform-enterprise/studios/managing#migrate-a-studio-from-an-earlier-container-image-template | -| platform.configMapLabels | object | `{}` | Additional labels for the ConfigMap objects. Evaluated as a template | -| platform.secretLabels | object | `{}` | Additional labels for the Secret objects. Evaluated as a template | -| platform.serviceLabels | object | `{}` | Additional labels for the Service objects. Evaluated as a template | -| platform.configMapAnnotations | object | `{}` | Additional annotations for the ConfigMap objects. Evaluated as a template | -| platform.secretAnnotations | object | `{}` | Additional annotations for the Secret objects. 
Evaluated as a template | -| platform.serviceAnnotations | object | `{}` | Additional annotations for the Service objects. Evaluated as a template | -| redis.host | string | `""` | Redis hostname | -| redis.port | int | `6379` | Redis port | -| redis.password | string | `""` | Redis password if the installation requires it | -| redis.existingSecretName | string | `""` | Name of an existing Secret containing credentials for Redis, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | -| redis.existingSecretKey | string | `"TOWER_REDIS_PASSWORD"` | Key in the existing Secret containing the password for Redis | -| redis.enableTls | bool | `false` | Enable TLS when connecting to Redis | -| backend.image.registry | string | `""` | Backend container image registry | -| backend.image.repository | string | `"private/nf-tower-enterprise/backend"` | Backend container image repository | -| backend.image.tag | string | `"{{ .chart.AppVersion }}"` | Backend container image tag | -| backend.image.digest | string | `""` | Backend container image digest in the format `sha256:1234abcdef` | -| backend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the backend container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| backend.image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| backend.micronautEnvironments | list | `["prod","redis","ha"]` | List of Micronaut Environments to enable on the backend pod | -| backend.service.type | string | `"ClusterIP"` | Backend Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | -| backend.service.http.name | string | `"http"` | Service name to use | -| backend.service.http.targetPort | int | `8080` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port). Platform v25.3+ only; previous versions were hardcoded to 8080 | -| backend.service.http.nodePort | string | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| backend.service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| backend.service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| backend.initContainers | list | `[]` | Additional init containers for the backend pod. Evaluated as a template | -| backend.command | list | `[]` | Override default container command (useful when using custom images) | -| backend.args | list | `[]` | Override default container args (useful when using custom images) | -| backend.podLabels | object | `{}` | Additional labels for the backend pod. Evaluated as a template | -| backend.podAnnotations | object | `{}` | Additional annotations for the backend pod. Evaluated as a template | -| backend.extraOptionsSpec | object | `{"replicas":3}` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | -| backend.extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | -| backend.extraEnvVars | list | `[]` | Extra environment variables to set on the backend pod | -| backend.extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| backend.extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| backend.extraVolumes | list | `[]` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| backend.extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | -| backend.podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| backend.podSecurityContext.fsGroup | int | `101` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | -| backend.containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| backend.containerSecurityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| backend.containerSecurityContext.runAsNonRoot | bool | `true` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | -| backend.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | -| backend.containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| backend.resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| backend.startupProbe.enabled | bool | `false` | Enable startup probe | -| backend.startupProbe.httpGet.path | string | `"/health"` | HTTP GET path for startup probe | -| backend.startupProbe.httpGet.port | string | `"{{ .Values.backend.service.http.targetPort }}"` | HTTP GET port for startup probe. 
Evaluated as a template. Note: before v25.3 this was hardcoded to 8080 | -| backend.startupProbe.initialDelaySeconds | int | `5` | Longer initial wait to accommodate slow-starting apps | -| backend.startupProbe.periodSeconds | int | `10` | Often set longer to avoid frequent checks while starting | -| backend.startupProbe.timeoutSeconds | int | `3` | Can be longer to allow slow initialization responses | -| backend.startupProbe.failureThreshold | int | `5` | Consecutive failures during startup before killing the container (instead of immediate restarts) | -| backend.startupProbe.successThreshold | int | `1` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | -| backend.readinessProbe.enabled | bool | `true` | Enable readiness probe | -| backend.readinessProbe.httpGet.path | string | `"/health"` | HTTP GET path for readiness probe | -| backend.readinessProbe.httpGet.port | string | `"{{ .Values.backend.service.http.targetPort }}"` | HTTP GET port for readiness probe. Evaluated as a template. 
Note: before v25.3 this was hardcoded to 8080 | -| backend.readinessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| backend.readinessProbe.periodSeconds | int | `5` | Regular check interval during normal operation | -| backend.readinessProbe.timeoutSeconds | int | `3` | Short timeout to detect unresponsive containers for readiness | -| backend.readinessProbe.failureThreshold | int | `5` | Consecutive failures before marking the container Unready (no restart) | -| backend.readinessProbe.successThreshold | int | `1` | Number of consecutive successes required to mark the container Ready after failures | -| backend.livenessProbe.enabled | bool | `true` | Enable liveness probe | -| backend.livenessProbe.httpGet.path | string | `"/health"` | HTTP GET path for liveness probe | -| backend.livenessProbe.httpGet.port | string | `"{{ .Values.backend.service.http.targetPort }}"` | HTTP GET port for liveness probe. Evaluated as a template. Note: before v25.3 this was hardcoded to 8080 | -| backend.livenessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| backend.livenessProbe.periodSeconds | int | `10` | Regular check interval during normal operation | -| backend.livenessProbe.timeoutSeconds | int | `3` | Short timeout to detect hung containers quickly | -| backend.livenessProbe.failureThreshold | int | `10` | Consecutive failures before restarting the container | -| backend.livenessProbe.successThreshold | int | `1` | Typically 1 (usually ignored) | -| frontend.image.registry | string | `""` | Frontend container image registry | -| frontend.image.repository | string | `"private/nf-tower-enterprise/frontend"` | Frontend container image repository | -| frontend.image.tag | string | `"{{ .chart.AppVersion }}-unprivileged"` | Specify a tag to override the version defined in .Chart.appVersion | -| frontend.image.digest | string | `""` | Frontend container image digest in the format 
`sha256:1234abcdef` | -| frontend.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the frontend container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| frontend.image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| frontend.service.type | string | `"ClusterIP"` | Frontend Service type. Note: ingresses using AWS ALB require the service to be NodePort | -| frontend.service.http.name | string | `"http"` | Service name to use | -| frontend.service.http.port | int | `80` | Service port | -| frontend.service.http.targetPort | int | `8083` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | -| frontend.service.http.nodePort | int | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| frontend.service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| frontend.service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| frontend.initContainers | list | `[]` | Additional init containers for the frontend pod. Evaluated as a template | -| frontend.command | list | `[]` | Override default container command (useful when using custom images) | -| frontend.args | list | `[]` | Override default container args (useful when using custom images) | -| frontend.podLabels | object | `{}` | Additional labels for the frontend pod. 
Evaluated as a template | -| frontend.podAnnotations | object | `{}` | Additional annotations for the frontend pod. Evaluated as a template | -| frontend.extraOptionsSpec | object | `{}` | Extra options to place under .spec (e.g. revisionHistoryLimit, etc). Evaluated as a template. Note: the cron deployment can only run a single replica and use Recreate strategy | -| frontend.extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (for example, nodeSelector, affinity, restartPolicy). Evaluated as a template | -| frontend.extraEnvVars | list | `[]` | Extra environment variables to set on the frontend pod | -| frontend.extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| frontend.extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| frontend.extraVolumes | list | `[]` | Extra volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| frontend.extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). 
Normally used with `extraVolumes` | -| frontend.podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| frontend.podSecurityContext.fsGroup | int | `101` | GID that Kubernetes applies to mounted volumes and created files so processes in the pod can share group-owned access | -| frontend.containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| frontend.containerSecurityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| frontend.containerSecurityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| frontend.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| frontend.containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| frontend.resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| frontend.startupProbe.enabled | bool | `false` | Enable startup probe | -| frontend.startupProbe.httpGet.path | string | `"/health"` | HTTP GET path for startup probe | -| frontend.startupProbe.httpGet.port | string | `"{{ .Values.frontend.service.http.targetPort }}"` | HTTP GET port for startup probe. 
Evaluated as a template | -| frontend.startupProbe.initialDelaySeconds | int | `5` | Longer initial wait to accommodate slow-starting apps | -| frontend.startupProbe.periodSeconds | int | `10` | Often set longer to avoid frequent checks while starting | -| frontend.startupProbe.timeoutSeconds | int | `3` | Can be longer to allow slow initialization responses | -| frontend.startupProbe.failureThreshold | int | `5` | Consecutive failures during startup before killing the container (instead of immediate restarts) | -| frontend.startupProbe.successThreshold | int | `1` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | -| frontend.readinessProbe.enabled | bool | `true` | Enable readiness probe | -| frontend.readinessProbe.httpGet.path | string | `"/health"` | HTTP GET path for readiness probe | -| frontend.readinessProbe.httpGet.port | string | `"{{ .Values.frontend.service.http.targetPort }}"` | HTTP GET port for readiness probe. Evaluated as a template | -| frontend.readinessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| frontend.readinessProbe.periodSeconds | int | `5` | Regular check interval during normal operation | -| frontend.readinessProbe.timeoutSeconds | int | `3` | Short timeout to detect unresponsive containers for readiness | -| frontend.readinessProbe.failureThreshold | int | `5` | Consecutive failures before marking the container Unready (no restart) | -| frontend.readinessProbe.successThreshold | int | `1` | Number of consecutive successes required to mark the container Ready after failures | -| frontend.livenessProbe.enabled | bool | `true` | Enable liveness probe | -| frontend.livenessProbe.httpGet.path | string | `"/health"` | HTTP GET path for liveness probe | -| frontend.livenessProbe.httpGet.port | string | `"{{ .Values.frontend.service.http.targetPort }}"` | HTTP GET port for liveness probe. 
Evaluated as a template | -| frontend.livenessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| frontend.livenessProbe.periodSeconds | int | `10` | Regular check interval during normal operation | -| frontend.livenessProbe.timeoutSeconds | int | `3` | Short timeout to detect hung containers quickly | -| frontend.livenessProbe.failureThreshold | int | `10` | Consecutive failures before restarting the container | -| frontend.livenessProbe.successThreshold | int | `1` | Typically 1 (usually ignored) | -| cron.image.registry | string | `""` | Cron container image registry | -| cron.image.repository | string | `"private/nf-tower-enterprise/backend"` | Cron container image repository | -| cron.image.tag | string | `"{{ .chart.AppVersion }}"` | Cron container image tag | -| cron.image.digest | string | `""` | Cron container image digest in the format `sha256:1234abcdef` | -| cron.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the cron container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| cron.image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| cron.micronautEnvironments | list | `["prod","redis","cron"]` | List of Micronaut Environments to enable on the cron pod | -| cron.service.type | string | `"ClusterIP"` | Cron Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | -| cron.service.http.name | string | `"http"` | Service name to use | -| cron.service.http.port | int | `8080` | Service port | -| cron.service.http.targetPort | int | `8082` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | -| cron.service.http.nodePort | string | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| cron.service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| cron.service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| cron.initContainers | list | `[]` | Additional init containers for the cron pod. Evaluated as a template | -| cron.command | list | `[]` | Override default container command (useful when using custom images) | -| cron.args | list | `[]` | Override default container args (useful when using custom images) | -| cron.podLabels | object | `{}` | Additional labels for the cron pod. Evaluated as a template | -| cron.podAnnotations | object | `{}` | Additional annotations for the cron pod. Evaluated as a template | -| cron.extraOptionsSpec | object | `{}` | Extra options to place under .spec (for example, revisionHistoryLimit). 
Evaluated as a template Note that cron deployment needs to have a single replica with Recreate strategy | -| cron.extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (for example, nodeSelector, affinity, restartPolicy) Evaluated as a template | -| cron.extraEnvVars | list | `[]` | Extra environment variables to set on the cron pod | -| cron.extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| cron.extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| cron.extraVolumes | list | `[]` | Extra volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| cron.extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | -| cron.podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| cron.podSecurityContext.fsGroup | int | `101` | GID that Kubernetes applies to mounted volumes and created files so processes in the pod can share group-owned access | -| cron.containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| cron.containerSecurityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| cron.containerSecurityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| cron.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| cron.containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| cron.resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| cron.startupProbe.enabled | bool | `false` | Enable startup probe | -| cron.startupProbe.httpGet.path | string 
| `"/health"` | HTTP GET path for startup probe | -| cron.startupProbe.httpGet.port | string | `"{{ .Values.cron.service.http.targetPort }}"` | HTTP GET port for startup probe. Evaluated as a template | -| cron.startupProbe.initialDelaySeconds | int | `5` | Longer initial wait to accommodate slow-starting apps | -| cron.startupProbe.periodSeconds | int | `10` | Often set longer to avoid frequent checks while starting | -| cron.startupProbe.timeoutSeconds | int | `3` | Can be longer to allow slow initialization responses | -| cron.startupProbe.failureThreshold | int | `5` | Consecutive failures during startup before killing the container (instead of immediate restarts) | -| cron.startupProbe.successThreshold | int | `1` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | -| cron.readinessProbe.enabled | bool | `true` | Enable readiness probe | -| cron.readinessProbe.httpGet.path | string | `"/health"` | HTTP GET path for readiness probe | -| cron.readinessProbe.httpGet.port | string | `"{{ .Values.cron.service.http.targetPort }}"` | HTTP GET port for readiness probe. 
Evaluated as a template | -| cron.readinessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| cron.readinessProbe.periodSeconds | int | `5` | Regular check interval during normal operation | -| cron.readinessProbe.timeoutSeconds | int | `3` | Short timeout to detect unresponsive containers for readiness | -| cron.readinessProbe.failureThreshold | int | `5` | Consecutive failures before marking the container Unready (no restart) | -| cron.readinessProbe.successThreshold | int | `1` | Number of consecutive successes required to mark the container Ready after failures | -| cron.livenessProbe.enabled | bool | `true` | Enable liveness probe | -| cron.livenessProbe.httpGet.path | string | `"/health"` | HTTP GET path for liveness probe | -| cron.livenessProbe.httpGet.port | string | `"{{ .Values.cron.service.http.targetPort }}"` | HTTP GET port for liveness probe. Evaluated as a template | -| cron.livenessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| cron.livenessProbe.periodSeconds | int | `10` | Regular check interval during normal operation | -| cron.livenessProbe.timeoutSeconds | int | `3` | Short timeout to detect hung containers quickly | -| cron.livenessProbe.failureThreshold | int | `10` | Consecutive failures before restarting the container | -| cron.livenessProbe.successThreshold | int | `1` | Typically 1 (usually ignored) | -| cron.dbMigrationInitContainer.image.registry | string | `""` | Database migration container image registry | -| cron.dbMigrationInitContainer.image.repository | string | `"private/nf-tower-enterprise/migrate-db"` | Database migration container image repository | -| cron.dbMigrationInitContainer.image.tag | string | `"{{ .chart.AppVersion }}"` | Specify a tag to override the version defined in .Chart.appVersion | -| cron.dbMigrationInitContainer.image.digest | string | `""` | Database migration container image digest in the format `sha256:1234abcdef` | 
-| cron.dbMigrationInitContainer.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the database migration init container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| cron.dbMigrationInitContainer.image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| cron.dbMigrationInitContainer.command | list | `["/bin/sh","-c","/migrate-db.sh"]` | Override default container command (useful when using custom images) | -| cron.dbMigrationInitContainer.args | list | `[]` | Override default container args (useful when using custom images) | -| cron.dbMigrationInitContainer.extraEnvVars | list | `[]` | Extra environment variables to set on the cron pod | -| cron.dbMigrationInitContainer.extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| cron.dbMigrationInitContainer.extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| cron.dbMigrationInitContainer.extraVolumes | list | `[]` | Extra volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| cron.dbMigrationInitContainer.extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). 
Normally used with `extraVolumes` | -| cron.dbMigrationInitContainer.containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| cron.dbMigrationInitContainer.containerSecurityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| cron.dbMigrationInitContainer.containerSecurityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| cron.dbMigrationInitContainer.containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| cron.dbMigrationInitContainer.containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| cron.dbMigrationInitContainer.resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.enabled | bool | `true` | Enable init containers that coordinate startup dependencies between Platform components (for example, wait for database readiness before cron starts, wait for cron before backend starts, etc) | -| initContainerDependencies.waitForMySQL.enabled | bool | `true` | Enable wait for MySQL init container before starting backend and cron | -| initContainerDependencies.waitForMySQL.image.registry | string | `""` | Override default wait for MySQL init container image | -| initContainerDependencies.waitForMySQL.image.repository | string | `"mysql"` | | -| initContainerDependencies.waitForMySQL.image.tag | string | `"9"` | | -| initContainerDependencies.waitForMySQL.image.digest | string | `""` | | -| initContainerDependencies.waitForMySQL.image.pullPolicy | string | `"IfNotPresent"` | | -| initContainerDependencies.waitForMySQL.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| 
initContainerDependencies.waitForMySQL.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| initContainerDependencies.waitForMySQL.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForMySQL.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| initContainerDependencies.waitForMySQL.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForMySQL.extraEnvVars | list | `[]` | Additional environment variables for the init container. The special variable `MYSQL_EXTRA_ARGS` is appended verbatim to the `mysql` readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. Pair with `extraVolumeMounts` to mount the CA certificate into the container. Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" | -| initContainerDependencies.waitForMySQL.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container. Use this to mount CA certificates (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that `MYSQL_EXTRA_ARGS` can reference them. 
| -| initContainerDependencies.waitForRedis.enabled | bool | `true` | Enable wait for Redis init container before starting backend and cron | -| initContainerDependencies.waitForRedis.image.registry | string | `""` | Override default wait for Redis init container image | -| initContainerDependencies.waitForRedis.image.repository | string | `"redis"` | | -| initContainerDependencies.waitForRedis.image.tag | string | `"7-alpine"` | | -| initContainerDependencies.waitForRedis.image.digest | string | `""` | | -| initContainerDependencies.waitForRedis.image.pullPolicy | string | `"IfNotPresent"` | | -| initContainerDependencies.waitForRedis.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| initContainerDependencies.waitForRedis.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| initContainerDependencies.waitForRedis.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForRedis.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| initContainerDependencies.waitForRedis.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForRedis.extraEnvVars | list | `[]` | Additional environment variables for the init container | -| initContainerDependencies.waitForRedis.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container (e.g. 
to mount a CA certificate) | -| initContainerDependencies.waitForCron.enabled | bool | `true` | Enable wait for Platform cron init container before starting backend | -| initContainerDependencies.waitForCron.image.registry | string | `""` | Override default wait for cron init container image | -| initContainerDependencies.waitForCron.image.repository | string | `"curlimages/curl"` | | -| initContainerDependencies.waitForCron.image.tag | string | `"latest"` | | -| initContainerDependencies.waitForCron.image.digest | string | `""` | | -| initContainerDependencies.waitForCron.image.pullPolicy | string | `"IfNotPresent"` | | -| initContainerDependencies.waitForCron.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| initContainerDependencies.waitForCron.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| initContainerDependencies.waitForCron.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForCron.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| initContainerDependencies.waitForCron.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForCron.extraEnvVars | list | `[]` | Additional environment variables for the init container | -| initContainerDependencies.waitForCron.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container (e.g. to mount a CA certificate) | -| serviceAccount.name | string | `""` | Name of an existing ServiceAccount. 
If not set, a new ServiceAccount is generated based on the release name | -| serviceAccount.annotations | object | `{}` | Additional annotations for the ServiceAccount to generate | -| serviceAccount.imagePullSecretNames | list | `[]` | Names of Secrets containing credentials to pull images from registries | -| serviceAccount.automountServiceAccountToken | bool | `false` | Automount service account token when the service account is generated | -| ingress.enabled | bool | `false` | Enable ingress for Platform | -| ingress.path | string | `""` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | -| ingress.contentPath | string | `"/"` | Path for the content domain ingress rule | -| ingress.defaultPathType | string | `""` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | -| ingress.defaultBackend | object | `{}` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | -| ingress.extraHosts | list | `[]` | Additional hosts you want to include. Evaluated as a template | -| ingress.annotations | object | `{}` | Ingress annotations specific to your load balancer. Evaluated as a template | -| ingress.extraLabels | object | `{}` | Additional labels for the ingress object. Evaluated as a template | -| ingress.ingressClassName | string | `""` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | -| ingress.tls | list | `[]` | TLS configuration. 
Evaluated as a template | -| extraDeploy | list | `[]` | Array of extra objects to deploy with the release | -| commonAnnotations | object | `{}` | Annotations to add to all deployed objects | -| commonLabels | object | `{}` | Labels to add to all deployed objects | -| studios.enabled | bool | `true` | Enable Studios feature. Refer to the subchart README for more details and the full list of configuration options | -| studios.proxy.oidcClientRegistrationTokenSecretName | string | `"{{ printf \"%s-platform-backend\" .Release.Name }}"` | | -| studios.proxy.oidcClientRegistrationTokenSecretKey | string | `"OIDC_CLIENT_REGISTRATION_TOKEN"` | | -| pipeline-optimization.enabled | bool | `true` | Enable pipeline optimization feature. Refer to the subchart README for more details and the full list of configuration options | -| mcp.enabled | bool | `true` | Enable the Seqera Model Context Protocol (MCP) service. Refer to the subchart README for more details and the full list of configuration options | -| mcp.oidcToken.existingSecretName | string | `"{{ printf \"%s-platform-backend\" .Release.Name }}"` | | -| mcp.oidcToken.existingSecretKey | string | `"OIDC_CLIENT_REGISTRATION_TOKEN"` | | -| agent-backend.enabled | bool | `true` | Enable agent backend feature used by seqera cli ai command. Refer to the subchart README for more details and the full list of configuration options | -| portal-web.enabled | bool | `true` | Enable portal web frontend. 
Refer to the subchart README for more details and the full list of configuration options | +| initContainerDependencies.waitForMySQL.image.repository | string | ``"mysql"`` | | +| initContainerDependencies.waitForMySQL.image.tag | string | ``"9"`` | | +| initContainerDependencies.waitForMySQL.image.digest | string | ``""`` | | +| initContainerDependencies.waitForMySQL.image.pullPolicy | string | ``"IfNotPresent"`` | | +| initContainerDependencies.waitForRedis.image.repository | string | ``"redis"`` | | +| initContainerDependencies.waitForRedis.image.tag | string | ``"7-alpine"`` | | +| initContainerDependencies.waitForRedis.image.digest | string | ``""`` | | +| initContainerDependencies.waitForRedis.image.pullPolicy | string | ``"IfNotPresent"`` | | +| initContainerDependencies.waitForCron.image.repository | string | ``"curlimages/curl"`` | | +| initContainerDependencies.waitForCron.image.tag | string | ``"latest"`` | | +| initContainerDependencies.waitForCron.image.digest | string | ``""`` | | +| initContainerDependencies.waitForCron.image.pullPolicy | string | ``"IfNotPresent"`` | | +| studios.proxy.oidcClientRegistrationTokenSecretName | string | ``"{{ printf \"%s-platform-backend\" .Release.Name }}"`` | | +| studios.proxy.oidcClientRegistrationTokenSecretKey | string | ``"OIDC_CLIENT_REGISTRATION_TOKEN"`` | | +| mcp.oidcToken.existingSecretName | string | ``"{{ printf \"%s-platform-backend\" .Release.Name }}"`` | | +| mcp.oidcToken.existingSecretKey | string | ``"OIDC_CLIENT_REGISTRATION_TOKEN"`` | | ## Licensing diff --git a/charts/platform/README.md.gotmpl b/charts/platform/README.md.gotmpl index d41eed9..1ebf95c 100644 --- a/charts/platform/README.md.gotmpl +++ b/charts/platform/README.md.gotmpl 
@@ -59,7 +59,29 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md {{ template "chart.requirementsSection" . }} -{{ template "chart.valuesSection" . }} +## Values + +{{- range .Sections.Sections }} + +### {{ .SectionName }} + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .SectionItems }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} + +{{- with .Sections.DefaultSection.SectionItems }} + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range . }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} ## Licensing diff --git a/charts/platform/charts/agent-backend/CHANGELOG.md b/charts/platform/charts/agent-backend/CHANGELOG.md index cbd32ae..93e396e 100644 --- a/charts/platform/charts/agent-backend/CHANGELOG.md +++ b/charts/platform/charts/agent-backend/CHANGELOG.md 
@@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [Unreleased] + +### Changed + +- Annotated `values.yaml` with `# @section` markers and switched `README.md.gotmpl` to a per-section Markdown loop, grouping the generated values table by area instead of one flat list. + ## [0.5.0] - 2026-05-05 - **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services). diff --git a/charts/platform/charts/agent-backend/README.md b/charts/platform/charts/agent-backend/README.md index 7f80824..a6caab0 100644 --- a/charts/platform/charts/agent-backend/README.md +++ b/charts/platform/charts/agent-backend/README.md 
@@ -14,7 +14,6 @@ The chart does not automatically define `cr.seqera.io` as the registry where to The required values to set in order to have a working installation are: - The `.image` section to point to your container registry. -- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort`. These point to the Platform backend service that the Agent Backend communicates with. When deploying this subchart as part of the parent `platform` umbrella chart, these values are inherited automatically from the parent chart's `global` section. - The database connection details for the MySQL database under the `.database` section. - The redis connection details under the `.redis` section. - The Bedrock AgentCore runtime ARN under the `.bedrockAgentCoreArn` section. 
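Review bot: the rows that land under the new "Other Values" section at the end of the `charts/platform/README.md` hunk (`initContainerDependencies.waitForMySQL.image.repository`/`.tag`/`.digest`/`.pullPolicy`, the same four for `waitForRedis` and `waitForCron`, `studios.proxy.oidcClientRegistrationTokenSecretName`/`SecretKey` and `mcp.oidcToken.existingSecretName`/`SecretKey`) are exactly the keys whose Description column is empty, which means their `values.yaml` comments carry neither a `# @section` marker nor a `# --` description. Annotate them so `initContainerDependencies.waitForMySQL.image.tag` sits next to `initContainerDependencies.waitForMySQL.image.registry` instead of in a catch-all section, and give the OIDC keys a description: as generated, a reader sees only that the default Secret name is `{{ printf "%s-platform-backend" .Release.Name }}` and the key is `OIDC_CLIENT_REGISTRATION_TOKEN`, with nothing saying that this is the platform backend's own Secret and when an operator should point it elsewhere.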
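Review bot: in the `README.md.gotmpl` hunk, both row templates wrap the Default column in literal backticks (`` `{{ .Default }}` `` / `` `{{ .AutoDefault }}` ``), but the auto default that helm-docs produces already includes backticks, which is why every default in the regenerated tables in this patch appears with doubled delimiters (``"mysql"``, ``"9"``, ``""``) where the removed rows had `"mysql"`, `"9"`, `""`. Drop the surrounding backticks and emit `{{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }}` as the stock `chart.valuesTable` does; otherwise a `# @default` override will also render differently from an auto default. Separately, the row line is duplicated verbatim between the `.Sections.Sections` loop and the `Other Values` block; a single `{{- define }}` used from both places keeps the two from drifting apart.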
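Review bot: the `charts/platform/charts/agent-backend/README.md` hunk at `@@ -14,7 +14,6 @@` removes the only prose that tells a standalone installer to set `.global.platformServiceAddress` and `.global.platformServicePort`, while the regenerated values table in this same patch still describes both as "Required when deploying this subchart standalone". The required-values list and the table now disagree. Keep a shortened bullet rather than dropping it, for example `- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort` when deploying standalone; inherited from the parent `platform` chart otherwise.`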
@@ -59,165 +58,302 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md ## Values +### Global + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.platformExternalDomain | string | ``"example.com"`` | Domain where Seqera Platform listens | +| global.platformServiceAddress | string | ``""`` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | +| global.platformServicePort | string | ``""`` | Seqera Platform Service port. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | +| global.agentBackendDomain | string | ``"{{ printf \"ai-api.%s\" .Values.global.platformExternalDomain }}"`` | Domain where the Agent Backend service listens. Evaluated as a template | +| global.mcpDomain | string | ``"{{ printf \"mcp.%s\" .Values.global.platformExternalDomain }}"`` | Domain where Seqera MCP listens. Evaluated as a template | + +### Global: Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.ingress.enabled | bool | ``false`` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | +| global.ingress.path | string | ``"/"`` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | +| global.ingress.defaultPathType | string | ``"Prefix"`` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. 
| +| global.ingress.ingressClassName | string | ``""`` | Default ingress class name applied when `ingress.ingressClassName` is not set | +| global.ingress.annotations | object | ``{}`` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | +| global.ingress.extraLabels | object | ``{}`` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | +| global.ingress.tls | list | ``[]`` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | + +### Global: Image Credentials + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.imageCredentials | list | ``[]`` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | +| global.imageCredentialsSecrets | list | ``[]`` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | + +### Database + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| database.host | string | ``""`` | MySQL database hostname | +| database.port | int | ``3306`` | MySQL database port | +| database.name | string | ``""`` | MySQL database name | +| database.username | string | ``""`` | MySQL database username | +| database.password | string | ``""`` | MySQL database password | +| database.existingSecretName | string | ``""`` | Name of an existing Secret containing credentials for the MySQL database, as an alternative to the password field. 
Note: the Secret must already exist in the same namespace at the time of deployment | +| database.existingSecretKey | string | ``"AGENT_BACKEND_DB_PASSWORD"`` | Key in the existing Secret containing the password for the MySQL database | +| database.enableTls | bool | ``false`` | Enable TLS for the MySQL database connection | +| database.tlsCaVerify | bool | ``true`` | Verify the CA certificate when connecting via TLS (set to false to skip verification, insecure - for development/testing only) | +| database.sslCa | string | ``""`` | Path to a CA certificate file for server certificate verification | + +### Redis + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| redis.host | string | ``""`` | Redis hostname | +| redis.port | int | ``6379`` | Redis port | +| redis.db | int | ``0`` | Redis database index | +| redis.enableTls | bool | ``false`` | Enable TLS when connecting to Redis | +| redis.password | string | ``""`` | Redis password | +| redis.existingSecretName | string | ``""`` | Name of an existing Secret containing the Redis password, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | +| redis.existingSecretKey | string | ``"AGENT_BACKEND_REDIS_PASSWORD"`` | Key in the existing Secret containing the Redis password | + +### Bedrock + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| bedrockAgentCoreArn | string | ``""`` | AWS Bedrock AgentCore runtime ARN for sandbox sessions | +| bedrockAssumeRoleArn | string | ``""`` | Optional IAM role ARN that the Agent Backend assumes for cross-account Bedrock access. Leave empty to let the pod directly use the AWS credentials provided to it (single-account setup). | +| bedrockAnthropicModel | string | ``""`` | Override the Anthropic model used on Bedrock by specifying an inference profile ARN. 
You can create a custom inference profile that uses the Anthropic model you want or use the default inference profile for the model provided by AWS. When doing cross-account access with `bedrockAssumeRoleArn`, you may want to specify an inference profile ARN on the account where the hop role is defined | + +### Embeddings + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| embeddings.bedrock.region | string | ``""`` | AWS region where the Bedrock model is hosted | +| embeddings.bedrock.modelId | string | ``"amazon.titan-embed-text-v2:0"`` | Bedrock model ID used for embeddings | +| embeddings.bedrock.dimensions | string | ``"1024"`` | Embedding vector dimensions expected from the configured Bedrock model | + +### Nextflow Docs + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| nextflowDocs.useRedisIndex | bool | ``false`` | Use a Redis-backed vector index for the Nextflow documentation knowledge base. Disabled by default. | + +### Anthropic API Key + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| anthropicApiKey | string | ``""`` | Anthropic API key. Define the value as a String or a Secret, not both at the same time | +| anthropicApiKeyExistingSecretName | string | ``""`` | Name of an existing Secret containing the Anthropic API key. Note: the Secret must already exist in the same namespace at the time of deployment | +| anthropicApiKeyExistingSecretKey | string | ``"ANTHROPIC_API_KEY"`` | Key in the existing Secret containing the Anthropic API key | + +### Token Encryption Key + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| tokenEncryptionKey | string | ``""`` | Token encryption key (must be a valid Fernet key). Define the value as a String or a Secret, not both at the same time. If not defined, a random Fernet key will be auto-generated at each deployment. 
WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | +| tokenEncryptionKeyExistingSecretName | string | ``""`` | Name of an existing Secret containing the token encryption key. Note: the Secret must already exist in the same namespace at the time of deployment | +| tokenEncryptionKeyExistingSecretKey | string | ``"AGENT_BACKEND_TOKEN_ENCRYPTION_KEY"`` | Key in the existing Secret containing the token encryption key | + +### Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.registry | string | ``""`` | Container image registry | +| image.repository | string | ``"private/nf-tower-enterprise/agent-backend"`` | Container image repository | +| image.tag | string | ``"{{ .chart.AppVersion }}"`` | Container image tag | +| image.digest | string | ``""`` | Container image digest in the format `sha256:1234abcdef` | +| image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### Deployment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| logLevel | string | ``"INFO"`` | Log level (one of CRITICAL, ERROR, WARNING, INFO, DEBUG) | +| initContainers | list | ``[]`` | Additional init containers for the pod. 
Evaluated as a template | +| command | list | ``[]`` | Override default container command (useful when using custom images) | +| args | list | ``[]`` | Override default container args (useful when using custom images) | +| podLabels | object | ``{}`` | Additional labels for the pod. Evaluated as a template | +| podAnnotations | object | ``{}`` | Additional annotations for the pod. Evaluated as a template | +| extraOptionsSpec | object | ``{}`` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | +| extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). Evaluated as a template | +| extraEnvVars | list | ``[]`` | Extra environment variables | +| extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | +| extraVolumes | list | ``[]`` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | +| resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| service | object | ``{"extraOptions":{},"extraServices":[],"http":{"name":"http","nodePort":null,"port":80,"targetPort":8002},"type":"ClusterIP"}`` | Service configuration | +| service.type | string | ``"ClusterIP"`` | Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | +| service.http.name | string | ``"http"`` | Service name to use | +| service.http.port | int | ``80`` | Service port | +| service.http.targetPort | int | ``8002`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | +| service.http.nodePort | string | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | +| service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | + +### DB Migration Init Container + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| dbMigrationInitContainer.command | list | ``["./init.sh"]`` | Command to run in the init container performing DB migrations | +| dbMigrationInitContainer.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | + +### DB Migration Init Container: Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| dbMigrationInitContainer.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| dbMigrationInitContainer.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| dbMigrationInitContainer.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place 
writes or tampering | +| dbMigrationInitContainer.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Pod Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| podSecurityContext.fsGroup | int | ``101`` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | + +### Container Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| containerSecurityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| containerSecurityContext.runAsNonRoot | bool | ``true`` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | +| containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | +| containerSecurityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Init Container Dependencies + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.enabled | bool | ``true`` | Enable init containers that coordinate startup dependencies | + +### Init Container Dependencies: Wait For Redis + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForRedis.enabled | bool | ``true`` | Enable wait for Redis init container before starting the main container | +| initContainerDependencies.waitForRedis.image.registry | string | ``""`` | Override default wait for Redis init container image | +| 
initContainerDependencies.waitForRedis.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForRedis.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID is 0) | +| initContainerDependencies.waitForRedis.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForRedis.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForRedis.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForRedis.extraEnvVars | list | ``[]`` | Additional environment variables for the init container | +| initContainerDependencies.waitForRedis.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container (e.g. 
to mount a CA certificate) | + +### Init Container Dependencies: Wait For MySQL + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForMySQL.enabled | bool | ``true`` | Enable wait for MySQL init container before starting the main container | +| initContainerDependencies.waitForMySQL.image.registry | string | ``""`` | Override default wait for MySQL init container image | +| initContainerDependencies.waitForMySQL.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForMySQL.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID is 0) | +| initContainerDependencies.waitForMySQL.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForMySQL.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForMySQL.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForMySQL.extraEnvVars | list | ``[]`` | Additional environment variables for the init container. The special variable `MYSQL_EXTRA_ARGS` is appended verbatim to the `mysql` readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. Pair with `extraVolumeMounts` to mount the CA certificate into the container. 
Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" | +| initContainerDependencies.waitForMySQL.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container. Use this to mount CA certificates (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that `MYSQL_EXTRA_ARGS` can reference them. | + +### Startup Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| startupProbe.enabled | bool | ``false`` | Enable startup probe | +| startupProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for startup probe | +| startupProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for startup probe. Evaluated as a template | +| startupProbe.initialDelaySeconds | int | ``5`` | Longer initial wait to accommodate slow-starting apps | +| startupProbe.periodSeconds | int | ``10`` | Often set longer to avoid frequent checks while starting | +| startupProbe.timeoutSeconds | int | ``3`` | Can be longer to allow slow initialization responses | +| startupProbe.failureThreshold | int | ``5`` | Consecutive failures during startup before killing the container (instead of immediate restarts) | +| startupProbe.successThreshold | int | ``1`` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | + +### Readiness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| readinessProbe.enabled | bool | ``true`` | Enable readiness probe | +| readinessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for readiness probe | +| readinessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for readiness probe. 
Evaluated as a template | +| readinessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| readinessProbe.periodSeconds | int | ``5`` | Regular check interval during normal operation | +| readinessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect unresponsive containers for readiness | +| readinessProbe.failureThreshold | int | ``5`` | Consecutive failures before marking the container Unready (no restart) | +| readinessProbe.successThreshold | int | ``1`` | Number of consecutive successes required to mark the container Ready after failures | + +### Liveness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| livenessProbe.enabled | bool | ``true`` | Enable liveness probe | +| livenessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for liveness probe | +| livenessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for liveness probe. Evaluated as a template | +| livenessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| livenessProbe.periodSeconds | int | ``10`` | Regular check interval during normal operation | +| livenessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect hung containers quickly | +| livenessProbe.failureThreshold | int | ``10`` | Consecutive failures before restarting the container | +| livenessProbe.successThreshold | int | ``1`` | Typically 1 (usually ignored) | + +### Service Account + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| serviceAccount | object | ``{"annotations":{},"automountServiceAccountToken":true,"imagePullSecretNames":[],"name":""}`` | Service account configuration | +| serviceAccount.name | string | ``""`` | Service account name | +| serviceAccount.annotations | object | ``{}`` | Service account annotations | +| serviceAccount.imagePullSecretNames | list | ``[]`` | Names of Secrets containing 
credentials to pull images from registries | +| serviceAccount.automountServiceAccountToken | bool | ``true`` | Automatically mount service account token | + +### Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| ingress.enabled | bool | ``false`` | Enable ingress for Agent Backend | +| ingress.path | string | ``""`` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | +| ingress.defaultPathType | string | ``""`` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | +| ingress.defaultBackend | object | ``{}`` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | +| ingress.extraHosts | list | ``[]`` | Additional hosts you want to include. Evaluated as a template | +| ingress.annotations | object | ``{}`` | Ingress annotations specific to your load balancer. Evaluated as a template | +| ingress.extraLabels | object | ``{}`` | Additional labels for the ingress object. Evaluated as a template | +| ingress.ingressClassName | string | ``""`` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | +| ingress.tls | list | ``[]`` | TLS configuration. 
Evaluated as a template | + +### Extra Deploy + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraDeploy | list | ``[]`` | Array of extra objects to deploy with the release | + +### Common Metadata + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | ``{}`` | Annotations to add to all deployed objects | +| commonLabels | object | ``{}`` | Labels to add to all deployed objects | +| secretLabels | object | ``{}`` | Additional labels for the Secret objects. Evaluated as a template | +| secretAnnotations | object | ``{}`` | Additional annotations for the Secret objects. Evaluated as a template | +| configMapLabels | object | ``{}`` | Additional labels for the ConfigMap objects. Evaluated as a template | +| configMapAnnotations | object | ``{}`` | Additional annotations for the ConfigMap objects. Evaluated as a template | + +### Other Values + | Key | Type | Default | Description | |-----|------|---------|-------------| -| global.platformExternalDomain | string | `"example.com"` | Domain where Seqera Platform listens | -| global.platformServiceAddress | string | `""` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | -| global.platformServicePort | string | `""` | Seqera Platform Service port. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | -| global.agentBackendDomain | string | `"{{ printf \"ai-api.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Agent Backend service listens. 
Evaluated as a template | -| global.mcpDomain | string | `"{{ printf \"mcp.%s\" .Values.global.platformExternalDomain }}"` | Domain where Seqera MCP listens. Evaluated as a template | -| global.ingress.enabled | bool | `false` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | -| global.ingress.path | string | `"/"` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | -| global.ingress.defaultPathType | string | `"Prefix"` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. | -| global.ingress.ingressClassName | string | `""` | Default ingress class name applied when `ingress.ingressClassName` is not set | -| global.ingress.annotations | object | `{}` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | -| global.ingress.extraLabels | object | `{}` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | -| global.ingress.tls | list | `[]` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | -| global.imageCredentials | list | `[]` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | -| global.imageCredentialsSecrets | list | `[]` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. 
These Secrets are shared with all the subcharts automatically | -| database.host | string | `""` | MySQL database hostname | -| database.port | int | `3306` | MySQL database port | -| database.name | string | `""` | MySQL database name | -| database.username | string | `""` | MySQL database username | -| database.password | string | `""` | MySQL database password | -| database.existingSecretName | string | `""` | Name of an existing Secret containing credentials for the MySQL database, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | -| database.existingSecretKey | string | `"AGENT_BACKEND_DB_PASSWORD"` | Key in the existing Secret containing the password for the MySQL database | -| database.enableTls | bool | `false` | Enable TLS for the MySQL database connection | -| database.tlsCaVerify | bool | `true` | Verify the CA certificate when connecting via TLS (set to false to skip verification, insecure - for development/testing only) | -| database.sslCa | string | `""` | Path to a CA certificate file for server certificate verification | -| redis.host | string | `""` | Redis hostname | -| redis.port | int | `6379` | Redis port | -| redis.db | int | `0` | Redis database index | -| redis.enableTls | bool | `false` | Enable TLS when connecting to Redis | -| redis.password | string | `""` | Redis password | -| redis.existingSecretName | string | `""` | Name of an existing Secret containing the Redis password, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | -| redis.existingSecretKey | string | `"AGENT_BACKEND_REDIS_PASSWORD"` | Key in the existing Secret containing the Redis password | -| bedrockAgentCoreArn | string | `""` | AWS Bedrock AgentCore runtime ARN for sandbox sessions | -| bedrockAssumeRoleArn | string | `""` | Optional IAM role ARN that the Agent Backend assumes for cross-account Bedrock access. 
Leave empty to let the pod directly use the AWS credentials provided to it (single-account setup). | -| bedrockAnthropicModel | string | `""` | Override the Anthropic model used on Bedrock by specifying an inference profile ARN. You can create a custom inference profile that uses the Anthropic model you want or use the default inference profile for the model provided by AWS. When doing cross-account access with `bedrockAssumeRoleArn`, you may want to specify an inference profile ARN on the account where the hop role is defined | -| embeddings.bedrock.region | string | `""` | AWS region where the Bedrock model is hosted | -| embeddings.bedrock.modelId | string | `"amazon.titan-embed-text-v2:0"` | Bedrock model ID used for embeddings | -| embeddings.bedrock.dimensions | string | `"1024"` | Embedding vector dimensions expected from the configured Bedrock model | -| nextflowDocs.useRedisIndex | bool | `false` | Use a Redis-backed vector index for the Nextflow documentation knowledge base. Disabled by default. | -| anthropicApiKey | string | `""` | Anthropic API key. Define the value as a String or a Secret, not both at the same time | -| anthropicApiKeyExistingSecretName | string | `""` | Name of an existing Secret containing the Anthropic API key. Note: the Secret must already exist in the same namespace at the time of deployment | -| anthropicApiKeyExistingSecretKey | string | `"ANTHROPIC_API_KEY"` | Key in the existing Secret containing the Anthropic API key | -| tokenEncryptionKey | string | `""` | Token encryption key (must be a valid Fernet key). Define the value as a String or a Secret, not both at the same time. If not defined, a random Fernet key will be auto-generated at each deployment. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. 
When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | -| tokenEncryptionKeyExistingSecretName | string | `""` | Name of an existing Secret containing the token encryption key. Note: the Secret must already exist in the same namespace at the time of deployment | -| tokenEncryptionKeyExistingSecretKey | string | `"AGENT_BACKEND_TOKEN_ENCRYPTION_KEY"` | Key in the existing Secret containing the token encryption key | -| image.registry | string | `""` | Container image registry | -| image.repository | string | `"private/nf-tower-enterprise/agent-backend"` | Container image repository | -| image.tag | string | `"{{ .chart.AppVersion }}"` | Container image tag | -| image.digest | string | `""` | Container image digest in the format `sha256:1234abcdef` | -| image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| logLevel | string | `"INFO"` | Log level (one of CRITICAL, ERROR, WARNING, INFO, DEBUG) | -| service | object | `{"extraOptions":{},"extraServices":[],"http":{"name":"http","nodePort":null,"port":80,"targetPort":8002},"type":"ClusterIP"}` | Service configuration | -| service.type | string | `"ClusterIP"` | Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | -| service.http.name | string | `"http"` | Service name to use | -| service.http.port | int | `80` | Service port | -| service.http.targetPort | int | `8002` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | -| service.http.nodePort | string | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| dbMigrationInitContainer.command | list | `["./init.sh"]` | Command to run in the init container performing DB migrations | -| dbMigrationInitContainer.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| dbMigrationInitContainer.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| dbMigrationInitContainer.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| dbMigrationInitContainer.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| dbMigrationInitContainer.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainers | list | `[]` | Additional init containers for the pod. 
Evaluated as a template | -| command | list | `[]` | Override default container command (useful when using custom images) | -| args | list | `[]` | Override default container args (useful when using custom images) | -| podLabels | object | `{}` | Additional labels for the pod. Evaluated as a template | -| podAnnotations | object | `{}` | Additional annotations for the pod. Evaluated as a template | -| extraOptionsSpec | object | `{}` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | -| extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). Evaluated as a template | -| extraEnvVars | list | `[]` | Extra environment variables | -| extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| extraVolumes | list | `[]` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). 
Normally used with `extraVolumes` | -| podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| podSecurityContext.fsGroup | int | `101` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | -| containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| containerSecurityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| containerSecurityContext.runAsNonRoot | bool | `true` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | -| containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | -| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.enabled | bool | `true` | Enable init containers that coordinate startup dependencies | -| initContainerDependencies.waitForRedis.enabled | bool | `true` | Enable wait for Redis init container before starting the main container | -| initContainerDependencies.waitForRedis.image.registry | string | `""` | Override default wait for Redis init container image | -| initContainerDependencies.waitForRedis.image.repository | string | `"redis"` | | -| initContainerDependencies.waitForRedis.image.tag | string | `"7-alpine"` | | -| initContainerDependencies.waitForRedis.image.digest | string | `""` | | -| initContainerDependencies.waitForRedis.image.pullPolicy | string | `"IfNotPresent"` | | -| initContainerDependencies.waitForRedis.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| 
initContainerDependencies.waitForRedis.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID is 0) | -| initContainerDependencies.waitForRedis.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForRedis.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| initContainerDependencies.waitForRedis.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForRedis.extraEnvVars | list | `[]` | Additional environment variables for the init container | -| initContainerDependencies.waitForRedis.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container (e.g. to mount a CA certificate) | -| initContainerDependencies.waitForMySQL.enabled | bool | `true` | Enable wait for MySQL init container before starting the main container | -| initContainerDependencies.waitForMySQL.image.registry | string | `""` | Override default wait for MySQL init container image | -| initContainerDependencies.waitForMySQL.image.repository | string | `"mysql"` | | -| initContainerDependencies.waitForMySQL.image.tag | string | `"9"` | | -| initContainerDependencies.waitForMySQL.image.digest | string | `""` | | -| initContainerDependencies.waitForMySQL.image.pullPolicy | string | `"IfNotPresent"` | | -| initContainerDependencies.waitForMySQL.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| initContainerDependencies.waitForMySQL.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID is 0) | -| 
initContainerDependencies.waitForMySQL.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForMySQL.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| initContainerDependencies.waitForMySQL.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForMySQL.extraEnvVars | list | `[]` | Additional environment variables for the init container. The special variable `MYSQL_EXTRA_ARGS` is appended verbatim to the `mysql` readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. Pair with `extraVolumeMounts` to mount the CA certificate into the container. Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" | -| initContainerDependencies.waitForMySQL.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container. Use this to mount CA certificates (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that `MYSQL_EXTRA_ARGS` can reference them. | -| startupProbe.enabled | bool | `false` | Enable startup probe | -| startupProbe.httpGet.path | string | `"/health"` | HTTP GET path for startup probe | -| startupProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for startup probe. 
Evaluated as a template | -| startupProbe.initialDelaySeconds | int | `5` | Longer initial wait to accommodate slow-starting apps | -| startupProbe.periodSeconds | int | `10` | Often set longer to avoid frequent checks while starting | -| startupProbe.timeoutSeconds | int | `3` | Can be longer to allow slow initialization responses | -| startupProbe.failureThreshold | int | `5` | Consecutive failures during startup before killing the container (instead of immediate restarts) | -| startupProbe.successThreshold | int | `1` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | -| readinessProbe.enabled | bool | `true` | Enable readiness probe | -| readinessProbe.httpGet.path | string | `"/health"` | HTTP GET path for readiness probe | -| readinessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for readiness probe. Evaluated as a template | -| readinessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| readinessProbe.periodSeconds | int | `5` | Regular check interval during normal operation | -| readinessProbe.timeoutSeconds | int | `3` | Short timeout to detect unresponsive containers for readiness | -| readinessProbe.failureThreshold | int | `5` | Consecutive failures before marking the container Unready (no restart) | -| readinessProbe.successThreshold | int | `1` | Number of consecutive successes required to mark the container Ready after failures | -| livenessProbe.enabled | bool | `true` | Enable liveness probe | -| livenessProbe.httpGet.path | string | `"/health"` | HTTP GET path for liveness probe | -| livenessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for liveness probe. 
Evaluated as a template | -| livenessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| livenessProbe.periodSeconds | int | `10` | Regular check interval during normal operation | -| livenessProbe.timeoutSeconds | int | `3` | Short timeout to detect hung containers quickly | -| livenessProbe.failureThreshold | int | `10` | Consecutive failures before restarting the container | -| livenessProbe.successThreshold | int | `1` | Typically 1 (usually ignored) | -| serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":true,"imagePullSecretNames":[],"name":""}` | Service account configuration | -| serviceAccount.name | string | `""` | Service account name | -| serviceAccount.annotations | object | `{}` | Service account annotations | -| serviceAccount.imagePullSecretNames | list | `[]` | Names of Secrets containing credentials to pull images from registries | -| serviceAccount.automountServiceAccountToken | bool | `true` | Automatically mount service account token | -| ingress.enabled | bool | `false` | Enable ingress for Agent Backend | -| ingress.path | string | `""` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | -| ingress.defaultPathType | string | `""` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | -| ingress.defaultBackend | object | `{}` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | -| ingress.extraHosts | list | `[]` | Additional hosts you want to include. Evaluated as a template | -| ingress.annotations | object | `{}` | Ingress annotations specific to your load balancer. Evaluated as a template | -| ingress.extraLabels | object | `{}` | Additional labels for the ingress object. 
Evaluated as a template | -| ingress.ingressClassName | string | `""` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | -| ingress.tls | list | `[]` | TLS configuration. Evaluated as a template | -| extraDeploy | list | `[]` | Array of extra objects to deploy with the release | -| commonAnnotations | object | `{}` | Annotations to add to all deployed objects | -| commonLabels | object | `{}` | Labels to add to all deployed objects | -| secretLabels | object | `{}` | Additional labels for the Secret objects. Evaluated as a template | -| secretAnnotations | object | `{}` | Additional annotations for the Secret objects. Evaluated as a template | -| configMapLabels | object | `{}` | Additional labels for the ConfigMap objects. Evaluated as a template | -| configMapAnnotations | object | `{}` | Additional annotations for the ConfigMap objects. Evaluated as a template | +| initContainerDependencies.waitForRedis.image.repository | string | ``"redis"`` | | +| initContainerDependencies.waitForRedis.image.tag | string | ``"7-alpine"`` | | +| initContainerDependencies.waitForRedis.image.digest | string | ``""`` | | +| initContainerDependencies.waitForRedis.image.pullPolicy | string | ``"IfNotPresent"`` | | +| initContainerDependencies.waitForMySQL.image.repository | string | ``"mysql"`` | | +| initContainerDependencies.waitForMySQL.image.tag | string | ``"9"`` | | +| initContainerDependencies.waitForMySQL.image.digest | string | ``""`` | | +| initContainerDependencies.waitForMySQL.image.pullPolicy | string | ``"IfNotPresent"`` | | ## Licensing diff --git a/charts/platform/charts/agent-backend/README.md.gotmpl b/charts/platform/charts/agent-backend/README.md.gotmpl index e3eab02..6582683 100644 --- a/charts/platform/charts/agent-backend/README.md.gotmpl +++ b/charts/platform/charts/agent-backend/README.md.gotmpl 
@@ -13,7 +13,6 @@ The chart does not automatically define `cr.seqera.io` as the registry where to The required values to set in order to have a working installation are: - The `.image` section to point to your container registry. -- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort`. These point to the Platform backend service that the Agent Backend communicates with. When deploying this subchart as part of the parent `platform` umbrella chart, these values are inherited automatically from the parent chart's `global` section. - The database connection details for the MySQL database under the `.database` section. - The redis connection details under the `.redis` section. - The Bedrock AgentCore runtime ARN under the `.bedrockAgentCoreArn` section. @@ -51,7 +50,29 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md {{ template "chart.requirementsSection" . }} -{{ template "chart.valuesSection" . }} +## Values + +{{- range .Sections.Sections }} + +### {{ .SectionName }} + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .SectionItems }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} + +{{- with .Sections.DefaultSection.SectionItems }} + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range . }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} ## Licensing 
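Review bot: The `-` bullet removed from the "required values" list in the first hunk (`.global.platformServiceAddress` and `.global.platformServicePort`) conflicts with the `values.yaml` comments further down in this same diff, which still say both values are "Required when deploying this subchart standalone" and are only inherited when installed under the parent `platform` chart. If the README is meant to stop listing them, the comments should say why they are no longer required; otherwise keep the bullet, since a standalone install with the default `""` values will not reach the Platform backend and the README is where that requirement was documented.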
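Review bot: In the second hunk the `| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | ...` rows wrap `.Default` and `.AutoDefault` in literal backticks, but both fields already carry backticks (the `# @default -- `"AGENT_BACKEND_DB_PASSWORD"`` annotations in `values.yaml` include them, and helm-docs emits auto defaults backticked), which is why the regenerated README rows above read ``"redis"`` and ``"IfNotPresent"`` with doubled backticks. Suggest `{{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }}`, the form the built-in `chart.valuesTable` template uses, so the Default column renders the same way it did before the per-section loop; the same line is duplicated in the `Other Values` block and needs the same fix.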
diff --git a/charts/platform/charts/agent-backend/tests/__snapshot__/deployment_test.yaml.snap b/charts/platform/charts/agent-backend/tests/__snapshot__/deployment_test.yaml.snap index 3717331..8f0d622 100644 --- a/charts/platform/charts/agent-backend/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/platform/charts/agent-backend/tests/__snapshot__/deployment_test.yaml.snap @@ -129,7 +129,7 @@ should render a Deployment with default values: - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'"; until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS diff --git a/charts/platform/charts/agent-backend/values.yaml b/charts/platform/charts/agent-backend/values.yaml index 2e868c6..1f39f08 100644 --- a/charts/platform/charts/agent-backend/values.yaml +++ b/charts/platform/charts/agent-backend/values.yaml 
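Review bot: The `+` line in this snapshot hunk now expects the wait-for-Redis init container to print `'$REDISCLI_AUTH'` in clear text (`starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'`), replacing the `-` line that only logged whether auth was set. No deployment template change appears in this diff, so the snapshot looks regenerated against an older template rather than reflecting an intended change; accepting it locks in a test that expects the Redis password to be written to pod logs and to whatever log pipeline collects them. Suggest keeping the `if [ -n "$REDISCLI_AUTH" ]; then ... (auth set) ... else ... (auth not set); fi` form, re-running the snapshot tests against the current template, and dropping this hunk if the template has not actually changed.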
@@ -19,22 +19,27 @@ # .Values.global.*: https://helm.sh/docs/chart_template_guide/subcharts_and_globals/ global: # -- Domain where Seqera Platform listens + # @section -- Global platformExternalDomain: example.com # -- Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress # hostname. Evaluated as a template. # Required when deploying this subchart standalone. When deploying as part of the parent # `platform` umbrella chart, this value is inherited from the parent chart's `global` section + # @section -- Global platformServiceAddress: "" # -- Seqera Platform Service port. # Required when deploying this subchart standalone. When deploying as part of the parent # `platform` umbrella chart, this value is inherited from the parent chart's `global` section + # @section -- Global platformServicePort: "" # -- Domain where the Agent Backend service listens. Evaluated as a template + # @section -- Global agentBackendDomain: '{{ printf "ai-api.%s" .Values.global.platformExternalDomain }}' # -- Domain where Seqera MCP listens. Evaluated as a template + # @section -- Global mcpDomain: '{{ printf "mcp.%s" .Values.global.platformExternalDomain }}' # Ingress defaults shared across the parent chart and all subcharts. Each subchart's local 
@@ -42,26 +47,34 @@ global: ingress: # -- Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so # setting this once at the parent enables all subchart Ingresses. + # @section -- Global: Ingress enabled: false # -- Default path applied to ingress rules when `ingress.path` is not set. # AWS ALB users should override to `/*`. + # @section -- Global: Ingress path: "/" # -- Default path type applied to ingress rules when `ingress.defaultPathType` is not set. # `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. + # @section -- Global: Ingress defaultPathType: "Prefix" # -- Default ingress class name applied when `ingress.ingressClassName` is not set + # @section -- Global: Ingress ingressClassName: "" # -- Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress annotations: {} # -- Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress extraLabels: {} # -- TLS entries concatenated with the local `ingress.tls`. Evaluated as a template + # @section -- Global: Ingress tls: [] # -- Optional credentials to log in and fetch images from a private registry. These credentials # are shared with all the subcharts automatically + # @section -- Global: Image Credentials imageCredentials: [] # imageCredentials: # - registry: "" @@ -71,6 +84,7 @@ global: # -- Optional list of existing Secrets containing image pull credentials to use for pulling # images from private registries. These Secrets are shared with all the subcharts automatically + # @section -- Global: Image Credentials imageCredentialsSecrets: [] # imageCredentialsSecrets: # - myPrivateRegistryKeySecretName 
@@ -82,53 +96,72 @@ global: database: # -- MySQL database hostname + # @section -- Database host: "" # -- MySQL database port + # @section -- Database port: 3306 # -- MySQL database name + # @section -- Database name: "" # -- MySQL database username + # @section -- Database username: "" # -- MySQL database password + # @section -- Database password: "" # -- Name of an existing Secret containing credentials for the MySQL database, as an alternative # to the password field. Note: the Secret must already exist in the same namespace at the time of # deployment + # @section -- Database existingSecretName: "" # -- Key in the existing Secret containing the password for the MySQL database # @default -- `"AGENT_BACKEND_DB_PASSWORD"` + # @section -- Database existingSecretKey: "" # -- Enable TLS for the MySQL database connection + # @section -- Database enableTls: false # -- Verify the CA certificate when connecting via TLS (set to false to skip verification, # insecure - for development/testing only) + # @section -- Database tlsCaVerify: true # -- Path to a CA certificate file for server certificate verification + # @section -- Database sslCa: "" redis: # -- Redis hostname + # @section -- Redis host: "" # -- Redis port + # @section -- Redis port: 6379 # -- Redis database index + # @section -- Redis db: 0 # -- Enable TLS when connecting to Redis + # @section -- Redis enableTls: false # -- Redis password + # @section -- Redis password: "" # -- Name of an existing Secret containing the Redis password, as an alternative to the password # field. 
Note: the Secret must already exist in the same namespace at the time of deployment + # @section -- Redis existingSecretName: "" # -- Key in the existing Secret containing the Redis password # @default -- `"AGENT_BACKEND_REDIS_PASSWORD"` + # @section -- Redis existingSecretKey: "" # -- AWS Bedrock AgentCore runtime ARN for sandbox sessions +# @section -- Bedrock bedrockAgentCoreArn: "" # -- Optional IAM role ARN that the Agent Backend assumes for cross-account Bedrock access. # Leave empty to let the pod directly use the AWS credentials provided to it (single-account setup). +# @section -- Bedrock bedrockAssumeRoleArn: "" # -- Override the Anthropic model used on Bedrock by specifying an inference profile ARN. You can 
@@ -136,29 +169,37 @@ bedrockAssumeRoleArn: "" # inference profile for the model provided by AWS. When doing cross-account access with # `bedrockAssumeRoleArn`, you may want to specify an inference profile ARN on the account where the # hop role is defined +# @section -- Bedrock bedrockAnthropicModel: "" embeddings: bedrock: # -- AWS region where the Bedrock model is hosted + # @section -- Embeddings region: "" # -- Bedrock model ID used for embeddings + # @section -- Embeddings modelId: "amazon.titan-embed-text-v2:0" # -- Embedding vector dimensions expected from the configured Bedrock model + # @section -- Embeddings dimensions: "1024" nextflowDocs: # -- Use a Redis-backed vector index for the Nextflow documentation knowledge base. # Disabled by default. + # @section -- Nextflow Docs useRedisIndex: false # -- Anthropic API key. Define the value as a String or a Secret, not both at the same time +# @section -- Anthropic API Key anthropicApiKey: "" # -- Name of an existing Secret containing the Anthropic API key. # Note: the Secret must already exist in the same namespace at the time of deployment +# @section -- Anthropic API Key anthropicApiKeyExistingSecretName: "" # -- Key in the existing Secret containing the Anthropic API key # @default -- `"ANTHROPIC_API_KEY"` +# @section -- Anthropic API Key anthropicApiKeyExistingSecretKey: "" # -- Token encryption key (must be a valid Fernet key). Define the value as a String or a Secret, 
@@ -168,56 +209,73 @@ anthropicApiKeyExistingSecretKey: "" # Auto-generated random values are incompatible with Kustomize. When upgrading releases via # Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to # regenerate a new random value on each upgrade +# @section -- Token Encryption Key tokenEncryptionKey: "" # -- Name of an existing Secret containing the token encryption key. # Note: the Secret must already exist in the same namespace at the time of deployment +# @section -- Token Encryption Key tokenEncryptionKeyExistingSecretName: "" # -- Key in the existing Secret containing the token encryption key # @default -- `"AGENT_BACKEND_TOKEN_ENCRYPTION_KEY"` +# @section -- Token Encryption Key tokenEncryptionKeyExistingSecretKey: "" image: # -- Container image registry + # @section -- Image registry: "" # -- Container image repository + # @section -- Image repository: private/nf-tower-enterprise/agent-backend # -- Container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Image tag: "" # -- Container image digest in the format `sha256:1234abcdef` + # @section -- Image digest: "" # -- imagePullPolicy for the container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName # -- Log level (one of CRITICAL, ERROR, WARNING, INFO, DEBUG) +# @section -- Deployment logLevel: INFO # -- Service configuration +# @section -- Service service: # -- Service type. 
# Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Service type: ClusterIP http: # -- Service name to use + # @section -- Service name: http # -- Service port + # @section -- Service port: 80 # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port) + # @section -- Service targetPort: 8002 # -- Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Service nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Service extraServices: [] # extraServices: # - name: myspecialservice 
@@ -227,25 +285,32 @@ service: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Service extraOptions: {} dbMigrationInitContainer: # -- Command to run in the init container performing DB migrations + # @section -- DB Migration Init Container command: ['./init.sh'] securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- DB Migration Init Container: Security Context runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID 0) + # @section -- DB Migration Init Container: Security Context runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- DB Migration Init Container: Security Context readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- DB Migration Init Container: Security Context capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- DB Migration Init Container resources: requests: cpu: "0.5" 
@@ -254,20 +319,26 @@ dbMigrationInitContainer: memory: "100Mi" # -- Additional init containers for the pod. Evaluated as a template +# @section -- Deployment initContainers: [] # -- Override default container command (useful when using custom images) +# @section -- Deployment command: [] # -- Override default container args (useful when using custom images) +# @section -- Deployment args: [] # -- Additional labels for the pod. Evaluated as a template +# @section -- Deployment podLabels: {} # -- Additional annotations for the pod. Evaluated as a template +# @section -- Deployment podAnnotations: {} # -- Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). # Evaluated as a template +# @section -- Deployment extraOptionsSpec: {} # extraOptionsSpec: # strategy: @@ -280,26 +351,32 @@ extraOptionsSpec: {} # -- Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, # etc). Evaluated as a template +# @section -- Deployment extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: # service: myspecialnodegroup # -- Extra environment variables +# @section -- Deployment extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars +# @section -- Deployment extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars +# @section -- Deployment extraEnvVarsSecrets: [] # -- List of volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` +# @section -- Deployment extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` +# @section -- Deployment extraVolumeMounts: [] # Configure Pods Security Context. 
@@ -307,28 +384,36 @@ extraVolumeMounts: [] # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Pod Security Context enabled: true # -- Sets the GID that Kubernetes will apply to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Pod Security Context fsGroup: 101 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Container Security Context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Container Security Context runAsUser: 101 # -- Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Container Security Context runAsNonRoot: true # -- Mounts the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Container Security Context readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Container Security Context capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory +# @section -- Deployment resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
@@ -346,13 +431,16 @@ resources: {} initContainerDependencies: # -- Enable init containers that coordinate startup dependencies + # @section -- Init Container Dependencies enabled: true waitForRedis: # -- Enable wait for Redis init container before starting the main container + # @section -- Init Container Dependencies: Wait For Redis enabled: true image: # -- Override default wait for Redis init container image + # @section -- Init Container Dependencies: Wait For Redis registry: "" repository: redis tag: 7-alpine @@ -362,17 +450,22 @@ initContainerDependencies: securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait For Redis runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID is 0) + # @section -- Init Container Dependencies: Wait For Redis runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait For Redis readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait For Redis capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait For Redis resources: requests: cpu: "0.5" 
@@ -381,15 +474,19 @@ initContainerDependencies: memory: "100Mi" # -- Additional environment variables for the init container + # @section -- Init Container Dependencies: Wait For Redis extraEnvVars: [] # -- Additional volume mounts for the init container (e.g. to mount a CA certificate) + # @section -- Init Container Dependencies: Wait For Redis extraVolumeMounts: [] waitForMySQL: # -- Enable wait for MySQL init container before starting the main container + # @section -- Init Container Dependencies: Wait For MySQL enabled: true image: # -- Override default wait for MySQL init container image + # @section -- Init Container Dependencies: Wait For MySQL registry: "" repository: mysql tag: "9" @@ -399,17 +496,22 @@ initContainerDependencies: securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait For MySQL runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID is 0) + # @section -- Init Container Dependencies: Wait For MySQL runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait For MySQL readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait For MySQL capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait For MySQL resources: requests: cpu: "0.5" 
@@ -426,98 +528,133 @@ initContainerDependencies: # extraEnvVars: # - name: MYSQL_EXTRA_ARGS # value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" + # @section -- Init Container Dependencies: Wait For MySQL extraEnvVars: [] # -- Additional volume mounts for the init container. Use this to mount CA certificates # (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that # `MYSQL_EXTRA_ARGS` can reference them. + # @section -- Init Container Dependencies: Wait For MySQL extraVolumeMounts: [] # Configure extra options for the startup probe startupProbe: # -- Enable startup probe + # @section -- Startup Probe enabled: false httpGet: # -- HTTP GET path for startup probe + # @section -- Startup Probe path: "/health" # -- HTTP GET port for startup probe. Evaluated as a template + # @section -- Startup Probe port: "{{ .Values.service.http.targetPort }}" # -- Longer initial wait to accommodate slow-starting apps + # @section -- Startup Probe initialDelaySeconds: 5 # -- Often set longer to avoid frequent checks while starting + # @section -- Startup Probe periodSeconds: 10 # -- Can be longer to allow slow initialization responses + # @section -- Startup Probe timeoutSeconds: 3 # -- Consecutive failures during startup before killing the container (instead of immediate # restarts) + # @section -- Startup Probe failureThreshold: 5 # -- Number of consecutive successes required to consider startup complete and enable # liveness/readiness + # @section -- Startup Probe successThreshold: 1 # Configure extra options for the readiness probe readinessProbe: # -- Enable readiness probe + # @section -- Readiness Probe enabled: true httpGet: # -- HTTP GET path for readiness probe + # @section -- Readiness Probe path: "/health" # -- HTTP GET port for readiness probe. 
Evaluated as a template + # @section -- Readiness Probe port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Readiness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Readiness Probe periodSeconds: 5 # -- Short timeout to detect unresponsive containers for readiness + # @section -- Readiness Probe timeoutSeconds: 3 # -- Consecutive failures before marking the container Unready (no restart) + # @section -- Readiness Probe failureThreshold: 5 # -- Number of consecutive successes required to mark the container Ready after failures + # @section -- Readiness Probe successThreshold: 1 # Configure extra options for the liveness probe livenessProbe: # -- Enable liveness probe + # @section -- Liveness Probe enabled: true httpGet: # -- HTTP GET path for liveness probe + # @section -- Liveness Probe path: "/health" # -- HTTP GET port for liveness probe. Evaluated as a template + # @section -- Liveness Probe port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Liveness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Liveness Probe periodSeconds: 10 # -- Short timeout to detect hung containers quickly + # @section -- Liveness Probe timeoutSeconds: 3 # -- Consecutive failures before restarting the container + # @section -- Liveness Probe failureThreshold: 10 # -- Typically 1 (usually ignored) + # @section -- Liveness Probe successThreshold: 1 # -- Service account configuration +# @section -- Service Account serviceAccount: # -- Service account name + # @section -- Service Account name: "" # -- Service account annotations + # @section -- Service Account annotations: {} # -- Names of Secrets containing credentials to pull images from registries + # @section -- Service Account imagePullSecretNames: [] # -- Automatically mount service account token + # @section -- 
Service Account automountServiceAccountToken: true ingress: # -- Enable ingress for Agent Backend + # @section -- Ingress enabled: false # -- Path for the main ingress rule. When empty, falls back to `global.ingress.path` + # @section -- Ingress path: "" # -- Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` + # @section -- Ingress defaultPathType: "" # -- Configure the default service for the ingress (evaluated as template) # Important: make sure only one defaultBackend is defined across the k8s cluster: if the # ingress doesn't reconcile successfully, 'describe ingress ' will report problems + # @section -- Ingress defaultBackend: {} # defaultBackend: # service: @@ -526,6 +663,7 @@ ingress: # number: '{{ .Values.frontend.service.http.port }}' # -- Additional hosts you want to include. Evaluated as a template + # @section -- Ingress extraHosts: [] # extraHosts: # - host: '{{ printf "api.%s" .Values.global.platformExternalDomain }}' @@ -542,13 +680,17 @@ ingress: # portNumber: '{{ .Values.frontend.service.http.port }}' # -- Ingress annotations specific to your load balancer. Evaluated as a template + # @section -- Ingress annotations: {} # -- Additional labels for the ingress object. Evaluated as a template + # @section -- Ingress extraLabels: {} # -- Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). # When empty, falls back to `global.ingress.ingressClassName` + # @section -- Ingress ingressClassName: "" # -- TLS configuration. Evaluated as a template + # @section -- Ingress tls: [] # tls: # - hosts: @@ -557,6 +699,7 @@ ingress: # secretName: my-tls # -- Array of extra objects to deploy with the release +# @section -- Extra Deploy extraDeploy: [] # extraDeploy: # - apiVersion: v1 
@@ -567,14 +710,20 @@ extraDeploy: [] # ... # -- Annotations to add to all deployed objects +# @section -- Common Metadata commonAnnotations: {} # -- Labels to add to all deployed objects +# @section -- Common Metadata commonLabels: {} # -- Additional labels for the Secret objects. Evaluated as a template +# @section -- Common Metadata secretLabels: {} # -- Additional annotations for the Secret objects. Evaluated as a template +# @section -- Common Metadata secretAnnotations: {} # -- Additional labels for the ConfigMap objects. Evaluated as a template +# @section -- Common Metadata configMapLabels: {} # -- Additional annotations for the ConfigMap objects. Evaluated as a template +# @section -- Common Metadata configMapAnnotations: {} diff --git a/charts/platform/charts/mcp/CHANGELOG.md b/charts/platform/charts/mcp/CHANGELOG.md index 6eacbff..420a136 100644 --- a/charts/platform/charts/mcp/CHANGELOG.md +++ b/charts/platform/charts/mcp/CHANGELOG.md 
@@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [Unreleased] + +### Changed + +- Annotated `values.yaml` with `# @section` markers and switched `README.md.gotmpl` to a per-section Markdown loop, grouping the generated values table by area instead of one flat list. + ## [0.4.0] - 2026-05-05 - **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services). diff --git a/charts/platform/charts/mcp/README.md b/charts/platform/charts/mcp/README.md index e549b75..ac1663e 100644 --- a/charts/platform/charts/mcp/README.md +++ b/charts/platform/charts/mcp/README.md 
@@ -16,7 +16,6 @@ The chart does not automatically define `cr.seqera.io` as the registry where to The required values to set in order to have a working installation are: - The domain where Seqera Platform is accessible, set under `.global.platformExternalDomain`. The MCP domain defaults to `mcp.` but can be overridden with `.global.mcpDomain`. -- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort`. These point to the Platform backend service that MCP communicates with. When deploying this subchart as part of the parent `platform` umbrella chart, these values are inherited automatically from the parent chart's `global` section. - The OIDC client registration token under `.oidcToken.tokenString` (or reference an existing Secret with `.oidcToken.existingSecretName`). When deploying as part of the platform parent chart this is set automatically; when deploying standalone it must match the value configured in the platform backend. - A stable JWT seed for signing authentication tokens under `.oauth.jwtSeedString` (or reference an existing Secret with `.oauth.jwtSeedSecretName`). If not set a random value is generated, which is incompatible with Kustomize-based upgrades. - Container registry credentials under the `.global.imageCredentials` section (can be the credentials for cr.seqera.io or your private registry where you vendored the images to). 
@@ -58,126 +57,238 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md ## Values +### Global + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.platformExternalDomain | string | ``"example.com"`` | Domain where Seqera Platform listens | +| global.platformServiceAddress | string | ``""`` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | +| global.platformServicePort | string | ``""`` | Seqera Platform Service port. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | +| global.mcpDomain | string | ``"{{ printf \"mcp.%s\" .Values.global.platformExternalDomain }}"`` | Domain where Seqera MCP listens. Evaluated as a template. Note: The OAuth redirect URL is automatically derived by appending /oauth/callback to the domain | + +### Global: Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.ingress.enabled | bool | ``false`` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | +| global.ingress.path | string | ``"/"`` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | +| global.ingress.defaultPathType | string | ``"Prefix"`` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. 
| +| global.ingress.ingressClassName | string | ``""`` | Default ingress class name applied when `ingress.ingressClassName` is not set | +| global.ingress.annotations | object | ``{}`` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | +| global.ingress.extraLabels | object | ``{}`` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | +| global.ingress.tls | list | ``[]`` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | + +### Global: Image credentials + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.imageCredentials | list | ``[]`` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | +| global.imageCredentialsSecrets | list | ``[]`` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | + +### MCP application + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| micronautEnvironments | list | ``["oauth-platform"]`` | List of Micronaut environments to enable. Evaluated as a template | +| hubApiEndpoint | string | ``"https://hub.seqera.io"`` | API endpoint of Seqera Hub. | +| waveApiEndpoint | string | ``"https://wave.seqera.io"`` | API endpoint of Seqera Wave. | +| registryApiEndpoint | string | ``"https://registry.nextflow.io"`` | API endpoint of Seqera Nextflow Registry. | + +### OIDC token + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| oidcToken.tokenString | string | ``""`` | OIDC client registration token as a string. Used to dynamically register an OAuth client with Seqera Platform's OIDC provider. If neither this nor existingSecretName is set, a random value is generated. 
When deployed via the platform parent chart, this is automatically defined with the value of the OIDC client registration token from the platform backend secret, so it should not be set in that case. When deploying independently of the platform parent chart, this must be set to the same value defined in the platform backend secret. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade, which will break authentication | +| oidcToken.existingSecretName | string | ``""`` | Name of an existing Secret containing the OIDC client registration token, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment. | +| oidcToken.existingSecretKey | string | ``"MCP_OAUTH_INITIAL_ACCESS_TOKEN"`` | Key in the existing Secret containing the OIDC client registration token. | + +### OAuth + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| oauth.issuerUrl | string | ``""`` | OAuth provider URL used by MCP to authenticate and obtain tokens. Defaults to the Platform API endpoint when 'oauth-platform' is configured in `.micronautEnvironments` (default behavior). Must be set explicitly when 'oauth' is configured in `.micronautEnvironments`. | +| oauth.audience | string | ``"platform"`` | OAuth audience for MCP to authenticate with. This is the expected audience claim in the tokens issued by the OAuth provider. When using Seqera Platform as the OAuth provider, this should be set to "platform" to match the audience of the internal client that Platform creates for MCP. 
When using a custom OAuth provider, this should match the audience configured for the client that MCP uses to authenticate with that provider | +| oauth.jwtSeedString | string | ``""`` | JWT seed, defined as string, used to sign authentication tokens. Define the value as a String or a Secret, not both at the same time. If neither is defined, Helm generates a random 35-character string. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade, which will break authentication | +| oauth.jwtSeedSecretName | string | ``""`` | Name of an existing Secret containing the JWT seed, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment | +| oauth.jwtSeedSecretKey | string | ``"MCP_OAUTH_JWT_SECRET"`` | Key in the existing Secret containing the JWT seed | + +### Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.registry | string | ``""`` | Container image registry | +| image.repository | string | ``"private/nf-tower-enterprise/mcp"`` | Container image repository | +| image.tag | string | ``"{{ .chart.AppVersion }}"`` | Container image tag | +| image.digest | string | ``""`` | Container image digest in the format `sha256:1234abcdef` | +| image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### Service + +| Key | Type | Default | Description | 
+|-----|------|---------|-------------| +| service | object | ``{"extraOptions":{},"extraServices":[],"http":{"name":"http","nodePort":null,"port":6010,"targetPort":6010},"type":"ClusterIP"}`` | Service configuration | +| service.type | string | ``"ClusterIP"`` | Service type. Note: ingresses using AWS ALB require the service to be NodePort | +| service.http.name | string | ``"http"`` | Service name to use | +| service.http.port | int | ``6010`` | Service port | +| service.http.targetPort | int | ``6010`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | +| service.http.nodePort | string | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | +| service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | + +### Init containers + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.enabled | bool | ``true`` | Enable init containers that coordinate startup dependencies (for example, wait for Seqera Platform readiness before starting, etc) | +| initContainers | list | ``[]`` | Additional init containers for the pod. 
Evaluated as a template | + +### Init containers: Wait for Platform + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForPlatform.enabled | bool | ``true`` | Enable wait for Seqera Platform init container before starting the MCP server | +| initContainerDependencies.waitForPlatform.image.registry | string | ``""`` | Wait for Platform init container image registry | +| initContainerDependencies.waitForPlatform.image.repository | string | ``"curlimages/curl"`` | Wait for Platform init container image repository | +| initContainerDependencies.waitForPlatform.image.tag | string | ``"latest"`` | Wait for Platform init container image tag | +| initContainerDependencies.waitForPlatform.image.digest | string | ``""`` | Wait for Platform init container image digest in the format `sha256:1234abcdef` | +| initContainerDependencies.waitForPlatform.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the wait for Platform init container | +| initContainerDependencies.waitForPlatform.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForPlatform.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| initContainerDependencies.waitForPlatform.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForPlatform.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForPlatform.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.1","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| 
initContainerDependencies.waitForPlatform.extraEnvVars | list | ``[]`` | Additional environment variables for the init container | +| initContainerDependencies.waitForPlatform.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container (e.g. to mount a CA certificate) | + +### Pod + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| command | list | ``[]`` | Override default container command (useful when using custom images) | +| args | list | ``[]`` | Override default container args (useful when using custom images) | +| podLabels | object | ``{}`` | Additional labels for the pod. Evaluated as a template | +| podAnnotations | object | ``{}`` | Additional annotations for the pod. Evaluated as a template | +| extraOptionsSpec | object | ``{}`` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | +| extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). Evaluated as a template | + +### Pod: Environment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraEnvVars | list | ``[]`` | Extra environment variables | +| extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | + +### Pod: Volumes + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraVolumes | list | ``[]`` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). 
Normally used with `extraVolumes` | + +### Pod: Security context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| podSecurityContext.fsGroup | int | ``101`` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | + +### Container: Security context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| containerSecurityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| containerSecurityContext.runAsNonRoot | bool | ``true`` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | +| containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | +| containerSecurityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Container: Resources + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Probes: Startup + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| startupProbe.enabled | bool | ``false`` | Enable startup probe | +| startupProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for startup probe | +| startupProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for startup probe. 
Evaluated as a template | +| startupProbe.initialDelaySeconds | int | ``5`` | Longer initial wait to accommodate slow-starting apps | +| startupProbe.periodSeconds | int | ``10`` | Often set longer to avoid frequent checks while starting | +| startupProbe.timeoutSeconds | int | ``3`` | Can be longer to allow slow initialization responses | +| startupProbe.failureThreshold | int | ``5`` | Consecutive failures during startup before killing the container (instead of immediate restarts) | +| startupProbe.successThreshold | int | ``1`` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | + +### Probes: Readiness + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| readinessProbe.enabled | bool | ``true`` | Enable readiness probe | +| readinessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for readiness probe | +| readinessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for readiness probe. 
Evaluated as a template | +| readinessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| readinessProbe.periodSeconds | int | ``5`` | Regular check interval during normal operation | +| readinessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect unresponsive containers for readiness | +| readinessProbe.failureThreshold | int | ``5`` | Consecutive failures before marking the container Unready (no restart) | +| readinessProbe.successThreshold | int | ``1`` | Number of consecutive successes required to mark the container Ready after failures | + +### Probes: Liveness + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| livenessProbe.enabled | bool | ``true`` | Enable liveness probe | +| livenessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for liveness probe | +| livenessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for liveness probe. Evaluated as a template | +| livenessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| livenessProbe.periodSeconds | int | ``10`` | Regular check interval during normal operation | +| livenessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect hung containers quickly | +| livenessProbe.failureThreshold | int | ``10`` | Consecutive failures before restarting the container | +| livenessProbe.successThreshold | int | ``1`` | Typically 1 (usually ignored) | + +### Service account + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| serviceAccount | object | ``{"annotations":{},"automountServiceAccountToken":true,"imagePullSecretNames":[],"name":""}`` | Service account configuration | +| serviceAccount.name | string | ``""`` | Service account name | +| serviceAccount.annotations | object | ``{}`` | Service account annotations | +| serviceAccount.imagePullSecretNames | list | ``[]`` | Names of Secrets containing 
credentials to pull images from registries | +| serviceAccount.automountServiceAccountToken | bool | ``true`` | Automatically mount service account token | + +### Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| ingress.enabled | bool | ``false`` | Enable ingress for MCP | +| ingress.path | string | ``""`` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | +| ingress.defaultPathType | string | ``""`` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | +| ingress.defaultBackend | object | ``{}`` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | +| ingress.extraHosts | list | ``[]`` | Additional hosts you want to include. Evaluated as a template | +| ingress.annotations | object | ``{}`` | Ingress annotations specific to your load balancer. Evaluated as a template | +| ingress.extraLabels | object | ``{}`` | Additional labels for the ingress object. Evaluated as a template | +| ingress.ingressClassName | string | ``""`` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | +| ingress.tls | list | ``[]`` | TLS configuration. 
Evaluated as a template | + +### Extra deployment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraDeploy | list | ``[]`` | Array of extra objects to deploy with the release | + +### Common metadata + | Key | Type | Default | Description | |-----|------|---------|-------------| -| global.platformExternalDomain | string | `"example.com"` | Domain where Seqera Platform listens | -| global.platformServiceAddress | string | `""` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | -| global.platformServicePort | string | `""` | Seqera Platform Service port. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | -| global.mcpDomain | string | `"{{ printf \"mcp.%s\" .Values.global.platformExternalDomain }}"` | Domain where Seqera MCP listens. Evaluated as a template. Note: The OAuth redirect URL is automatically derived by appending /oauth/callback to the domain | -| global.ingress.enabled | bool | `false` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | -| global.ingress.path | string | `"/"` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | -| global.ingress.defaultPathType | string | `"Prefix"` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. 
| -| global.ingress.ingressClassName | string | `""` | Default ingress class name applied when `ingress.ingressClassName` is not set | -| global.ingress.annotations | object | `{}` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | -| global.ingress.extraLabels | object | `{}` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | -| global.ingress.tls | list | `[]` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | -| global.imageCredentials | list | `[]` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | -| global.imageCredentialsSecrets | list | `[]` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | -| micronautEnvironments | list | `["oauth-platform"]` | List of Micronaut environments to enable. Evaluated as a template | -| hubApiEndpoint | string | `"https://hub.seqera.io"` | API endpoint of Seqera Hub. | -| waveApiEndpoint | string | `"https://wave.seqera.io"` | API endpoint of Seqera Wave. | -| registryApiEndpoint | string | `"https://registry.nextflow.io"` | API endpoint of Seqera Nextflow Registry. | -| oidcToken.tokenString | string | `""` | OIDC client registration token as a string. Used to dynamically register an OAuth client with Seqera Platform's OIDC provider. If neither this nor existingSecretName is set, a random value is generated. When deployed via the platform parent chart, this is automatically defined with the value of the OIDC client registration token from the platform backend secret, so it should not be set in that case. When deploying independently of the platform parent chart, this must be set to the same value defined in the platform backend secret. 
WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade, which will break authentication | -| oidcToken.existingSecretName | string | `""` | Name of an existing Secret containing the OIDC client registration token, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment. | -| oidcToken.existingSecretKey | string | `"MCP_OAUTH_INITIAL_ACCESS_TOKEN"` | Key in the existing Secret containing the OIDC client registration token. | -| oauth.issuerUrl | string | `""` | OAuth provider URL used by MCP to authenticate and obtain tokens. Defaults to the Platform API endpoint when 'oauth-platform' is configured in `.micronautEnvironments` (default behavior). Must be set explicitly when 'oauth' is configured in `.micronautEnvironments`. | -| oauth.audience | string | `"platform"` | OAuth audience for MCP to authenticate with. This is the expected audience claim in the tokens issued by the OAuth provider. When using Seqera Platform as the OAuth provider, this should be set to "platform" to match the audience of the internal client that Platform creates for MCP. When using a custom OAuth provider, this should match the audience configured for the client that MCP uses to authenticate with that provider | -| oauth.jwtSeedString | string | `""` | JWT seed, defined as string, used to sign authentication tokens. Define the value as a String or a Secret, not both at the same time. If neither is defined, Helm generates a random 35-character string. WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. 
When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade, which will break authentication | -| oauth.jwtSeedSecretName | string | `""` | Name of an existing Secret containing the JWT seed, as an alternative to the string field. Note: the Secret must already exist in the same namespace at the time of deployment | -| oauth.jwtSeedSecretKey | string | `"MCP_OAUTH_JWT_SECRET"` | Key in the existing Secret containing the JWT seed | -| image.registry | string | `""` | Container image registry | -| image.repository | string | `"private/nf-tower-enterprise/mcp"` | Container image repository | -| image.tag | string | `"{{ .chart.AppVersion }}"` | Container image tag | -| image.digest | string | `""` | Container image digest in the format `sha256:1234abcdef` | -| image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| service | object | `{"extraOptions":{},"extraServices":[],"http":{"name":"http","nodePort":null,"port":6010,"targetPort":6010},"type":"ClusterIP"}` | Service configuration | -| service.type | string | `"ClusterIP"` | Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | -| service.http.name | string | `"http"` | Service name to use | -| service.http.port | int | `6010` | Service port | -| service.http.targetPort | int | `6010` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | -| service.http.nodePort | string | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| initContainerDependencies.enabled | bool | `true` | Enable init containers that coordinate startup dependencies (for example, wait for Seqera Platform readiness before starting, etc) | -| initContainerDependencies.waitForPlatform.enabled | bool | `true` | Enable wait for Seqera Platform init container before starting the MCP server | -| initContainerDependencies.waitForPlatform.image.registry | string | `""` | Wait for Platform init container image registry | -| initContainerDependencies.waitForPlatform.image.repository | string | `"curlimages/curl"` | Wait for Platform init container image repository | -| initContainerDependencies.waitForPlatform.image.tag | string | `"latest"` | Wait for Platform init container image tag | -| initContainerDependencies.waitForPlatform.image.digest | string | `""` | Wait for Platform init container image digest in the format `sha256:1234abcdef` | -| initContainerDependencies.waitForPlatform.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the wait for Platform init container | 
-| initContainerDependencies.waitForPlatform.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| initContainerDependencies.waitForPlatform.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| initContainerDependencies.waitForPlatform.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForPlatform.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| initContainerDependencies.waitForPlatform.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.1","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForPlatform.extraEnvVars | list | `[]` | Additional environment variables for the init container | -| initContainerDependencies.waitForPlatform.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container (e.g. to mount a CA certificate) | -| initContainers | list | `[]` | Additional init containers for the pod. Evaluated as a template | -| command | list | `[]` | Override default container command (useful when using custom images) | -| args | list | `[]` | Override default container args (useful when using custom images) | -| podLabels | object | `{}` | Additional labels for the pod. Evaluated as a template | -| podAnnotations | object | `{}` | Additional annotations for the pod. Evaluated as a template | -| extraOptionsSpec | object | `{}` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | -| extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | -| extraEnvVars | list | `[]` | Extra environment variables | -| extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| extraVolumes | list | `[]` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | -| podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| podSecurityContext.fsGroup | int | `101` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | -| containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| containerSecurityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| containerSecurityContext.runAsNonRoot | bool | `true` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | -| containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | -| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| startupProbe.enabled | bool | `false` | Enable startup probe | -| startupProbe.httpGet.path | string | `"/health"` | HTTP GET path for startup probe | -| startupProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for startup probe. 
Evaluated as a template | -| startupProbe.initialDelaySeconds | int | `5` | Longer initial wait to accommodate slow-starting apps | -| startupProbe.periodSeconds | int | `10` | Often set longer to avoid frequent checks while starting | -| startupProbe.timeoutSeconds | int | `3` | Can be longer to allow slow initialization responses | -| startupProbe.failureThreshold | int | `5` | Consecutive failures during startup before killing the container (instead of immediate restarts) | -| startupProbe.successThreshold | int | `1` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | -| readinessProbe.enabled | bool | `true` | Enable readiness probe | -| readinessProbe.httpGet.path | string | `"/health"` | HTTP GET path for readiness probe | -| readinessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for readiness probe. Evaluated as a template | -| readinessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| readinessProbe.periodSeconds | int | `5` | Regular check interval during normal operation | -| readinessProbe.timeoutSeconds | int | `3` | Short timeout to detect unresponsive containers for readiness | -| readinessProbe.failureThreshold | int | `5` | Consecutive failures before marking the container Unready (no restart) | -| readinessProbe.successThreshold | int | `1` | Number of consecutive successes required to mark the container Ready after failures | -| livenessProbe.enabled | bool | `true` | Enable liveness probe | -| livenessProbe.httpGet.path | string | `"/health"` | HTTP GET path for liveness probe | -| livenessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for liveness probe. 
Evaluated as a template | -| livenessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| livenessProbe.periodSeconds | int | `10` | Regular check interval during normal operation | -| livenessProbe.timeoutSeconds | int | `3` | Short timeout to detect hung containers quickly | -| livenessProbe.failureThreshold | int | `10` | Consecutive failures before restarting the container | -| livenessProbe.successThreshold | int | `1` | Typically 1 (usually ignored) | -| serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":true,"imagePullSecretNames":[],"name":""}` | Service account configuration | -| serviceAccount.name | string | `""` | Service account name | -| serviceAccount.annotations | object | `{}` | Service account annotations | -| serviceAccount.imagePullSecretNames | list | `[]` | Names of Secrets containing credentials to pull images from registries | -| serviceAccount.automountServiceAccountToken | bool | `true` | Automatically mount service account token | -| ingress.enabled | bool | `false` | Enable ingress for MCP | -| ingress.path | string | `""` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | -| ingress.defaultPathType | string | `""` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | -| ingress.defaultBackend | object | `{}` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | -| ingress.extraHosts | list | `[]` | Additional hosts you want to include. Evaluated as a template | -| ingress.annotations | object | `{}` | Ingress annotations specific to your load balancer. Evaluated as a template | -| ingress.extraLabels | object | `{}` | Additional labels for the ingress object. 
Evaluated as a template | -| ingress.ingressClassName | string | `""` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | -| ingress.tls | list | `[]` | TLS configuration. Evaluated as a template | -| extraDeploy | list | `[]` | Array of extra objects to deploy with the release | -| commonAnnotations | object | `{}` | Annotations to add to all deployed objects | -| commonLabels | object | `{}` | Labels to add to all deployed objects | -| secretLabels | object | `{}` | Additional labels for the Secret objects. Evaluated as a template | -| secretAnnotations | object | `{}` | Additional annotations for the Secret objects. Evaluated as a template | -| configMapLabels | object | `{}` | Additional labels for the ConfigMap objects. Evaluated as a template | -| configMapAnnotations | object | `{}` | Additional annotations for the ConfigMap objects. Evaluated as a template | +| commonAnnotations | object | ``{}`` | Annotations to add to all deployed objects | +| commonLabels | object | ``{}`` | Labels to add to all deployed objects | +| secretLabels | object | ``{}`` | Additional labels for the Secret objects. Evaluated as a template | +| secretAnnotations | object | ``{}`` | Additional annotations for the Secret objects. Evaluated as a template | +| configMapLabels | object | ``{}`` | Additional labels for the ConfigMap objects. Evaluated as a template | +| configMapAnnotations | object | ``{}`` | Additional annotations for the ConfigMap objects. Evaluated as a template | ## Licensing diff --git a/charts/platform/charts/mcp/README.md.gotmpl b/charts/platform/charts/mcp/README.md.gotmpl index dba245f..4b61df0 100644 --- a/charts/platform/charts/mcp/README.md.gotmpl +++ b/charts/platform/charts/mcp/README.md.gotmpl 
@@ -13,7 +13,6 @@ The chart does not automatically define `cr.seqera.io` as the registry where to The required values to set in order to have a working installation are: - The domain where Seqera Platform is accessible, set under `.global.platformExternalDomain`. The MCP domain defaults to `mcp.` but can be overridden with `.global.mcpDomain`. -- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort`. These point to the Platform backend service that MCP communicates with. When deploying this subchart as part of the parent `platform` umbrella chart, these values are inherited automatically from the parent chart's `global` section. - The OIDC client registration token under `.oidcToken.tokenString` (or reference an existing Secret with `.oidcToken.existingSecretName`). When deploying as part of the platform parent chart this is set automatically; when deploying standalone it must match the value configured in the platform backend. - A stable JWT seed for signing authentication tokens under `.oauth.jwtSeedString` (or reference an existing Secret with `.oauth.jwtSeedSecretName`). If not set a random value is generated, which is incompatible with Kustomize-based upgrades. - Container registry credentials under the `.global.imageCredentials` section (can be the credentials for cr.seqera.io or your private registry where you vendored the images to). 
@@ -48,7 +47,29 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md {{ template "chart.requirementsSection" . }} -{{ template "chart.valuesSection" . }} +## Values + +{{- range .Sections.Sections }} + +### {{ .SectionName }} + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .SectionItems }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} + +{{- with .Sections.DefaultSection.SectionItems }} + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range . }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} ## Licensing diff --git a/charts/platform/charts/mcp/values.yaml b/charts/platform/charts/mcp/values.yaml index 9754a55..825bce1 100644 --- a/charts/platform/charts/mcp/values.yaml +++ b/charts/platform/charts/mcp/values.yaml 
@@ -19,20 +19,24 @@ # .Values.global.*: https://helm.sh/docs/chart_template_guide/subcharts_and_globals/ global: # -- Domain where Seqera Platform listens + # @section -- Global platformExternalDomain: example.com # -- Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress # hostname. Evaluated as a template. # Required when deploying this subchart standalone. When deploying as part of the parent # `platform` umbrella chart, this value is inherited from the parent chart's `global` section + # @section -- Global platformServiceAddress: "" # -- Seqera Platform Service port. # Required when deploying this subchart standalone. When deploying as part of the parent # `platform` umbrella chart, this value is inherited from the parent chart's `global` section + # @section -- Global platformServicePort: "" # -- Domain where Seqera MCP listens. Evaluated as a template. # Note: The OAuth redirect URL is automatically derived by appending /oauth/callback to the domain + # @section -- Global mcpDomain: '{{ printf "mcp.%s" .Values.global.platformExternalDomain }}' # Ingress defaults shared across the parent chart and all subcharts. Each subchart's local 
@@ -40,26 +44,34 @@ global: ingress: # -- Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so # setting this once at the parent enables all subchart Ingresses. + # @section -- Global: Ingress enabled: false # -- Default path applied to ingress rules when `ingress.path` is not set. # AWS ALB users should override to `/*`. + # @section -- Global: Ingress path: "/" # -- Default path type applied to ingress rules when `ingress.defaultPathType` is not set. # `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. + # @section -- Global: Ingress defaultPathType: "Prefix" # -- Default ingress class name applied when `ingress.ingressClassName` is not set + # @section -- Global: Ingress ingressClassName: "" # -- Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress annotations: {} # -- Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress extraLabels: {} # -- TLS entries concatenated with the local `ingress.tls`. Evaluated as a template + # @section -- Global: Ingress tls: [] # -- Optional credentials to log in and fetch images from a private registry. These credentials # are shared with all the subcharts automatically + # @section -- Global: Image credentials imageCredentials: [] # imageCredentials: # - registry: "" @@ -69,6 +81,7 @@ global: # -- Optional list of existing Secrets containing image pull credentials to use for pulling # images from private registries. These Secrets are shared with all the subcharts automatically + # @section -- Global: Image credentials imageCredentialsSecrets: [] # imageCredentialsSecrets: # - myPrivateRegistryKeySecretName 
@@ -79,6 +92,7 @@ global: # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line # -- List of Micronaut environments to enable. Evaluated as a template +# @section -- MCP application micronautEnvironments: # The 'oauth-platform' environment enables built-in support for using Seqera Platform as the OAuth # provider, including auto-registration of an internal client with the correct permissions for MCP @@ -86,10 +100,13 @@ micronautEnvironments: - oauth-platform # -- API endpoint of Seqera Hub. +# @section -- MCP application hubApiEndpoint: https://hub.seqera.io # -- API endpoint of Seqera Wave. +# @section -- MCP application waveApiEndpoint: https://wave.seqera.io # -- API endpoint of Seqera Nextflow Registry. +# @section -- MCP application registryApiEndpoint: https://registry.nextflow.io oidcToken: 
@@ -103,25 +120,30 @@ oidcToken: # Auto-generated random values are incompatible with Kustomize. When upgrading releases via # Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to # regenerate a new random value on each upgrade, which will break authentication + # @section -- OIDC token tokenString: "" # -- Name of an existing Secret containing the OIDC client registration token, as an alternative # to the string field. Note: the Secret must already exist in the same namespace at the time of # deployment. + # @section -- OIDC token existingSecretName: "" # -- Key in the existing Secret containing the OIDC client registration token. # @default -- `"MCP_OAUTH_INITIAL_ACCESS_TOKEN"` + # @section -- OIDC token existingSecretKey: "" oauth: # -- OAuth provider URL used by MCP to authenticate and obtain tokens. Defaults to the Platform # API endpoint when 'oauth-platform' is configured in `.micronautEnvironments` (default # behavior). Must be set explicitly when 'oauth' is configured in `.micronautEnvironments`. + # @section -- OAuth issuerUrl: "" # -- OAuth audience for MCP to authenticate with. This is the expected audience claim in the # tokens issued by the OAuth provider. When using Seqera Platform as the OAuth provider, this # should be set to "platform" to match the audience of the internal client that Platform creates # for MCP. When using a custom OAuth provider, this should match the audience configured for the # client that MCP uses to authenticate with that provider + # @section -- OAuth audience: platform # -- JWT seed, defined as string, used to sign authentication tokens. 
@@ -131,53 +153,69 @@ oauth: # Auto-generated random values are incompatible with Kustomize. When upgrading releases via # Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to # regenerate a new random value on each upgrade, which will break authentication + # @section -- OAuth jwtSeedString: "" # -- Name of an existing Secret containing the JWT seed, as an alternative to the string field. # Note: the Secret must already exist in the same namespace at the time of deployment + # @section -- OAuth jwtSeedSecretName: "" # -- Key in the existing Secret containing the JWT seed # @default -- `"MCP_OAUTH_JWT_SECRET"` + # @section -- OAuth jwtSeedSecretKey: "" image: # -- Container image registry + # @section -- Image registry: "" # -- Container image repository + # @section -- Image repository: private/nf-tower-enterprise/mcp # -- Container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Image tag: "" # -- Container image digest in the format `sha256:1234abcdef` + # @section -- Image digest: "" # -- imagePullPolicy for the container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName # -- Service configuration +# @section -- Service service: # -- Service type. 
# Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Service type: ClusterIP http: # -- Service name to use + # @section -- Service name: http # -- Service port + # @section -- Service port: 6010 # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port) + # @section -- Service targetPort: 6010 # -- Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Service nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Service extraServices: [] # extraServices: # - name: myspecialservice 
@@ -187,41 +225,54 @@ service: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Service extraOptions: {} initContainerDependencies: # -- Enable init containers that coordinate startup dependencies (for example, wait for Seqera # Platform readiness before starting, etc) + # @section -- Init containers enabled: true waitForPlatform: # -- Enable wait for Seqera Platform init container before starting the MCP server + # @section -- Init containers: Wait for Platform enabled: true image: # -- Wait for Platform init container image registry + # @section -- Init containers: Wait for Platform registry: "" # -- Wait for Platform init container image repository + # @section -- Init containers: Wait for Platform repository: curlimages/curl # -- Wait for Platform init container image tag + # @section -- Init containers: Wait for Platform tag: latest # -- Wait for Platform init container image digest in the format `sha256:1234abcdef` + # @section -- Init containers: Wait for Platform digest: "" # -- imagePullPolicy for the wait for Platform init container + # @section -- Init containers: Wait for Platform pullPolicy: IfNotPresent securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init containers: Wait for Platform runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Init containers: Wait for Platform runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init containers: Wait for Platform readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init containers: Wait for Platform capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init containers: 
Wait for Platform resources: requests: cpu: "0.1" @@ -230,25 +281,33 @@ initContainerDependencies: memory: "100Mi" # -- Additional environment variables for the init container + # @section -- Init containers: Wait for Platform extraEnvVars: [] # -- Additional volume mounts for the init container (e.g. to mount a CA certificate) + # @section -- Init containers: Wait for Platform extraVolumeMounts: [] # -- Additional init containers for the pod. Evaluated as a template +# @section -- Init containers initContainers: [] # -- Override default container command (useful when using custom images) +# @section -- Pod command: [] # -- Override default container args (useful when using custom images) +# @section -- Pod args: [] # -- Additional labels for the pod. Evaluated as a template +# @section -- Pod podLabels: {} # -- Additional annotations for the pod. Evaluated as a template +# @section -- Pod podAnnotations: {} # -- Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). # Evaluated as a template +# @section -- Pod extraOptionsSpec: {} # extraOptionsSpec: # strategy: 
@@ -261,26 +320,32 @@ extraOptionsSpec: {} # -- Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, # etc). Evaluated as a template +# @section -- Pod extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: # service: myspecialnodegroup # -- Extra environment variables +# @section -- Pod: Environment extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars +# @section -- Pod: Environment extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars +# @section -- Pod: Environment extraEnvVarsSecrets: [] # -- List of volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` +# @section -- Pod: Volumes extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` +# @section -- Pod: Volumes extraVolumeMounts: [] # Configure Pods Security Context. 
@@ -288,28 +353,36 @@ extraVolumeMounts: [] # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Pod: Security context enabled: true # -- Sets the GID that Kubernetes will apply to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Pod: Security context fsGroup: 101 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Container: Security context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Container: Security context runAsUser: 101 # -- Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Container: Security context runAsNonRoot: true # -- Mounts the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Container: Security context readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Container: Security context capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory +# @section -- Container: Resources resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
@@ -328,89 +401,122 @@ resources: {} # Configure extra options for the startup probe startupProbe: # -- Enable startup probe + # @section -- Probes: Startup enabled: false httpGet: # -- HTTP GET path for startup probe + # @section -- Probes: Startup path: "/health" # -- HTTP GET port for startup probe. Evaluated as a template + # @section -- Probes: Startup port: "{{ .Values.service.http.targetPort }}" # -- Longer initial wait to accommodate slow-starting apps + # @section -- Probes: Startup initialDelaySeconds: 5 # -- Often set longer to avoid frequent checks while starting + # @section -- Probes: Startup periodSeconds: 10 # -- Can be longer to allow slow initialization responses + # @section -- Probes: Startup timeoutSeconds: 3 # -- Consecutive failures during startup before killing the container (instead of immediate # restarts) + # @section -- Probes: Startup failureThreshold: 5 # -- Number of consecutive successes required to consider startup complete and enable # liveness/readiness + # @section -- Probes: Startup successThreshold: 1 # Configure extra options for the readiness probe readinessProbe: # -- Enable readiness probe + # @section -- Probes: Readiness enabled: true httpGet: # -- HTTP GET path for readiness probe + # @section -- Probes: Readiness path: "/health" # -- HTTP GET port for readiness probe. 
Evaluated as a template + # @section -- Probes: Readiness port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Probes: Readiness initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Probes: Readiness periodSeconds: 5 # -- Short timeout to detect unresponsive containers for readiness + # @section -- Probes: Readiness timeoutSeconds: 3 # -- Consecutive failures before marking the container Unready (no restart) + # @section -- Probes: Readiness failureThreshold: 5 # -- Number of consecutive successes required to mark the container Ready after failures + # @section -- Probes: Readiness successThreshold: 1 # Configure extra options for the liveness probe livenessProbe: # -- Enable liveness probe + # @section -- Probes: Liveness enabled: true httpGet: # -- HTTP GET path for liveness probe + # @section -- Probes: Liveness path: "/health" # -- HTTP GET port for liveness probe. Evaluated as a template + # @section -- Probes: Liveness port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Probes: Liveness initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Probes: Liveness periodSeconds: 10 # -- Short timeout to detect hung containers quickly + # @section -- Probes: Liveness timeoutSeconds: 3 # -- Consecutive failures before restarting the container + # @section -- Probes: Liveness failureThreshold: 10 # -- Typically 1 (usually ignored) + # @section -- Probes: Liveness successThreshold: 1 # -- Service account configuration +# @section -- Service account serviceAccount: # -- Service account name + # @section -- Service account name: "" # -- Service account annotations + # @section -- Service account annotations: {} # -- Names of Secrets containing credentials to pull images from registries + # @section -- Service account imagePullSecretNames: [] # -- Automatically mount service 
account token + # @section -- Service account automountServiceAccountToken: true ingress: # -- Enable ingress for MCP + # @section -- Ingress enabled: false # -- Path for the main ingress rule. When empty, falls back to `global.ingress.path` + # @section -- Ingress path: "" # -- Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` + # @section -- Ingress defaultPathType: "" # -- Configure the default service for the ingress (evaluated as template) # Important: make sure only one defaultBackend is defined across the k8s cluster: if the # ingress doesn't reconcile successfully, 'describe ingress ' will report problems + # @section -- Ingress defaultBackend: {} # defaultBackend: # service: @@ -419,6 +525,7 @@ ingress: # number: '{{ .Values.frontend.service.http.port }}' # -- Additional hosts you want to include. Evaluated as a template + # @section -- Ingress extraHosts: [] # extraHosts: # - host: '{{ printf "api.%s" .Values.global.platformExternalDomain }}' @@ -435,13 +542,17 @@ ingress: # portNumber: '{{ .Values.frontend.service.http.port }}' # -- Ingress annotations specific to your load balancer. Evaluated as a template + # @section -- Ingress annotations: {} # -- Additional labels for the ingress object. Evaluated as a template + # @section -- Ingress extraLabels: {} # -- Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). # When empty, falls back to `global.ingress.ingressClassName` + # @section -- Ingress ingressClassName: "" # -- TLS configuration. Evaluated as a template + # @section -- Ingress tls: [] # tls: # - hosts: @@ -450,6 +561,7 @@ ingress: # secretName: my-tls # -- Array of extra objects to deploy with the release +# @section -- Extra deployment extraDeploy: [] # extraDeploy: # - apiVersion: v1 
@@ -460,14 +572,20 @@ extraDeploy: [] # ... # -- Annotations to add to all deployed objects +# @section -- Common metadata commonAnnotations: {} # -- Labels to add to all deployed objects +# @section -- Common metadata commonLabels: {} # -- Additional labels for the Secret objects. Evaluated as a template +# @section -- Common metadata secretLabels: {} # -- Additional annotations for the Secret objects. Evaluated as a template +# @section -- Common metadata secretAnnotations: {} # -- Additional labels for the ConfigMap objects. Evaluated as a template +# @section -- Common metadata configMapLabels: {} # -- Additional annotations for the ConfigMap objects. Evaluated as a template +# @section -- Common metadata configMapAnnotations: {} diff --git a/charts/platform/charts/pipeline-optimization/CHANGELOG.md b/charts/platform/charts/pipeline-optimization/CHANGELOG.md index b5499a7..68d0815 100644 --- a/charts/platform/charts/pipeline-optimization/CHANGELOG.md +++ b/charts/platform/charts/pipeline-optimization/CHANGELOG.md @@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [Unreleased] + +### Changed + +- Annotated `values.yaml` with `# @section` markers and switched `README.md.gotmpl` to a per-section Markdown loop, grouping the generated values table by area instead of one flat list. + ## [2.0.6] - 2026-05-05 ### Changed diff --git a/charts/platform/charts/pipeline-optimization/README.md b/charts/platform/charts/pipeline-optimization/README.md index 1264c84..8d0ce93 100644 --- a/charts/platform/charts/pipeline-optimization/README.md +++ b/charts/platform/charts/pipeline-optimization/README.md 
@@ -57,122 +57,234 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md ## Values +### Global + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.imageCredentials | list | ``[]`` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | +| global.imageCredentialsSecrets | list | ``[]`` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | + +### Database + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| database.host | string | ``""`` | Pipeline Optimization MySQL database hostname | +| database.port | int | ``3306`` | Pipeline Optimization MySQL database port | +| database.name | string | ``""`` | Pipeline Optimization MySQL database name | +| database.username | string | ``""`` | Pipeline Optimization MySQL database username | +| database.password | string | ``""`` | Pipeline Optimization MySQL database password | +| database.existingSecretName | string | ``""`` | Name of an existing Secret containing credentials for the Pipeline Optimization MySQL database, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | +| database.existingSecretKey | string | ``"SWELL_DB_PASSWORD"`` | Key in the existing Secret containing the password for the Pipeline Optimization MySQL database | +| database.dialect | string | ``"mysql"`` | Pipeline Optimization database dialect. 
Currently only 'mysql' is supported | + +### Database: TLS + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| database.enableTls | bool | ``true`` | Enable TLS for the Pipeline Optimization MySQL database connection | +| database.tlsCaVerify | bool | ``true`` | Verify the CA certificate when connecting via TLS (set to false to skip verification, insecure - for development/testing only) | +| database.sslCa | string | ``""`` | Path to a CA certificate file for server certificate verification | +| database.sslCert | string | ``""`` | Path to a client certificate file for mutual TLS authentication | +| database.sslKey | string | ``""`` | Path to a client key file for mutual TLS authentication | + +### Platform Database + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platformDatabase.host | string | ``""`` | Platform MySQL database hostname | +| platformDatabase.port | int | ``3306`` | Platform MySQL database port | +| platformDatabase.name | string | ``""`` | Platform MySQL database name | +| platformDatabase.username | string | ``""`` | Platform MySQL database username. Can be a read-only user, since Platform Optimization does not perform write operations on the Platform database | +| platformDatabase.password | string | ``""`` | Platform MySQL database password | +| platformDatabase.existingSecretName | string | ``""`` | Name of an existing Secret containing credentials for the Platform MySQL database, as an alternative to the password field. 
Note: the Secret must already exist in the same namespace at the time of deployment | +| platformDatabase.existingSecretKey | string | ``"TOWER_DB_PASSWORD"`` | Key in the existing Secret containing the password for the Platform MySQL database | + +### Platform Database: TLS + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| platformDatabase.enableTls | bool | ``true`` | Enable TLS for the Platform MySQL database connection | +| platformDatabase.tlsCaVerify | bool | ``true`` | Verify the CA certificate when connecting via TLS (set to false to skip verification, insecure - for development/testing only) | +| platformDatabase.sslCa | string | ``""`` | Path to a CA certificate file for server certificate verification | +| platformDatabase.sslCert | string | ``""`` | Path to a client certificate file for mutual TLS authentication | +| platformDatabase.sslKey | string | ``""`` | Path to a client key file for mutual TLS authentication | + +### Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.registry | string | ``""`` | Pipeline Optimization container image registry | +| image.repository | string | ``"private/nf-tower-enterprise/groundswell"`` | Pipeline Optimization container image repository | +| image.tag | string | ``"{{ .chart.AppVersion }}"`` | Pipeline Optimization container image tag | +| image.digest | string | ``""`` | Pipeline Optimization container image digest in the format `sha256:1234abcdef` | +| image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the Pipeline Optimization container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### DB Migration Init Container + +| Key | Type | 
Default | Description | +|-----|------|---------|-------------| +| dbMigrationInitContainer.image.registry | string | ``""`` | Migrate DB init container image registry | +| dbMigrationInitContainer.image.repository | string | ``"private/nf-tower-enterprise/groundswell"`` | Migrate DB init container image repository | +| dbMigrationInitContainer.image.tag | string | ``"{{ .chart.AppVersion }}"`` | Migrate DB init container image tag | +| dbMigrationInitContainer.image.digest | string | ``""`` | Migrate DB init container image digest in the format `sha256:1234abcdef` | +| dbMigrationInitContainer.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the Migrate DB init container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| dbMigrationInitContainer.command | list | ``["/opt/groundswell/bin/migrate-db.sh"]`` | Command to run to migrate the database schema | +| dbMigrationInitContainer.args | list | ``[]`` | Arguments to pass to the pod command | + +### Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| service.type | string | ``"ClusterIP"`` | Pipeline Optimization Service type. Note: ingresses using AWS ALB require the service to be NodePort | +| service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). 
Evaluated as a template | + +### Service: HTTP + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| service.http.name | string | ``"http"`` | Service name to use | +| service.http.port | int | ``8090`` | Service port number | +| service.http.targetPort | int | ``8090`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port). | +| service.http.nodePort | string | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | + +### Deployment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainers | list | ``[]`` | Additional init containers for the pipeline optimization pod. Evaluated as a template | +| command | list | ``[]`` | Override default container command (useful when using custom images) | +| args | list | ``[]`` | Override default container args (useful when using custom images) | +| podLabels | object | ``{}`` | Additional labels for the pipeline optimization pod. Evaluated as a template | +| podAnnotations | object | ``{}`` | Additional annotations for the pipeline optimization pod. Evaluated as a template | +| extraOptionsSpec | object | ``{}`` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | +| extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | + +### Common Metadata + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | ``{}`` | Annotations to add to all deployed objects | +| commonLabels | object | ``{}`` | Labels to add to all deployed objects | +| configMapAnnotations | object | ``{}`` | Annotations to add specifically to the ConfigMap | +| configMapLabels | object | ``{}`` | Labels to add specifically to the ConfigMap | + +### Environment & Volumes + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraEnvVars | list | ``[]`` | Extra environment variables to set on the pipeline optimization pod | +| extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | +| extraVolumes | list | ``[]`` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). 
Normally used with `extraVolumes` | + +### Pod Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| podSecurityContext.fsGroup | int | ``1000`` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | + +### Container Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| containerSecurityContext.runAsUser | int | ``1000`` | UID the container processes run as (overrides container image default) | +| containerSecurityContext.runAsNonRoot | bool | ``true`` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | +| containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | +| containerSecurityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Resources + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Startup Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| startupProbe.enabled | bool | ``false`` | Enable startup probe | +| startupProbe.httpGet.path | string | ``"/api/v1/health"`` | HTTP GET path for startup probe | +| startupProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for startup probe. 
Evaluated as a template | +| startupProbe.initialDelaySeconds | int | ``5`` | Longer initial wait to accommodate slow-starting apps | +| startupProbe.periodSeconds | int | ``10`` | Often set longer to avoid frequent checks while starting | +| startupProbe.timeoutSeconds | int | ``3`` | Can be longer to allow slow initialization responses | +| startupProbe.failureThreshold | int | ``5`` | Consecutive failures during startup before killing the container (instead of immediate restarts) | +| startupProbe.successThreshold | int | ``1`` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | + +### Readiness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| readinessProbe.enabled | bool | ``true`` | Enable readiness probe | +| readinessProbe.httpGet.path | string | ``"/api/v1/health"`` | HTTP GET path for readiness probe | +| readinessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for readiness probe. 
Evaluated as a template | +| readinessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| readinessProbe.periodSeconds | int | ``5`` | Regular check interval during normal operation | +| readinessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect unresponsive containers for readiness | +| readinessProbe.failureThreshold | int | ``5`` | Consecutive failures before marking the container Unready (no restart) | +| readinessProbe.successThreshold | int | ``1`` | Number of consecutive successes required to mark the container Ready after failures | + +### Liveness Probe + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| livenessProbe.enabled | bool | ``true`` | Enable liveness probe | +| livenessProbe.httpGet.path | string | ``"/api/v1/health"`` | HTTP GET path for liveness probe | +| livenessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for liveness probe. Evaluated as a template | +| livenessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| livenessProbe.periodSeconds | int | ``10`` | Regular check interval during normal operation | +| livenessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect hung containers quickly | +| livenessProbe.failureThreshold | int | ``10`` | Consecutive failures before restarting the container | +| livenessProbe.successThreshold | int | ``1`` | Typically 1 (usually ignored) | + +### Init Container Dependencies + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.enabled | bool | ``true`` | Enable init containers that coordinate startup dependencies (for example, wait for database readiness before starting, etc) | + +### Init Container Dependencies: Wait For MySQL + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForMySQL.enabled | bool | 
``true`` | Enable wait for MySQL init container before starting pipeline optimization and cron | +| initContainerDependencies.waitForMySQL.image.registry | string | ``""`` | Override default wait for MySQL init container image | +| initContainerDependencies.waitForMySQL.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForMySQL.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| initContainerDependencies.waitForMySQL.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForMySQL.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForMySQL.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForMySQL.extraEnvVars | list | ``[]`` | Additional environment variables for the init container. The special variable `MYSQL_EXTRA_ARGS` is appended verbatim to the `mysql` readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. Pair with `extraVolumeMounts` to mount the CA certificate into the container. Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" | +| initContainerDependencies.waitForMySQL.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container. Use this to mount CA certificates (e.g. 
from a Secret or ConfigMap populated by an extraInitContainer) so that `MYSQL_EXTRA_ARGS` can reference them. | + +### Extra Deploy + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraDeploy | list | ``[]`` | Array of extra objects to deploy with the release | + +### Service Account + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| serviceAccount.name | string | ``""`` | Name of an existing ServiceAccount. If not set, a new ServiceAccount is generated based on the release name | +| serviceAccount.annotations | object | ``{}`` | Additional annotations for the Platform ServiceAccount to generate | +| serviceAccount.imagePullSecretNames | list | ``[]`` | Names of Secrets containing credentials to pull images from registries | +| serviceAccount.automountServiceAccountToken | bool | ``false`` | Automount service account token when the server service account is generated | + +### Other Values + | Key | Type | Default | Description | |-----|------|---------|-------------| -| global.imageCredentials | list | `[]` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | -| global.imageCredentialsSecrets | list | `[]` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. 
These Secrets are shared with all the subcharts automatically | -| database.host | string | `""` | Pipeline Optimization MySQL database hostname | -| database.port | int | `3306` | Pipeline Optimization MySQL database port | -| database.name | string | `""` | Pipeline Optimization MySQL database name | -| database.username | string | `""` | Pipeline Optimization MySQL database username | -| database.password | string | `""` | Pipeline Optimization MySQL database password | -| database.existingSecretName | string | `""` | Name of an existing Secret containing credentials for the Pipeline Optimization MySQL database, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | -| database.existingSecretKey | string | `"SWELL_DB_PASSWORD"` | Key in the existing Secret containing the password for the Pipeline Optimization MySQL database | -| database.dialect | string | `"mysql"` | Pipeline Optimization database dialect. Currently only 'mysql' is supported | -| database.enableTls | bool | `true` | Enable TLS for the Pipeline Optimization MySQL database connection | -| database.tlsCaVerify | bool | `true` | Verify the CA certificate when connecting via TLS (set to false to skip verification, insecure - for development/testing only) | -| database.sslCa | string | `""` | Path to a CA certificate file for server certificate verification | -| database.sslCert | string | `""` | Path to a client certificate file for mutual TLS authentication | -| database.sslKey | string | `""` | Path to a client key file for mutual TLS authentication | -| platformDatabase.host | string | `""` | Platform MySQL database hostname | -| platformDatabase.port | int | `3306` | Platform MySQL database port | -| platformDatabase.name | string | `""` | Platform MySQL database name | -| platformDatabase.username | string | `""` | Platform MySQL database username. 
Can be a read-only user, since Platform Optimization does not perform write operations on the Platform database | -| platformDatabase.password | string | `""` | Platform MySQL database password | -| platformDatabase.existingSecretName | string | `""` | Name of an existing Secret containing credentials for the Platform MySQL database, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | -| platformDatabase.existingSecretKey | string | `"TOWER_DB_PASSWORD"` | Key in the existing Secret containing the password for the Platform MySQL database | -| platformDatabase.enableTls | bool | `true` | Enable TLS for the Platform MySQL database connection | -| platformDatabase.tlsCaVerify | bool | `true` | Verify the CA certificate when connecting via TLS (set to false to skip verification, insecure - for development/testing only) | -| platformDatabase.sslCa | string | `""` | Path to a CA certificate file for server certificate verification | -| platformDatabase.sslCert | string | `""` | Path to a client certificate file for mutual TLS authentication | -| platformDatabase.sslKey | string | `""` | Path to a client key file for mutual TLS authentication | -| image.registry | string | `""` | Pipeline Optimization container image registry | -| image.repository | string | `"private/nf-tower-enterprise/groundswell"` | Pipeline Optimization container image repository | -| image.tag | string | `"{{ .chart.AppVersion }}"` | Pipeline Optimization container image tag | -| image.digest | string | `""` | Pipeline Optimization container image digest in the format `sha256:1234abcdef` | -| image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Pipeline Optimization container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: 
https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| dbMigrationInitContainer.image.registry | string | `""` | Migrate DB init container image registry | -| dbMigrationInitContainer.image.repository | string | `"private/nf-tower-enterprise/groundswell"` | Migrate DB init container image repository | -| dbMigrationInitContainer.image.tag | string | `"{{ .chart.AppVersion }}"` | Migrate DB init container image tag | -| dbMigrationInitContainer.image.digest | string | `""` | Migrate DB init container image digest in the format `sha256:1234abcdef` | -| dbMigrationInitContainer.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Migrate DB init container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| dbMigrationInitContainer.command | list | `["/opt/groundswell/bin/migrate-db.sh"]` | Command to run to migrate the database schema | -| dbMigrationInitContainer.args | list | `[]` | Arguments to pass to the pod command | -| service.type | string | `"ClusterIP"` | Pipeline Optimization Service type. Note: ingresses using AWS ALB require the service to be NodePort | -| service.http.name | string | `"http"` | Service name to use | -| service.http.port | int | `8090` | Service port number | -| service.http.targetPort | int | `8090` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port). 
| -| service.http.nodePort | string | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| initContainers | list | `[]` | Additional init containers for the pipeline optimization pod. Evaluated as a template | -| command | list | `[]` | Override default container command (useful when using custom images) | -| args | list | `[]` | Override default container args (useful when using custom images) | -| podLabels | object | `{}` | Additional labels for the pipeline optimization pod. Evaluated as a template | -| podAnnotations | object | `{}` | Additional annotations for the pipeline optimization pod. Evaluated as a template | -| commonAnnotations | object | `{}` | Annotations to add to all deployed objects | -| commonLabels | object | `{}` | Labels to add to all deployed objects | -| configMapAnnotations | object | `{}` | Annotations to add specifically to the ConfigMap | -| configMapLabels | object | `{}` | Labels to add specifically to the ConfigMap | -| extraOptionsSpec | object | `{}` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | -| extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | -| extraEnvVars | list | `[]` | Extra environment variables to set on the pipeline optimization pod | -| extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| extraVolumes | list | `[]` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | -| podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| podSecurityContext.fsGroup | int | `1000` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | -| containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| containerSecurityContext.runAsUser | int | `1000` | UID the container processes run as (overrides container image default) | -| containerSecurityContext.runAsNonRoot | bool | `true` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | -| containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | -| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| startupProbe.enabled | bool | `false` | Enable startup probe | -| startupProbe.httpGet.path | string | `"/api/v1/health"` | HTTP GET path for startup probe | -| startupProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for startup probe. 
Evaluated as a template | -| startupProbe.initialDelaySeconds | int | `5` | Longer initial wait to accommodate slow-starting apps | -| startupProbe.periodSeconds | int | `10` | Often set longer to avoid frequent checks while starting | -| startupProbe.timeoutSeconds | int | `3` | Can be longer to allow slow initialization responses | -| startupProbe.failureThreshold | int | `5` | Consecutive failures during startup before killing the container (instead of immediate restarts) | -| startupProbe.successThreshold | int | `1` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | -| readinessProbe.enabled | bool | `true` | Enable readiness probe | -| readinessProbe.httpGet.path | string | `"/api/v1/health"` | HTTP GET path for readiness probe | -| readinessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for readiness probe. Evaluated as a template | -| readinessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| readinessProbe.periodSeconds | int | `5` | Regular check interval during normal operation | -| readinessProbe.timeoutSeconds | int | `3` | Short timeout to detect unresponsive containers for readiness | -| readinessProbe.failureThreshold | int | `5` | Consecutive failures before marking the container Unready (no restart) | -| readinessProbe.successThreshold | int | `1` | Number of consecutive successes required to mark the container Ready after failures | -| livenessProbe.enabled | bool | `true` | Enable liveness probe | -| livenessProbe.httpGet.path | string | `"/api/v1/health"` | HTTP GET path for liveness probe | -| livenessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for liveness probe. 
Evaluated as a template | -| livenessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| livenessProbe.periodSeconds | int | `10` | Regular check interval during normal operation | -| livenessProbe.timeoutSeconds | int | `3` | Short timeout to detect hung containers quickly | -| livenessProbe.failureThreshold | int | `10` | Consecutive failures before restarting the container | -| livenessProbe.successThreshold | int | `1` | Typically 1 (usually ignored) | -| initContainerDependencies.enabled | bool | `true` | Enable init containers that coordinate startup dependencies (for example, wait for database readiness before starting, etc) | -| initContainerDependencies.waitForMySQL.enabled | bool | `true` | Enable wait for MySQL init container before starting pipeline optimization and cron | -| initContainerDependencies.waitForMySQL.image.registry | string | `""` | Override default wait for MySQL init container image | -| initContainerDependencies.waitForMySQL.image.repository | string | `"mysql"` | | -| initContainerDependencies.waitForMySQL.image.tag | string | `"9"` | | -| initContainerDependencies.waitForMySQL.image.digest | string | `""` | | -| initContainerDependencies.waitForMySQL.image.pullPolicy | string | `"IfNotPresent"` | | -| initContainerDependencies.waitForMySQL.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| initContainerDependencies.waitForMySQL.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| initContainerDependencies.waitForMySQL.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForMySQL.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| 
initContainerDependencies.waitForMySQL.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForMySQL.extraEnvVars | list | `[]` | Additional environment variables for the init container. The special variable `MYSQL_EXTRA_ARGS` is appended verbatim to the `mysql` readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. Pair with `extraVolumeMounts` to mount the CA certificate into the container. Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" | -| initContainerDependencies.waitForMySQL.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container. Use this to mount CA certificates (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that `MYSQL_EXTRA_ARGS` can reference them. | -| extraDeploy | list | `[]` | Array of extra objects to deploy with the release | -| serviceAccount.name | string | `""` | Name of an existing ServiceAccount. 
If not set, a new ServiceAccount is generated based on the release name | -| serviceAccount.annotations | object | `{}` | Additional annotations for the Platform ServiceAccount to generate | -| serviceAccount.imagePullSecretNames | list | `[]` | Names of Secrets containing credentials to pull images from registries | -| serviceAccount.automountServiceAccountToken | bool | `false` | Automount service account token when the server service account is generated | +| initContainerDependencies.waitForMySQL.image.repository | string | ``"mysql"`` | | +| initContainerDependencies.waitForMySQL.image.tag | string | ``"9"`` | | +| initContainerDependencies.waitForMySQL.image.digest | string | ``""`` | | +| initContainerDependencies.waitForMySQL.image.pullPolicy | string | ``"IfNotPresent"`` | | ## Licensing diff --git a/charts/platform/charts/pipeline-optimization/README.md.gotmpl b/charts/platform/charts/pipeline-optimization/README.md.gotmpl index f1cc7f2..3ca71d0 100644 --- a/charts/platform/charts/pipeline-optimization/README.md.gotmpl +++ b/charts/platform/charts/pipeline-optimization/README.md.gotmpl 
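Review bot: the only four `+` rows this hunk adds (`initContainerDependencies.waitForMySQL.image.repository`, `.tag`, `.digest`, `.pullPolicy`) have an empty Description column, which means helm-docs found no `# --` comment for them in values.yaml and, since they carry no `# @section` marker either, they will be emitted under the catch-all "Other Values" heading rather than next to the other `waitForMySQL` keys. Give each of them a one-line `# -- ...` comment plus `# @section -- Init Container Dependencies: Wait For MySQL` so the rows land in the right section with a description; the rest of the removed rows are simply re-homed into sections and need no change.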
@@ -49,7 +49,29 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md {{ template "chart.requirementsSection" . }} -{{ template "chart.valuesSection" . }} +## Values + +{{- range .Sections.Sections }} + +### {{ .SectionName }} + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .SectionItems }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} + +{{- with .Sections.DefaultSection.SectionItems }} + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range . }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} ## Licensing diff --git a/charts/platform/charts/pipeline-optimization/values.yaml b/charts/platform/charts/pipeline-optimization/values.yaml index 995b408..a9a8e21 100644 --- a/charts/platform/charts/pipeline-optimization/values.yaml +++ b/charts/platform/charts/pipeline-optimization/values.yaml @@ -28,6 +28,7 @@ global: # -- Optional credentials to log in and fetch images from a private registry. These credentials # are shared with all the subcharts automatically + # @section -- Global imageCredentials: [] # imageCredentials: # - registry: "" @@ -37,6 +38,7 @@ global: # -- Optional list of existing Secrets containing image pull credentials to use for pulling # images from private registries. These Secrets are shared with all the subcharts automatically + # @section -- Global imageCredentialsSecrets: [] # imageCredentialsSecrets: # - myPrivateRegistryKeySecretName 
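Review bot: the single backticks around `{{ .Default }}` / `{{ .AutoDefault }}` in both table loops double-wrap the value. helm-docs already returns `AutoDefault` backtick-quoted, and this chart's explicit `@default` annotations carry their own backticks (e.g. `# @default -- `"SWELL_DB_PASSWORD"``), which is why the regenerated tables in this patch show defaults as ``"mysql"`` instead of `"mysql"`. Drop the template's backticks, matching the upstream `chart.valuesTable` template, and regenerate the READMEs. The `Other Values` fallback via `.Sections.DefaultSection.SectionItems` is the right hook; note it will currently catch the un-annotated `waitForMySQL.image.*` keys.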
@@ -49,88 +51,119 @@ global: # MySQL database configuration storing the Platform Optimization service data. database: # -- Pipeline Optimization MySQL database hostname + # @section -- Database host: "" # -- Pipeline Optimization MySQL database port + # @section -- Database port: 3306 # -- Pipeline Optimization MySQL database name + # @section -- Database name: "" # -- Pipeline Optimization MySQL database username + # @section -- Database username: "" # -- Pipeline Optimization MySQL database password + # @section -- Database password: "" # -- Name of an existing Secret containing credentials for the Pipeline Optimization MySQL # database, as an alternative to the password field. Note: the Secret must already exist in the # same namespace at the time of deployment + # @section -- Database existingSecretName: "" # -- Key in the existing Secret containing the password for the Pipeline Optimization MySQL # database # @default -- `"SWELL_DB_PASSWORD"` + # @section -- Database existingSecretKey: "" # -- Pipeline Optimization database dialect. Currently only 'mysql' is supported + # @section -- Database dialect: mysql # -- Enable TLS for the Pipeline Optimization MySQL database connection + # @section -- Database: TLS enableTls: true # -- Verify the CA certificate when connecting via TLS (set to false to skip verification, # insecure - for development/testing only) + # @section -- Database: TLS tlsCaVerify: true # -- Path to a CA certificate file for server certificate verification + # @section -- Database: TLS sslCa: "" # -- Path to a client certificate file for mutual TLS authentication + # @section -- Database: TLS sslCert: "" # -- Path to a client key file for mutual TLS authentication + # @section -- Database: TLS sslKey: "" # Platform Optimization communicates with the main Platform database to read pipeline and job # details to optimize. Only read-only access is required. 
platformDatabase: # -- Platform MySQL database hostname + # @section -- Platform Database host: "" # -- Platform MySQL database port + # @section -- Platform Database port: 3306 # -- Platform MySQL database name + # @section -- Platform Database name: "" # -- Platform MySQL database username. Can be a read-only user, since Platform Optimization does # not perform write operations on the Platform database + # @section -- Platform Database username: "" # -- Platform MySQL database password + # @section -- Platform Database password: "" # -- Name of an existing Secret containing credentials for the Platform MySQL database, as an # alternative to the password field. Note: the Secret must already exist in the same namespace at # the time of deployment + # @section -- Platform Database existingSecretName: "" # -- Key in the existing Secret containing the password for the Platform MySQL database # @default -- `"TOWER_DB_PASSWORD"` + # @section -- Platform Database existingSecretKey: "" # -- Enable TLS for the Platform MySQL database connection + # @section -- Platform Database: TLS enableTls: true # -- Verify the CA certificate when connecting via TLS (set to false to skip verification, # insecure - for development/testing only) + # @section -- Platform Database: TLS tlsCaVerify: true # -- Path to a CA certificate file for server certificate verification + # @section -- Platform Database: TLS sslCa: "" # -- Path to a client certificate file for mutual TLS authentication + # @section -- Platform Database: TLS sslCert: "" # -- Path to a client key file for mutual TLS authentication + # @section -- Platform Database: TLS sslKey: "" image: # -- Pipeline Optimization container image registry + # @section -- Image registry: "" # -- Pipeline Optimization container image repository + # @section -- Image repository: private/nf-tower-enterprise/groundswell # -- Pipeline Optimization container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Image tag: "" # -- 
Pipeline Optimization container image digest in the format `sha256:1234abcdef` + # @section -- Image digest: "" # -- imagePullPolicy for the Pipeline Optimization container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName 
@@ -138,41 +171,54 @@ image: dbMigrationInitContainer: image: # -- Migrate DB init container image registry + # @section -- DB Migration Init Container registry: "" # -- Migrate DB init container image repository + # @section -- DB Migration Init Container repository: private/nf-tower-enterprise/groundswell # -- Migrate DB init container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- DB Migration Init Container tag: "" # -- Migrate DB init container image digest in the format `sha256:1234abcdef` + # @section -- DB Migration Init Container digest: "" # -- imagePullPolicy for the Migrate DB init container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- DB Migration Init Container pullPolicy: IfNotPresent # -- Command to run to migrate the database schema + # @section -- DB Migration Init Container command: ['/opt/groundswell/bin/migrate-db.sh'] # -- Arguments to pass to the pod command + # @section -- DB Migration Init Container args: [] service: # -- Pipeline Optimization Service type. # Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Service type: ClusterIP http: # -- Service name to use + # @section -- Service: HTTP name: http # -- Service port number + # @section -- Service: HTTP port: 8090 # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port). + # @section -- Service: HTTP targetPort: 8090 # -- Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Service: HTTP nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Service extraServices: [] # extraServices: # - name: myspecialservice 
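Review bot: the `service.http.nodePort` comment still reads "only used when service.type is Nodeport or LoadBalancer" (pre-existing context line, but now copied into the generated table): the Kubernetes value is `NodePort`, so fix the spelling while these lines are being touched. The section assignments in this hunk (`DB Migration Init Container`, `Service`, `Service: HTTP`) otherwise look consistent.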
@@ -182,33 +228,44 @@ service: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Service extraOptions: {} # -- Additional init containers for the pipeline optimization pod. Evaluated as a template +# @section -- Deployment initContainers: [] # -- Override default container command (useful when using custom images) +# @section -- Deployment command: [] # -- Override default container args (useful when using custom images) +# @section -- Deployment args: [] # -- Additional labels for the pipeline optimization pod. Evaluated as a template +# @section -- Deployment podLabels: {} # -- Additional annotations for the pipeline optimization pod. Evaluated as a template +# @section -- Deployment podAnnotations: {} # -- Annotations to add to all deployed objects +# @section -- Common Metadata commonAnnotations: {} # -- Labels to add to all deployed objects +# @section -- Common Metadata commonLabels: {} # -- Annotations to add specifically to the ConfigMap +# @section -- Common Metadata configMapAnnotations: {} # -- Labels to add specifically to the ConfigMap +# @section -- Common Metadata configMapLabels: {} # -- Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). # Evaluated as a template +# @section -- Deployment extraOptionsSpec: {} # extraOptionsSpec: # replicas: 2 
@@ -219,26 +276,32 @@ extraOptionsSpec: {} # -- Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, # etc). Evaluated as a template +# @section -- Deployment extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: # service: myspecialnodegroup # -- Extra environment variables to set on the pipeline optimization pod +# @section -- Environment & Volumes extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars +# @section -- Environment & Volumes extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars +# @section -- Environment & Volumes extraEnvVarsSecrets: [] # -- List of volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` +# @section -- Environment & Volumes extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` +# @section -- Environment & Volumes extraVolumeMounts: [] # Configure Pods Security Context. 
@@ -246,28 +309,36 @@ extraVolumeMounts: [] # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Pod Security Context enabled: true # -- Sets the GID that Kubernetes will apply to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Pod Security Context fsGroup: 1000 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Container Security Context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Container Security Context runAsUser: 1000 # -- Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Container Security Context runAsNonRoot: true # -- Mounts the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Container Security Context readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Container Security Context capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory +# @section -- Resources resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
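Review bot: section names diverge between the two subcharts changed in this patch. pipeline-optimization uses `Pod Security Context`, `Container Security Context`, `Startup Probe` and `Environment & Volumes`, while the regenerated portal-web README further down uses `Security Context: Pod`, `Security Context: Container`, `Probes: Startup` and `Deployment: Environment`. Since the stated goal is grouping the values tables "by area", pick one naming scheme (the `Area: Sub-area` form already used here for `Database: TLS` and `Service: HTTP` reads well) and apply it to both charts so the umbrella README and the subchart READMEs line up.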
@@ -286,75 +357,102 @@ resources: {} # Configure extra options for the startup probe startupProbe: # -- Enable startup probe + # @section -- Startup Probe enabled: false httpGet: # -- HTTP GET path for startup probe + # @section -- Startup Probe path: "/api/v1/health" # -- HTTP GET port for startup probe. Evaluated as a template + # @section -- Startup Probe port: "{{ .Values.service.http.targetPort }}" # -- Longer initial wait to accommodate slow-starting apps + # @section -- Startup Probe initialDelaySeconds: 5 # -- Often set longer to avoid frequent checks while starting + # @section -- Startup Probe periodSeconds: 10 # -- Can be longer to allow slow initialization responses + # @section -- Startup Probe timeoutSeconds: 3 # -- Consecutive failures during startup before killing the container (instead of immediate # restarts) + # @section -- Startup Probe failureThreshold: 5 # -- Number of consecutive successes required to consider startup complete and enable # liveness/readiness + # @section -- Startup Probe successThreshold: 1 # Configure extra options for the readiness probe readinessProbe: # -- Enable readiness probe + # @section -- Readiness Probe enabled: true httpGet: # -- HTTP GET path for readiness probe + # @section -- Readiness Probe path: "/api/v1/health" # -- HTTP GET port for readiness probe. 
Evaluated as a template + # @section -- Readiness Probe port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Readiness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Readiness Probe periodSeconds: 5 # -- Short timeout to detect unresponsive containers for readiness + # @section -- Readiness Probe timeoutSeconds: 3 # -- Consecutive failures before marking the container Unready (no restart) + # @section -- Readiness Probe failureThreshold: 5 # -- Number of consecutive successes required to mark the container Ready after failures + # @section -- Readiness Probe successThreshold: 1 # Configure extra options for the liveness probe livenessProbe: # -- Enable liveness probe + # @section -- Liveness Probe enabled: true httpGet: # -- HTTP GET path for liveness probe + # @section -- Liveness Probe path: "/api/v1/health" # -- HTTP GET port for liveness probe. Evaluated as a template + # @section -- Liveness Probe port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Liveness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Liveness Probe periodSeconds: 10 # -- Short timeout to detect hung containers quickly + # @section -- Liveness Probe timeoutSeconds: 3 # -- Consecutive failures before restarting the container + # @section -- Liveness Probe failureThreshold: 10 # -- Typically 1 (usually ignored) + # @section -- Liveness Probe successThreshold: 1 initContainerDependencies: # -- Enable init containers that coordinate startup dependencies (for example, wait for database # readiness before starting, etc) + # @section -- Init Container Dependencies enabled: true waitForMySQL: # -- Enable wait for MySQL init container before starting pipeline optimization and cron + # @section -- Init Container Dependencies: Wait For MySQL enabled: true image: # -- Override default 
wait for MySQL init container image + # @section -- Init Container Dependencies: Wait For MySQL registry: "" repository: mysql tag: "9" @@ -364,18 +462,23 @@ initContainerDependencies: securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait For MySQL runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID # 0) + # @section -- Init Container Dependencies: Wait For MySQL runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait For MySQL readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait For MySQL capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait For MySQL resources: requests: cpu: "0.5" @@ -392,13 +495,16 @@ initContainerDependencies: # extraEnvVars: # - name: MYSQL_EXTRA_ARGS # value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" + # @section -- Init Container Dependencies: Wait For MySQL extraEnvVars: [] # -- Additional volume mounts for the init container. Use this to mount CA certificates # (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that # `MYSQL_EXTRA_ARGS` can reference them. + # @section -- Init Container Dependencies: Wait For MySQL extraVolumeMounts: [] # -- Array of extra objects to deploy with the release +# @section -- Extra Deploy extraDeploy: [] # extraDeploy: # - apiVersion: v1 
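Review bot: under `initContainerDependencies.waitForMySQL.image`, only `registry` receives the `# @section -- Init Container Dependencies: Wait For MySQL` marker; the context lines right below it (`repository: mysql`, `tag: "9"`, and the `digest` / `pullPolicy` keys) have neither a `# --` description nor a section marker, so helm-docs will list them with a blank description under "Other Values". That is the source of the four empty-description `+` rows in README.md earlier in this patch. Annotate each key the same way the `securityContext` and `resources` keys in the `@@ -364` hunk are annotated. The `@@ -392` hunk places `# @section` after the commented `extraEnvVars` example block; helm-docs treats the marker as part of the same comment group as the `# --` line, so that is fine, but keep the marker adjacent to the `# --` line for readability.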
@@ -411,10 +517,14 @@ extraDeploy: [] serviceAccount: # -- Name of an existing ServiceAccount. If not set, a new ServiceAccount is generated based on # the release name + # @section -- Service Account name: "" # -- Additional annotations for the Platform ServiceAccount to generate + # @section -- Service Account annotations: {} # -- Names of Secrets containing credentials to pull images from registries + # @section -- Service Account imagePullSecretNames: [] # -- Automount service account token when the server service account is generated + # @section -- Service Account automountServiceAccountToken: false diff --git a/charts/platform/charts/portal-web/CHANGELOG.md b/charts/platform/charts/portal-web/CHANGELOG.md index 719dd35..d0dd4f8 100644 --- a/charts/platform/charts/portal-web/CHANGELOG.md +++ b/charts/platform/charts/portal-web/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [Unreleased] + +### Changed + +- Annotated `values.yaml` with `# @section` markers and switched `README.md.gotmpl` to a per-section Markdown loop, grouping the generated values table by area instead of one flat list. + ## [0.3.0] - 2026-05-05 - **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services). diff --git a/charts/platform/charts/portal-web/README.md b/charts/platform/charts/portal-web/README.md index 7d6fb02..8a859c8 100644 
--- a/charts/platform/charts/portal-web/README.md +++ b/charts/platform/charts/portal-web/README.md @@ -14,7 +14,6 @@ The chart does not automatically define `cr.seqera.io` as the registry where to The required values to set in order to have a working installation are: - The `.global.platformExternalDomain` value to point to the domain where Seqera Platform will be exposed. -- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort`. These point to the Platform backend service that Portal Web communicates with. When deploying this subchart as part of the parent `platform` umbrella chart, these values are inherited automatically from the parent chart's `global` section. - The `.image` section to point to your container registry. - Container registry credentials under the `.global.imageCredentials` section (can be the credentials for cr.seqera.io or your private registry where you vendored the images to). * These credentials will be used by all the subcharts unless overridden in the specific subchart. 
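Review bot: this hunk removes the required-values bullet for `.global.platformServiceAddress` and `.global.platformServicePort`, yet the regenerated table in the next hunk describes both as "Required when deploying this subchart standalone". Either keep the bullet (qualified with "when deploying standalone") or reword the table descriptions; as it stands the README contradicts itself. This is also a documentation change beyond the `# @section` annotations, so the portal-web `[Unreleased]` CHANGELOG entry should mention it.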
@@ -52,102 +51,184 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md ## Values +### Global + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.platformExternalDomain | string | ``"example.com"`` | Domain where Seqera Platform listens | +| global.platformServiceAddress | string | ``""`` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | +| global.platformServicePort | string | ``""`` | Seqera Platform Service port. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | +| global.agentBackendDomain | string | ``"{{ printf \"ai-api.%s\" .Values.global.platformExternalDomain }}"`` | Domain where the Agent Backend service listens. Evaluated as a template | +| global.portalWebDomain | string | ``"{{ printf \"ai.%s\" .Values.global.platformExternalDomain }}"`` | Domain where the Portal Web frontend listens. Evaluated as a template | + +### Global: Ingress defaults + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.ingress.enabled | bool | ``false`` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | +| global.ingress.path | string | ``"/"`` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | +| global.ingress.defaultPathType | string | ``"Prefix"`` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. 
| +| global.ingress.ingressClassName | string | ``""`` | Default ingress class name applied when `ingress.ingressClassName` is not set | +| global.ingress.annotations | object | ``{}`` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | +| global.ingress.extraLabels | object | ``{}`` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | +| global.ingress.tls | list | ``[]`` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | + +### Global: Image credentials + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.imageCredentials | list | ``[]`` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | +| global.imageCredentialsSecrets | list | ``[]`` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. 
These Secrets are shared with all the subcharts automatically | + +### Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.registry | string | ``""`` | Container image registry | +| image.repository | string | ``"private/nf-tower-enterprise/portal-web"`` | Container image repository | +| image.tag | string | ``"{{ .chart.AppVersion }}"`` | Container image tag | +| image.digest | string | ``""`` | Container image digest in the format `sha256:1234abcdef` | +| image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| service.type | string | ``"ClusterIP"`` | Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | +| service.http.name | string | ``"http"`` | Service name to use | +| service.http.port | int | ``80`` | Service port | +| service.http.targetPort | int | ``3000`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | +| service.http.nodePort | string | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | +| service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | + +### Deployment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| tmpDirSizeLimit | string | ``"500Mi"`` | Size limit for the /tmp emptyDir volume | +| nextjsCacheSizeLimit | string | ``"500Mi"`` | Size limit for the /app/.next/cache emptyDir volume | +| initContainers | list | ``[]`` | Additional init containers for the pod. Evaluated as a template | +| command | list | ``[]`` | Override default container command (useful when using custom images) | +| args | list | ``[]`` | Override default container args (useful when using custom images) | +| podLabels | object | ``{}`` | Additional labels for the pod. Evaluated as a template | +| podAnnotations | object | ``{}`` | Additional annotations for the pod. Evaluated as a template | +| extraOptionsSpec | object | ``{}`` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | +| extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (e.g. 
nodeSelector, affinity, restartPolicy, etc). Evaluated as a template | + +### Deployment: Environment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraEnvVars | list | ``[]`` | Extra environment variables | +| extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | +| extraVolumes | list | ``[]`` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | + +### Security Context: Pod + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| podSecurityContext.fsGroup | int | ``1001`` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | + +### Security Context: Container + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| containerSecurityContext.runAsUser | int | ``1001`` | UID the container processes run as (overrides container image default) | +| containerSecurityContext.runAsNonRoot | bool | ``true`` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | +| containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | +| containerSecurityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Resources + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| resources | object | 
``{"limits":{"memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}}`` | Container requests and limits for different resources like CPU or memory | + +### Probes: Startup + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| startupProbe.enabled | bool | ``false`` | Enable startup probe | +| startupProbe.httpGet.path | string | ``"/"`` | HTTP GET path for startup probe | +| startupProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for startup probe. Evaluated as a template | +| startupProbe.initialDelaySeconds | int | ``5`` | Longer initial wait to accommodate slow-starting apps | +| startupProbe.periodSeconds | int | ``10`` | Often set longer to avoid frequent checks while starting | +| startupProbe.timeoutSeconds | int | ``3`` | Can be longer to allow slow initialization responses | +| startupProbe.failureThreshold | int | ``5`` | Consecutive failures during startup before killing the container (instead of immediate restarts) | +| startupProbe.successThreshold | int | ``1`` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | + +### Probes: Readiness + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| readinessProbe.enabled | bool | ``true`` | Enable readiness probe | +| readinessProbe.httpGet.path | string | ``"/"`` | HTTP GET path for readiness probe | +| readinessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for readiness probe. 
Evaluated as a template | +| readinessProbe.initialDelaySeconds | int | ``10`` | Delay before first check | +| readinessProbe.periodSeconds | int | ``5`` | Regular check interval during normal operation | +| readinessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect unresponsive containers for readiness | +| readinessProbe.failureThreshold | int | ``3`` | Consecutive failures before marking the container Unready (no restart) | +| readinessProbe.successThreshold | int | ``1`` | Number of consecutive successes required to mark the container Ready after failures | + +### Probes: Liveness + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| livenessProbe.enabled | bool | ``true`` | Enable liveness probe | +| livenessProbe.httpGet.path | string | ``"/"`` | HTTP GET path for liveness probe | +| livenessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for liveness probe. Evaluated as a template | +| livenessProbe.initialDelaySeconds | int | ``30`` | Delay before first check | +| livenessProbe.periodSeconds | int | ``10`` | Regular check interval during normal operation | +| livenessProbe.timeoutSeconds | int | ``5`` | Short timeout to detect hung containers quickly | +| livenessProbe.failureThreshold | int | ``3`` | Consecutive failures before restarting the container | +| livenessProbe.successThreshold | int | ``1`` | Typically 1 (usually ignored) | + +### Service Account + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| serviceAccount | object | ``{"annotations":{},"automountServiceAccountToken":false,"imagePullSecretNames":[],"name":""}`` | Service account configuration | +| serviceAccount.name | string | ``""`` | Service account name | +| serviceAccount.annotations | object | ``{}`` | Service account annotations | +| serviceAccount.imagePullSecretNames | list | ``[]`` | Names of Secrets containing credentials to pull images from registries | +| 
serviceAccount.automountServiceAccountToken | bool | ``false`` | Automatically mount service account token | + +### Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| ingress.enabled | bool | ``false`` | Enable ingress for Portal Web | +| ingress.path | string | ``""`` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | +| ingress.defaultPathType | string | ``""`` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | +| ingress.defaultBackend | object | ``{}`` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | +| ingress.extraHosts | list | ``[]`` | Additional hosts you want to include. Evaluated as a template | +| ingress.annotations | object | ``{}`` | Ingress annotations specific to your load balancer. Evaluated as a template | +| ingress.extraLabels | object | ``{}`` | Additional labels for the ingress object. Evaluated as a template | +| ingress.ingressClassName | string | ``""`` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | +| ingress.tls | list | ``[]`` | TLS configuration. Evaluated as a template | + +### Extra Deploy + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraDeploy | list | ``[]`` | Array of extra objects to deploy with the release | + +### Common Metadata + | Key | Type | Default | Description | |-----|------|---------|-------------| -| global.platformExternalDomain | string | `"example.com"` | Domain where Seqera Platform listens | -| global.platformServiceAddress | string | `""` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. 
Evaluated as a template. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | -| global.platformServicePort | string | `""` | Seqera Platform Service port. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | -| global.agentBackendDomain | string | `"{{ printf \"ai-api.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Agent Backend service listens. Evaluated as a template | -| global.portalWebDomain | string | `"{{ printf \"ai.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Portal Web frontend listens. Evaluated as a template | -| global.ingress.enabled | bool | `false` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | -| global.ingress.path | string | `"/"` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | -| global.ingress.defaultPathType | string | `"Prefix"` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. | -| global.ingress.ingressClassName | string | `""` | Default ingress class name applied when `ingress.ingressClassName` is not set | -| global.ingress.annotations | object | `{}` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | -| global.ingress.extraLabels | object | `{}` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | -| global.ingress.tls | list | `[]` | TLS entries concatenated with the local `ingress.tls`. 
Evaluated as a template | -| global.imageCredentials | list | `[]` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | -| global.imageCredentialsSecrets | list | `[]` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | -| image.registry | string | `""` | Container image registry | -| image.repository | string | `"private/nf-tower-enterprise/portal-web"` | Container image repository | -| image.tag | string | `"{{ .chart.AppVersion }}"` | Container image tag | -| image.digest | string | `""` | Container image digest in the format `sha256:1234abcdef` | -| image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| service.type | string | `"ClusterIP"` | Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | -| service.http.name | string | `"http"` | Service name to use | -| service.http.port | int | `80` | Service port | -| service.http.targetPort | int | `3000` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | -| service.http.nodePort | string | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| tmpDirSizeLimit | string | `"500Mi"` | Size limit for the /tmp emptyDir volume | -| nextjsCacheSizeLimit | string | `"500Mi"` | Size limit for the /app/.next/cache emptyDir volume | -| initContainers | list | `[]` | Additional init containers for the pod. Evaluated as a template | -| command | list | `[]` | Override default container command (useful when using custom images) | -| args | list | `[]` | Override default container args (useful when using custom images) | -| podLabels | object | `{}` | Additional labels for the pod. Evaluated as a template | -| podAnnotations | object | `{}` | Additional annotations for the pod. Evaluated as a template | -| extraOptionsSpec | object | `{}` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | -| extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | -| extraEnvVars | list | `[]` | Extra environment variables | -| extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| extraVolumes | list | `[]` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | -| podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| podSecurityContext.fsGroup | int | `1001` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | -| containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| containerSecurityContext.runAsUser | int | `1001` | UID the container processes run as (overrides container image default) | -| containerSecurityContext.runAsNonRoot | bool | `true` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | -| containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | -| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| resources | object | `{"limits":{"memory":"500Mi"},"requests":{"cpu":"100m","memory":"500Mi"}}` | Container requests and limits for different resources like CPU or memory | -| startupProbe.enabled | bool | `false` | Enable startup probe | -| startupProbe.httpGet.path | string | `"/"` | HTTP GET path for startup probe | -| startupProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for startup probe. 
Evaluated as a template | -| startupProbe.initialDelaySeconds | int | `5` | Longer initial wait to accommodate slow-starting apps | -| startupProbe.periodSeconds | int | `10` | Often set longer to avoid frequent checks while starting | -| startupProbe.timeoutSeconds | int | `3` | Can be longer to allow slow initialization responses | -| startupProbe.failureThreshold | int | `5` | Consecutive failures during startup before killing the container (instead of immediate restarts) | -| startupProbe.successThreshold | int | `1` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | -| readinessProbe.enabled | bool | `true` | Enable readiness probe | -| readinessProbe.httpGet.path | string | `"/"` | HTTP GET path for readiness probe | -| readinessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for readiness probe. Evaluated as a template | -| readinessProbe.initialDelaySeconds | int | `10` | Delay before first check | -| readinessProbe.periodSeconds | int | `5` | Regular check interval during normal operation | -| readinessProbe.timeoutSeconds | int | `3` | Short timeout to detect unresponsive containers for readiness | -| readinessProbe.failureThreshold | int | `3` | Consecutive failures before marking the container Unready (no restart) | -| readinessProbe.successThreshold | int | `1` | Number of consecutive successes required to mark the container Ready after failures | -| livenessProbe.enabled | bool | `true` | Enable liveness probe | -| livenessProbe.httpGet.path | string | `"/"` | HTTP GET path for liveness probe | -| livenessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for liveness probe. 
Evaluated as a template | -| livenessProbe.initialDelaySeconds | int | `30` | Delay before first check | -| livenessProbe.periodSeconds | int | `10` | Regular check interval during normal operation | -| livenessProbe.timeoutSeconds | int | `5` | Short timeout to detect hung containers quickly | -| livenessProbe.failureThreshold | int | `3` | Consecutive failures before restarting the container | -| livenessProbe.successThreshold | int | `1` | Typically 1 (usually ignored) | -| serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":false,"imagePullSecretNames":[],"name":""}` | Service account configuration | -| serviceAccount.name | string | `""` | Service account name | -| serviceAccount.annotations | object | `{}` | Service account annotations | -| serviceAccount.imagePullSecretNames | list | `[]` | Names of Secrets containing credentials to pull images from registries | -| serviceAccount.automountServiceAccountToken | bool | `false` | Automatically mount service account token | -| ingress.enabled | bool | `false` | Enable ingress for Portal Web | -| ingress.path | string | `""` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | -| ingress.defaultPathType | string | `""` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | -| ingress.defaultBackend | object | `{}` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | -| ingress.extraHosts | list | `[]` | Additional hosts you want to include. Evaluated as a template | -| ingress.annotations | object | `{}` | Ingress annotations specific to your load balancer. Evaluated as a template | -| ingress.extraLabels | object | `{}` | Additional labels for the ingress object. 
Evaluated as a template | -| ingress.ingressClassName | string | `""` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | -| ingress.tls | list | `[]` | TLS configuration. Evaluated as a template | -| extraDeploy | list | `[]` | Array of extra objects to deploy with the release | -| commonAnnotations | object | `{}` | Annotations to add to all deployed objects | -| commonLabels | object | `{}` | Labels to add to all deployed objects | -| secretLabels | object | `{}` | Additional labels for the Secret objects. Evaluated as a template | -| secretAnnotations | object | `{}` | Additional annotations for the Secret objects. Evaluated as a template | -| configMapLabels | object | `{}` | Additional labels for the ConfigMap objects. Evaluated as a template | -| configMapAnnotations | object | `{}` | Additional annotations for the ConfigMap objects. Evaluated as a template | +| commonAnnotations | object | ``{}`` | Annotations to add to all deployed objects | +| commonLabels | object | ``{}`` | Labels to add to all deployed objects | +| secretLabels | object | ``{}`` | Additional labels for the Secret objects. Evaluated as a template | +| secretAnnotations | object | ``{}`` | Additional annotations for the Secret objects. Evaluated as a template | +| configMapLabels | object | ``{}`` | Additional labels for the ConfigMap objects. Evaluated as a template | +| configMapAnnotations | object | ``{}`` | Additional annotations for the ConfigMap objects. Evaluated as a template | ## Licensing diff --git a/charts/platform/charts/portal-web/README.md.gotmpl b/charts/platform/charts/portal-web/README.md.gotmpl index 5440ad1..89f00a7 100644 --- a/charts/platform/charts/portal-web/README.md.gotmpl +++ b/charts/platform/charts/portal-web/README.md.gotmpl 
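Review bot: every generated Default cell added in this README hunk is wrapped in double backticks (``"example.com"``, ``8080``, ``{}``) where the removed rows had single ones (`"example.com"`), so the new per-section template is adding a second pair of backticks around a value that helm-docs already emits as a code span; fix that in README.md.gotmpl and regenerate rather than committing the doubled form. Separately, the rows this hunk removes describe portal-web (`image.repository` defaulting to `"private/nf-tower-enterprise/portal-web"`, "Enable ingress for Portal Web") while the file header says `charts/platform/README.md`, so please check that the `diff --git` header for `charts/platform/charts/portal-web/README.md` was not lost when the patch was assembled.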
@@ -13,7 +13,6 @@ The chart does not automatically define `cr.seqera.io` as the registry where to The required values to set in order to have a working installation are: - The `.global.platformExternalDomain` value to point to the domain where Seqera Platform will be exposed. -- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort`. These point to the Platform backend service that Portal Web communicates with. When deploying this subchart as part of the parent `platform` umbrella chart, these values are inherited automatically from the parent chart's `global` section. - The `.image` section to point to your container registry. - Container registry credentials under the `.global.imageCredentials` section (can be the credentials for cr.seqera.io or your private registry where you vendored the images to). * These credentials will be used by all the subcharts unless overridden in the specific subchart. @@ -44,7 +43,29 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md {{ template "chart.requirementsSection" . }} -{{ template "chart.valuesSection" . }} +## Values + +{{- range .Sections.Sections }} + +### {{ .SectionName }} + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .SectionItems }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} + +{{- with .Sections.DefaultSection.SectionItems }} + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range . }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} ## Licensing 
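Review bot: the first hunk drops the required-values bullet for `.global.platformServiceAddress` and `.global.platformServicePort`, yet the values.yaml comments in this same patch still say those values are "Required when deploying this subchart standalone", and the CHANGELOG entry only mentions the `@section` markers and the per-section loop; either keep the bullet or document the removal. In the second hunk, the row line wraps `{{ .Default }}` and `{{ .AutoDefault }}` in backticks even though helm-docs already returns them as code spans (the `@default` annotation in values.yaml carries its own backticks, and the old single-backtick cells came from the stock template), which is what produces the doubled ``...`` cells in the generated README; use `{{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }}` in both the per-section loop and the "Other Values" loop.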
diff --git a/charts/platform/charts/portal-web/values.yaml b/charts/platform/charts/portal-web/values.yaml index 3a3612b..7d77cfe 100644 --- a/charts/platform/charts/portal-web/values.yaml +++ b/charts/platform/charts/portal-web/values.yaml @@ -19,22 +19,27 @@ # .Values.global.*: https://helm.sh/docs/chart_template_guide/subcharts_and_globals/ global: # -- Domain where Seqera Platform listens + # @section -- Global platformExternalDomain: example.com # -- Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress # hostname. Evaluated as a template. # Required when deploying this subchart standalone. When deploying as part of the parent # `platform` umbrella chart, this value is inherited from the parent chart's `global` section + # @section -- Global platformServiceAddress: "" # -- Seqera Platform Service port. # Required when deploying this subchart standalone. When deploying as part of the parent # `platform` umbrella chart, this value is inherited from the parent chart's `global` section + # @section -- Global platformServicePort: "" # -- Domain where the Agent Backend service listens. Evaluated as a template + # @section -- Global agentBackendDomain: '{{ printf "ai-api.%s" .Values.global.platformExternalDomain }}' # -- Domain where the Portal Web frontend listens. Evaluated as a template + # @section -- Global portalWebDomain: '{{ printf "ai.%s" .Values.global.platformExternalDomain }}' # Ingress defaults shared across the parent chart and all subcharts. Each subchart's local 
@@ -42,26 +47,34 @@ global: ingress: # -- Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so # setting this once at the parent enables all subchart Ingresses. + # @section -- Global: Ingress defaults enabled: false # -- Default path applied to ingress rules when `ingress.path` is not set. # AWS ALB users should override to `/*`. + # @section -- Global: Ingress defaults path: "/" # -- Default path type applied to ingress rules when `ingress.defaultPathType` is not set. # `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. + # @section -- Global: Ingress defaults defaultPathType: "Prefix" # -- Default ingress class name applied when `ingress.ingressClassName` is not set + # @section -- Global: Ingress defaults ingressClassName: "" # -- Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress defaults annotations: {} # -- Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress defaults extraLabels: {} # -- TLS entries concatenated with the local `ingress.tls`. Evaluated as a template + # @section -- Global: Ingress defaults tls: [] # -- Optional credentials to log in and fetch images from a private registry. These credentials # are shared with all the subcharts automatically + # @section -- Global: Image credentials imageCredentials: [] # imageCredentials: # - registry: "" @@ -71,6 +84,7 @@ global: # -- Optional list of existing Secrets containing image pull credentials to use for pulling # images from private registries. These Secrets are shared with all the subcharts automatically + # @section -- Global: Image credentials imageCredentialsSecrets: [] # imageCredentialsSecrets: # - myPrivateRegistryKeySecretName 
@@ -82,20 +96,26 @@ global: image: # -- Container image registry + # @section -- Image registry: "" # -- Container image repository + # @section -- Image repository: private/nf-tower-enterprise/portal-web # -- Container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Image tag: "" # -- Container image digest in the format `sha256:1234abcdef` + # @section -- Image digest: "" # -- imagePullPolicy for the container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName @@ -103,21 +123,27 @@ image: service: # -- Service type. # Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Service type: ClusterIP http: # -- Service name to use + # @section -- Service name: http # -- Service port + # @section -- Service port: 80 # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port) + # @section -- Service targetPort: 3000 # -- Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Service nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Service extraServices: [] # extraServices: # - name: myspecialservice 
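Review bot: the unchanged `# @default -- `"{{ .chart.AppVersion }}"`` line directly above the new `# @section -- Image` annotation on `tag:` refers to `.chart`, while Helm's built-in object is `.Chart` (`.Chart.AppVersion`); since this block is being touched anyway, correct the documented default so readers do not copy an expression that does not resolve.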
@@ -127,29 +153,38 @@ service: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Service extraOptions: {} # -- Size limit for the /tmp emptyDir volume +# @section -- Deployment tmpDirSizeLimit: "500Mi" # -- Size limit for the /app/.next/cache emptyDir volume +# @section -- Deployment nextjsCacheSizeLimit: "500Mi" # -- Additional init containers for the pod. Evaluated as a template +# @section -- Deployment initContainers: [] # -- Override default container command (useful when using custom images) +# @section -- Deployment command: [] # -- Override default container args (useful when using custom images) +# @section -- Deployment args: [] # -- Additional labels for the pod. Evaluated as a template +# @section -- Deployment podLabels: {} # -- Additional annotations for the pod. Evaluated as a template +# @section -- Deployment podAnnotations: {} # -- Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). # Evaluated as a template +# @section -- Deployment extraOptionsSpec: {} # extraOptionsSpec: # strategy: 
@@ -159,26 +194,32 @@ extraOptionsSpec: {} # -- Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, # etc). Evaluated as a template +# @section -- Deployment extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: # service: myspecialnodegroup # -- Extra environment variables +# @section -- Deployment: Environment extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars +# @section -- Deployment: Environment extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars +# @section -- Deployment: Environment extraEnvVarsSecrets: [] # -- List of volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` +# @section -- Deployment: Environment extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` +# @section -- Deployment: Environment extraVolumeMounts: [] # Configure Pods Security Context. 
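Review bot: `extraVolumes` and `extraVolumeMounts` are tagged `# @section -- Deployment: Environment`, but volumes are not environment configuration and the generated table will list them under that heading next to `extraEnvVars`; group them under a volume-oriented section (for example alongside `tmpDirSizeLimit` and `nextjsCacheSizeLimit` in `Deployment`) so the section name matches its contents.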
@@ -186,28 +227,36 @@ extraVolumeMounts: [] # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Security Context: Pod enabled: true # -- Sets the GID that Kubernetes will apply to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Security Context: Pod fsGroup: 1001 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Security Context: Container enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Security Context: Container runAsUser: 1001 # -- Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Security Context: Container runAsNonRoot: true # -- Mounts the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Security Context: Container readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Security Context: Container capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory +# @section -- Resources resources: requests: cpu: "100m" 
@@ -222,92 +271,126 @@ resources: # Configure extra options for the startup probe startupProbe: # -- Enable startup probe + # @section -- Probes: Startup enabled: false httpGet: # -- HTTP GET path for startup probe + # @section -- Probes: Startup path: "/" # -- HTTP GET port for startup probe. Evaluated as a template + # @section -- Probes: Startup port: "{{ .Values.service.http.targetPort }}" # -- Longer initial wait to accommodate slow-starting apps + # @section -- Probes: Startup initialDelaySeconds: 5 # -- Often set longer to avoid frequent checks while starting + # @section -- Probes: Startup periodSeconds: 10 # -- Can be longer to allow slow initialization responses + # @section -- Probes: Startup timeoutSeconds: 3 # -- Consecutive failures during startup before killing the container (instead of immediate # restarts) + # @section -- Probes: Startup failureThreshold: 5 # -- Number of consecutive successes required to consider startup complete and enable # liveness/readiness + # @section -- Probes: Startup successThreshold: 1 # Configure extra options for the readiness probe readinessProbe: # -- Enable readiness probe + # @section -- Probes: Readiness enabled: true httpGet: # -- HTTP GET path for readiness probe + # @section -- Probes: Readiness path: "/" # -- HTTP GET port for readiness probe. 
Evaluated as a template + # @section -- Probes: Readiness port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check + # @section -- Probes: Readiness initialDelaySeconds: 10 # -- Regular check interval during normal operation + # @section -- Probes: Readiness periodSeconds: 5 # -- Short timeout to detect unresponsive containers for readiness + # @section -- Probes: Readiness timeoutSeconds: 3 # -- Consecutive failures before marking the container Unready (no restart) + # @section -- Probes: Readiness failureThreshold: 3 # -- Number of consecutive successes required to mark the container Ready after failures + # @section -- Probes: Readiness successThreshold: 1 # Configure extra options for the liveness probe livenessProbe: # -- Enable liveness probe + # @section -- Probes: Liveness enabled: true httpGet: # -- HTTP GET path for liveness probe + # @section -- Probes: Liveness path: "/" # -- HTTP GET port for liveness probe. Evaluated as a template + # @section -- Probes: Liveness port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check + # @section -- Probes: Liveness initialDelaySeconds: 30 # -- Regular check interval during normal operation + # @section -- Probes: Liveness periodSeconds: 10 # -- Short timeout to detect hung containers quickly + # @section -- Probes: Liveness timeoutSeconds: 5 # -- Consecutive failures before restarting the container + # @section -- Probes: Liveness failureThreshold: 3 # -- Typically 1 (usually ignored) + # @section -- Probes: Liveness successThreshold: 1 # -- Service account configuration +# @section -- Service Account serviceAccount: # -- Service account name + # @section -- Service Account name: "" # -- Service account annotations + # @section -- Service Account annotations: {} # -- Names of Secrets containing credentials to pull images from registries + # @section -- Service Account imagePullSecretNames: [] # -- Automatically mount service account token + # @section -- Service Account 
automountServiceAccountToken: false ingress: # -- Enable ingress for Portal Web + # @section -- Ingress enabled: false # -- Path for the main ingress rule. When empty, falls back to `global.ingress.path` + # @section -- Ingress path: "" # -- Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` + # @section -- Ingress defaultPathType: "" # -- Configure the default service for the ingress (evaluated as template) # Important: make sure only one defaultBackend is defined across the k8s cluster: if the # ingress doesn't reconcile successfully, 'describe ingress ' will report problems + # @section -- Ingress defaultBackend: {} # -- Additional hosts you want to include. Evaluated as a template + # @section -- Ingress extraHosts: [] # extraHosts: # - host: '{{ printf "portal2.%s" .Values.global.platformExternalDomain }}' @@ -318,13 +401,17 @@ ingress: # portNumber: '{{ .Values.service.http.port }}' # -- Ingress annotations specific to your load balancer. Evaluated as a template + # @section -- Ingress annotations: {} # -- Additional labels for the ingress object. Evaluated as a template + # @section -- Ingress extraLabels: {} # -- Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). # When empty, falls back to `global.ingress.ingressClassName` + # @section -- Ingress ingressClassName: "" # -- TLS configuration. Evaluated as a template + # @section -- Ingress tls: [] # tls: # - hosts: @@ -332,6 +419,7 @@ ingress: # secretName: my-tls # -- Array of extra objects to deploy with the release +# @section -- Extra Deploy extraDeploy: [] # extraDeploy: # - apiVersion: v1 
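Review bot: in the `@@ -222,92 +271,126 @@` hunk, both the parent `serviceAccount:` map and each of its children carry a `# --` description plus `# @section -- Service Account`, which is why the generated README shows a `serviceAccount | object | {"annotations":{},"automountServiceAccountToken":false,...}` row immediately followed by `serviceAccount.name`, `serviceAccount.annotations` and the other per-field rows; drop the two comment lines on the parent key (or on the children) so each value is documented once. The same hunk adds a section marker to the liveness `successThreshold` whose comment reads "Typically 1 (usually ignored)"; Kubernetes requires this field to be 1 for liveness and startup probes, so consider tightening that wording while editing the line.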
@@ -339,14 +427,20 @@ extraDeploy: [] # ... # -- Annotations to add to all deployed objects +# @section -- Common Metadata commonAnnotations: {} # -- Labels to add to all deployed objects +# @section -- Common Metadata commonLabels: {} # -- Additional labels for the Secret objects. Evaluated as a template +# @section -- Common Metadata secretLabels: {} # -- Additional annotations for the Secret objects. Evaluated as a template +# @section -- Common Metadata secretAnnotations: {} # -- Additional labels for the ConfigMap objects. Evaluated as a template +# @section -- Common Metadata configMapLabels: {} # -- Additional annotations for the ConfigMap objects. Evaluated as a template +# @section -- Common Metadata configMapAnnotations: {} diff --git a/charts/platform/charts/studios/CHANGELOG.md b/charts/platform/charts/studios/CHANGELOG.md index c33b88c..80a5c24 100644 --- a/charts/platform/charts/studios/CHANGELOG.md +++ b/charts/platform/charts/studios/CHANGELOG.md 
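Review bot: the liveness `successThreshold` comment ("Typically 1 (usually ignored)") understates an API constraint: Kubernetes rejects a liveness probe whose `successThreshold` is anything other than 1, so the comment should say the value must be 1 rather than that it is ignored. Separately, `serviceAccount.automountServiceAccountToken` defaults to `false` here, which is the least-privilege choice, while the studios subchart's regenerated `Service Account` table further down in this patch shows the same key defaulting to `true`; since both values files are being touched, it would be worth aligning the subchart default to `false` or documenting why the proxy and server pods need an API token mounted.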
@@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [Unreleased] + +### Changed + +- Annotated `values.yaml` with `# @section` markers and switched `README.md.gotmpl` to a per-section Markdown loop, grouping the generated values table by area instead of one flat list. + ## [1.3.0] - 2026-05-05 - **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services). diff --git a/charts/platform/charts/studios/README.md b/charts/platform/charts/studios/README.md index aaeaaed..73ee1ce 100644 --- a/charts/platform/charts/studios/README.md +++ b/charts/platform/charts/studios/README.md 
@@ -17,7 +17,6 @@ https://docs.seqera.io/platform-enterprise/enterprise/configuration/pipeline_opt The chart does not automatically define `cr.seqera.io` as the registry where to take the images from: instructions are available to [vendor the Seqera container images to your private registry](https://docs.seqera.io/platform-enterprise/enterprise/prerequisites/common#vendoring-seqera-container-images-to-your-own-registry). The required values to set in order to have a working installation are: -- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort`. These point to the Platform backend service that Studios communicates with. When deploying this subchart as part of the parent `platform` umbrella chart, these values are inherited automatically from the parent chart's `global` section. - The OIDC client registration token under `.proxy.oidcClientRegistrationToken` (or reference an existing Secret with `.proxy.oidcClientRegistrationTokenSecretName`). When deploying as part of the platform parent chart this is set automatically; when deploying standalone it must match the value configured in the platform backend. - The `.image` and the `.dbMigrationInitContainer.image` sections to point to your container registry. - Container registry credentials under the `.global.imageCredentials` section (can be the credentials for cr.seqera.io or your private registry where you vendored the images to). 
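Review bot: the required-values list loses its `.global.platformServiceAddress` / `.global.platformServicePort` bullet, yet the regenerated table below still marks both keys "Required when deploying this subchart standalone", and the Unreleased CHANGELOG entry in this patch describes only the `# @section` grouping. The bullet was the one place a standalone deployer is told up front that these must be set, so either keep it or add a CHANGELOG line explaining why it was removed.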
@@ -67,139 +66,261 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md ## Values +### Global + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.platformExternalDomain | string | ``"example.com"`` | Domain where Seqera Platform listens | +| global.platformServiceAddress | string | ``""`` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | +| global.platformServicePort | string | ``""`` | Seqera Platform Service port. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | + +### Global: Studios + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.studiosDomain | string | ``"{{ printf \"studios.%s\" .Values.global.platformExternalDomain }}"`` | Domain where the Studios service listens. Make sure the TLS certificate covers this and its wildcard subdomains. Evaluated as a template | +| global.studiosConnectionUrl | string | ``"{{ printf \"https://connect.%s\" (tpl .Values.global.studiosDomain $) }}"`` | Base URL for Studios connections: can be any value, since each session will use a unique subdomain under `.global.studiosDomain` anyway to connect. Evaluated as a template | + +### Global: Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.ingress.enabled | bool | ``false`` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | +| global.ingress.path | string | ``"/"`` | Default path applied to ingress rules when `ingress.path` is not set. 
AWS ALB users should override to `/*`. | +| global.ingress.defaultPathType | string | ``"Prefix"`` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. | +| global.ingress.ingressClassName | string | ``""`` | Default ingress class name applied when `ingress.ingressClassName` is not set | +| global.ingress.annotations | object | ``{}`` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | +| global.ingress.extraLabels | object | ``{}`` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | +| global.ingress.tls | list | ``[]`` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | + +### Global: Image Credentials + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.imageCredentials | list | ``[]`` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | +| global.imageCredentialsSecrets | list | ``[]`` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | + +### Redis + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| redis.host | string | ``""`` | Redis hostname | +| redis.port | int | ``6379`` | Redis port | +| redis.database | int | ``0`` | Redis database number | +| redis.password | string | ``""`` | Redis password if the installation requires it | +| redis.existingSecretName | string | ``""`` | Name of an existing Secret containing credentials for Redis, as an alternative to the password field. 
Note: the Secret must already exist in the same namespace at the time of deployment | +| redis.existingSecretKey | string | ``"CONNECT_REDIS_PASSWORD"`` | Key in the existing Secret containing the password for Redis | +| redis.enableTls | bool | ``false`` | Enable TLS when connecting to Redis | +| redis.prefix | string | ``"connect:session"`` | Key prefix to use when storing Studios sessions in Redis | + +### Proxy: Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| proxy.image.registry | string | ``""`` | Proxy container image registry | +| proxy.image.repository | string | ``"private/nf-tower-enterprise/data-studio/connect-proxy"`` | Proxy container image repository | +| proxy.image.tag | string | ``"{{ .chart.AppVersion }}"`` | Proxy container image tag | +| proxy.image.digest | string | ``""`` | Proxy container image digest in the format `sha256:1234abcdef` | +| proxy.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the Proxy container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| proxy.image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### Proxy: OIDC + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| proxy.oidcClientRegistrationToken | string | ``""`` | Initial access token to share with Seqera Platform to restrict registration requests to only authorized OIDC clients. The token can be provided as a string of random chars or as an external k8s Secret: in the latter case, a key can also be provided. If neither a string nor a Secret is provided, the chart will generate a random token WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. 
When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | +| proxy.oidcClientRegistrationTokenSecretName | string | ``""`` | Name of an existing Secret containing the OIDC client registration token as an alternative to the oidcClientRegistrationToken field. Note: the Secret must already exist in the same namespace at the time of deployment | +| proxy.oidcClientRegistrationTokenSecretKey | string | ``"CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN"`` | Key in the existing Secret containing the OIDC client registration token | + +### Proxy + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| proxy.localCacheTTL | string | ``"2m"`` | TTL for local cache of Redis keys used for resiliency against Redis failures | + +### Proxy: Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| proxy.service.type | string | ``"ClusterIP"`` | Proxy Service type. Note: ingresses using AWS ALB require the service to be NodePort | +| proxy.service.http.name | string | ``"http"`` | Service name to use | +| proxy.service.http.port | int | ``80`` | Service port | +| proxy.service.http.targetPort | int | ``8081`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | +| proxy.service.http.nodePort | string | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | +| proxy.service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| proxy.service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). 
Evaluated as a template | +| proxy.serviceLabels | object | ``{}`` | Additional labels for the Service objects. Evaluated as a template | +| proxy.serviceAnnotations | object | ``{}`` | Additional annotations for the Service objects. Evaluated as a template | + +### Proxy: Pod + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| proxy.initContainers | list | ``[]`` | Additional init containers for the proxy pod. Evaluated as a template | +| proxy.command | list | ``[]`` | Override default container command (useful when using custom images) | +| proxy.args | list | ``[]`` | Override default container args (useful when using custom images) | +| proxy.podLabels | object | ``{}`` | Additional labels for the proxy pod. Evaluated as a template | +| proxy.podAnnotations | object | ``{}`` | Additional annotations for the proxy pod. Evaluated as a template | +| proxy.extraVolumes | list | ``[]`` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| proxy.extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | +| proxy.extraOptionsSpec | object | ``{"replicas":2}`` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | +| proxy.extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | + +### Proxy: Environment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| proxy.extraEnvVars | list | ``[]`` | Extra environment variables to set on the proxy pod | +| proxy.extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| proxy.extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | + +### Proxy: Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| proxy.podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| proxy.podSecurityContext.fsGroup | int | ``65532`` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | +| proxy.containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| proxy.containerSecurityContext.runAsUser | int | ``65532`` | UID the container processes run as (overrides container image default) | +| proxy.containerSecurityContext.runAsGroup | int | ``65532`` | GID the container processes run as (overrides container image default) | +| proxy.containerSecurityContext.runAsNonRoot | bool | ``true`` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | +| proxy.containerSecurityContext.readOnlyRootFilesystem | bool | ``false`` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | +| proxy.containerSecurityContext.capabilities | object | ``{"add":["NET_BIND_SERVICE"],"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Proxy: Resources + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| proxy.resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Server: Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| 
+| server.image.registry | string | ``""`` | Server container image registry | +| server.image.repository | string | ``"private/nf-tower-enterprise/data-studio/connect-server"`` | Server container image repository | +| server.image.tag | string | ``"{{ .chart.AppVersion }}"`` | Server container image tag | +| server.image.digest | string | ``""`` | Server container image digest in the format `sha256:1234abcdef` | +| server.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the Server container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| server.image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### Server + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| server.tunnelPort | int | ``7070`` | Port that proxy contacts the server at to create a new tunnel | +| server.listenerPort | int | ``7777`` | Port where the server listens for connections from the Studios clients | +| server.logLevel | string | ``"info"`` | Server log level, one of: `trace`, `debug`, `info`, `warn`, `error`, `fatal` | + +### Server: Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| server.service.type | string | ``"ClusterIP"`` | Server Service type. There should be no need to expose the Studios Server service outside of the cluster, since traffic goes through the proxy | +| server.service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| server.service.extraOptions | object | ``{"clusterIP":"None"}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). 
Evaluated as a template | +| server.serviceLabels | object | ``{}`` | Additional labels for the Service objects. Evaluated as a template | +| server.serviceAnnotations | object | ``{}`` | Additional annotations for the Service objects. Evaluated as a template | + +### Server: Pod + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| server.initContainers | list | ``[]`` | Additional init containers for the server pod. Evaluated as a template | +| server.command | list | ``[]`` | Override default container command (useful when using custom images) | +| server.args | list | ``[]`` | Override default container args (useful when using custom images) | +| server.podLabels | object | ``{}`` | Additional labels for the server pod. Evaluated as a template | +| server.podAnnotations | object | ``{}`` | Additional annotations for the server pod. Evaluated as a template | +| server.extraVolumes | list | ``[]`` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| server.extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | +| server.extraOptionsSpec | object | ``{"replicas":2}`` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | +| server.extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | + +### Server: Environment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| server.extraEnvVars | list | ``[]`` | Extra environment variables to set on the server pod | +| server.extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| server.extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | + +### Server: Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| server.podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| server.podSecurityContext.fsGroup | int | ``65532`` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | +| server.containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| server.containerSecurityContext.runAsUser | int | ``65532`` | UID the container processes run as (overrides container image default) | +| server.containerSecurityContext.runAsGroup | int | ``65532`` | GID the container processes run as (overrides container image default) | +| server.containerSecurityContext.runAsNonRoot | bool | ``true`` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | +| server.containerSecurityContext.readOnlyRootFilesystem | bool | ``false`` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | +| server.containerSecurityContext.capabilities | object | ``{"add":["NET_BIND_SERVICE"],"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Server: Resources + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| server.resources | object | ``{}`` | Container requests and limits for different resources like CPU or memory | + +### Init Container Dependencies + +| Key | Type | Default | Description | 
+|-----|------|---------|-------------| +| initContainerDependencies.enabled | bool | ``true`` | Enable init containers that coordinate startup dependencies (for example, wait for Seqera Platform readiness before starting, etc) | + +### Init Container Dependencies: Wait for Platform + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForPlatform.enabled | bool | ``true`` | Enable wait for Seqera Platform init container before starting the proxy | +| initContainerDependencies.waitForPlatform.image.registry | string | ``""`` | Wait for Platform init container image registry | +| initContainerDependencies.waitForPlatform.image.repository | string | ``"curlimages/curl"`` | Wait for Platform init container image repository | +| initContainerDependencies.waitForPlatform.image.tag | string | ``"latest"`` | Wait for Platform init container image tag | +| initContainerDependencies.waitForPlatform.image.digest | string | ``""`` | Wait for Platform init container image digest in the format `sha256:1234abcdef` | +| initContainerDependencies.waitForPlatform.image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the wait for Platform init container | +| initContainerDependencies.waitForPlatform.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForPlatform.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID 0) | +| initContainerDependencies.waitForPlatform.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForPlatform.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForPlatform.resources | 
object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.1","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForPlatform.extraEnvVars | list | ``[]`` | Additional environment variables for the init container | +| initContainerDependencies.waitForPlatform.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container (e.g. to mount a CA certificate) | + +### Service Account + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| serviceAccount.name | string | ``""`` | Name of an existing ServiceAccount. If not set, a new ServiceAccount is generated based on the release name | +| serviceAccount.annotations | object | ``{}`` | Additional annotations for the ServiceAccount to generate | +| serviceAccount.imagePullSecretNames | list | ``[]`` | Names of Secrets containing credentials to pull images from registries | +| serviceAccount.automountServiceAccountToken | bool | ``true`` | Automount service account token when the ServiceAccount is generated | + +### Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| ingress.enabled | bool | ``false`` | Enable ingress for Studios Proxy | +| ingress.path | string | ``""`` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | +| ingress.defaultPathType | string | ``""`` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | +| ingress.defaultBackend | object | ``{}`` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | +| ingress.extraHosts | list | ``[]`` | Additional hosts you want to include. 
Evaluated as a template | +| ingress.annotations | object | ``{}`` | Ingress annotations specific to your load balancer. Evaluated as a template | +| ingress.extraLabels | object | ``{}`` | Additional labels for the ingress object. Evaluated as a template | +| ingress.ingressClassName | string | ``""`` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | +| ingress.tls | list | ``[]`` | TLS configuration. Evaluated as a template | + +### Common + | Key | Type | Default | Description | |-----|------|---------|-------------| -| global.platformExternalDomain | string | `"example.com"` | Domain where Seqera Platform listens | -| global.platformServiceAddress | string | `""` | Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress hostname. Evaluated as a template. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | -| global.platformServicePort | string | `""` | Seqera Platform Service port. Required when deploying this subchart standalone. When deploying as part of the parent `platform` umbrella chart, this value is inherited from the parent chart's `global` section | -| global.studiosDomain | string | `"{{ printf \"studios.%s\" .Values.global.platformExternalDomain }}"` | Domain where the Studios service listens. Make sure the TLS certificate covers this and its wildcard subdomains. Evaluated as a template | -| global.studiosConnectionUrl | string | `"{{ printf \"https://connect.%s\" (tpl .Values.global.studiosDomain $) }}"` | Base URL for Studios connections: can be any value, since each session will use a unique subdomain under `.global.studiosDomain` anyway to connect. Evaluated as a template | -| global.ingress.enabled | bool | `false` | Enable Ingress for this chart. 
OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | -| global.ingress.path | string | `"/"` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | -| global.ingress.defaultPathType | string | `"Prefix"` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. | -| global.ingress.ingressClassName | string | `""` | Default ingress class name applied when `ingress.ingressClassName` is not set | -| global.ingress.annotations | object | `{}` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | -| global.ingress.extraLabels | object | `{}` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | -| global.ingress.tls | list | `[]` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | -| global.imageCredentials | list | `[]` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | -| global.imageCredentialsSecrets | list | `[]` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | -| redis.host | string | `""` | Redis hostname | -| redis.port | int | `6379` | Redis port | -| redis.database | int | `0` | Redis database number | -| redis.password | string | `""` | Redis password if the installation requires it | -| redis.existingSecretName | string | `""` | Name of an existing Secret containing credentials for Redis, as an alternative to the password field. 
Note: the Secret must already exist in the same namespace at the time of deployment | -| redis.existingSecretKey | string | `"CONNECT_REDIS_PASSWORD"` | Key in the existing Secret containing the password for Redis | -| redis.enableTls | bool | `false` | Enable TLS when connecting to Redis | -| redis.prefix | string | `"connect:session"` | Key prefix to use when storing Studios sessions in Redis | -| proxy.image.registry | string | `""` | Proxy container image registry | -| proxy.image.repository | string | `"private/nf-tower-enterprise/data-studio/connect-proxy"` | Proxy container image repository | -| proxy.image.tag | string | `"{{ .chart.AppVersion }}"` | Proxy container image tag | -| proxy.image.digest | string | `""` | Proxy container image digest in the format `sha256:1234abcdef` | -| proxy.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Proxy container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| proxy.image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| proxy.oidcClientRegistrationToken | string | `""` | Initial access token to share with Seqera Platform to restrict registration requests to only authorized OIDC clients. The token can be provided as a string of random chars or as an external k8s Secret: in the latter case, a key can also be provided. If neither a string nor a Secret is provided, the chart will generate a random token WARNING: Always explicitly set this value or use an existing secret when using Kustomize. Auto-generated random values are incompatible with Kustomize. 
When upgrading releases via Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to regenerate a new random value on each upgrade | -| proxy.oidcClientRegistrationTokenSecretName | string | `""` | Name of an existing Secret containing the OIDC client registration token as an alternative to the oidcClientRegistrationToken field. Note: the Secret must already exist in the same namespace at the time of deployment | -| proxy.oidcClientRegistrationTokenSecretKey | string | `"CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN"` | Key in the existing Secret containing the OIDC client registration token | -| proxy.localCacheTTL | string | `"2m"` | TTL for local cache of Redis keys used for resiliency against Redis failures | -| proxy.service.type | string | `"ClusterIP"` | Proxy Service type. Note: ingresses using AWS ALB require the service to be NodePort | -| proxy.service.http.name | string | `"http"` | Service name to use | -| proxy.service.http.port | int | `80` | Service port | -| proxy.service.http.targetPort | int | `8081` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | -| proxy.service.http.nodePort | string | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| proxy.service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| proxy.service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| proxy.initContainers | list | `[]` | Additional init containers for the proxy pod. 
Evaluated as a template | -| proxy.command | list | `[]` | Override default container command (useful when using custom images) | -| proxy.args | list | `[]` | Override default container args (useful when using custom images) | -| proxy.podLabels | object | `{}` | Additional labels for the proxy pod. Evaluated as a template | -| proxy.podAnnotations | object | `{}` | Additional annotations for the proxy pod. Evaluated as a template | -| proxy.serviceLabels | object | `{}` | Additional labels for the Service objects. Evaluated as a template | -| proxy.serviceAnnotations | object | `{}` | Additional annotations for the Service objects. Evaluated as a template | -| proxy.extraEnvVars | list | `[]` | Extra environment variables to set on the proxy pod | -| proxy.extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| proxy.extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| proxy.extraVolumes | list | `[]` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| proxy.extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | -| proxy.extraOptionsSpec | object | `{"replicas":2}` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | -| proxy.extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | -| proxy.podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| proxy.podSecurityContext.fsGroup | int | `65532` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | -| proxy.containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| proxy.containerSecurityContext.runAsUser | int | `65532` | UID the container processes run as (overrides container image default) | -| proxy.containerSecurityContext.runAsGroup | int | `65532` | GID the container processes run as (overrides container image default) | -| proxy.containerSecurityContext.runAsNonRoot | bool | `true` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | -| proxy.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | -| proxy.containerSecurityContext.capabilities | object | `{"add":["NET_BIND_SERVICE"],"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| proxy.resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| server.image.registry | string | `""` | Server container image registry | -| server.image.repository | string | `"private/nf-tower-enterprise/data-studio/connect-server"` | Server container image repository | -| server.image.tag | string | `"{{ .chart.AppVersion }}"` | Server container image tag | -| server.image.digest | string | `""` | Server container image digest in the format `sha256:1234abcdef` | -| server.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the Server container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| server.image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the 
.extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| server.tunnelPort | int | `7070` | Port that proxy contacts the server at to create a new tunnel | -| server.listenerPort | int | `7777` | Port where the server listens for connections from the Studios clients | -| server.service.type | string | `"ClusterIP"` | Server Service type. There should be no need to expose the Studios Server service outside of the cluster, since traffic goes through the proxy | -| server.service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| server.service.extraOptions | object | `{"clusterIP":"None"}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| server.logLevel | string | `"info"` | Server log level, one of: `trace`, `debug`, `info`, `warn`, `error`, `fatal` | -| server.initContainers | list | `[]` | Additional init containers for the server pod. Evaluated as a template | -| server.command | list | `[]` | Override default container command (useful when using custom images) | -| server.args | list | `[]` | Override default container args (useful when using custom images) | -| server.podLabels | object | `{}` | Additional labels for the server pod. Evaluated as a template | -| server.podAnnotations | object | `{}` | Additional annotations for the server pod. Evaluated as a template | -| server.serviceLabels | object | `{}` | Additional labels for the Service objects. Evaluated as a template | -| server.serviceAnnotations | object | `{}` | Additional annotations for the Service objects. 
Evaluated as a template | -| server.extraEnvVars | list | `[]` | Extra environment variables to set on the server pod | -| server.extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| server.extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| server.extraVolumes | list | `[]` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| server.extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | -| server.extraOptionsSpec | object | `{"replicas":2}` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | -| server.extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). Evaluated as a template | -| server.podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| server.podSecurityContext.fsGroup | int | `65532` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | -| server.containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| server.containerSecurityContext.runAsUser | int | `65532` | UID the container processes run as (overrides container image default) | -| server.containerSecurityContext.runAsGroup | int | `65532` | GID the container processes run as (overrides container image default) | -| server.containerSecurityContext.runAsNonRoot | bool | `true` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | -| server.containerSecurityContext.readOnlyRootFilesystem | bool | `false` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | -| server.containerSecurityContext.capabilities | object | 
`{"add":["NET_BIND_SERVICE"],"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| server.resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.enabled | bool | `true` | Enable init containers that coordinate startup dependencies (for example, wait for Seqera Platform readiness before starting, etc) | -| initContainerDependencies.waitForPlatform.enabled | bool | `true` | Enable wait for Seqera Platform init container before starting the proxy | -| initContainerDependencies.waitForPlatform.image.registry | string | `""` | Wait for Platform init container image registry | -| initContainerDependencies.waitForPlatform.image.repository | string | `"curlimages/curl"` | Wait for Platform init container image repository | -| initContainerDependencies.waitForPlatform.image.tag | string | `"latest"` | Wait for Platform init container image tag | -| initContainerDependencies.waitForPlatform.image.digest | string | `""` | Wait for Platform init container image digest in the format `sha256:1234abcdef` | -| initContainerDependencies.waitForPlatform.image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the wait for Platform init container | -| initContainerDependencies.waitForPlatform.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| initContainerDependencies.waitForPlatform.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID 0) | -| initContainerDependencies.waitForPlatform.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForPlatform.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| 
initContainerDependencies.waitForPlatform.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.1","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForPlatform.extraEnvVars | list | `[]` | Additional environment variables for the init container | -| initContainerDependencies.waitForPlatform.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container (e.g. to mount a CA certificate) | -| serviceAccount.name | string | `""` | Name of an existing ServiceAccount. If not set, a new ServiceAccount is generated based on the release name | -| serviceAccount.annotations | object | `{}` | Additional annotations for the ServiceAccount to generate | -| serviceAccount.imagePullSecretNames | list | `[]` | Names of Secrets containing credentials to pull images from registries | -| serviceAccount.automountServiceAccountToken | bool | `true` | Automount service account token when the ServiceAccount is generated | -| ingress.enabled | bool | `false` | Enable ingress for Studios Proxy | -| ingress.path | string | `""` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | -| ingress.defaultPathType | string | `""` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | -| ingress.defaultBackend | object | `{}` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | -| ingress.extraHosts | list | `[]` | Additional hosts you want to include. Evaluated as a template | -| ingress.annotations | object | `{}` | Ingress annotations specific to your load balancer. Evaluated as a template | -| ingress.extraLabels | object | `{}` | Additional labels for the ingress object. 
Evaluated as a template | -| ingress.ingressClassName | string | `""` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | -| ingress.tls | list | `[]` | TLS configuration. Evaluated as a template | -| extraDeploy | list | `[]` | Array of extra objects to deploy with the release | -| commonAnnotations | object | `{}` | Annotations to add to all deployed objects | -| commonLabels | object | `{}` | Labels to add to all deployed objects | -| secretLabels | object | `{}` | Additional labels for the Secret objects. Evaluated as a template | -| secretAnnotations | object | `{}` | Additional annotations for the Secret objects. Evaluated as a template | -| configMapLabels | object | `{}` | Additional labels for the ConfigMap objects. Evaluated as a template | -| configMapAnnotations | object | `{}` | Additional annotations for the ConfigMap objects. Evaluated as a template | +| extraDeploy | list | ``[]`` | Array of extra objects to deploy with the release | +| commonAnnotations | object | ``{}`` | Annotations to add to all deployed objects | +| commonLabels | object | ``{}`` | Labels to add to all deployed objects | +| secretLabels | object | ``{}`` | Additional labels for the Secret objects. Evaluated as a template | +| secretAnnotations | object | ``{}`` | Additional annotations for the Secret objects. Evaluated as a template | +| configMapLabels | object | ``{}`` | Additional labels for the ConfigMap objects. Evaluated as a template | +| configMapAnnotations | object | ``{}`` | Additional annotations for the ConfigMap objects. Evaluated as a template | ## Licensing diff --git a/charts/platform/charts/studios/README.md.gotmpl b/charts/platform/charts/studios/README.md.gotmpl index dfaf7cc..e482018 100644 --- a/charts/platform/charts/studios/README.md.gotmpl +++ b/charts/platform/charts/studios/README.md.gotmpl 
@@ -16,7 +16,6 @@ https://docs.seqera.io/platform-enterprise/enterprise/configuration/pipeline_opt The chart does not automatically define `cr.seqera.io` as the registry where to take the images from: instructions are available to [vendor the Seqera container images to your private registry](https://docs.seqera.io/platform-enterprise/enterprise/prerequisites/common#vendoring-seqera-container-images-to-your-own-registry). The required values to set in order to have a working installation are: -- The Seqera Platform Service connection details under `.global.platformServiceAddress` and `.global.platformServicePort`. These point to the Platform backend service that Studios communicates with. When deploying this subchart as part of the parent `platform` umbrella chart, these values are inherited automatically from the parent chart's `global` section. - The OIDC client registration token under `.proxy.oidcClientRegistrationToken` (or reference an existing Secret with `.proxy.oidcClientRegistrationTokenSecretName`). When deploying as part of the platform parent chart this is set automatically; when deploying standalone it must match the value configured in the platform backend. - The `.image` and the `.dbMigrationInitContainer.image` sections to point to your container registry. - Container registry credentials under the `.global.imageCredentials` section (can be the credentials for cr.seqera.io or your private registry where you vendored the images to). 
@@ -59,7 +58,29 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md {{ template "chart.requirementsSection" . }} -{{ template "chart.valuesSection" . }} +## Values + +{{- range .Sections.Sections }} + +### {{ .SectionName }} + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .SectionItems }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} + +{{- with .Sections.DefaultSection.SectionItems }} + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range . }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} ## Licensing diff --git a/charts/platform/charts/studios/values.yaml b/charts/platform/charts/studios/values.yaml index fc391df..5dc7d1e 100644 --- a/charts/platform/charts/studios/values.yaml +++ b/charts/platform/charts/studios/values.yaml 
@@ -19,23 +19,28 @@ # .Values.global.*: https://helm.sh/docs/chart_template_guide/subcharts_and_globals/ global: # -- Domain where Seqera Platform listens + # @section -- Global platformExternalDomain: example.com # -- Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress # hostname. Evaluated as a template. # Required when deploying this subchart standalone. When deploying as part of the parent # `platform` umbrella chart, this value is inherited from the parent chart's `global` section + # @section -- Global platformServiceAddress: "" # -- Seqera Platform Service port. # Required when deploying this subchart standalone. When deploying as part of the parent # `platform` umbrella chart, this value is inherited from the parent chart's `global` section + # @section -- Global platformServicePort: "" # -- Domain where the Studios service listens. Make sure the TLS certificate covers this and its # wildcard subdomains. Evaluated as a template + # @section -- Global: Studios studiosDomain: '{{ printf "studios.%s" .Values.global.platformExternalDomain }}' # -- Base URL for Studios connections: can be any value, since each session will use a unique # subdomain under `.global.studiosDomain` anyway to connect. Evaluated as a template + # @section -- Global: Studios studiosConnectionUrl: '{{ printf "https://connect.%s" (tpl .Values.global.studiosDomain $) }}' # Ingress defaults shared across the parent chart and all subcharts. Each subchart's local 
@@ -43,26 +48,34 @@ global: ingress: # -- Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so # setting this once at the parent enables all subchart Ingresses. + # @section -- Global: Ingress enabled: false # -- Default path applied to ingress rules when `ingress.path` is not set. # AWS ALB users should override to `/*`. + # @section -- Global: Ingress path: "/" # -- Default path type applied to ingress rules when `ingress.defaultPathType` is not set. # `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. + # @section -- Global: Ingress defaultPathType: "Prefix" # -- Default ingress class name applied when `ingress.ingressClassName` is not set + # @section -- Global: Ingress ingressClassName: "" # -- Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress annotations: {} # -- Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress extraLabels: {} # -- TLS entries concatenated with the local `ingress.tls`. Evaluated as a template + # @section -- Global: Ingress tls: [] # -- Optional credentials to log in and fetch images from a private registry. These credentials # are shared with all the subcharts automatically + # @section -- Global: Image Credentials imageCredentials: [] # imageCredentials: # - registry: "" @@ -72,6 +85,7 @@ global: # -- Optional list of existing Secrets containing image pull credentials to use for pulling # images from private registries. These Secrets are shared with all the subcharts automatically + # @section -- Global: Image Credentials imageCredentialsSecrets: [] # imageCredentialsSecrets: # - myPrivateRegistryKeySecretName 
@@ -85,45 +99,59 @@ global: # provided by an external provider. redis: # -- Redis hostname + # @section -- Redis host: "" # -- Redis port + # @section -- Redis port: 6379 # -- Redis database number + # @section -- Redis database: 0 # -- Redis password if the installation requires it + # @section -- Redis password: "" # -- Name of an existing Secret containing credentials for Redis, as an alternative to the # password field. Note: the Secret must already exist in the same namespace at the time of # deployment + # @section -- Redis existingSecretName: "" # -- Key in the existing Secret containing the password for Redis # @default -- `"CONNECT_REDIS_PASSWORD"` + # @section -- Redis existingSecretKey: "" # -- Enable TLS when connecting to Redis + # @section -- Redis enableTls: false # -- Key prefix to use when storing Studios sessions in Redis + # @section -- Redis prefix: "connect:session" # Options for the Studios Proxy component proxy: image: # -- Proxy container image registry + # @section -- Proxy: Image registry: "" # -- Proxy container image repository + # @section -- Proxy: Image repository: private/nf-tower-enterprise/data-studio/connect-proxy # -- Proxy container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Proxy: Image tag: "" # -- Proxy container image digest in the format `sha256:1234abcdef` + # @section -- Proxy: Image digest: "" # -- imagePullPolicy for the Proxy container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Proxy: Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Proxy: Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName 
@@ -136,35 +164,45 @@ proxy: # Auto-generated random values are incompatible with Kustomize. When upgrading releases via # Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to # regenerate a new random value on each upgrade + # @section -- Proxy: OIDC oidcClientRegistrationToken: "" # -- Name of an existing Secret containing the OIDC client registration token # as an alternative to the oidcClientRegistrationToken field. Note: the Secret must already exist # in the same namespace at the time of deployment + # @section -- Proxy: OIDC oidcClientRegistrationTokenSecretName: "" # -- Key in the existing Secret containing the OIDC client registration token # @default -- `"CONNECT_OIDC_CLIENT_REGISTRATION_TOKEN"` + # @section -- Proxy: OIDC oidcClientRegistrationTokenSecretKey: "" # -- TTL for local cache of Redis keys used for resiliency against Redis failures + # @section -- Proxy localCacheTTL: "2m" service: # -- Proxy Service type. Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Proxy: Service type: ClusterIP http: # -- Service name to use + # @section -- Proxy: Service name: http # -- Service port + # @section -- Proxy: Service port: 80 # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port) + # @section -- Proxy: Service targetPort: 8081 # -- Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Proxy: Service nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Proxy: Service extraServices: [] # extraServices: # - name: myspecialservice 
@@ -174,45 +212,59 @@ proxy: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Proxy: Service extraOptions: {} # -- Additional init containers for the proxy pod. Evaluated as a template + # @section -- Proxy: Pod initContainers: [] # -- Override default container command (useful when using custom images) + # @section -- Proxy: Pod command: [] # -- Override default container args (useful when using custom images) + # @section -- Proxy: Pod args: [] # -- Additional labels for the proxy pod. Evaluated as a template + # @section -- Proxy: Pod podLabels: {} # -- Additional annotations for the proxy pod. Evaluated as a template + # @section -- Proxy: Pod podAnnotations: {} # -- Additional labels for the Service objects. Evaluated as a template + # @section -- Proxy: Service serviceLabels: {} # -- Additional annotations for the Service objects. Evaluated as a template + # @section -- Proxy: Service serviceAnnotations: {} # -- Extra environment variables to set on the proxy pod + # @section -- Proxy: Environment extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars + # @section -- Proxy: Environment extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars + # @section -- Proxy: Environment extraEnvVarsSecrets: [] # -- List of volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` + # @section -- Proxy: Pod extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` + # @section -- Proxy: Pod extraVolumeMounts: [] # -- Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). # Evaluated as a template + # @section -- Proxy: Pod extraOptionsSpec: replicas: 2 # extraOptionsSpec: 
@@ -223,6 +275,7 @@ proxy: # -- Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, # etc). Evaluated as a template + # @section -- Proxy: Pod extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: @@ -233,25 +286,33 @@ proxy: # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Proxy: Security Context enabled: true # -- Sets the GID that Kubernetes will apply to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Proxy: Security Context fsGroup: 65532 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Proxy: Security Context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Proxy: Security Context runAsUser: 65532 # -- GID the container processes run as (overrides container image default) + # @section -- Proxy: Security Context runAsGroup: 65532 # -- Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Proxy: Security Context runAsNonRoot: true # -- Mounts the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Proxy: Security Context readOnlyRootFilesystem: false # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Proxy: Security Context capabilities: drop: - ALL @@ -262,6 +323,7 @@ proxy: # - NET_ADMIN # -- Container requests and limits for different resources like CPU or memory + # @section -- Proxy: Resources resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
@@ -279,38 +341,48 @@ proxy: server: image: # -- Server container image registry + # @section -- Server: Image registry: "" # -- Server container image repository + # @section -- Server: Image repository: private/nf-tower-enterprise/data-studio/connect-server # -- Server container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Server: Image tag: "" # -- Server container image digest in the format `sha256:1234abcdef` + # @section -- Server: Image digest: "" # -- imagePullPolicy for the Server container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Server: Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Server: Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName # -- Port that proxy contacts the server at to create a new tunnel + # @section -- Server tunnelPort: 7070 # -- Port where the server listens for connections from the Studios clients + # @section -- Server listenerPort: 7777 service: # -- Server Service type. There should be no need to expose the Studios Server service outside # of the cluster, since traffic goes through the proxy + # @section -- Server: Service type: ClusterIP # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Server: Service extraServices: [] # extraServices: # - name: myspecialservice 
@@ -320,51 +392,66 @@ server: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Server: Service extraOptions: # A headless ClusterIP service is ideal for server because there could be multiple Studios # server pods, which will be discovered by DNS and contacted directly, not through the Service clusterIP: None # -- Server log level, one of: `trace`, `debug`, `info`, `warn`, `error`, `fatal` + # @section -- Server logLevel: "info" # -- Additional init containers for the server pod. Evaluated as a template + # @section -- Server: Pod initContainers: [] # -- Override default container command (useful when using custom images) + # @section -- Server: Pod command: [] # -- Override default container args (useful when using custom images) + # @section -- Server: Pod args: [] # -- Additional labels for the server pod. Evaluated as a template + # @section -- Server: Pod podLabels: {} # -- Additional annotations for the server pod. Evaluated as a template + # @section -- Server: Pod podAnnotations: {} # -- Additional labels for the Service objects. Evaluated as a template + # @section -- Server: Service serviceLabels: {} # -- Additional annotations for the Service objects. Evaluated as a template + # @section -- Server: Service serviceAnnotations: {} # -- Extra environment variables to set on the server pod + # @section -- Server: Environment extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars + # @section -- Server: Environment extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars + # @section -- Server: Environment extraEnvVarsSecrets: [] # -- List of volumes to add to the deployment (evaluated as template). 
Requires setting # `extraVolumeMounts` + # @section -- Server: Pod extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` + # @section -- Server: Pod extraVolumeMounts: [] # -- Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). # Evaluated as a template + # @section -- Server: Pod extraOptionsSpec: replicas: 2 # extraOptionsSpec: @@ -375,6 +462,7 @@ server: # -- Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, # etc). Evaluated as a template + # @section -- Server: Pod extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: 
@@ -385,25 +473,33 @@ server: # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Server: Security Context enabled: true # -- Sets the GID that Kubernetes will apply to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Server: Security Context fsGroup: 65532 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Server: Security Context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Server: Security Context runAsUser: 65532 # -- GID the container processes run as (overrides container image default) + # @section -- Server: Security Context runAsGroup: 65532 # -- Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Server: Security Context runAsNonRoot: true # -- Mounts the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Server: Security Context readOnlyRootFilesystem: false # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Server: Security Context capabilities: drop: - ALL @@ -411,6 +507,7 @@ server: - NET_BIND_SERVICE # -- Container requests and limits for different resources like CPU or memory + # @section -- Server: Resources resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
@@ -428,36 +525,48 @@ server: initContainerDependencies: # -- Enable init containers that coordinate startup dependencies (for example, wait for Seqera # Platform readiness before starting, etc) + # @section -- Init Container Dependencies enabled: true waitForPlatform: # -- Enable wait for Seqera Platform init container before starting the proxy + # @section -- Init Container Dependencies: Wait for Platform enabled: true image: # -- Wait for Platform init container image registry + # @section -- Init Container Dependencies: Wait for Platform registry: "" # -- Wait for Platform init container image repository + # @section -- Init Container Dependencies: Wait for Platform repository: curlimages/curl # -- Wait for Platform init container image tag + # @section -- Init Container Dependencies: Wait for Platform tag: latest # -- Wait for Platform init container image digest in the format `sha256:1234abcdef` + # @section -- Init Container Dependencies: Wait for Platform digest: "" # -- imagePullPolicy for the wait for Platform init container + # @section -- Init Container Dependencies: Wait for Platform pullPolicy: IfNotPresent securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait for Platform runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Init Container Dependencies: Wait for Platform runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait for Platform readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait for Platform capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait for Platform resources: requests: cpu: "0.1" 
@@ -466,34 +575,44 @@ initContainerDependencies: memory: "100Mi" # -- Additional environment variables for the init container + # @section -- Init Container Dependencies: Wait for Platform extraEnvVars: [] # -- Additional volume mounts for the init container (e.g. to mount a CA certificate) + # @section -- Init Container Dependencies: Wait for Platform extraVolumeMounts: [] serviceAccount: # -- Name of an existing ServiceAccount. If not set, a new ServiceAccount is generated based on # the release name + # @section -- Service Account name: "" # -- Additional annotations for the ServiceAccount to generate + # @section -- Service Account annotations: {} # -- Names of Secrets containing credentials to pull images from registries + # @section -- Service Account imagePullSecretNames: [] # -- Automount service account token when the ServiceAccount is generated + # @section -- Service Account automountServiceAccountToken: true ingress: # -- Enable ingress for Studios Proxy + # @section -- Ingress enabled: false # -- Path for the main ingress rule. When empty, falls back to `global.ingress.path` + # @section -- Ingress path: "" # -- Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` + # @section -- Ingress defaultPathType: "" # -- Configure the default service for the ingress (evaluated as template) # Important: make sure only one defaultBackend is defined across the k8s cluster: if the # ingress doesn't reconcile successfully, 'describe ingress ' will report problems + # @section -- Ingress defaultBackend: {} # defaultBackend: # service: @@ -502,6 +621,7 @@ ingress: # number: '{{ .Values.frontend.service.http.port }}' # -- Additional hosts you want to include. Evaluated as a template + # @section -- Ingress extraHosts: [] # extraHosts: # - host: '{{ printf "api.%s" .Values.global.platformExternalDomain }}' 
@@ -518,13 +638,17 @@ ingress: # portNumber: '{{ .Values.frontend.service.http.port }}' # -- Ingress annotations specific to your load balancer. Evaluated as a template + # @section -- Ingress annotations: {} # -- Additional labels for the ingress object. Evaluated as a template + # @section -- Ingress extraLabels: {} # -- Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). # When empty, falls back to `global.ingress.ingressClassName` + # @section -- Ingress ingressClassName: "" # -- TLS configuration. Evaluated as a template + # @section -- Ingress tls: [] # tls: # - hosts: @@ -533,6 +657,7 @@ ingress: # secretName: my-tls # -- Array of extra objects to deploy with the release +# @section -- Common extraDeploy: [] # extraDeploy: # - apiVersion: v1 @@ -543,14 +668,20 @@ extraDeploy: [] # ... # -- Annotations to add to all deployed objects +# @section -- Common commonAnnotations: {} # -- Labels to add to all deployed objects +# @section -- Common commonLabels: {} # -- Additional labels for the Secret objects. Evaluated as a template +# @section -- Common secretLabels: {} # -- Additional annotations for the Secret objects. Evaluated as a template +# @section -- Common secretAnnotations: {} # -- Additional labels for the ConfigMap objects. Evaluated as a template +# @section -- Common configMapLabels: {} # -- Additional annotations for the ConfigMap objects. Evaluated as a template +# @section -- Common configMapAnnotations: {} diff --git a/charts/platform/charts/wave/CHANGELOG.md b/charts/platform/charts/wave/CHANGELOG.md index df4ce88..82012fb 100644 --- a/charts/platform/charts/wave/CHANGELOG.md +++ b/charts/platform/charts/wave/CHANGELOG.md 
@@ -5,6 +5,12 @@ All notable changes to this chart will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [Unreleased] + +### Changed + +- Annotated `values.yaml` with `# @section` markers and switched `README.md.gotmpl` to a per-section Markdown loop, grouping the generated values table by area instead of one flat list. + ## [0.2.0] - 2026-05-05 - **Enhancement**: allow global configuration of Ingress options. A new `global.ingress` block (`enabled`, `path`, `defaultPathType`, `ingressClassName`, `annotations`, `extraLabels`, `tls`) lets cluster-wide Ingress defaults be set once at the parent and propagate to every subchart, removing the need to repeat controller-wide config per subchart. `enabled` is OR-merged; scalar fields fall back to global when local is unset; `annotations` and `extraLabels` are merged with local winning on key collision; `tls` is concatenated (useful for a single wildcard certificate across all services). diff --git a/charts/platform/charts/wave/README.md b/charts/platform/charts/wave/README.md index 4b49174..6c0b1c9 100644 --- a/charts/platform/charts/wave/README.md +++ b/charts/platform/charts/wave/README.md 
@@ -55,142 +55,259 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md ## Values +### Global + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.platformExternalDomain | string | ``"example.com"`` | Domain where Seqera Platform listens | +| global.waveDomain | string | ``"{{ printf \"wave.%s\" .Values.global.platformExternalDomain }}"`` | Domain where Wave listens. Evaluated as a template | + +### Global: Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.ingress.enabled | bool | ``false`` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | +| global.ingress.path | string | ``"/"`` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | +| global.ingress.defaultPathType | string | ``"Prefix"`` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. | +| global.ingress.ingressClassName | string | ``""`` | Default ingress class name applied when `ingress.ingressClassName` is not set | +| global.ingress.annotations | object | ``{}`` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | +| global.ingress.extraLabels | object | ``{}`` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | +| global.ingress.tls | list | ``[]`` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | + +### Global: Image Credentials + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.imageCredentials | list | ``[]`` | Optional credentials to log in and fetch images from a private registry. 
These credentials are shared with all the subcharts automatically | +| global.imageCredentialsSecrets | list | ``[]`` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | + +### Application + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| micronautEnvironments | list | ``["postgres","redis","lite"]`` | List of Micronaut environments to enable | + +### Database + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| database.host | string | ``""`` | PostgreSQL database hostname | +| database.port | int | ``5432`` | PostgreSQL database port | +| database.name | string | ``""`` | PostgreSQL database name | +| database.username | string | ``""`` | PostgreSQL database username | +| database.password | string | ``""`` | PostgreSQL database password | +| database.existingSecretName | string | ``""`` | Name of an existing Secret containing credentials for the PostgreSQL database, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | +| database.existingSecretKey | string | ``"WAVE_DB_PASSWORD"`` | Key in the existing Secret containing the password for the PostgreSQL database | +| database.enableTls | bool | ``false`` | Enable TLS for the PostgreSQL database connection | + +### Redis + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| redis.host | string | ``""`` | Redis hostname | +| redis.port | int | ``6379`` | Redis port | +| redis.db | int | ``0`` | Redis database index | +| redis.enableTls | bool | ``false`` | Enable TLS when connecting to Redis | +| redis.password | string | ``""`` | Redis password | +| redis.existingSecretName | string | ``""`` | Name of an existing Secret containing the Redis password, as an alternative to the password field. 
Note: the Secret must already exist in the same namespace at the time of deployment | +| redis.existingSecretKey | string | ``"REDIS_PASSWORD"`` | Key in the existing Secret containing the Redis password | + +### Image + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| image.registry | string | ``""`` | Container image registry | +| image.repository | string | ``"private/nf-tower-enterprise/wave"`` | Container image repository | +| image.tag | string | ``"{{ .chart.AppVersion }}"`` | Container image tag | +| image.digest | string | ``""`` | Container image digest in the format `sha256:1234abcdef` | +| image.pullPolicy | string | ``"IfNotPresent"`` | imagePullPolicy for the container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | +| image.pullSecrets | list | ``[]`` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | + +### Service + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| service | object | ``{"extraOptions":{},"extraServices":[],"http":{"name":"http","nodePort":null,"port":9090,"targetPort":9090},"type":"ClusterIP"}`` | Service configuration | +| service.type | string | ``"ClusterIP"`` | Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | +| service.http.name | string | ``"http"`` | Service name to use | +| service.http.port | int | ``9090`` | Service port | +| service.http.targetPort | int | ``9090`` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | +| service.http.nodePort | string | ``nil`` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | +| service.extraServices | list | ``[]`` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | +| service.extraOptions | object | ``{}`` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | + +### Deployment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainers | list | ``[]`` | Additional init containers for the pod. Evaluated as a template | +| command | list | ``[]`` | Override default container command (useful when using custom images) | +| args | list | ``[]`` | Override default container args (useful when using custom images) | +| workingDir | string | ``"/work"`` | Working directory for the main container process. Evaluated as a template | +| podLabels | object | ``{}`` | Additional labels for the pod. Evaluated as a template | +| podAnnotations | object | ``{}`` | Additional annotations for the pod. Evaluated as a template | +| extraOptionsSpec | object | ``{}`` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | +| extraOptionsTemplateSpec | object | ``{}`` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | + +### Deployment: Environment + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraEnvVars | list | ``[]`` | Extra environment variables | +| extraEnvVarsCMs | list | ``[]`` | List of ConfigMaps containing extra env vars | +| extraEnvVarsSecrets | list | ``[]`` | List of Secrets containing extra env vars | + +### Deployment: Volumes + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraVolumes | list | ``[]`` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | +| extraVolumeMounts | list | ``[]`` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | + +### Security Context + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| podSecurityContext.enabled | bool | ``true`` | Enable pod Security Context | +| podSecurityContext.fsGroup | int | ``101`` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | +| containerSecurityContext.enabled | bool | ``true`` | Enable container Security Context | +| containerSecurityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| containerSecurityContext.runAsNonRoot | bool | ``true`` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | +| containerSecurityContext.readOnlyRootFilesystem | bool | ``true`` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | +| containerSecurityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | + +### Resources + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| resources | object | ``{}`` | Container requests and limits for different resources 
like CPU or memory | + +### Init Container Dependencies + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.enabled | bool | ``true`` | Enable init containers that coordinate startup dependencies | + +### Init Container Dependencies: Wait for Redis + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForRedis.enabled | bool | ``true`` | Enable wait for Redis init container before starting the main container | +| initContainerDependencies.waitForRedis.image.registry | string | ``""`` | Override default wait for Redis init container image | +| initContainerDependencies.waitForRedis.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForRedis.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID is 0) | +| initContainerDependencies.waitForRedis.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForRedis.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForRedis.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForRedis.extraEnvVars | list | ``[]`` | Additional environment variables for the init container | +| initContainerDependencies.waitForRedis.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container (e.g. 
to mount a CA certificate) | + +### Init Container Dependencies: Wait for PostgreSQL + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| initContainerDependencies.waitForPostgres.enabled | bool | ``true`` | Enable wait for PostgreSQL init container before starting the main container | +| initContainerDependencies.waitForPostgres.image.registry | string | ``""`` | Override default wait for PostgreSQL init container image | +| initContainerDependencies.waitForPostgres.securityContext.runAsUser | int | ``101`` | UID the container processes run as (overrides container image default) | +| initContainerDependencies.waitForPostgres.securityContext.runAsNonRoot | bool | ``true`` | Require the container to run as a non-root UID (prevents starting if UID is 0) | +| initContainerDependencies.waitForPostgres.securityContext.readOnlyRootFilesystem | bool | ``true`` | Mount the container root filesystem read-only to prevent in-place writes or tampering | +| initContainerDependencies.waitForPostgres.securityContext.capabilities | object | ``{"drop":["ALL"]}`` | Fine-grained Linux kernel privileges to add or drop for the container | +| initContainerDependencies.waitForPostgres.resources | object | ``{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}`` | Container requests and limits for different resources like CPU or memory | +| initContainerDependencies.waitForPostgres.extraEnvVars | list | ``[]`` | Additional environment variables for the init container. The special variable `MYSQL_EXTRA_ARGS` is appended verbatim to the `mysql` readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. Pair with `extraVolumeMounts` to mount the CA certificate into the container. 
Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" | +| initContainerDependencies.waitForPostgres.extraVolumeMounts | list | ``[]`` | Additional volume mounts for the init container. Use this to mount CA certificates (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that `MYSQL_EXTRA_ARGS` can reference them. | + +### Probes: Startup + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| startupProbe.enabled | bool | ``false`` | Enable startup probe | +| startupProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for startup probe | +| startupProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for startup probe. Evaluated as a template | +| startupProbe.initialDelaySeconds | int | ``5`` | Longer initial wait to accommodate slow-starting apps | +| startupProbe.periodSeconds | int | ``10`` | Often set longer to avoid frequent checks while starting | +| startupProbe.timeoutSeconds | int | ``3`` | Can be longer to allow slow initialization responses | +| startupProbe.failureThreshold | int | ``5`` | Consecutive failures during startup before killing the container (instead of immediate restarts) | +| startupProbe.successThreshold | int | ``1`` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | + +### Probes: Readiness + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| readinessProbe.enabled | bool | ``true`` | Enable readiness probe | +| readinessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for readiness probe | +| readinessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for readiness probe. 
Evaluated as a template | +| readinessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| readinessProbe.periodSeconds | int | ``5`` | Regular check interval during normal operation | +| readinessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect unresponsive containers for readiness | +| readinessProbe.failureThreshold | int | ``5`` | Consecutive failures before marking the container Unready (no restart) | +| readinessProbe.successThreshold | int | ``1`` | Number of consecutive successes required to mark the container Ready after failures | + +### Probes: Liveness + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| livenessProbe.enabled | bool | ``true`` | Enable liveness probe | +| livenessProbe.httpGet.path | string | ``"/health"`` | HTTP GET path for liveness probe | +| livenessProbe.httpGet.port | string | ``"{{ .Values.service.http.targetPort }}"`` | HTTP GET port for liveness probe. Evaluated as a template | +| livenessProbe.initialDelaySeconds | int | ``5`` | Delay before first check (normal start timing) | +| livenessProbe.periodSeconds | int | ``10`` | Regular check interval during normal operation | +| livenessProbe.timeoutSeconds | int | ``3`` | Short timeout to detect hung containers quickly | +| livenessProbe.failureThreshold | int | ``10`` | Consecutive failures before restarting the container | +| livenessProbe.successThreshold | int | ``1`` | Typically 1 (usually ignored) | + +### Service Account + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| serviceAccount | object | ``{"annotations":{},"automountServiceAccountToken":true,"imagePullSecretNames":[],"name":""}`` | Service account configuration | +| serviceAccount.name | string | ``""`` | Service account name | +| serviceAccount.annotations | object | ``{}`` | Service account annotations | +| serviceAccount.imagePullSecretNames | list | ``[]`` | Names of Secrets containing 
credentials to pull images from registries | +| serviceAccount.automountServiceAccountToken | bool | ``true`` | Automatically mount service account token | + +### Ingress + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| ingress.enabled | bool | ``false`` | Enable ingress for Wave | +| ingress.path | string | ``""`` | Path for the main ingress rule. When empty, falls back to `global.ingress.path` | +| ingress.defaultPathType | string | ``""`` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | +| ingress.defaultBackend | object | ``{}`` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | +| ingress.extraHosts | list | ``[]`` | Additional hosts you want to include. Evaluated as a template | +| ingress.annotations | object | ``{}`` | Ingress annotations specific to your load balancer. Evaluated as a template | +| ingress.extraLabels | object | ``{}`` | Additional labels for the ingress object. Evaluated as a template | +| ingress.ingressClassName | string | ``""`` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | +| ingress.tls | list | ``[]`` | TLS configuration. 
Evaluated as a template | + +### Extra Deploy + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| extraDeploy | list | ``[]`` | Array of extra objects to deploy with the release | + +### Common Metadata + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | ``{}`` | Annotations to add to all deployed objects | +| commonLabels | object | ``{}`` | Labels to add to all deployed objects | +| secretLabels | object | ``{}`` | Additional labels for the Secret objects. Evaluated as a template | +| secretAnnotations | object | ``{}`` | Additional annotations for the Secret objects. Evaluated as a template | +| configMapLabels | object | ``{}`` | Additional labels for the ConfigMap objects. Evaluated as a template | +| configMapAnnotations | object | ``{}`` | Additional annotations for the ConfigMap objects. Evaluated as a template | + +### Other Values + | Key | Type | Default | Description | |-----|------|---------|-------------| -| global.platformExternalDomain | string | `"example.com"` | Domain where Seqera Platform listens | -| global.waveDomain | string | `"{{ printf \"wave.%s\" .Values.global.platformExternalDomain }}"` | Domain where Wave listens. Evaluated as a template | -| global.ingress.enabled | bool | `false` | Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so setting this once at the parent enables all subchart Ingresses. | -| global.ingress.path | string | `"/"` | Default path applied to ingress rules when `ingress.path` is not set. AWS ALB users should override to `/*`. | -| global.ingress.defaultPathType | string | `"Prefix"` | Default path type applied to ingress rules when `ingress.defaultPathType` is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. 
| -| global.ingress.ingressClassName | string | `""` | Default ingress class name applied when `ingress.ingressClassName` is not set | -| global.ingress.annotations | object | `{}` | Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. Evaluated as a template | -| global.ingress.extraLabels | object | `{}` | Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. Evaluated as a template | -| global.ingress.tls | list | `[]` | TLS entries concatenated with the local `ingress.tls`. Evaluated as a template | -| global.imageCredentials | list | `[]` | Optional credentials to log in and fetch images from a private registry. These credentials are shared with all the subcharts automatically | -| global.imageCredentialsSecrets | list | `[]` | Optional list of existing Secrets containing image pull credentials to use for pulling images from private registries. These Secrets are shared with all the subcharts automatically | -| micronautEnvironments | list | `["postgres","redis","lite"]` | List of Micronaut environments to enable | -| database.host | string | `""` | PostgreSQL database hostname | -| database.port | int | `5432` | PostgreSQL database port | -| database.name | string | `""` | PostgreSQL database name | -| database.username | string | `""` | PostgreSQL database username | -| database.password | string | `""` | PostgreSQL database password | -| database.existingSecretName | string | `""` | Name of an existing Secret containing credentials for the PostgreSQL database, as an alternative to the password field. 
Note: the Secret must already exist in the same namespace at the time of deployment | -| database.existingSecretKey | string | `"WAVE_DB_PASSWORD"` | Key in the existing Secret containing the password for the PostgreSQL database | -| database.enableTls | bool | `false` | Enable TLS for the PostgreSQL database connection | -| redis.host | string | `""` | Redis hostname | -| redis.port | int | `6379` | Redis port | -| redis.db | int | `0` | Redis database index | -| redis.enableTls | bool | `false` | Enable TLS when connecting to Redis | -| redis.password | string | `""` | Redis password | -| redis.existingSecretName | string | `""` | Name of an existing Secret containing the Redis password, as an alternative to the password field. Note: the Secret must already exist in the same namespace at the time of deployment | -| redis.existingSecretKey | string | `"REDIS_PASSWORD"` | Key in the existing Secret containing the Redis password | -| image.registry | string | `""` | Container image registry | -| image.repository | string | `"private/nf-tower-enterprise/wave"` | Container image repository | -| image.tag | string | `"{{ .chart.AppVersion }}"` | Container image tag | -| image.digest | string | `""` | Container image digest in the format `sha256:1234abcdef` | -| image.pullPolicy | string | `"IfNotPresent"` | imagePullPolicy for the container Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images | -| image.pullSecrets | list | `[]` | List of imagePullSecrets Secrets must be created in the same namespace, for example using the .extraDeploy array Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ | -| service | object | `{"extraOptions":{},"extraServices":[],"http":{"name":"http","nodePort":null,"port":9090,"targetPort":9090},"type":"ClusterIP"}` | Service configuration | -| service.type | string | `"ClusterIP"` | Service type. 
Note: ingresses using AWS ALB require the service to be NodePort | -| service.http.name | string | `"http"` | Service name to use | -| service.http.port | int | `9090` | Service port | -| service.http.targetPort | int | `9090` | Port on the pod/container that the Service forwards traffic to (can be a number or named port, distinct from the Service's external port) | -| service.http.nodePort | string | `nil` | Service node port, only used when service.type is Nodeport or LoadBalancer Choose port between 30000-32767, unless the cluster was configured differently than default | -| service.extraServices | list | `[]` | Other services that should live in the Service object https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service | -| service.extraOptions | object | `{}` | Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, externalTrafficPolicy, externalIPs). Evaluated as a template | -| initContainers | list | `[]` | Additional init containers for the pod. Evaluated as a template | -| command | list | `[]` | Override default container command (useful when using custom images) | -| args | list | `[]` | Override default container args (useful when using custom images) | -| workingDir | string | `"/work"` | Working directory for the main container process. Evaluated as a template | -| podLabels | object | `{}` | Additional labels for the pod. Evaluated as a template | -| podAnnotations | object | `{}` | Additional annotations for the pod. Evaluated as a template | -| extraOptionsSpec | object | `{}` | Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). Evaluated as a template | -| extraOptionsTemplateSpec | object | `{}` | Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, etc). 
Evaluated as a template | -| extraEnvVars | list | `[]` | Extra environment variables | -| extraEnvVarsCMs | list | `[]` | List of ConfigMaps containing extra env vars | -| extraEnvVarsSecrets | list | `[]` | List of Secrets containing extra env vars | -| extraVolumes | list | `[]` | List of volumes to add to the deployment (evaluated as template). Requires setting `extraVolumeMounts` | -| extraVolumeMounts | list | `[]` | List of volume mounts to add to the container (evaluated as template). Normally used with `extraVolumes` | -| podSecurityContext.enabled | bool | `true` | Enable pod Security Context | -| podSecurityContext.fsGroup | int | `101` | Sets the GID that Kubernetes will apply to mounted volumes and created files so processes in the pod can share group-owned access | -| containerSecurityContext.enabled | bool | `true` | Enable container Security Context | -| containerSecurityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| containerSecurityContext.runAsNonRoot | bool | `true` | Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) | -| containerSecurityContext.readOnlyRootFilesystem | bool | `true` | Mounts the container root filesystem read-only to prevent in-place writes or tampering | -| containerSecurityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| resources | object | `{}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.enabled | bool | `true` | Enable init containers that coordinate startup dependencies | -| initContainerDependencies.waitForRedis.enabled | bool | `true` | Enable wait for Redis init container before starting the main container | -| initContainerDependencies.waitForRedis.image.registry | string | `""` | Override default wait for Redis init container image | -| 
initContainerDependencies.waitForRedis.image.repository | string | `"redis"` | | -| initContainerDependencies.waitForRedis.image.tag | string | `"7-alpine"` | | -| initContainerDependencies.waitForRedis.image.digest | string | `""` | | -| initContainerDependencies.waitForRedis.image.pullPolicy | string | `"IfNotPresent"` | | -| initContainerDependencies.waitForRedis.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| initContainerDependencies.waitForRedis.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID is 0) | -| initContainerDependencies.waitForRedis.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForRedis.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| initContainerDependencies.waitForRedis.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForRedis.extraEnvVars | list | `[]` | Additional environment variables for the init container | -| initContainerDependencies.waitForRedis.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container (e.g. 
to mount a CA certificate) | -| initContainerDependencies.waitForPostgres.enabled | bool | `true` | Enable wait for PostgreSQL init container before starting the main container | -| initContainerDependencies.waitForPostgres.image.registry | string | `""` | Override default wait for PostgreSQL init container image | -| initContainerDependencies.waitForPostgres.image.repository | string | `"postgres"` | | -| initContainerDependencies.waitForPostgres.image.tag | string | `"16-alpine"` | | -| initContainerDependencies.waitForPostgres.image.digest | string | `""` | | -| initContainerDependencies.waitForPostgres.image.pullPolicy | string | `"IfNotPresent"` | | -| initContainerDependencies.waitForPostgres.securityContext.runAsUser | int | `101` | UID the container processes run as (overrides container image default) | -| initContainerDependencies.waitForPostgres.securityContext.runAsNonRoot | bool | `true` | Require the container to run as a non-root UID (prevents starting if UID is 0) | -| initContainerDependencies.waitForPostgres.securityContext.readOnlyRootFilesystem | bool | `true` | Mount the container root filesystem read-only to prevent in-place writes or tampering | -| initContainerDependencies.waitForPostgres.securityContext.capabilities | object | `{"drop":["ALL"]}` | Fine-grained Linux kernel privileges to add or drop for the container | -| initContainerDependencies.waitForPostgres.resources | object | `{"limits":{"memory":"100Mi"},"requests":{"cpu":"0.5","memory":"50Mi"}}` | Container requests and limits for different resources like CPU or memory | -| initContainerDependencies.waitForPostgres.extraEnvVars | list | `[]` | Additional environment variables for the init container. The special variable `MYSQL_EXTRA_ARGS` is appended verbatim to the `mysql` readiness check command, and can be used to pass TLS flags when connecting to managed MySQL services such as AWS RDS or Azure Database for MySQL that require certificate verification. 
Pair with `extraVolumeMounts` to mount the CA certificate into the container. Example (TLS with CA certificate mounted from a volume): extraEnvVars: - name: MYSQL_EXTRA_ARGS value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" | -| initContainerDependencies.waitForPostgres.extraVolumeMounts | list | `[]` | Additional volume mounts for the init container. Use this to mount CA certificates (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that `MYSQL_EXTRA_ARGS` can reference them. | -| startupProbe.enabled | bool | `false` | Enable startup probe | -| startupProbe.httpGet.path | string | `"/health"` | HTTP GET path for startup probe | -| startupProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for startup probe. Evaluated as a template | -| startupProbe.initialDelaySeconds | int | `5` | Longer initial wait to accommodate slow-starting apps | -| startupProbe.periodSeconds | int | `10` | Often set longer to avoid frequent checks while starting | -| startupProbe.timeoutSeconds | int | `3` | Can be longer to allow slow initialization responses | -| startupProbe.failureThreshold | int | `5` | Consecutive failures during startup before killing the container (instead of immediate restarts) | -| startupProbe.successThreshold | int | `1` | Number of consecutive successes required to consider startup complete and enable liveness/readiness | -| readinessProbe.enabled | bool | `true` | Enable readiness probe | -| readinessProbe.httpGet.path | string | `"/health"` | HTTP GET path for readiness probe | -| readinessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for readiness probe. 
Evaluated as a template | -| readinessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| readinessProbe.periodSeconds | int | `5` | Regular check interval during normal operation | -| readinessProbe.timeoutSeconds | int | `3` | Short timeout to detect unresponsive containers for readiness | -| readinessProbe.failureThreshold | int | `5` | Consecutive failures before marking the container Unready (no restart) | -| readinessProbe.successThreshold | int | `1` | Number of consecutive successes required to mark the container Ready after failures | -| livenessProbe.enabled | bool | `true` | Enable liveness probe | -| livenessProbe.httpGet.path | string | `"/health"` | HTTP GET path for liveness probe | -| livenessProbe.httpGet.port | string | `"{{ .Values.service.http.targetPort }}"` | HTTP GET port for liveness probe. Evaluated as a template | -| livenessProbe.initialDelaySeconds | int | `5` | Delay before first check (normal start timing) | -| livenessProbe.periodSeconds | int | `10` | Regular check interval during normal operation | -| livenessProbe.timeoutSeconds | int | `3` | Short timeout to detect hung containers quickly | -| livenessProbe.failureThreshold | int | `10` | Consecutive failures before restarting the container | -| livenessProbe.successThreshold | int | `1` | Typically 1 (usually ignored) | -| serviceAccount | object | `{"annotations":{},"automountServiceAccountToken":true,"imagePullSecretNames":[],"name":""}` | Service account configuration | -| serviceAccount.name | string | `""` | Service account name | -| serviceAccount.annotations | object | `{}` | Service account annotations | -| serviceAccount.imagePullSecretNames | list | `[]` | Names of Secrets containing credentials to pull images from registries | -| serviceAccount.automountServiceAccountToken | bool | `true` | Automatically mount service account token | -| ingress.enabled | bool | `false` | Enable ingress for Wave | -| ingress.path | string | `""` | 
Path for the main ingress rule. When empty, falls back to `global.ingress.path` | -| ingress.defaultPathType | string | `""` | Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` | -| ingress.defaultBackend | object | `{}` | Configure the default service for the ingress (evaluated as template) Important: make sure only one defaultBackend is defined across the k8s cluster: if the ingress doesn't reconcile successfully, 'describe ingress ' will report problems | -| ingress.extraHosts | list | `[]` | Additional hosts you want to include. Evaluated as a template | -| ingress.annotations | object | `{}` | Ingress annotations specific to your load balancer. Evaluated as a template | -| ingress.extraLabels | object | `{}` | Additional labels for the ingress object. Evaluated as a template | -| ingress.ingressClassName | string | `""` | Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). When empty, falls back to `global.ingress.ingressClassName` | -| ingress.tls | list | `[]` | TLS configuration. Evaluated as a template | -| extraDeploy | list | `[]` | Array of extra objects to deploy with the release | -| commonAnnotations | object | `{}` | Annotations to add to all deployed objects | -| commonLabels | object | `{}` | Labels to add to all deployed objects | -| secretLabels | object | `{}` | Additional labels for the Secret objects. Evaluated as a template | -| secretAnnotations | object | `{}` | Additional annotations for the Secret objects. Evaluated as a template | -| configMapLabels | object | `{}` | Additional labels for the ConfigMap objects. Evaluated as a template | -| configMapAnnotations | object | `{}` | Additional annotations for the ConfigMap objects. 
Evaluated as a template | +| initContainerDependencies.waitForRedis.image.repository | string | ``"redis"`` | | +| initContainerDependencies.waitForRedis.image.tag | string | ``"7-alpine"`` | | +| initContainerDependencies.waitForRedis.image.digest | string | ``""`` | | +| initContainerDependencies.waitForRedis.image.pullPolicy | string | ``"IfNotPresent"`` | | +| initContainerDependencies.waitForPostgres.image.repository | string | ``"postgres"`` | | +| initContainerDependencies.waitForPostgres.image.tag | string | ``"16-alpine"`` | | +| initContainerDependencies.waitForPostgres.image.digest | string | ``""`` | | +| initContainerDependencies.waitForPostgres.image.pullPolicy | string | ``"IfNotPresent"`` | | ## Licensing diff --git a/charts/platform/charts/wave/README.md.gotmpl b/charts/platform/charts/wave/README.md.gotmpl index ddd9951..f15696b 100644 --- a/charts/platform/charts/wave/README.md.gotmpl +++ b/charts/platform/charts/wave/README.md.gotmpl @@ -47,7 +47,29 @@ When upgrading between versions, please refer to the [CHANGELOG.md](CHANGELOG.md {{ template "chart.requirementsSection" . }} -{{ template "chart.valuesSection" . }} +## Values + +{{- range .Sections.Sections }} + +### {{ .SectionName }} + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .SectionItems }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} + +{{- with .Sections.DefaultSection.SectionItems }} + +### Other Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range . }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}`{{ .Default }}`{{ else }}`{{ .AutoDefault }}`{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | +{{- end }} +{{- end }} ## Licensing 
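Review bot: the per-section loop in `README.md.gotmpl` wraps `{{ .Default }}` / `{{ .AutoDefault }}` in an extra pair of backticks, but helm-docs already emits defaults as code spans (the removed rows show `"WAVE_DB_PASSWORD"` and `""` in single backticks, and the `@default --` comments in values.yaml carry their own backticks), so the regenerated tables come out as ``"redis"`` / ``""`` and every row in the README churns for no content change. Use `{{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }}` with no surrounding backticks, matching the stock `chart.valuesTable` template, and regenerate before merging. The eight trailing `+` rows with an empty Description column are the init-container `repository`/`tag`/`digest`/`pullPolicy` keys landing in the `Other Values` fallback; that is a values.yaml problem, not a template one, and is flagged at the values hunks below.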
diff --git a/charts/platform/charts/wave/tests/__snapshot__/deployment_test.yaml.snap b/charts/platform/charts/wave/tests/__snapshot__/deployment_test.yaml.snap index 1adda70..54d2c69 100644 --- a/charts/platform/charts/wave/tests/__snapshot__/deployment_test.yaml.snap +++ b/charts/platform/charts/wave/tests/__snapshot__/deployment_test.yaml.snap @@ -130,7 +130,7 @@ should render a Deployment with default values: - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'"; until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS diff --git a/charts/platform/charts/wave/values.yaml b/charts/platform/charts/wave/values.yaml index 0db9017..0b43d72 100644 --- a/charts/platform/charts/wave/values.yaml +++ b/charts/platform/charts/wave/values.yaml @@ -19,9 +19,11 @@ # .Values.global.*: https://helm.sh/docs/chart_template_guide/subcharts_and_globals/ global: # -- Domain where Seqera Platform listens + # @section -- Global platformExternalDomain: example.com # -- Domain where Wave listens. Evaluated as a template + # @section -- Global waveDomain: '{{ printf "wave.%s" .Values.global.platformExternalDomain }}' # Ingress defaults shared across the parent chart and all subcharts. Each subchart's local 
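Review bot: the wave Deployment snapshot now expects the wait-for-Redis init container to print the Redis password. The new expected line is `echo "$(date): starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'";`, which writes `$REDISCLI_AUTH` in clear text to the container log (and from there to any log aggregation that reads pod logs), whereas the removed line `if [ -n "$REDISCLI_AUTH" ]; then ... (auth set) ... else ... (auth not set) ... fi` only reported whether auth was configured. This is a change in the rendered manifest, not in documentation, and no template file appears in this diff, so the snapshot looks regenerated against a stale or reverted template. Keep the conditional form, fix whatever template produced this, and do not accept the snapshot update; if the change were intended it would need a changelog entry under a security heading, not a silent snapshot bump.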
@@ -29,26 +31,34 @@ global: ingress: # -- Enable Ingress for this chart. OR'd with the chart's local `ingress.enabled` so # setting this once at the parent enables all subchart Ingresses. + # @section -- Global: Ingress enabled: false # -- Default path applied to ingress rules when `ingress.path` is not set. # AWS ALB users should override to `/*`. + # @section -- Global: Ingress path: "/" # -- Default path type applied to ingress rules when `ingress.defaultPathType` is not set. # `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. + # @section -- Global: Ingress defaultPathType: "Prefix" # -- Default ingress class name applied when `ingress.ingressClassName` is not set + # @section -- Global: Ingress ingressClassName: "" # -- Annotations merged into the Ingress. Local `ingress.annotations` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress annotations: {} # -- Extra labels merged into the Ingress. Local `ingress.extraLabels` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress extraLabels: {} # -- TLS entries concatenated with the local `ingress.tls`. Evaluated as a template + # @section -- Global: Ingress tls: [] # -- Optional credentials to log in and fetch images from a private registry. These credentials # are shared with all the subcharts automatically + # @section -- Global: Image Credentials imageCredentials: [] # imageCredentials: # - registry: "" @@ -58,6 +68,7 @@ global: # -- Optional list of existing Secrets containing image pull credentials to use for pulling # images from private registries. These Secrets are shared with all the subcharts automatically + # @section -- Global: Image Credentials imageCredentialsSecrets: [] # imageCredentialsSecrets: # - myPrivateRegistryKeySecretName 
@@ -68,6 +79,7 @@ global: # https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line # -- List of Micronaut environments to enable +# @section -- Application micronautEnvironments: - postgres - redis 
@@ -75,83 +87,111 @@ micronautEnvironments: database: # -- PostgreSQL database hostname + # @section -- Database host: "" # -- PostgreSQL database port + # @section -- Database port: 5432 # -- PostgreSQL database name + # @section -- Database name: "" # -- PostgreSQL database username + # @section -- Database username: "" # -- PostgreSQL database password + # @section -- Database password: "" # -- Name of an existing Secret containing credentials for the PostgreSQL database, as an # alternative to the password field. Note: the Secret must already exist in the same namespace at # the time of # deployment + # @section -- Database existingSecretName: "" # -- Key in the existing Secret containing the password for the PostgreSQL database # @default -- `"WAVE_DB_PASSWORD"` + # @section -- Database existingSecretKey: "" # -- Enable TLS for the PostgreSQL database connection + # @section -- Database enableTls: false redis: # -- Redis hostname + # @section -- Redis host: "" # -- Redis port + # @section -- Redis port: 6379 # -- Redis database index + # @section -- Redis db: 0 # -- Enable TLS when connecting to Redis + # @section -- Redis enableTls: false # -- Redis password + # @section -- Redis password: "" # -- Name of an existing Secret containing the Redis password, as an alternative to the password # field. 
Note: the Secret must already exist in the same namespace at the time of deployment + # @section -- Redis existingSecretName: "" # -- Key in the existing Secret containing the Redis password # @default -- `"REDIS_PASSWORD"` + # @section -- Redis existingSecretKey: "" image: # -- Container image registry + # @section -- Image registry: "" # -- Container image repository + # @section -- Image repository: private/nf-tower-enterprise/wave # -- Container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Image tag: "" # -- Container image digest in the format `sha256:1234abcdef` + # @section -- Image digest: "" # -- imagePullPolicy for the container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName # -- Service configuration +# @section -- Service service: # -- Service type. 
# Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Service type: ClusterIP http: # -- Service name to use + # @section -- Service name: http # -- Service port + # @section -- Service port: 9090 # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port) + # @section -- Service targetPort: 9090 # -- Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Service nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Service extraServices: [] # extraServices: # - name: myspecialservice @@ -161,25 +201,33 @@ service: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Service extraOptions: {} # -- Additional init containers for the pod. Evaluated as a template +# @section -- Deployment initContainers: [] # -- Override default container command (useful when using custom images) +# @section -- Deployment command: [] # -- Override default container args (useful when using custom images) +# @section -- Deployment args: [] # -- Working directory for the main container process. Evaluated as a template +# @section -- Deployment workingDir: /work # -- Additional labels for the pod. Evaluated as a template +# @section -- Deployment podLabels: {} # -- Additional annotations for the pod. Evaluated as a template +# @section -- Deployment podAnnotations: {} # -- Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). # Evaluated as a template +# @section -- Deployment extraOptionsSpec: {} # extraOptionsSpec: # strategy: 
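Review bot: the `service.http.nodePort` description spells the type `Nodeport`; it should be `NodePort`. The `service.type` note that AWS ALB ingresses "require the service to be NodePort" is only true for `alb.ingress.kubernetes.io/target-type: instance`; with `target-type: ip` the ALB registers pod IPs directly and `ClusterIP` works, so suggest `# Note: AWS ALB ingresses in instance target mode require NodePort; ip target mode works with ClusterIP`. These comments are now the source of the grouped README tables, so this is the place to fix the wording.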
@@ -192,26 +240,32 @@ extraOptionsSpec: {} # -- Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, # etc). Evaluated as a template +# @section -- Deployment extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: # service: myspecialnodegroup # -- Extra environment variables +# @section -- Deployment: Environment extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars +# @section -- Deployment: Environment extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars +# @section -- Deployment: Environment extraEnvVarsSecrets: [] # -- List of volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` +# @section -- Deployment: Volumes extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` +# @section -- Deployment: Volumes extraVolumeMounts: [] # Configure Pods Security Context. 
@@ -219,28 +273,36 @@ extraVolumeMounts: [] # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Security Context enabled: true # -- Sets the GID that Kubernetes will apply to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Security Context fsGroup: 101 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Security Context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Security Context runAsUser: 101 # -- Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Security Context runAsNonRoot: true # -- Mounts the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Security Context readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Security Context capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory +# @section -- Resources resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
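Review bot: the new `Security Context` section documents `runAsNonRoot`, `readOnlyRootFilesystem` and `capabilities.drop: [ALL]`, but there is no `allowPrivilegeEscalation` or `seccompProfile` key, and both are required by the Restricted Pod Security Standard (`allowPrivilegeEscalation: false`, `seccompProfile.type: RuntimeDefault`). Since the section is being documented now, add the two keys with those defaults, or state in the section comment that the chart targets the Baseline profile so users on Restricted namespaces know they must add them via `extraOptionsTemplateSpec`. The same gap exists in the init-container `securityContext` blocks further down.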
@@ -258,13 +320,16 @@ resources: {} initContainerDependencies: # -- Enable init containers that coordinate startup dependencies + # @section -- Init Container Dependencies enabled: true waitForRedis: # -- Enable wait for Redis init container before starting the main container + # @section -- Init Container Dependencies: Wait for Redis enabled: true image: # -- Override default wait for Redis init container image + # @section -- Init Container Dependencies: Wait for Redis registry: "" repository: redis tag: 7-alpine @@ -274,17 +339,22 @@ initContainerDependencies: securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait for Redis runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID is 0) + # @section -- Init Container Dependencies: Wait for Redis runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait for Redis readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait for Redis capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait for Redis resources: requests: cpu: "0.5" 
@@ -293,15 +363,19 @@ initContainerDependencies: memory: "100Mi" # -- Additional environment variables for the init container + # @section -- Init Container Dependencies: Wait for Redis extraEnvVars: [] # -- Additional volume mounts for the init container (e.g. to mount a CA certificate) + # @section -- Init Container Dependencies: Wait for Redis extraVolumeMounts: [] waitForPostgres: # -- Enable wait for PostgreSQL init container before starting the main container + # @section -- Init Container Dependencies: Wait for PostgreSQL enabled: true image: # -- Override default wait for PostgreSQL init container image + # @section -- Init Container Dependencies: Wait for PostgreSQL registry: "" repository: postgres tag: "16-alpine" @@ -311,17 +385,22 @@ initContainerDependencies: securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait for PostgreSQL runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID is 0) + # @section -- Init Container Dependencies: Wait for PostgreSQL runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait for PostgreSQL readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait for PostgreSQL capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait for PostgreSQL resources: requests: cpu: "0.5" 
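Review bot: in both `waitForRedis.image` and `waitForPostgres.image` the `# -- Override default ... init container image` comment and its `# @section` marker sit on `registry` only, so `repository`, `tag`, `digest` and `pullPolicy` have neither a description nor a section and fall into the README's `Other Values` table with a blank Description column (those are the eight trailing rows in the regenerated README). Give each key its own `# --` line and `# @section -- Init Container Dependencies: Wait for ...` marker, and use the `digest` description to say that `7-alpine` / `16-alpine` are floating tags and that setting `digest` pins the init image the same way `image.digest` does for the main container.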
@@ -338,98 +417,133 @@ initContainerDependencies: # extraEnvVars: # - name: MYSQL_EXTRA_ARGS # value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" + # @section -- Init Container Dependencies: Wait for PostgreSQL extraEnvVars: [] # -- Additional volume mounts for the init container. Use this to mount CA certificates # (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that # `MYSQL_EXTRA_ARGS` can reference them. + # @section -- Init Container Dependencies: Wait for PostgreSQL extraVolumeMounts: [] # Configure extra options for the startup probe startupProbe: # -- Enable startup probe + # @section -- Probes: Startup enabled: false httpGet: # -- HTTP GET path for startup probe + # @section -- Probes: Startup path: "/health" # -- HTTP GET port for startup probe. Evaluated as a template + # @section -- Probes: Startup port: "{{ .Values.service.http.targetPort }}" # -- Longer initial wait to accommodate slow-starting apps + # @section -- Probes: Startup initialDelaySeconds: 5 # -- Often set longer to avoid frequent checks while starting + # @section -- Probes: Startup periodSeconds: 10 # -- Can be longer to allow slow initialization responses + # @section -- Probes: Startup timeoutSeconds: 3 # -- Consecutive failures during startup before killing the container (instead of immediate # restarts) + # @section -- Probes: Startup failureThreshold: 5 # -- Number of consecutive successes required to consider startup complete and enable # liveness/readiness + # @section -- Probes: Startup successThreshold: 1 # Configure extra options for the readiness probe readinessProbe: # -- Enable readiness probe + # @section -- Probes: Readiness enabled: true httpGet: # -- HTTP GET path for readiness probe + # @section -- Probes: Readiness path: "/health" # -- HTTP GET port for readiness probe. 
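Review bot: the `waitForPostgres.extraEnvVars` and `extraVolumeMounts` descriptions refer to `MYSQL_EXTRA_ARGS`, a `mysql` readiness command and `--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY`, but this is the PostgreSQL wait container (`repository: postgres`, tag `16-alpine`) and those are MySQL client flags. Either the comment was copied from a MySQL variant, in which case it should describe what the postgres wait script actually honours (for libpq clients such as `psql` that is `PGSSLMODE=verify-full` and `PGSSLROOTCERT=/certs/ca.pem` set through `extraEnvVars`, read from the environment with no extra flags), or the template really runs `mysql`, in which case the image and the key name are wrong. Check the template and align the description and example before they are regenerated into the `Wait for PostgreSQL` README section, otherwise a user following the example gets a variable the container ignores and no certificate verification.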
Evaluated as a template + # @section -- Probes: Readiness port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Probes: Readiness initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Probes: Readiness periodSeconds: 5 # -- Short timeout to detect unresponsive containers for readiness + # @section -- Probes: Readiness timeoutSeconds: 3 # -- Consecutive failures before marking the container Unready (no restart) + # @section -- Probes: Readiness failureThreshold: 5 # -- Number of consecutive successes required to mark the container Ready after failures + # @section -- Probes: Readiness successThreshold: 1 # Configure extra options for the liveness probe livenessProbe: # -- Enable liveness probe + # @section -- Probes: Liveness enabled: true httpGet: # -- HTTP GET path for liveness probe + # @section -- Probes: Liveness path: "/health" # -- HTTP GET port for liveness probe. Evaluated as a template + # @section -- Probes: Liveness port: "{{ .Values.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Probes: Liveness initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Probes: Liveness periodSeconds: 10 # -- Short timeout to detect hung containers quickly + # @section -- Probes: Liveness timeoutSeconds: 3 # -- Consecutive failures before restarting the container + # @section -- Probes: Liveness failureThreshold: 10 # -- Typically 1 (usually ignored) + # @section -- Probes: Liveness successThreshold: 1 # -- Service account configuration +# @section -- Service Account serviceAccount: # -- Service account name + # @section -- Service Account name: "" # -- Service account annotations + # @section -- Service Account annotations: {} # -- Names of Secrets containing credentials to pull images from registries + # @section -- Service Account imagePullSecretNames: [] # -- Automatically mount service 
account token + # @section -- Service Account automountServiceAccountToken: true ingress: # -- Enable ingress for Wave + # @section -- Ingress enabled: false # -- Path for the main ingress rule. When empty, falls back to `global.ingress.path` + # @section -- Ingress path: "" # -- Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` + # @section -- Ingress defaultPathType: "" # -- Configure the default service for the ingress (evaluated as template) # Important: make sure only one defaultBackend is defined across the k8s cluster: if the # ingress doesn't reconcile successfully, 'describe ingress ' will report problems + # @section -- Ingress defaultBackend: {} # defaultBackend: # service: @@ -438,6 +552,7 @@ ingress: # number: '{{ .Values.frontend.service.http.port }}' # -- Additional hosts you want to include. Evaluated as a template + # @section -- Ingress extraHosts: [] # extraHosts: # - host: '{{ printf "api.%s" .Values.global.platformExternalDomain }}' @@ -454,13 +569,17 @@ ingress: # portNumber: '{{ .Values.frontend.service.http.port }}' # -- Ingress annotations specific to your load balancer. Evaluated as a template + # @section -- Ingress annotations: {} # -- Additional labels for the ingress object. Evaluated as a template + # @section -- Ingress extraLabels: {} # -- Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). # When empty, falls back to `global.ingress.ingressClassName` + # @section -- Ingress ingressClassName: "" # -- TLS configuration. Evaluated as a template + # @section -- Ingress tls: [] # tls: # - hosts: @@ -469,6 +588,7 @@ ingress: # secretName: my-tls # -- Array of extra objects to deploy with the release +# @section -- Extra Deploy extraDeploy: [] # extraDeploy: # - apiVersion: v1 
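Review bot: the `serviceAccount.automountServiceAccountToken` description (`Automatically mount service account token`) does not say whether Wave needs the Kubernetes API at all. If it does not, the documented default should be `false`, since the mounted token is a bearer credential readable by any process in the container; if it does, the description should name the permission so users can scope the matching RoleBinding. Now that the key has its own `Service Account` section this is the right place to say it.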
@@ -479,14 +599,20 @@ extraDeploy: [] # ... # -- Annotations to add to all deployed objects +# @section -- Common Metadata commonAnnotations: {} # -- Labels to add to all deployed objects +# @section -- Common Metadata commonLabels: {} # -- Additional labels for the Secret objects. Evaluated as a template +# @section -- Common Metadata secretLabels: {} # -- Additional annotations for the Secret objects. Evaluated as a template +# @section -- Common Metadata secretAnnotations: {} # -- Additional labels for the ConfigMap objects. Evaluated as a template +# @section -- Common Metadata configMapLabels: {} # -- Additional annotations for the ConfigMap objects. Evaluated as a template +# @section -- Common Metadata configMapAnnotations: {} diff --git a/charts/platform/tests/__snapshot__/deployment-backend_test.yaml.snap b/charts/platform/tests/__snapshot__/deployment-backend_test.yaml.snap index f6f40c5..e890b57 100644 --- a/charts/platform/tests/__snapshot__/deployment-backend_test.yaml.snap +++ b/charts/platform/tests/__snapshot__/deployment-backend_test.yaml.snap @@ -123,7 +123,7 @@ should produce a Deployment resource with minimal values: - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'"; until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS 
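Review bot: this snapshot change makes the wait-for-redis init container print the Redis password into the pod log. The removed line only reported "(auth set)" or "(auth not set)"; the added line is `echo "$(date): starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'"`, so anyone with `kubectl logs` on the namespace, and every log shipper downstream, receives the credential in clear. The CHANGELOG entry for this change only mentions `@section` markers and a README template loop, so this reads like a stale or regenerated snapshot rather than an intended change to the deployment template; check which script the template actually emits, keep the `if [ -n "$REDISCLI_AUTH" ]` form, and regenerate the snapshot from it. The same replacement appears in the `-364` hunk of this file and in both `deployment-cron_test.yaml.snap` hunks.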
@@ -364,7 +364,7 @@ should render the backend deployment with the correct checksums, labels and anno - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'"; until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS diff --git a/charts/platform/tests/__snapshot__/deployment-cron_test.yaml.snap b/charts/platform/tests/__snapshot__/deployment-cron_test.yaml.snap index afbeec4..1450110 100644 --- a/charts/platform/tests/__snapshot__/deployment-cron_test.yaml.snap +++ b/charts/platform/tests/__snapshot__/deployment-cron_test.yaml.snap @@ -118,7 +118,7 @@ should produce a Deployment resource with minimal values: - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'"; until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS @@ -355,7 +355,7 @@ should render the cron deployment with the correct checksums, labels and annotat - sh - -c - | - if [ -n "$REDISCLI_AUTH" ]; then echo "$(date): starting check redis '$REDIS_URI' (auth set)"; else echo "$(date): starting check redis '$REDIS_URI' (auth not set)"; fi + echo "$(date): starting check redis '$REDIS_URI' with password (if set) '$REDISCLI_AUTH'"; until redis-cli -u "$REDIS_URI" get hello; do echo "$(date): see you in $SLEEP_PERIOD_SECONDS seconds" sleep $SLEEP_PERIOD_SECONDS diff --git a/charts/platform/values.yaml b/charts/platform/values.yaml index b4ecdc7..b6f5d54 100644 --- a/charts/platform/values.yaml +++ b/charts/platform/values.yaml 
@@ -33,36 +33,46 @@ # .Values.global.*: https://helm.sh/docs/chart_template_guide/subcharts_and_globals/ global: # -- Domain where Seqera Platform listens + # @section -- Global platformExternalDomain: example.com # -- Domain where user-created Platform reports are exposed, to avoid Cross-Site Scripting (XSS) # attacks. If unset, data is served through the main domain # `.global.platformExternalDomain`. Evaluated as a template + # @section -- Global contentDomain: '{{ printf "user-data.%s" .Values.global.platformExternalDomain }}' # -- Seqera Platform Service name: can be the internal Kubernetes hostname or an external ingress # hostname. Evaluated as a template + # @section -- Global platformServiceAddress: '{{ printf "%s-platform-backend" .Release.Name | lower }}' # -- Seqera Platform Service port + # @section -- Global platformServicePort: 8080 # -- Domain where the Studios service listens. Make sure the TLS certificate covers this and its # wildcard subdomains. Evaluated as a template + # @section -- Global studiosDomain: '{{ printf "studios.%s" .Values.global.platformExternalDomain }}' # -- Base URL for Studios connections: can be any value, since each session will use a unique # subdomain under `.global.studiosDomain` anyway to connect. Evaluated as a template + # @section -- Global studiosConnectionUrl: '{{ printf "https://connect.%s" (tpl .Values.global.studiosDomain $) }}' # -- Domain where Wave listens. Evaluated as a template + # @section -- Global waveDomain: '{{ printf "wave.%s" .Values.global.platformExternalDomain }}' # -- Domain where Seqera MCP listens. Evaluated as a template + # @section -- Global mcpDomain: '{{ printf "mcp.%s" .Values.global.platformExternalDomain }}' # -- Domain where the Agent Backend service listens. Evaluated as a template + # @section -- Global agentBackendDomain: '{{ printf "ai-api.%s" .Values.global.platformExternalDomain }}' # -- Domain where the Portal Web frontend listens. 
Evaluated as a template + # @section -- Global portalWebDomain: '{{ printf "ai.%s" .Values.global.platformExternalDomain }}' # Ingress defaults shared across the parent chart and all subcharts. Each subchart's local 
@@ -71,31 +81,39 @@ global: # -- Enable Ingress for the parent chart and every subchart that exposes one. Each chart's # local `ingress.enabled` is OR'd with this — set this to `true` to turn on all Ingresses # in one switch + # @section -- Global: Ingress enabled: false # -- Default path applied to ingress rules when a chart's local `ingress.path` is not set. # AWS ALB users should override to `/*`. + # @section -- Global: Ingress path: "/" # -- Default path type applied to ingress rules when a chart's local `ingress.defaultPathType` # is not set. `Prefix` works for nginx, traefik, AWS ALB, and most modern controllers. # Override to `ImplementationSpecific` only if your controller requires it (e.g. older GKE). + # @section -- Global: Ingress defaultPathType: "Prefix" # -- Default ingress class name applied to ingress rules when a chart's local # `ingress.ingressClassName` is not set. Replaces the deprecated `kubernetes.io/ingress.class` # annotation + # @section -- Global: Ingress ingressClassName: "" # -- Annotations merged into every chart's Ingress (e.g. cert-manager issuer, NGINX # `proxy-body-size`, ALB SSL config). Local `ingress.annotations` wins on key collision. # Evaluated as a template + # @section -- Global: Ingress annotations: {} # -- Extra labels merged into every chart's Ingress. Local `ingress.extraLabels` wins on key # collision. Evaluated as a template + # @section -- Global: Ingress extraLabels: {} # -- TLS entries concatenated with each chart's local `ingress.tls`. Useful for a single # wildcard cert that covers all services. Evaluated as a template + # @section -- Global: Ingress tls: [] # -- Optional credentials to log in and fetch images from a private registry. These credentials # are shared with all the subcharts automatically + # @section -- Global: Image Credentials imageCredentials: [] # imageCredentials: # - registry: "" 
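Review bot: the `enabled` description in this hunk says each chart's local `ingress.enabled` is OR'd with the global switch, which means a subchart can no longer opt out once `global.ingress.enabled` is `true`: the one switch exposes every service in the release that has an Ingress, not only the ones a deployer meant to publish. State that consequence in the description (for example "a local `ingress.enabled: false` does not override this") so that someone who only wants the Platform UI reachable sets the local flags instead of the global one. The `tls` entry two keys below has the same one-way semantics ("concatenated with each chart's local `ingress.tls`") and should say so as well.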
@@ -105,6 +123,7 @@ global: # -- Optional list of existing Secrets containing image pull credentials to use for pulling # images from private registries. These Secrets are shared with all the subcharts automatically + # @section -- Global: Image Credentials imageCredentialsSecrets: [] # imageCredentialsSecrets: # - myPrivateRegistryKeySecretName 
@@ -123,163 +142,221 @@ global: platformBackend: # -- Image registry for the Platform backend image deployed on Azure. Example: # `myregistry.azurecr.io`. Evaluated as a template + # @section -- Global: Azure Images registry: # -- Image repository for the Platform backend image deployed on Azure. Example: # `myteam/platform-backend`. Evaluated as a template + # @section -- Global: Azure Images image: # -- Image tag for the Platform backend on Azure. Defaults to the application version # defined in the Chart.yaml file. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the Platform backend on Azure, in the format `sha256:1234abcdef`. # Takes precedence over the tag if both are set. Evaluated as a template + # @section -- Global: Azure Images digest: platformFrontend: # -- Image registry for the Platform frontend image deployed on Azure. Evaluated as a template + # @section -- Global: Azure Images registry: # -- Image repository for the Platform frontend image deployed on Azure. Evaluated as a template + # @section -- Global: Azure Images image: # -- Image tag for the Platform frontend on Azure. Defaults to the application version # defined in the Chart.yaml file. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the Platform frontend on Azure, in the format `sha256:1234abcdef`. # Takes precedence over the tag if both are set. Evaluated as a template + # @section -- Global: Azure Images digest: platformCronMigrateDB: # -- Image registry for the Platform cron migrate-db init container image deployed on Azure. # Evaluated as a template + # @section -- Global: Azure Images registry: # -- Image repository for the Platform cron migrate-db init container image deployed on Azure. # Evaluated as a template + # @section -- Global: Azure Images image: # -- Image tag for the Platform cron migrate-db init container on Azure. Defaults to the # application version defined in the Chart.yaml file. 
Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the Platform cron migrate-db init container on Azure, in the format # `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a template + # @section -- Global: Azure Images digest: studiosProxy: # -- Image registry for the Studios proxy image deployed on Azure. Evaluated as a template + # @section -- Global: Azure Images registry: # -- Image repository for the Studios proxy image deployed on Azure. Evaluated as a template + # @section -- Global: Azure Images image: # -- Image tag for the Studios proxy on Azure. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the Studios proxy on Azure. Evaluated as a template + # @section -- Global: Azure Images digest: studiosServer: # -- Image registry for the Studios server image deployed on Azure. Evaluated as a template + # @section -- Global: Azure Images registry: # -- Image repository for the Studios server image deployed on Azure. Evaluated as a template + # @section -- Global: Azure Images image: # -- Image tag for the Studios server on Azure. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the Studios server on Azure. Evaluated as a template + # @section -- Global: Azure Images digest: pipelineOptimization: # -- Image registry for the Pipeline Optimization image deployed on Azure. Evaluated as a # template + # @section -- Global: Azure Images registry: # -- Image repository for the Pipeline Optimization image deployed on Azure. Evaluated as a # template + # @section -- Global: Azure Images image: # -- Image tag for the Pipeline Optimization on Azure. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the Pipeline Optimization on Azure. 
Evaluated as a template + # @section -- Global: Azure Images digest: pipelineOptimizationMigrateDB: # -- Image registry for the Pipeline Optimization migrate-db init container image deployed # on Azure. Evaluated as a template + # @section -- Global: Azure Images registry: # -- Image repository for the Pipeline Optimization migrate-db init container image deployed # on Azure. Evaluated as a template + # @section -- Global: Azure Images image: # -- Image tag for the Pipeline Optimization migrate-db init container on Azure. Evaluated # as a template + # @section -- Global: Azure Images tag: # -- Image digest for the Pipeline Optimization migrate-db init container on Azure, in the # format `sha256:1234abcdef`. Takes precedence over the tag if both are set. Evaluated as a # template + # @section -- Global: Azure Images digest: agentBackend: # -- Image registry for the Agent Backend image deployed on Azure. Evaluated as a template + # @section -- Global: Azure Images registry: # -- Image repository for the Agent Backend image deployed on Azure. Evaluated as a template + # @section -- Global: Azure Images image: # -- Image tag for the Agent Backend on Azure. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the Agent Backend on Azure. Evaluated as a template + # @section -- Global: Azure Images digest: waitForCron: # -- Image registry for the wait-for-cron init container image deployed on Azure. Evaluated # as a template + # @section -- Global: Azure Images registry: # -- Image repository for the wait-for-cron init container image deployed on Azure. Evaluated # as a template + # @section -- Global: Azure Images image: # -- Image tag for the wait-for-cron init container on Azure. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the wait-for-cron init container on Azure. 
Evaluated as a template + # @section -- Global: Azure Images digest: waitForPlatform: # -- Image registry for the wait-for-platform init container image deployed on Azure. # Evaluated as a template + # @section -- Global: Azure Images registry: # -- Image repository for the wait-for-platform init container image deployed on Azure. # Evaluated as a template + # @section -- Global: Azure Images image: # -- Image tag for the wait-for-platform init container on Azure. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the wait-for-platform init container on Azure. Evaluated as a template + # @section -- Global: Azure Images digest: waitForMySQL: # -- Image registry for the wait-for-MySQL init container image deployed on Azure. Evaluated # as a template + # @section -- Global: Azure Images registry: # -- Image repository for the wait-for-MySQL init container image deployed on Azure. Evaluated # as a template + # @section -- Global: Azure Images image: # -- Image tag for the wait-for-MySQL init container on Azure. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the wait-for-MySQL init container on Azure. Evaluated as a template + # @section -- Global: Azure Images digest: waitForRedis: # -- Image registry for the wait-for-Redis init container image deployed on Azure. Evaluated # as a template + # @section -- Global: Azure Images registry: # -- Image repository for the wait-for-Redis init container image deployed on Azure. Evaluated # as a template + # @section -- Global: Azure Images image: # -- Image tag for the wait-for-Redis init container on Azure. Evaluated as a template + # @section -- Global: Azure Images tag: # -- Image digest for the wait-for-Redis init container on Azure. 
Evaluated as a template + # @section -- Global: Azure Images digest: platformDatabase: # -- Platform MySQL database hostname + # @section -- Platform Database host: "" # -- Platform MySQL database port + # @section -- Platform Database port: 3306 # -- Platform MySQL database name + # @section -- Platform Database name: "" # -- Platform MySQL database username + # @section -- Platform Database username: "" # -- Platform MySQL database password + # @section -- Platform Database password: "" # -- Name of an existing Secret containing credentials for the Platform MySQL database, as an # alternative to the password field. Note: the Secret must already exist in the same namespace at # the time of deployment + # @section -- Platform Database existingSecretName: "" # -- Key in the existing Secret containing the password for the Platform MySQL database # @default -- `"TOWER_DB_PASSWORD"` + # @section -- Platform Database existingSecretKey: "" # -- Database driver. Possible options: "mariadb" (or its alias "mysql") + # @section -- Platform Database driver: "mariadb" # -- Connection options to compose in the driver URL according to the driver used. The only # driver that can be set is 'mariadb' + # @section -- Platform Database connectionOptions: # -- Connection options to use with the MariaDB driver. For the full list of supported # options see: # https://mariadb.com/docs/connectors/mariadb-connector-j/about-mariadb-connector-j + # @section -- Platform Database mariadb: # permitMysqlScheme=true allows the MariaDB driver to communicate with MySQL databases. - permitMysqlScheme=true 
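Review bot: the `driver` description in this hunk says the options are "mariadb" (or its alias "mysql"), while the `connectionOptions` description two keys below says the only driver that can be set is 'mariadb'. Both now render side by side under the new `Platform Database` README section, so the contradiction is visible to readers; settle on one wording, e.g. "mariadb" with "mysql" accepted as an alias, and use it in both places. While here, `# - sslMode=verify-ca` is left as a commented hint under `connectionOptions.mariadb`, so the default connection to the database is unencrypted; a sentence in the description saying that TLS has to be opted into via this list would save deployers from assuming otherwise.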
@@ -289,21 +366,27 @@ platformDatabase: # - sslMode=verify-ca # -- Hibernate dialect to use, depending on the database version. Possible options: mysql-8 # (default), mariadb-10 + # @section -- Platform Database dialect: "mysql-8" # -- Connection pool minimum size + # @section -- Platform Database minPoolSize: "2" # -- Connection pool maximum size + # @section -- Platform Database maxPoolSize: "10" # -- Connection pool maximum lifetime + # @section -- Platform Database maxLifetime: "180000" platform: # TODO: rename variable? # -- Content to insert into the tower.yml file (you can use `\|-` YAML multilines). See # https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview + # @section -- Platform YAMLConfigFileContent: "" # -- Sender email address for user support + # @section -- Platform contactEmail: support@example.com # -- JWT seed, defined as string, used to sign authentication tokens. @@ -313,12 +396,15 @@ platform: # Auto-generated random values are incompatible with Kustomize. When upgrading releases via # Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to # regenerate a new random value on each upgrade + # @section -- Platform: JWT Seed jwtSeedString: "" # -- Name of an existing Secret containing the JWT seed, as an alternative to the string field. # Note: the Secret must already exist in the same namespace at the time of deployment + # @section -- Platform: JWT Seed jwtSeedSecretName: "" # -- Key in the existing Secret containing the JWT seed # @default -- `"TOWER_JWT_SECRET"` + # @section -- Platform: JWT Seed jwtSeedSecretKey: "" # -- Crypto seed, defined as string, used to encrypt sensitive data in the database. 
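Review bot: `jwtSeedString` now appears in the README next to `jwtSeedSecretName` under `Platform: JWT Seed`, but its description only warns about the Kustomize interaction with auto-generated values. It should also say that a seed supplied as a string is stored in clear in the Helm release Secret and returned by `helm get values`, so the `jwtSeedSecretName` form is the one to use outside development. The same sentence is missing from the sibling string fields in the following hunks (`cryptoSeedString`, `licenseString`, `oidcPrivateKeyBase64`, `oidcClientRegistrationToken`), which share the "Define the value as a String or a Secret, not both" wording without saying why the Secret form is preferable.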
@@ -330,16 +416,20 @@ platform: # Auto-generated random values are incompatible with Kustomize. When upgrading releases via # Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to # regenerate a new random value on each upgrade + # @section -- Platform: Crypto Seed cryptoSeedString: "" # -- Name of an existing Secret containing the crypto seed, as an alternative to the string field. # Note: the Secret must already exist in the same namespace at the time of deployment + # @section -- Platform: Crypto Seed cryptoSeedSecretName: "" # -- Key in the existing Secret containing the crypto seed # @default -- `"TOWER_CRYPTO_SECRETKEY"` + # @section -- Platform: Crypto Seed cryptoSeedSecretKey: "" # -- List of execution backends to enable. At least one is required. See # https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview#compute-environments + # @section -- Platform: Execution Backends executionBackends: - altair-platform - awsbatch-platform @@ -358,13 +448,16 @@ platform: # -- Platform license key. A license key is a long alphanumeric string provided by your Seqera # account manager. Define the value as a String or a Secret, not both at the same time + # @section -- Platform: License licenseString: "" # -- Name of an existing Secret containing the Platform license key, as an alternative to the # string field. Note: the Secret must already exist in the same namespace at the time of # deployment + # @section -- Platform: License licenseSecretName: "" # -- Key in the existing Secret containing the Platform license key # @default -- `"TOWER_LICENSE"` + # @section -- Platform: License licenseSecretKey: "" # -- OIDC private key in PEM format, base64-encoded. Define the value as a String or a Secret, not 
@@ -373,13 +466,16 @@ platform: # Auto-generated random values are incompatible with Kustomize. When upgrading releases via # Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to # regenerate a new random value on each upgrade + # @section -- Platform: OIDC oidcPrivateKeyBase64: "" # -- Name of an existing Secret containing the OIDC private key in PEM format, as an alternative # to the base64-encoded string field. Note: the Secret must already exist in the same namespace at # the time of deployment + # @section -- Platform: OIDC oidcPrivateKeySecretName: "" # -- Key in the existing Secret containing the OIDC private key in PEM format # @default -- `"oidc.pem"` + # @section -- Platform: OIDC oidcPrivateKeySecretKey: "" # -- OIDC client registration token as a string. Used by Studios and MCP to dynamically register 
@@ -389,38 +485,49 @@ platform: # Auto-generated random values are incompatible with Kustomize. When upgrading releases via # Kustomize, Helm cannot query the cluster to check if a secret already exists, causing it to # regenerate a new random value on each upgrade + # @section -- Platform: OIDC oidcClientRegistrationToken: "" # -- Name of an existing Secret containing the OIDC client registration token, as an alternative # to the string field. Note: the Secret must already exist in the same namespace at the time of # deployment + # @section -- Platform: OIDC oidcClientRegistrationTokenSecretName: "" # -- Key in the existing Secret containing the OIDC client registration token # @default -- `"MCP_OAUTH_INITIAL_ACCESS_TOKEN"` + # @section -- Platform: OIDC oidcClientRegistrationTokenSecretKey: "" smtp: # -- SMTP server hostname to let users authenticate through email, and to send email # notifications for events + # @section -- Platform: SMTP host: "" # -- SMTP server port + # @section -- Platform: SMTP port: "" # -- SMTP server username + # @section -- Platform: SMTP user: "" # -- SMTP server password + # @section -- Platform: SMTP password: "" # -- Name of an existing secret containing the SMTP password + # @section -- Platform: SMTP existingSecretName: "" # -- Key in the existing Secret containing the SMTP password # @default -- `"TOWER_SMTP_PASSWORD"` + # @section -- Platform: SMTP existingSecretKey: "" # -- URL of the Wave service Platform uses. Evaluated as a template. # The Wave service provided by Seqera is `https://wave.seqera.io` + # @section -- Platform: Wave & Data Explorer waveServerUrl: "https://wave.seqera.io" dataExplorer: # -- Enable the Data Explorer feature: # https://docs.seqera.io/platform-enterprise/data/data-explorer + # @section -- Platform: Wave & Data Explorer enabled: false # Seqera Studios configuration 
@@ -428,15 +535,18 @@ platform: # -- Image registry where Wave (defined at `.platform.waveServerUrl`) will push custom Studios # images built for user sessions. Credentials to the registry/repository must be defined in each # Platform Workspace. Example: `myregistry.example.com` + # @section -- Platform: Studios customImageRegistry: "" # -- Image repository where Wave (defined at `.platform.waveServerUrl`) will push custom Studios # images built for user sessions. Example: `myteam/studios-container-repo` + # @section -- Platform: Studios customImageRepository: "" # -- Map of tools to make available in Studios. Recommended and deprecated versions can be # specified for each tool to allow upgrading from an older version. Refer to the documentation # for more details: # https://docs.seqera.io/platform-enterprise/studios/managing#migrate-a-studio-from-an-earlier-container-image-template + # @section -- Platform: Studios tools: jupyter: tool: jupyter 
@@ -461,69 +571,90 @@ platform: # field is 'recommended'. # -- Additional labels for the ConfigMap objects. Evaluated as a template + # @section -- Platform: Labels & Annotations configMapLabels: {} # -- Additional labels for the Secret objects. Evaluated as a template + # @section -- Platform: Labels & Annotations secretLabels: {} # -- Additional labels for the Service objects. Evaluated as a template + # @section -- Platform: Labels & Annotations serviceLabels: {} # -- Additional annotations for the ConfigMap objects. Evaluated as a template + # @section -- Platform: Labels & Annotations configMapAnnotations: {} # -- Additional annotations for the Secret objects. Evaluated as a template + # @section -- Platform: Labels & Annotations secretAnnotations: {} # -- Additional annotations for the Service objects. Evaluated as a template + # @section -- Platform: Labels & Annotations serviceAnnotations: {} # Note that Platform currently doesn't support specifying a Redis database within a Redis instance redis: # -- Redis hostname + # @section -- Redis host: "" # -- Redis port + # @section -- Redis port: 6379 # -- Redis password if the installation requires it + # @section -- Redis password: "" # -- Name of an existing Secret containing credentials for Redis, as an alternative to the # password field. 
Note: the Secret must already exist in the same namespace at the time of # deployment + # @section -- Redis existingSecretName: "" # -- Key in the existing Secret containing the password for Redis # @default -- `"TOWER_REDIS_PASSWORD"` + # @section -- Redis existingSecretKey: "" # -- Enable TLS when connecting to Redis + # @section -- Redis enableTls: false # Options specific to the Platform backend deployment backend: image: # -- Backend container image registry + # @section -- Backend: Image registry: "" # -- Backend container image repository + # @section -- Backend: Image repository: private/nf-tower-enterprise/backend # -- Backend container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Backend: Image tag: "" # -- Backend container image digest in the format `sha256:1234abcdef` + # @section -- Backend: Image digest: "" # -- imagePullPolicy for the backend container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Backend: Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Backend: Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName # -- List of Micronaut Environments to enable on the backend pod + # @section -- Backend: Image micronautEnvironments: [prod, redis, ha] service: # -- Backend Service type. # Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Backend: Service type: ClusterIP http: # -- Service name to use + # @section -- Backend: Service name: http # The external port is defined as the global variable # `.global.platformServicePort`, so it can be used by subcharts too 
@@ -531,13 +662,16 @@ backend: # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port). Platform v25.3+ only; previous # versions were hardcoded to 8080 + # @section -- Backend: Service targetPort: 8080 # -- Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Backend: Service nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Backend: Service extraServices: [] # extraServices: # - name: myspecialservice @@ -547,23 +681,30 @@ backend: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Backend: Service extraOptions: {} # -- Additional init containers for the backend pod. Evaluated as a template + # @section -- Backend: Pod initContainers: [] # -- Override default container command (useful when using custom images) + # @section -- Backend: Pod command: [] # -- Override default container args (useful when using custom images) + # @section -- Backend: Pod args: [] # -- Additional labels for the backend pod. Evaluated as a template + # @section -- Backend: Pod podLabels: {} # -- Additional annotations for the backend pod. Evaluated as a template + # @section -- Backend: Pod podAnnotations: {} # -- Extra options to place under .spec (e.g. replicas, strategy, revisionHistoryLimit, etc). # Evaluated as a template + # @section -- Backend: Pod extraOptionsSpec: replicas: 3 # extraOptionsSpec: 
@@ -575,26 +716,32 @@ backend: # -- Extra options to place under .spec.template.spec (e.g. nodeSelector, affinity, restartPolicy, # etc). Evaluated as a template + # @section -- Backend: Pod extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: # service: myspecialnodegroup # -- Extra environment variables to set on the backend pod + # @section -- Backend: Pod extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars + # @section -- Backend: Pod extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars + # @section -- Backend: Pod extraEnvVarsSecrets: [] # -- List of volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` + # @section -- Backend: Pod extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` + # @section -- Backend: Pod extraVolumeMounts: [] # Configure Pods Security Context. 
@@ -602,28 +749,36 @@ backend: # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Backend: Security Context enabled: true # -- Sets the GID that Kubernetes will apply to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Backend: Security Context fsGroup: 101 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Backend: Security Context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Backend: Security Context runAsUser: 101 # -- Boolean that requires the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Backend: Security Context runAsNonRoot: true # -- Mounts the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Backend: Security Context readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Backend: Security Context capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Backend: Resources resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
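Review bot: the `containerSecurityContext` block in this hunk drops all capabilities, runs as UID 101 with `runAsNonRoot: true` and mounts the root filesystem read-only, but it sets neither `allowPrivilegeEscalation: false` nor a `seccompProfile` (`type: RuntimeDefault`), and `podSecurityContext` only carries `fsGroup: 101`. Both settings are required by the Pod Security Standards `restricted` profile, so a namespace that enforces it rejects the backend pod with these defaults even though everything else is already in place. Add the two keys here, each with its own `# @section -- Backend: Security Context` marker so the generated README table documents them, instead of leaving deployers to discover the admission failure.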
@@ -642,88 +797,118 @@ backend: # Configure extra options for the startup probe startupProbe: # -- Enable startup probe + # @section -- Backend: Startup Probe enabled: false httpGet: # -- HTTP GET path for startup probe + # @section -- Backend: Startup Probe path: "/health" # -- HTTP GET port for startup probe. Evaluated as a template. Note: before v25.3 this was # hardcoded to 8080 + # @section -- Backend: Startup Probe port: '{{ .Values.backend.service.http.targetPort }}' # -- Longer initial wait to accommodate slow-starting apps + # @section -- Backend: Startup Probe initialDelaySeconds: 5 # -- Often set longer to avoid frequent checks while starting + # @section -- Backend: Startup Probe periodSeconds: 10 # -- Can be longer to allow slow initialization responses + # @section -- Backend: Startup Probe timeoutSeconds: 3 # -- Consecutive failures during startup before killing the container (instead of immediate # restarts) + # @section -- Backend: Startup Probe failureThreshold: 5 # -- Number of consecutive successes required to consider startup complete and enable # liveness/readiness + # @section -- Backend: Startup Probe successThreshold: 1 # Configure extra options for the readiness probe readinessProbe: # -- Enable readiness probe + # @section -- Backend: Readiness Probe enabled: true httpGet: # -- HTTP GET path for readiness probe + # @section -- Backend: Readiness Probe path: "/health" # -- HTTP GET port for readiness probe. Evaluated as a template. 
Note: before v25.3 this was # hardcoded to 8080 + # @section -- Backend: Readiness Probe port: '{{ .Values.backend.service.http.targetPort }}' # -- Delay before first check (normal start timing) + # @section -- Backend: Readiness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Backend: Readiness Probe periodSeconds: 5 # -- Short timeout to detect unresponsive containers for readiness + # @section -- Backend: Readiness Probe timeoutSeconds: 3 # -- Consecutive failures before marking the container Unready (no restart) + # @section -- Backend: Readiness Probe failureThreshold: 5 # -- Number of consecutive successes required to mark the container Ready after failures + # @section -- Backend: Readiness Probe successThreshold: 1 # Configure extra options for the liveness probe livenessProbe: # -- Enable liveness probe + # @section -- Backend: Liveness Probe enabled: true httpGet: # -- HTTP GET path for liveness probe + # @section -- Backend: Liveness Probe path: "/health" # -- HTTP GET port for liveness probe. Evaluated as a template. 
Note: before v25.3 this was # hardcoded to 8080 + # @section -- Backend: Liveness Probe port: '{{ .Values.backend.service.http.targetPort }}' # -- Delay before first check (normal start timing) + # @section -- Backend: Liveness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Backend: Liveness Probe periodSeconds: 10 # -- Short timeout to detect hung containers quickly + # @section -- Backend: Liveness Probe timeoutSeconds: 3 # -- Consecutive failures before restarting the container + # @section -- Backend: Liveness Probe failureThreshold: 10 # -- Typically 1 (usually ignored) + # @section -- Backend: Liveness Probe successThreshold: 1 # Options specific to the Platform frontend deployment frontend: image: # -- Frontend container image registry + # @section -- Frontend: Image registry: "" # -- Frontend container image repository + # @section -- Frontend: Image repository: private/nf-tower-enterprise/frontend # -- Specify a tag to override the version defined in .Chart.appVersion # @default -- `"{{ .chart.AppVersion }}-unprivileged"` + # @section -- Frontend: Image tag: "" # -- Frontend container image digest in the format `sha256:1234abcdef` + # @section -- Frontend: Image digest: "" # -- imagePullPolicy for the frontend container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Frontend: Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Frontend: Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName 
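Review bot: the `# @default -- `"{{ .chart.AppVersion }}-unprivileged"`` annotation on `frontend.image.tag` in this hunk refers to `.chart.AppVersion`, but Helm's built-in object is `.Chart.AppVersion`; because `@default` text is copied verbatim into the generated README, an operator who pastes it as a template gets a reference that does not resolve. The same lowercase `.chart` appears on the cron and dbMigrationInitContainer `tag` defaults below. Suggest `# @default -- `"{{ .Chart.AppVersion }}-unprivileged"`` here and the matching fix on the other two.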
@@ -731,21 +916,27 @@ frontend: service: # -- Frontend Service type. # Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Frontend: Service type: ClusterIP http: # -- Service name to use + # @section -- Frontend: Service name: http # -- Service port + # @section -- Frontend: Service port: 80 # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port) + # @section -- Frontend: Service targetPort: 8083 # -- (int) Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Frontend: Service nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Frontend: Service extraServices: [] # extraServices: # - name: myspecialservice 
@@ -755,23 +946,30 @@ frontend: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Frontend: Service extraOptions: {} # -- Additional init containers for the frontend pod. Evaluated as a template + # @section -- Frontend: Pod initContainers: [] # -- Override default container command (useful when using custom images) + # @section -- Frontend: Pod command: [] # -- Override default container args (useful when using custom images) + # @section -- Frontend: Pod args: [] # -- Additional labels for the frontend pod. Evaluated as a template + # @section -- Frontend: Pod podLabels: {} # -- Additional annotations for the frontend pod. Evaluated as a template + # @section -- Frontend: Pod podAnnotations: {} # -- Extra options to place under .spec (e.g. revisionHistoryLimit, etc). Evaluated as a template. # Note: the cron deployment can only run a single replica and use Recreate strategy + # @section -- Frontend: Pod extraOptionsSpec: {} # extraOptionsSpec: # replicas: 2 
@@ -782,26 +980,32 @@ frontend: # -- Extra options to place under .spec.template.spec (for example, nodeSelector, affinity, # restartPolicy). Evaluated as a template + # @section -- Frontend: Pod extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: # service: myspecialnodegroup # -- Extra environment variables to set on the frontend pod + # @section -- Frontend: Pod extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars + # @section -- Frontend: Pod extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars + # @section -- Frontend: Pod extraEnvVarsSecrets: [] # -- Extra volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` + # @section -- Frontend: Pod extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` + # @section -- Frontend: Pod extraVolumeMounts: [] # Configure Pods Security Context. 
@@ -809,28 +1013,36 @@ frontend: # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Frontend: Security Context enabled: true # -- GID that Kubernetes applies to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Frontend: Security Context fsGroup: 101 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Frontend: Security Context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Frontend: Security Context runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Frontend: Security Context runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Frontend: Security Context readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Frontend: Security Context capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Frontend: Resources resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
@@ -849,110 +1061,147 @@ frontend: # Configure extra options for the startup probe startupProbe: # -- Enable startup probe + # @section -- Frontend: Startup Probe enabled: false httpGet: # -- HTTP GET path for startup probe + # @section -- Frontend: Startup Probe path: "/health" # -- HTTP GET port for startup probe. Evaluated as a template + # @section -- Frontend: Startup Probe port: "{{ .Values.frontend.service.http.targetPort }}" # -- Longer initial wait to accommodate slow-starting apps + # @section -- Frontend: Startup Probe initialDelaySeconds: 5 # -- Often set longer to avoid frequent checks while starting + # @section -- Frontend: Startup Probe periodSeconds: 10 # -- Can be longer to allow slow initialization responses + # @section -- Frontend: Startup Probe timeoutSeconds: 3 # -- Consecutive failures during startup before killing the container (instead of immediate # restarts) + # @section -- Frontend: Startup Probe failureThreshold: 5 # -- Number of consecutive successes required to consider startup complete and enable # liveness/readiness + # @section -- Frontend: Startup Probe successThreshold: 1 # Configure extra options for the readiness probe readinessProbe: # -- Enable readiness probe + # @section -- Frontend: Readiness Probe enabled: true httpGet: # -- HTTP GET path for readiness probe + # @section -- Frontend: Readiness Probe path: "/health" # -- HTTP GET port for readiness probe. 
Evaluated as a template + # @section -- Frontend: Readiness Probe port: "{{ .Values.frontend.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Frontend: Readiness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Frontend: Readiness Probe periodSeconds: 5 # -- Short timeout to detect unresponsive containers for readiness + # @section -- Frontend: Readiness Probe timeoutSeconds: 3 # -- Consecutive failures before marking the container Unready (no restart) + # @section -- Frontend: Readiness Probe failureThreshold: 5 # -- Number of consecutive successes required to mark the container Ready after failures + # @section -- Frontend: Readiness Probe successThreshold: 1 # Configure extra options for the liveness probe livenessProbe: # -- Enable liveness probe + # @section -- Frontend: Liveness Probe enabled: true httpGet: # -- HTTP GET path for liveness probe + # @section -- Frontend: Liveness Probe path: "/health" # -- HTTP GET port for liveness probe. 
Evaluated as a template + # @section -- Frontend: Liveness Probe port: "{{ .Values.frontend.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Frontend: Liveness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Frontend: Liveness Probe periodSeconds: 10 # -- Short timeout to detect hung containers quickly + # @section -- Frontend: Liveness Probe timeoutSeconds: 3 # -- Consecutive failures before restarting the container + # @section -- Frontend: Liveness Probe failureThreshold: 10 # -- Typically 1 (usually ignored) + # @section -- Frontend: Liveness Probe successThreshold: 1 # Options specific to the Platform cron deployment cron: image: # -- Cron container image registry + # @section -- Cron: Image registry: "" # -- Cron container image repository + # @section -- Cron: Image repository: private/nf-tower-enterprise/backend # -- Cron container image tag # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Cron: Image tag: "" # -- Cron container image digest in the format `sha256:1234abcdef` + # @section -- Cron: Image digest: "" # -- imagePullPolicy for the cron container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Cron: Image pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Cron: Image pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName # -- List of Micronaut Environments to enable on the cron pod + # @section -- Cron: Service micronautEnvironments: [prod, redis, cron] service: # -- Cron Service type. 
# Note: ingresses using AWS ALB require the service to be NodePort + # @section -- Cron: Service type: ClusterIP http: # -- Service name to use + # @section -- Cron: Service name: http # -- Service port + # @section -- Cron: Service port: 8080 # -- Port on the pod/container that the Service forwards traffic to (can be a number or # named port, distinct from the Service's external port) + # @section -- Cron: Service targetPort: 8082 # -- Service node port, only used when service.type is Nodeport or LoadBalancer # Choose port between 30000-32767, unless the cluster was configured differently than default + # @section -- Cron: Service nodePort: null # -- Other services that should live in the Service object # https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service + # @section -- Cron: Service extraServices: [] # extraServices: # - name: myspecialservice 
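Review bot: `cron.micronautEnvironments` in this hunk is tagged `# @section -- Cron: Service`, but it configures the cron process's Micronaut runtime, not the Kubernetes Service object, so it will be listed between the image keys and `type`/`port`/`nodePort` in the README; `# @section -- Cron: Pod` (or a dedicated section) fits better. Also, `cron.service.http.nodePort` lacks the `(int)` type hint that `frontend.service.http.nodePort` carries (`# -- (int) Service node port, ...`), so helm-docs will infer the type from the `null` default for one and show `int` for the other; add `(int)` here for a consistent table.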
@@ -962,49 +1211,62 @@ cron: # -- Extra Service options to place under .spec (for example, clusterIP, loadBalancerIP, # externalTrafficPolicy, externalIPs). Evaluated as a template + # @section -- Cron: Service extraOptions: {} # -- Additional init containers for the cron pod. Evaluated as a template + # @section -- Cron: Pod initContainers: [] # -- Override default container command (useful when using custom images) + # @section -- Cron: Pod command: [] # -- Override default container args (useful when using custom images) + # @section -- Cron: Pod args: [] # -- Additional labels for the cron pod. Evaluated as a template + # @section -- Cron: Pod podLabels: {} # -- Additional annotations for the cron pod. Evaluated as a template + # @section -- Cron: Pod podAnnotations: {} # -- Extra options to place under .spec (for example, revisionHistoryLimit). Evaluated as a template # Note that cron deployment needs to have a single replica with Recreate strategy + # @section -- Cron: Pod extraOptionsSpec: {} # extraOptionsSpec: # revisionHistoryLimit: 4 # -- Extra options to place under .spec.template.spec (for example, nodeSelector, affinity, restartPolicy) # Evaluated as a template + # @section -- Cron: Pod extraOptionsTemplateSpec: {} # extraOptionsTemplateSpec: # nodeSelector: # service: myspecialnodegroup # -- Extra environment variables to set on the cron pod + # @section -- Cron: Pod extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars + # @section -- Cron: Pod extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars + # @section -- Cron: Pod extraEnvVarsSecrets: [] # -- Extra volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` + # @section -- Cron: Pod extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). 
Normally used with # `extraVolumes` + # @section -- Cron: Pod extraVolumeMounts: [] # Configure Pods Security Context. @@ -1012,28 +1274,36 @@ cron: # Empty map to disable Pod Security Context configuration podSecurityContext: # -- Enable pod Security Context + # @section -- Cron: Security Context enabled: true # -- GID that Kubernetes applies to mounted volumes and created files so processes # in the pod can share group-owned access + # @section -- Cron: Security Context fsGroup: 101 # Configure Container Security Context. # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Cron: Security Context enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Cron: Security Context runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Cron: Security Context runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Cron: Security Context readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Cron: Security Context capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Cron: Resources resources: {} # `.requests` are the minimum CPU/memory resources the scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the 
@@ -1052,125 +1322,168 @@ cron: # Configure extra options for the startup probe startupProbe: # -- Enable startup probe + # @section -- Cron: Startup Probe enabled: false httpGet: # -- HTTP GET path for startup probe + # @section -- Cron: Startup Probe path: "/health" # -- HTTP GET port for startup probe. Evaluated as a template + # @section -- Cron: Startup Probe port: "{{ .Values.cron.service.http.targetPort }}" # -- Longer initial wait to accommodate slow-starting apps + # @section -- Cron: Startup Probe initialDelaySeconds: 5 # -- Often set longer to avoid frequent checks while starting + # @section -- Cron: Startup Probe periodSeconds: 10 # -- Can be longer to allow slow initialization responses + # @section -- Cron: Startup Probe timeoutSeconds: 3 # -- Consecutive failures during startup before killing the container (instead of immediate restarts) + # @section -- Cron: Startup Probe failureThreshold: 5 # -- Number of consecutive successes required to consider startup complete and enable liveness/readiness + # @section -- Cron: Startup Probe successThreshold: 1 # Configure extra options for the readiness probe readinessProbe: # -- Enable readiness probe + # @section -- Cron: Readiness Probe enabled: true httpGet: # -- HTTP GET path for readiness probe + # @section -- Cron: Readiness Probe path: "/health" # -- HTTP GET port for readiness probe. 
Evaluated as a template + # @section -- Cron: Readiness Probe port: "{{ .Values.cron.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Cron: Readiness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Cron: Readiness Probe periodSeconds: 5 # -- Short timeout to detect unresponsive containers for readiness + # @section -- Cron: Readiness Probe timeoutSeconds: 3 # -- Consecutive failures before marking the container Unready (no restart) + # @section -- Cron: Readiness Probe failureThreshold: 5 # -- Number of consecutive successes required to mark the container Ready after failures + # @section -- Cron: Readiness Probe successThreshold: 1 # Configure extra options for the liveness probe livenessProbe: # -- Enable liveness probe + # @section -- Cron: Liveness Probe enabled: true httpGet: # -- HTTP GET path for liveness probe + # @section -- Cron: Liveness Probe path: "/health" # -- HTTP GET port for liveness probe. 
Evaluated as a template + # @section -- Cron: Liveness Probe port: "{{ .Values.cron.service.http.targetPort }}" # -- Delay before first check (normal start timing) + # @section -- Cron: Liveness Probe initialDelaySeconds: 5 # -- Regular check interval during normal operation + # @section -- Cron: Liveness Probe periodSeconds: 10 # -- Short timeout to detect hung containers quickly + # @section -- Cron: Liveness Probe timeoutSeconds: 3 # -- Consecutive failures before restarting the container + # @section -- Cron: Liveness Probe failureThreshold: 10 # -- Typically 1 (usually ignored) + # @section -- Cron: Liveness Probe successThreshold: 1 dbMigrationInitContainer: image: # -- Database migration container image registry + # @section -- Cron: DB Migration Init Container registry: "" # -- Database migration container image repository + # @section -- Cron: DB Migration Init Container repository: private/nf-tower-enterprise/migrate-db # -- Specify a tag to override the version defined in .Chart.appVersion # @default -- `"{{ .chart.AppVersion }}"` + # @section -- Cron: DB Migration Init Container tag: "" # -- Database migration container image digest in the format `sha256:1234abcdef` + # @section -- Cron: DB Migration Init Container digest: "" # -- imagePullPolicy for the database migration init container # Ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images + # @section -- Cron: DB Migration Init Container pullPolicy: IfNotPresent # -- List of imagePullSecrets # Secrets must be created in the same namespace, for example using the .extraDeploy array # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # @section -- Cron: DB Migration Init Container pullSecrets: [] # pullSecrets: # - myRegistryKeySecretName # -- Override default container command (useful when using custom images) + # @section -- Cron: DB Migration Init Container command: ["/bin/sh", "-c", "/migrate-db.sh"] # -- Override default container 
args (useful when using custom images) + # @section -- Cron: DB Migration Init Container args: [] # -- Extra environment variables to set on the cron pod + # @section -- Cron: DB Migration Init Container extraEnvVars: [] # extraEnvVars: # - name: "CUSTOM_ENV_VAR" # value: "set-a-value-here" # -- List of ConfigMaps containing extra env vars + # @section -- Cron: DB Migration Init Container extraEnvVarsCMs: [] # -- List of Secrets containing extra env vars + # @section -- Cron: DB Migration Init Container extraEnvVarsSecrets: [] # -- Extra volumes to add to the deployment (evaluated as template). Requires setting # `extraVolumeMounts` + # @section -- Cron: DB Migration Init Container extraVolumes: [] # -- List of volume mounts to add to the container (evaluated as template). Normally used with # `extraVolumes` + # @section -- Cron: DB Migration Init Container extraVolumeMounts: [] # Configure Init Container Security Context # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container containerSecurityContext: # -- Enable container Security Context + # @section -- Cron: DB Migration Init Container enabled: true # -- UID the container processes run as (overrides container image default) + # @section -- Cron: DB Migration Init Container runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID 0) + # @section -- Cron: DB Migration Init Container runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Cron: DB Migration Init Container readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Cron: DB Migration Init Container capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Cron: DB Migration Init Container resources: {} # `.requests` are the minimum CPU/memory resources the 
scheduler uses to place a pod; # the kubelet then guarantees at least these resources to the pod. `.limits` are the @@ -1190,13 +1503,16 @@ initContainerDependencies: # -- Enable init containers that coordinate startup dependencies between Platform components # (for example, wait for database readiness before cron starts, wait for cron before backend # starts, etc) + # @section -- Init Container Dependencies enabled: true waitForMySQL: # -- Enable wait for MySQL init container before starting backend and cron + # @section -- Init Container Dependencies: Wait For MySQL enabled: true image: # -- Override default wait for MySQL init container image + # @section -- Init Container Dependencies: Wait For MySQL registry: "" repository: mysql tag: "9" @@ -1206,18 +1522,23 @@ initContainerDependencies: securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait For MySQL runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID # 0) + # @section -- Init Container Dependencies: Wait For MySQL runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait For MySQL readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait For MySQL capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait For MySQL resources: requests: cpu: "0.5" 
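Review bot: `cron.dbMigrationInitContainer.extraEnvVars` in the `@@ -1052` hunk keeps the description "Extra environment variables to set on the cron pod", copied from `cron.extraEnvVars`; now that it sits in its own "Cron: DB Migration Init Container" section the text should name the init container, e.g. `# -- Extra environment variables to set on the database migration init container`. In the `@@ -1190` hunk, `initContainerDependencies.waitForMySQL.image` only carries a `# --` comment and `@section` on `registry`, while `repository: mysql` and `tag: "9"` are uncommented, so the table will show a `registry` row described as "Override default wait for MySQL init container image" and omit the repository and tag that actually select the image; either document those two keys as well or move the comment onto the `image:` map so the whole object is rendered as one row.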
@@ -1234,17 +1555,21 @@ initContainerDependencies: # extraEnvVars: # - name: MYSQL_EXTRA_ARGS # value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY" + # @section -- Init Container Dependencies: Wait For MySQL extraEnvVars: [] # -- Additional volume mounts for the init container. Use this to mount CA certificates # (e.g. from a Secret or ConfigMap populated by an extraInitContainer) so that # `MYSQL_EXTRA_ARGS` can reference them. + # @section -- Init Container Dependencies: Wait For MySQL extraVolumeMounts: [] waitForRedis: # -- Enable wait for Redis init container before starting backend and cron + # @section -- Init Container Dependencies: Wait For Redis enabled: true image: # -- Override default wait for Redis init container image + # @section -- Init Container Dependencies: Wait For Redis registry: "" repository: redis tag: 7-alpine @@ -1254,18 +1579,23 @@ initContainerDependencies: securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait For Redis runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID # 0) + # @section -- Init Container Dependencies: Wait For Redis runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait For Redis readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait For Redis capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait For Redis resources: requests: cpu: "0.5" 
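Review bot: in the `@@ -1234` hunk the new `# @section` marker for `waitForMySQL.extraEnvVars` is placed after the commented-out example block (`# extraEnvVars:` / `# - name: MYSQL_EXTRA_ARGS` / `# value: "--ssl-ca=/certs/ca.pem --ssl-mode=VERIFY_IDENTITY"`), which sits directly above the key. helm-docs folds every plain `#` line between the `# --` description and the key into the description (the new conventions doc in this PR states exactly that), so whatever `# --` text precedes this example above the hunk context will have the example YAML appended to it in the Description column. Elsewhere in this file examples are placed below the key (see `pullSecrets` and the pod-level `extraEnvVars`); move this example below `extraEnvVars: []` as well.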
@@ -1274,15 +1604,19 @@ initContainerDependencies: memory: "100Mi" # -- Additional environment variables for the init container + # @section -- Init Container Dependencies: Wait For Redis extraEnvVars: [] # -- Additional volume mounts for the init container (e.g. to mount a CA certificate) + # @section -- Init Container Dependencies: Wait For Redis extraVolumeMounts: [] waitForCron: # -- Enable wait for Platform cron init container before starting backend + # @section -- Init Container Dependencies: Wait For Cron enabled: true image: # -- Override default wait for cron init container image + # @section -- Init Container Dependencies: Wait For Cron registry: "" repository: curlimages/curl tag: latest @@ -1292,18 +1626,23 @@ initContainerDependencies: securityContext: # -- UID the container processes run as (overrides container image default) + # @section -- Init Container Dependencies: Wait For Cron runAsUser: 101 # -- Require the container to run as a non-root UID (prevents starting if UID # 0) + # @section -- Init Container Dependencies: Wait For Cron runAsNonRoot: true # -- Mount the container root filesystem read-only to prevent in-place writes or tampering + # @section -- Init Container Dependencies: Wait For Cron readOnlyRootFilesystem: true # -- Fine-grained Linux kernel privileges to add or drop for the container + # @section -- Init Container Dependencies: Wait For Cron capabilities: drop: - ALL # -- Container requests and limits for different resources like CPU or memory + # @section -- Init Container Dependencies: Wait For Cron resources: requests: cpu: "0.5" 
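Review bot: `waitForCron.image.tag: latest` (context in the `@@ -1274` hunk, unchanged by this PR) leaves the `curlimages/curl` init container on a mutable tag, whereas the sibling `waitForMySQL` and `waitForRedis` images are pinned to `"9"` and `7-alpine`; a node can pull a different image on any restart, which makes the dependency-wait step non-reproducible. Worth pinning to a fixed release tag in a follow-up so all three wait images are handled the same way.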
@@ -1312,37 +1651,48 @@ initContainerDependencies: memory: "100Mi" # -- Additional environment variables for the init container + # @section -- Init Container Dependencies: Wait For Cron extraEnvVars: [] # -- Additional volume mounts for the init container (e.g. to mount a CA certificate) + # @section -- Init Container Dependencies: Wait For Cron extraVolumeMounts: [] serviceAccount: # -- Name of an existing ServiceAccount. If not set, a new ServiceAccount is generated based on # the release name + # @section -- Service Account name: "" # -- Additional annotations for the ServiceAccount to generate + # @section -- Service Account annotations: {} # -- Names of Secrets containing credentials to pull images from registries + # @section -- Service Account imagePullSecretNames: [] # -- Automount service account token when the service account is generated + # @section -- Service Account automountServiceAccountToken: false ingress: # -- Enable ingress for Platform + # @section -- Ingress enabled: false # -- Path for the main ingress rule. When empty, falls back to `global.ingress.path` + # @section -- Ingress path: "" # -- Path for the content domain ingress rule + # @section -- Ingress contentPath: "/" # -- Default path type for the Ingress. When empty, falls back to `global.ingress.defaultPathType` + # @section -- Ingress defaultPathType: "" # -- Configure the default service for the ingress (evaluated as template) # Important: make sure only one defaultBackend is defined across the k8s cluster: if the # ingress doesn't reconcile successfully, 'describe ingress ' will report problems + # @section -- Ingress defaultBackend: {} # defaultBackend: # service: @@ -1351,6 +1701,7 @@ ingress: # number: '{{ .Values.frontend.service.http.port }}' # -- Additional hosts you want to include. Evaluated as a template + # @section -- Ingress extraHosts: [] # extraHosts: # - host: '{{ printf "api.%s" .Values.global.platformExternalDomain }}' 
@@ -1367,13 +1718,17 @@ ingress: # portNumber: '{{ .Values.frontend.service.http.port }}' # -- Ingress annotations specific to your load balancer. Evaluated as a template + # @section -- Ingress annotations: {} # -- Additional labels for the ingress object. Evaluated as a template + # @section -- Ingress extraLabels: {} # -- Name of the ingress class (replaces the deprecated annotation `kubernetes.io/ingress.class`). # When empty, falls back to `global.ingress.ingressClassName` + # @section -- Ingress ingressClassName: "" # -- TLS configuration. Evaluated as a template + # @section -- Ingress tls: [] # tls: # - hosts: @@ -1382,6 +1737,7 @@ ingress: # secretName: my-tls # -- Array of extra objects to deploy with the release +# @section -- Common extraDeploy: [] # extraDeploy: # - apiVersion: v1 @@ -1392,13 +1748,16 @@ extraDeploy: [] # ... # -- Annotations to add to all deployed objects +# @section -- Common commonAnnotations: {} # -- Labels to add to all deployed objects +# @section -- Common commonLabels: {} studios: # -- Enable Studios feature. Refer to the subchart README for more details and the full list of # configuration options + # @section -- Subcharts: Studios enabled: true proxy: # Wire the OIDC registration token to the platform backend secret so all consumers share the @@ -1409,11 +1768,13 @@ studios: pipeline-optimization: # -- Enable pipeline optimization feature. Refer to the subchart README for more details and the # full list of configuration options + # @section -- Subcharts: Pipeline Optimization enabled: true mcp: # -- Enable the Seqera Model Context Protocol (MCP) service. Refer to the subchart README for more # details and the full list of configuration options + # @section -- Subcharts: MCP enabled: true oidcToken: # Wire the OIDC registration token to the platform backend secret so all consumers share the 
@@ -1424,9 +1785,11 @@ mcp: agent-backend: # -- Enable agent backend feature used by seqera cli ai command. Refer to the subchart README for # more details and the full list of configuration options + # @section -- Subcharts: Agent Backend enabled: true portal-web: # -- Enable portal web frontend. Refer to the subchart README for more details and the full list # of configuration options + # @section -- Subcharts: Portal Web enabled: true diff --git a/docs/conventions/values-yaml.md b/docs/conventions/values-yaml.md new file mode 100644 index 0000000..3f9c69a --- /dev/null +++ b/docs/conventions/values-yaml.md 
@@ -0,0 +1,277 @@ +# values.yaml Conventions + +How `values.yaml` files are commented and structured across the `platform` +chart and its subcharts. + +The goal is consistency: every chart documents its values the same way so +the generated README tables read uniformly and contributors don't have to +guess at the format. + +## Tooling + +We use [`helm-docs`](https://github.com/norwoodj/helm-docs) to generate the +values table in each chart's `README.md` from `README.md.gotmpl`. This is +run automatically by the pre-commit hook. + +Helm-docs reads `# --` prefixed comments. Plain `#` comments are ignored +by the tool and are for human readers only. + +Each chart's `README.md.gotmpl` uses a **custom Markdown loop** over +`.Sections.Sections` (and `.Sections.DefaultSection`) instead of the +default `chart.valuesSection` (which is flat) or `chart.valuesSectionHtml` +(which emits raw HTML tables). The custom loop renders one Markdown table +per section with proper headings — diff-friendly and readable in plain +text. When adding a new chart, copy the values block from an existing +`README.md.gotmpl` rather than calling `chart.valuesSection` directly. + +We deliberately do **not** use Bitnami's `## @param` / `## @section` +annotation style. That syntax is consumed by +[`readme-generator-for-helm`](https://github.com/bitnami/readme-generator-for-helm), +a different tool. The patterns below adopt Bitnami's _practices_ — +sectioning, inline examples, ref links, conflict notes — but expressed in +helm-docs syntax. + +## Anatomy of a documented value + +```yaml +# -- Domain where Seqera Platform listens +platformExternalDomain: example.com +``` + +Rules: + +- `# --` comment sits **immediately above** the key, no blank line between. +- Description is a single sentence, ends without a period unless multiple + sentences. +- Helm-docs strips the `--` and renders the rest as the description column. + +### Multi-line descriptions + +Continue with a plain `#` on subsequent lines. 
Helm-docs concatenates them +into one description. + +```yaml +# -- Domain where user-created Platform reports are exposed, to avoid +# Cross-Site Scripting (XSS) attacks. If unset, data is served through the +# main domain `.global.platformExternalDomain`. Evaluated as a template +contentDomain: '{{ printf "user-data.%s" .Values.global.platformExternalDomain }}' +``` + +### Templated values + +When a value is evaluated as a Go template at render time, end the +description with `Evaluated as a template`. This is a load-bearing signal +to operators that they can reference other values inside the string. + +### Default overrides + +When the literal default in the file is misleading (e.g. a sentinel, a +computed value, or `nil` that resolves to something), use `# @default --`: + +```yaml +# -- Image tag for the Platform backend. +# @default -- the chart's `appVersion` +tag: +``` + +### Skipping a key + +To exclude an internal key from the generated table, omit the `# --` +comment entirely, or use `# @ignored` if you still want a human comment. + +## Sectioning + +Helm-docs supports `# @section -- Name` to group values in the README. +**Important:** unlike Bitnami's `## @section`, this is **per-value, not a +boundary**. Every value needs its own annotation or it falls into an +"Other Values" catch-all. + +The rule: **annotate every value**. Yes, it's repetitive. No, there is no +workaround — partial adoption produces a top-heavy "Other Values" bucket +and the table becomes harder to read, not easier. The +[Grafana k8s-monitoring chart](https://github.com/grafana/k8s-monitoring-helm/blob/main/charts/k8s-monitoring/collectors/alloy-values.yaml) +is the canonical example of doing this well in helm-docs. + +```yaml +# -- Number of backend replicas +# @section -- Backend deployment +replicaCount: 2 +``` + +### Section names + +Section names are unquoted and free-form. 
Quote only if the name contains +characters YAML would otherwise interpret (rare — spaces and colons are +fine unquoted). + +For nesting, use `Parent: Child` naming. Helm-docs has a flat section +model, so this is a convention rather than real hierarchy, but it gives +operators visible grouping in the rendered table: + +```yaml +# -- The URL of the remote config server. +# @section -- Remote Configuration +url: "" + +# -- The username to use for the remote config server. +# @section -- Remote Configuration: Authentication +username: "" +``` + +Let sections grow organically with the chart — don't pre-allocate a fixed +list. When a block of related values reaches ~3 entries, give it a +section. When a sub-area inside that block reaches ~3 entries, give it a +`Parent: Child` sub-section. + +### Section descriptions + +helm-docs (as of v1.14.2) does **not** support per-section descriptions — +the `section` struct exposes only `SectionName` and `SectionItems`. The +`# @sectionDescription` annotation seen in some chart documentation is +not a real feature; ignore it. + +If a chart needs prose orientation above a particular section's table, +hand-write that section block in `README.md.gotmpl` instead of relying on +the auto-loop. Use `{{- range .Values }}{{- if hasPrefix "X" .Key }}` to +filter by key prefix, following the +[SurrealDB pattern](https://github.com/surrealdb/helm-charts/pull/17/files): + +```gotemplate +## Persistence parameters + +Persistent storage configuration. Disabled by default; enable when running +single-replica workloads that need durable state across pod restarts. 
+ +| Key | Type | Default | Description | +|-----|------|---------|-------------| +{{- range .Values }} + {{- if hasPrefix "persistence" .Key }} +| {{ .Key }} | {{ .Type }} | {{ if .Default }}{{ .Default }}{{ else }}{{ .AutoDefault }}{{ end }} | {{ if .Description }}{{ .Description }}{{ else }}{{ .AutoDescription }}{{ end }} | + {{- end }} +{{- end }} +``` + +Reserve this for sections where the section name alone leaves operators +guessing. Most sections (Probes, Resources, Service Account, etc.) don't +need it. + +## Narrative comments + +Plain `#` comments (without `--`) are for human readers of the YAML file +and are ignored by helm-docs. Use them to: + +- Explain the _purpose_ of a block before listing its values +- Link upstream documentation +- Show example shapes + +```yaml +# Ingress defaults shared across the parent chart and all subcharts. Each +# subchart's local `ingress.*` value takes precedence when set; otherwise +# the global is used. +ingress: + # -- Default path applied to ingress rules when a chart's local + # `ingress.path` is not set. AWS ALB users should override to `/*`. + path: "/" +``` + +The narrative block above the map describes the _group_; each child key +gets its own `# --` for the table. + +## Inline examples + +For non-obvious complex types (lists of maps, nested structures), show an +example as commented YAML directly under the value. Bitnami uses `## E.g.` +or `## Example:` — match that. + +```yaml +# -- Optional credentials to log in and fetch images from a private +# registry. These credentials are shared with all the subcharts +# automatically +imageCredentials: [] +# imageCredentials: +# - registry: "" +# username: "" +# password: "" +# email: someone@example.com # Optional +``` + +Examples should be valid YAML that the user could paste in and adjust. 
+ +## Reference links + +When a value mirrors an upstream Kubernetes / library concept, link it +inline using `# ref: ` on the line above the value (or at the top of +the block if it applies to the whole group): + +```yaml +# ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ +ingress: ... +``` + +Keep `ref:` lines as plain `#` so they don't pollute the description +column. + +## Conflict and precedence notes + +When two values interact (one overrides the other, one is ignored when +the other is set, etc.), say so **inside the description**, not in a +separate comment. This keeps the README table self-contained. + +```yaml +# -- Existing Secret containing the database password. When set, +# `mysql.password` is ignored. +existingSecretName: "" +``` + +Bitnami does this consistently and it's the single most useful pattern to +adopt — operators reading the generated table see the relationship +without having to cross-reference the source. + +## Deprecation + +Mark deprecated values inline, prefixed with `DEPRECATED:` and naming the +replacement: + +```yaml +# -- DEPRECATED: use `global.defaultStorageClass` instead +storageClass: "" +``` + +## File structure + +Order keys top-to-bottom by scope, narrowing as you go: + +1. License header (Apache-2.0 boilerplate) +2. File-level narrative — what this chart is, how to use the file +3. `global:` — values shared with subcharts +4. Common parameters (`nameOverride`, `commonLabels`, etc.) +5. Component-specific blocks (backend, frontend, cron, ...) +6. External dependencies (mysql, redis, ...) +7. Subchart values (nested under the subchart name) + +This matches Bitnami's ordering and keeps the generated README scannable. + +## What not to do + +- **Don't mix `## @param` Bitnami annotations into our files.** They will + be silently ignored by helm-docs and the value will be undocumented. +- **Don't put the description after the value.** Helm-docs only reads + comments _above_ the key. 
+- **Don't put a blank line between the `# --` description and the key.** + The blank line breaks the association. +- **Don't add `# --` to obviously self-describing internal scaffolding.** + If a key has no operator-facing meaning, leave it undocumented rather + than restating its name. +- **Don't duplicate the value name in the description.** "Backend + replicas" beats "The replicaCount value for the backend". + +## Regenerating the README + +```bash +pre-commit run helm-docs --all-files +# or directly +helm-docs --chart-search-root charts/platform +``` + +The hook is wired into pre-commit; CI will fail if a values.yaml change +isn't accompanied by the regenerated README.
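Review bot: The `studios`, `mcp` and `agent-backend` hunks annotate only the top-level `enabled` key with `# @section -- Subcharts: ...`, while the nested `proxy:` and `oidcToken:` blocks directly beneath them ("Wire the OIDC registration token to the platform backend secret ...") receive no section annotation. Per the new `docs/conventions/values-yaml.md` ("annotate every value", otherwise it lands in the "Other Values" catch-all), any `# --`-documented leaf under those blocks will be rendered outside the Subcharts sections; either add the same `# @section` line to each documented leaf in those blocks or mark them `# @ignored` if they are wiring-only.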
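Review bot: In the "Anatomy of a documented value" rules, "Description is a single sentence, ends without a period unless multiple sentences" contradicts the document's own examples (`# -- Image tag for the Platform backend.`, `# -- The URL of the remote config server.`, `# -- The username to use for the remote config server.`) and the values.yaml hunks in this PR, whose multi-sentence descriptions end without a period ("... the full list of configuration options"). Pick one rule and make the examples match it. In the same region, "Plain `#` comments are ignored by the tool" is too strong, since `# @section`, `# @default` and `# @ignored` are plain-`#` lines that helm-docs does read; suggest "plain `#` lines that do not start with an `@` annotation are ignored".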
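Review bot: The hand-written "Persistence parameters" template in "Section descriptions" has two problems. `hasPrefix "persistence" .Key` matches any key that merely begins with that string (a sibling such as `persistenceSomething` would be pulled into the table); use `hasPrefix "persistence." .Key` to bound it to the subtree. More importantly, the document also says every chart's `README.md.gotmpl` loops over `.Sections.Sections` and `.Sections.DefaultSection`, so keys that carry a `# @section` (or fall into the default section) will be emitted a second time by the auto-loop; the text should state how to exclude the hand-written section from the loop, e.g. `{{- if ne .SectionName "Persistence" }}` around the per-section table, otherwise the README ends up with duplicate rows.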
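Review bot: "Skipping a key" claims that omitting the `# --` comment excludes a key from the generated table, but the template shown later in the same file falls back to `{{ .AutoDescription }}` for rows that have no `.Description`, which only exists because undocumented leaves are still rendered. Please verify against helm-docs; if undocumented leaves do appear with an empty description, the guidance should say that `# @ignored` is the only reliable way to drop a key, and the "Don't add `# --` to obviously self-describing internal scaffolding" bullet under "What not to do" needs the same correction.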
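Review bot: The "Inline examples" snippet models `imageCredentials` with inline `username:` / `password:` fields, so the convention doc's one credential example steers operators toward keeping registry passwords in a values file that is typically committed. Since the "Conflict and precedence notes" section already shows the `existingSecretName` pattern ("When set, `mysql.password` is ignored"), suggest the inline-example guidance note that for secret-bearing values the example should show the existing-Secret reference as the primary shape, and that any plaintext field is explicitly documented as the fallback.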