REST Proxy Helm Readme

# Default values for rest-proxy.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

global:
  # -- Globally override the registry to pull images from.
  imageRegistry: ""
  # -- Globally override the list of ImagePullSecrets provided.
  imagePullSecrets: []

### Properties defined for instance services
instance: {}

# -- Properties defined for bootstrapping tenant creation
tenant: {}

# -- Override the app name generated by the chart.
nameOverride: ""
# -- Override the fully qualified app name generated by the chart.
fullnameOverride: ""

# -- Number of pods to deploy.
replicaCount: 1

keystoreProvider:
  # -- Registry to pull the image from
  imageRegistry: "registry.axual.io"
  # -- Name of the image being deployed
  repository: "axual/keystore-provider"
  # -- Name of the image being deployed
  tag: "0.2.6"

# -- Properties defined for initializing kafka acls prior to running REST Proxy
kafkaInitContainer:
  # -- Registry to pull the image from
  imageRegistry: "registry.axual.io"
  # -- Name of the image being deployed
  repository: "axual/streaming/strimzi/kafka"
  # -- Name of the image being deployed
  tag: "0.43.0-kafka-3.8.0"

  # -- Kafka bootstrap servers to initialize
  bootstrapServers: ""
  # -- Principal common name to give access to (should match tls.clientCertificatePem)
  principal: ""
  # -- Group prefix to give access to (typically {tenant}.{instance})
  groupPattern: ""
  # -- Topic prefix to give access to (typically {tenant}-{instance})
  topicPattern: ""
  tls:
    # -- Existing Keypair secret name
    keypairSecretName: ""
    # -- Existing Keypair key name
    keypairSecretKeyName: ""
    # -- Existing Keypair certificate name
    keypairSecretCertName: ""
    # -- Existing Truststore secret name
    truststoreCaSecretName: ""
    # -- Existing Truststore certificate name
    truststoreCaSecretCertName: ""

image:
  # -- Registry to pull the image from.
  registry: "registry.axual.io"
  # -- Name of the image being deployed.
  repository: "axual/rest-proxy"
  # -- Override the image tag whose default is the chart `appVersion`.
  tag: ""
  # -- One of `Always`, `IfNotPresent`, or `Never`.
  pullPolicy: "Always"

mtls:
  # -- mTLS is not implemented yet
  kind: "not-implemented"

tls:
  # -- Existing server Keypair secret name
  serverKeypairSecretName: ""
  # -- Existing client Keypair secret name
  clientKeypairSecretName: ""
  # -- Existing truststore secret name
  truststoreCaSecretName: ""

  # -- Creates server keypair from PEM
  createServerKeypairSecret: false
  # -- PEM used to generate the server keypair if `createServerKeypairSecret` is true
  serverCertificatePem: ""
  # -- PEM used to generate the server keypair if `createServerKeypairSecret` is true
  serverKeyPem: ""
  # -- Creates client keypair from PEM
  createClientKeypairSecret: false
  # -- PEM used to generate the client keypair if `createClientKeypairSecret` is true. Currently, RP needs client TLS so this needs to be true
  clientCertificatePem: ""
  # -- PEM used to generate the client keypair if `createClientKeypairSecret` is true
  clientKeyPem: ""
  # -- Creates truststore from PEMs
  createTruststoreCaSecret: false
  # -- Set of PEMs used to generate the truststore if `createTruststoreCaSecret` is true
  caCerts: {}

# -- Environment variables to define for the container.
# See the Kubernetes documentation on [Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/).
env: []

# -- Debug Configuration passed to the container.
# Enable a remote port in the deployment.yaml
debug: {}

# -- Configuration passed to the container.
# Contents get injected to a ConfigMap, which gets mounted as an `application.yml` file.
config: {}


# -- (multi-line) String that is put into a configmap, mounted in the pod and used as the logback config for the application. If present, configuration under `logging` is ignored.
logbackConfig: ""

