Axual Connect 0.2.1 Helm Readme

This chart bootstraps a deployment of Axual Connect.

Prerequisites

Axual Connect needs a functioning Axual Platform installation, deployed with helm charts. For more information on deployment of the platform, refer to the docs.

Install Axual Connect on a local Docker-Desktop environment

From the project root directory execute:

helm dependency update
helm install axual-connect . -f ./values.docker-desktop.yaml -n kafka

This will install Axual Connect with Axual Dummy certificates valid for local development.

Connectors maintenance on a local Docker-Desktop environment

Currently, Axual Connect downloads connector plugin JARs from a hosted S3 bucket on the AxualCloud.

To change the connector plugin JARs available to an Axual Connect installation, run a local FileServer that serves a set of JARs.

  1. Gather the connector plugins JARs you want to include as part of your Axual Connect

         wget -P "${DOWNLOAD_LOCATION}" "http://artifacts.axual.cloud.s3-website.eu-central-1.amazonaws.com/Axual-Connect/axual-connect-plugins-1.0.0.tgz"
         # download additional connect plugins
         # extract all connect plugins from their archives, leaving only directories and JARs

  2. Bundle all connector plugins JARs into a single Tarball Archive

     Move to the location where all plugins are in JAR format, then run:

         tar --disable-copyfile \
           -czf "${FILESERVER_ROOT}/my-axual-connect-plugins.tgz" \
           *

  3. Download the connector common resources as Tarball Archive

         wget -O "${FILESERVER_ROOT}/my-axual-connect-commons.tgz" \
           "http://artifacts.axual.cloud.s3-website.eu-central-1.amazonaws.com/Axual-Connect/axual-connect-common-resources-1.0.0.tgz"

  4. Start a local FileServer serving the connector plugins and connector common resources

         docker run -it --rm --name mylocalfileserver \
           -p 8000:8000                             \
           -v "${FILESERVER_ROOT}:/public-files"    \
           'python:3.9.13-slim'                     \
           sh -c 'cd /public-files; python -m http.server 8000'

  5. Change the downloadPlugins configuration to load plugins and common resources from the local FileServer

         helm upgrade --install -n kafka axual-connect \
           --set downloadPlugins.artifactsBaseUrl='http://platform.local:8000'      \
           --set downloadPlugins.connectPluginsFile='my-axual-connect-plugins.tgz'  \
           --set downloadPlugins.commonResourcesFile='my-axual-connect-commons.tgz' \
           -f ./values.docker-desktop.yaml                                          \
           .

This will upgrade Axual Connect with the plugin JARs you have bundled in my-axual-connect-plugins.tgz.
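The bundle built in step 2 is fetched over plain HTTP from the local FileServer, so it is worth vetting the archive and recording its digest before serving it. The script below is an added example, not part of the Axual chart; the function names are hypothetical. It rejects archives whose members use absolute paths, `..` components or links, and prints a SHA-256 line for an accepted bundle.

```shell
#!/bin/sh
# Added example (not from the Axual chart): vet a plugin bundle before it is
# placed in ${FILESERVER_ROOT}. Usage after sourcing this file:
#   vet_bundle "${FILESERVER_ROOT}/my-axual-connect-plugins.tgz"

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
bundle_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Filter: member names on stdin, prints those that are absolute or that
# contain a ".." path component (both can escape the extraction directory).
unsafe_names() {
  grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Filter: `tar -tv` lines on stdin, prints symbolic (l) and hard (h) links.
link_entries() {
  grep -E '^[lh]' || true
}

# Print every suspicious member of the archive; empty output means clean.
bundle_findings() {
  tar -tzf "$1" 2>/dev/null | unsafe_names
  tar -tvzf "$1" 2>/dev/null | link_entries
}

# Return 0 and print "<sha256>  <file name>" for a clean bundle,
# 1 for a bundle with suspicious members, 2 for an unreadable archive.
vet_bundle() {
  if ! tar -tzf "$1" >/dev/null 2>&1; then
    echo "UNREADABLE $1" >&2
    return 2
  fi
  findings=$(bundle_findings "$1")
  if [ -n "$findings" ]; then
    printf 'REJECT %s\n%s\n' "$1" "$findings" >&2
    return 1
  fi
  printf '%s  %s\n' "$(bundle_sha256 "$1")" "$(basename "$1")"
}
```

Keep the printed digest with your deployment records so a later copy of the bundle can be compared against it.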

Configure Vault

Parameter Description Default

connect-vault.enabled

Whether dedicated Vault is enabled.

false

connect-vault.ui.enabled

Whether UI for Vault is enabled.

true

connect-vault.ui.serviceType

K8s service type

LoadBalancer

connect-vault.ui.externalPort

External port where Vault UI is accessible.

8200

connect-vault.server.dataStorage.storageClass

storageClass used by PV and PVC.

hostpath

connect-vault.injector.enabled

If injector should be started.

false

By default, Vault starts in standalone mode, which requires the operator to initialize and unseal Vault the first time.

  1. Access the Vault UI via http://platform.local:8200/ui

  2. Follow steps to initialize the Vault (save the RootToken and the UnsealKeys)

    1. Provide the number of Key shares (1 for local, at least 3 for production)

    2. Provide the number of Key threshold (1 for local, at least 2 for production)

    3. Press Initialize button

    4. Save (or download) the RootToken and UnsealKeys

  3. Unseal the Vault with the generated UnsealKeys

Access the Vault UI with the generated RootToken

  1. Press on the Access menu to enable AppRole

    1. Click on Enable new method + button

    2. Select AppRole authentication method and press Next button

    3. Keep the default approle path

    4. Press Enable Method button

  2. Press on the Secrets engines menu to create connectors secrets

    1. Click on Enable new engine + button

    2. Select KV secrets engine and press Next button

    3. Change the path to connectors

    4. Press Enable Engine button

  3. Press on the Policies menu to create Connectors policy

    1. Click on Create ACL policy + button

    2. Write connectors as the Name

    3. Put this content as the Policy

      path "connectors/data/{tenant-short-name}/{instance-short-name}/*" {
        capabilities = ["read", "create", "update", "delete"]
      }
    4. Press Create policy button

Now that we have defined the KV Secrets and the Connectors Policy, we need to generate a roleId and secretId for the Platform Manager.

From the Vault UI, open the terminal.

  1. Add the Connectors Policy to the Connectors AppRole

    vault write auth/approle/role/connectors token_policies="connectors"

  2. Retrieve the roleId for the Connectors Policy

    vault read auth/approle/role/connectors/role-id

    Output:

    Key     Value
    role_id [role-id-to-store]
  3. Retrieve the secretId for the Connectors Policy

    vault write auth/approle/role/connectors/secret-id -f

    Output:

    Key                Value
    secret_id          [secret-id-to-store]
    secret_id_accessor [not-used]
    secret_id_num_uses 0
    secret_id_ttl      0

Everything will be persisted in the PVC since it is a standalone installation. Only an unseal is required after each Vault pod restart.

Provide the roleId and secretId to Connect config in order to let it speak with Vault.
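The UI steps above can also be scripted. The following is an added example, not part of the Axual chart: it assumes a freshly initialized and unsealed Vault, the `vault` CLI with `VAULT_ADDR` and `VAULT_TOKEN` set, and a KV version 2 engine (inferred from the `data/` segment in the policy path). The function names and the allowed character set for short names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Axual chart): CLI equivalent of the Vault UI
# steps. Usage after sourcing this file:  configure_vault axual local

# Tenant and instance short names are placed inside a policy path. Accept
# only lowercase letters and digits (an assumption of this example; adjust
# to your naming rules) so that "*", "+" or "/" cannot widen the policy.
valid_short_name() {
  case "$1" in
    ''|*[!a-z0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the connectors policy scoped to one tenant and instance.
render_connectors_policy() {
  valid_short_name "$1" && valid_short_name "$2" || return 1
  cat <<EOF
path "connectors/data/$1/$2/*" {
  capabilities = ["read", "create", "update", "delete"]
}
EOF
}

# Enable AppRole, mount the KV engine at "connectors", write the policy,
# bind it to the "connectors" role and print the role-id and a secret-id.
configure_vault() {
  policy=$(render_connectors_policy "$1" "$2") || {
    echo "invalid tenant or instance short name" >&2
    return 1
  }
  vault auth enable approle &&
  vault secrets enable -path=connectors -version=2 kv &&
  printf '%s\n' "$policy" | vault policy write connectors - &&
  vault write auth/approle/role/connectors token_policies="connectors" &&
  vault read auth/approle/role/connectors/role-id &&
  vault write -f auth/approle/role/connectors/secret-id
}
```

A secret-id issued with `secret_id_ttl 0` and `secret_id_num_uses 0`, as in the output above, does not expire and can be used without limit, so store it like any other long-lived credential.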

Install Axual Connect

From the project root directory execute:

helm dependency update
helm install axual-connect . -n kafka

This will perform the following:

  - Check availability of Cluster API.
  - Create base connect topics for configuration, status and offsets, and register ACLs.
  - Create Persistent-Volume and Persistent-Volume-claim to store connect plugins & common libraries.
  - Download the plugins from Amazon S3 and mount them inside pods (volumeMounts) using the PVC.
  - Start Connect.

Installed Components

You can use helm status <release name> -n <namespace> to view the status.

For example:

$ helm status axual-connect -n kafka

NAME: axual-connect
LAST DEPLOYED: Fri Nov 20 16:36:51 2020
NAMESPACE: kafka
STATUS: deployed
REVISION: 5
TEST SUITE: None
NOTES:
This chart installs Axual Connect

This will install the following components:

  1. Deployment <tenant>-<instance>-axual-connect, which contains 3 Axual Connect Pods.
  2. Service axual-connect for clients to connect to the Axual Connect REST endpoint.
  3. Secrets: sensitive data used by Pods.
  4. ConfigMap: configuration used by Pods.
  5. Persistent Volume: persists connect plugins & common-resources.
  6. Persistent Volume Claim: volume mount inside Pods to persist and use connect plugins & common-resources.

Configuration

You can specify each parameter using the --set key=value[,key=value] argument to helm install.

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

helm install my-axual-connect -f my-values.yaml .

Note: a default values.yaml, which is suitable for a local k8s deployment, is provided.

The Default column in the table below is referring to values for a local setup.

Kafka Connect Deployment

The configuration parameters in this section control the resources requested and utilized by the axual-connect chart.

Parameter Description Default

replicaCount

The number of Axual Connect Servers.

3

Image

Parameter Description Default

image

Docker Image of Axual Connect.

registry.axual.io/axual/connect

imageTag

Docker Image Tag of Axual Connect.

3.0.1

imagePullPolicy

Image pull policy.

IfNotPresent

imagePullSecrets

Secrets to be used for private docker registries.

see values.yaml for details

Port

Parameter Description Default

service.type

Service type enables its network access to a pod or set of pods

LoadBalancer

service.port

The port on which the Axual Connect will be available and serving requests.

11000

Prometheus

Parameter Description Default

prometheusService.port

Prometheus port on which Axual Connect metrics will be available

5555

prometheusService.type

Prometheus service type

ClusterIP

prometheusService.annotations

Prometheus service annotations

{}

Axual Connect Platform Configuration

Parameter Description Default

axual.managed

Runs as client service, with internal topics

true

axual.distributed

Runs connect in distributed mode and requires topics for config, offset & status

true

axual.tenant

Name of the tenant under which Axual Connect is running.

axual

axual.instance

Name of the instance under which Axual Connect is running.

local

axual.environment

Name of the environment under which Axual Connect is running. Only use in case axual.managed = false

system

axual.applicationId

Axual Connect client applicationId

my-axual-connect

axual.applicationVersion

Axual Connect client application version

0.0.1

axual.configTopic

Axual Connect Configuration topic name

connect-config

axual.offsetTopic

Axual Connect Offset topic name

connect-offset

axual.statusTopic

Axual Connect Status topic name

connect-status

axual.offsetFile

Stores offset. Only used when distributed is set to false

/tmp/offsets

axual.staticConfig.tenant

Name of tenant (used for resolving)

axual.staticConfig.instance

Name of instance (used for resolving)

axual.staticConfig.cluster

Name of cluster (used for resolving)

axual.staticConfig.bootstrapServers

Bootstrap server url to read messages from

axual.staticConfig.schema.registry.url

Schema Registry url

axual.staticConfig.group.id.pattern

Pattern to use to resolve group.ids

{tenant}-{instance}-{environment}-{group}

axual.staticConfig.topic.pattern

Pattern to use to resolve topics

{tenant}-{instance}-{environment}-{topic}

axual.staticConfig.transactional.id.pattern

Pattern to use to resolve transactional ids

{tenant}-{instance}-{environment}-{transactional.id}

axual.connectorClientConfigOverridePolicy

Restricts the connector producer/consumer/admin clients configuration overrides to a safe subset defined in org.apache.kafka.connect.axual.AxualConnectorClientConfigOverridePolicy

Axual

Axual Connect Lineage Generation

With these settings the lineage header generation can be controlled.

Note: Enabling all lineage settings can have a severe impact on throughput, but they are enabled by default for compatibility.

Parameter Description Default

axual.lineage.enabled

Generate lineage headers for records produced and consumed by connectors

true

axual.lineage.addApplicationId

Add the connectors application id and version to each record as a header

true

axual.lineage.addMessageId

Create a unique message identifier header for each produced record

true

axual.lineage.addTimestamps

Add a serialisation and deserialisation timestamp header to records

true

axual.lineage.addSystemData

Add the Axual deployment metadata as header, like tenant, instance, environment, cluster

true

axual.lineage.removeExistingHeaders

Remove predefined and conflicting Axual headers that are available

true

Axual Connect Security Configuration

Parameter Description Default

axual.security.protocol

Security protocol to be used

SSL

axual.security.enabledProtocols

The list of protocols enabled for SSL connections.

TLSv1.2

axual.security.cipherSuites

The list of cipher suites enabled for SSL connections.

axual.tls.clientEnabled

Client authentication

true

axual.tls.serverEnabled

Server authentication

true

axual.tls.clientKeystore

Base64 encoded client keystore used for the Kafka Clients

axual.tls.clientTruststore

Base64 encoded client truststore used for the Kafka Clients

axual.tls.clientKeyPassword

Client keystore key password

axual.tls.clientKeystorePassword

Client keystore password

axual.tls.clientTruststorePassword

Client truststore password

axual.tls.serverKeystore

Base64 encoded server keystore used for the Connect REST API

axual.tls.serverTruststore

Base64 encoded server truststore used for the Connect REST API

axual.tls.serverKeyPassword

Server keystore key password

axual.tls.serverKeystorePassword

Server keystore password

axual.tls.serverTruststorePassword

Server truststore password

axual.tls.vaultTruststore

Base64 encoded server truststore created at /security/vault-truststore.jks

axual.basicAuth.enabled

Basic authentication to access Connect Rest endpoints

false

axual.basicAuth.username

Basic authentication to access Connect Rest endpoints

axual.basicAuth.password

Basic authentication to access Connect Rest endpoints

Axual Cluster Configuration

Parameter Description Default

global.cluster.name

Axual platform Cluster name

local

global.instance.enabled

Tenant instance is enabled to run connect

true

global.instance.fullName

Instance full name (<tenant>-<instance>) for which connect service will run

axual-local

Service Monitor

Parameter Description Default

serviceMonitor.enabled

Enable Prometheus service discovery

false

Secrets

Parameter Description Default

credentials.keystores

Secrets to be mounted in the /credentials/

general-app-3.jks: /u3+7QAAAAIA...

credentials.secrets

Secret with one or more key:value pairs

see values.yaml for details

Logging Configuration

Updating the logging configuration will not restart the containers; the changes are loaded into a config map mount. This file is scanned every 15 seconds to load any configuration changes.

Parameter Description Default

logging.rootLoglevel

Root logging level

warn

logging.loggers

Logging level for individual Package/Class

see values.yaml for details

logging.pattern

Format of the logging can be changed here

see values.yaml for default

Routing connector logging to Kafka topics

It is possible to switch on routing of connector logs to Kafka (one specific topic per connector). In order to do this, make sure to add a jar file containing the Axual routing appender to the common resources tarball. The section routedLogging is optional; if it is not present in values.yaml, the feature is disabled.

Parameter Description Default

routedLogging.enabled

Indicates if routing of logs to Kafka is enabled.

false

routedLogging.suppressEnvironment

Indicates if the Axual environment should be ignored as part of the log topic name.

false

routedLogging.pattern

Format for log messages routed to Kafka

no default, see values.docker-desktop-static.yaml for an example.

routedLogging.debugMode

Show extra information about internal processing; not for production use

false

routedLogging.disableHostnameVerification

Disable SSL hostname verification to the broker, in cases where this is necessary

false

Persistent Volume & Persistent Volume Claim

Parameter Description Default

persistPlugins.enabled

If enabled, a PV & PVC are used to persist connect plugins and common-resources. If disabled, an emptyDir ephemeral volume is used and data will be lost on restart of the pod.

false

persistPlugins.createPersistentVolume

If enabled, the chart creates the PV & PVC that will be used to persist connect plugins and common-resources. If disabled, the PV & PVC must have been created already.

false

persistPlugins.storageClassName

storageClassName used by PV and PVC

hostpath

persistPlugins.persistentVolumeHostpath

Host machine path used by PV to store connect plugins

/var/lib/connect-data

persistPlugins.persistentVolumeName

Persistent Volume name

connect-plugin-pv

persistPlugins.persistentVolumeClaimName

Persistent Volume Claim name that will be used by Volume

connect-plugin-pv-claim

persistPlugins.commonResourcesDirectoryPath

Path of connect common-resource inside pods

/usr/share/common

persistPlugins.pluginsDirectoryPath

Path of connect plugins inside pods

/usr/share/plugins

Init Containers

Parameter Description Default

kafkaInitContainer

Deploys connect topics (connect-config, connect-offset & connect-status) and applies ACLs

see values.yaml for full configuration

downloadPlugins

If enabled, downloads the default connector Plugins and Common-resources from Amazon S3, persists them using a PersistentVolumeClaim and mounts the path inside Connect worker pods

see values.yaml for full configuration

Vault Configuration

Parameter Description Default

vault.address

The URL of the HashiCorp Vault server

https://platform.local:8200

vault.authMethod

Vault authentication Method

APPROLE

vault.approleRoleId

The Role ID for your Axual Connect instance

vault.approleSecretId

The Secret ID for your Axual Connect instance

vault.testPath

The Vault path to connect during initialisation to verify connectivity

vault.namespace

The Vault namespace where connect retrieves secrets from

vault.ssl.verify

Perform an SSL verification of the certificate provided by the Vault server

true

vault.ssl.truststoreLocation

The path to vault truststore

/security/vault-truststore.jks

vault.ssl.truststorePassword

Vault truststore password

notsecret

vault.secretProvider.enabled

If set to true, the Vault Config Provider will be added to the configuration. This provider can provide any secrets stored in a HashiCorp Vault KeyValue store

true

vault.secretProvider.class

The class implementing the configuration provider

io.axual.utilities.config.providers.VaultConfigProvider

vault.keystoreProvider.enabled

If set to true, the Keystore Config Provider will be added to the configuration. This provider can generate keystore from private keys and certificate chains stored in a HashiCorp Vault KeyValue store

true

vault.keystoreProvider.class

The class implementing the configuration provider

io.axual.utilities.config.providers.VaultKeyStoreProvider

vault.keystoreProvider.truststoreLocation

The path to Connect client truststore

/security/client-truststore.jks

vault.keystoreProvider.truststorePassword

Connect client truststore password

notsecret

vault.keystoreProvider.certificateChainKeyname

Keystore provider certificate chain key name

certificate.chain

vault.keystoreProvider.privateKeyKeyname

Keystore provider privateKey key name

private.key

Axual Connect Worker Configurations

Parameter Description Default

configurationOverrides

Kafka Connect configuration overrides in the dictionary format.

see values.yaml for details

customEnv

Custom environmental variables

{}

Volumes

Parameter Description Default

volumes

Volumes for connect-server container

see values.yaml for details

volumeMounts

Volume mounts for connect-server container

see values.yaml for details

extraVolumes

Additional Volumes for connect-server container

see values.yaml for details

extraVolumeMounts

Additional Volume mounts for connect-server container

see values.yaml for details

Kafka Connect JVM Heap Options

Parameter Description Default

heapOptions

The JVM Heap Options for Kafka Connect

"-Xms512M -Xmx1024M"

Resources

Parameter Description Default

resources.requests.cpu

The amount of CPUs to request.

{}

resources.requests.memory

The amount of memory to request.

{}

resources.requests.limit

The upper limit CPU usage for a Kafka Connect Pod.

{}

resources.requests.limit

The upper limit memory usage for a Kafka Connect Pod.

{}

Pod spec

Parameter Description Default

podAnnotations

Map of custom annotations to attach to the pod spec.

{}