# -- Logging configuration object used when the logbackConfig is not set. Allows for configuring pattern and per package log levels.
logging:
  # -- Log pattern (when logbackConfig is not defined)
  pattern: "%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX, UTC} ${LOG_LEVEL_PATTERN:-%5p} ${PID:- } --- [%15.15t] [traceId=%X{traceId}, spanId=%X{spanId}] %-40.40logger{39} : %m%n}"
  # -- Root log level used (when logbackConfig is not defined)
  rootLoglevel: INFO
  # -- Log level per package (when logbackConfig is not defined)
  loggers:
    # -- Log level for rest-proxy root (when logbackConfig is not defined)
    io.axual.proxy.rest: INFO


security:
  ciphers: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA'

# -- Secrets passed to the container.
# Contents get injected to a Secret, which gets mounted as an `application-secrets.yml` file.
secrets: {}

# -- The name of an existing Kubernetes Secret. The key in the Secret must be `application-secrets.yml`.
# The contents get mounted into the container.
existingSecretName: ""

# -- List of ImagePullSecrets to apply to the service account. If the service account is disabled, it will be applied to the pod instead.
imagePullSecrets: []

serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  name: ""

# -- Extra annotations to add to the Pods.
podAnnotations: {}

# -- Pod-level security attributes and common container settings.
#podSecurityContext:
#   fsGroup: 2000

livenessProbe:
  # -- Minimum consecutive failures for the probe to be considered failed after having succeeded.
  # A failed livenessProbe will cause the container to be restarted.
  failureThreshold: 3
  # -- Number of seconds after the container has started before liveness probes are initiated.
  initialDelaySeconds: 10
  # -- How often (in seconds) to perform the probe.
  periodSeconds: 10
  # -- Minimum consecutive successes for the probe to be considered successful after having failed.
  successThreshold: 1
  # -- Number of seconds after which the probe times out.
  timeoutSeconds: 1

readinessProbe:
  # -- Minimum consecutive failures for the probe to be considered failed after having succeeded.
  # A failed readinessProbe will cause the container to move to the `NotReady` state.
  failureThreshold: 3
  # -- Number of seconds after the container has started before readiness probes are initiated.
  initialDelaySeconds: 0
  # -- How often (in seconds) to perform the probe.
  periodSeconds: 10
  # -- Minimum consecutive successes for the probe to be considered successful after having failed.
  successThreshold: 1
  # -- Number of seconds after which the probe times out.
  timeoutSeconds: 1

# -- Defines the security options the container should be run with.
# If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
# @default -- See `values.yaml` file.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  privileged: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000

podLabels: {}

service:
  # -- Determines how the Service is exposed.
  type: LoadBalancer
  # -- The port that will be exposed by the service.
  # Note: this is independent of the ports opened on the container.
  port: 18111

ingress:
  # -- Enable creation of the Ingress resource to expose this service.
  enabled: false
  # -- The name of the IngressClass cluster resource.
  # The associated IngressClass defines which controller will implement the resource.
  className: ""
  # -- Annotations to add to the Ingress resource.
  annotations: {}
  hosts:
    - # -- The fully qualified domain name of a network host.
      host: "chart-example.local"
      paths:
        - # -- Matched against the path of an incoming request.
          path: "/api"
          # -- Determines the interpretation of the Path matching.
          # Can be one of the following values: `Exact`, `Prefix`, `ImplementationSpecific`.
          pathType: "ImplementationSpecific"
  # -- TLS configuration for this Ingress.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

route:
  # -- Enable creation of an OpenShift Route resource to expose this service.
  enabled: false
  # -- Annotations to add to the Route.
  annotations: {}
  # -- Labels to add to the route.
  labels: {}
  # -- An alias/DNS that points to the service. Optional. If not specified a route name will typically be automatically chosen.
  host: ""
  # -- subdomain is a DNS subdomain that is requested within the ingress controller’s domain (as a subdomain). If host is set this field is ignored.
  subdomain: ""
  # -- Path that the router watches for, to route traffic for to the service.
  path: "/api"
  tls:
    # -- The Certertificate Authority certificate contents.
    caCertificate: ""
    # -- Certificate contents. This should be a single serving certificate, not a certificate chain. Do not include a CA certificate.
    certificate: ""
    # -- Key file contents.
    key: ""
    # -- Indicates termination type. One of: `edge`, `passthrough`, or `reencrypt`.
    termination: "passthrough"
    # --The CA certificate of the final destination. When using reencrypt termination this file should be provided
    # in order to have routers use it for health checks on the secure connection.
    destinationCACertificate: ""

# -- The [resource requirements](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for this container.
resources:
  requests:
    cpu: 30m
    memory: 200Mi
  limits:
    memory: 768Mi

autoscaling:
  # -- Enables the creation of a HorizontalPodAutoscaler.
  enabled: false
  # -- Lower limit for the number of replicas to which the autoscaler can scale down.
  minReplicas: 1
  # -- Upper limit for the number of replicas to which the autoscaler can scale up. Cannot be less that minReplicas.
  maxReplicas: 10
  # -- Percentage of CPU utilization that the autoscaler will try to meet.
  targetCPUUtilizationPercentage: 80
  # -- (int) Percentage of memory utilization that the autoscaler will try to meet.
  targetMemoryUtilizationPercentage:

podDisruptionBudget:
  # -- Enables creation of the PodDisruptionBudget. Ignored if replicaCount is 1.
  enabled: true
  # -- (int) An eviction is allowed if at most "maxUnavailable" pods are unavailable after eviction. Mutually exclusive with minAvailable.
  maxUnavailable: 1
  # -- (int) An eviction is allowed if at least "minAvailable" pods will still be available after the eviction. Mutually exclusive with maxUnavailable.
  minAvailable:

# -- Assigns a PriorityClass to the Pod. See Kubernetes documentation on [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/).
priorityClass: ""

# -- Optional list of hosts and IPs that will be injected into the pod's hosts file.
hostAliases: []

# -- Selector which must match a node's labels for the pod to be scheduled on that node.
nodeSelector: {}

# -- The tolerations on this pod. See the Kubernetes documentation on [Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
tolerations: []

# -- The pod's scheduling constraints. See the Kubernetes documentation on [Affinity and Anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
affinity: {}

# -- Describes how a group of pods ought to spread across topology domains. See the Kubernetes documentation on [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/).
topologySpreadConstraints: []

serviceMonitor:
  # -- Enables creation of Prometheus Operator [ServiceMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.ServiceMonitor).
  # Ignored if API `monitoring.coreos.com/v1` is not available.
  enabled: true
  # -- Interval at which metrics should be scraped.
  interval: 30s
  # -- Timeout after which the scrape is ended.
  scrapeTimeout: 10s
  # -- Additional labels for the ServiceMonitor
  labels: {}

prometheusRule:
  # -- Enables creation of Prometheus Operator [PrometheusRule](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PrometheusRule).
  # Ignored if API `monitoring.coreos.com/v1` is not available.
  enabled: true
  # -- Determines how often rules in the group are evaluated.
  interval: ""
  # -- Additional labels for the PrometheusRule
  labels: {}
  defaultRule:
    # -- Customize the labels to the default prometheusRule
    labels:
      severity: medium
      target: business
  # -- A list alerting or recording rules to include on top of the defaults. These fields are templated.
  extraRules:
    []
    # - alert: MyAlertName
    #   annotations:
    #     summary: Summary of my alert
    #     description: Longer description of my alert that goes into a bit more detail
    #   expr: up{service="{{ include "rest-proxy.fullname" . }}"} == 0
    #   for: 5m
    #   labels:
    #     severity: medium
  #     target: business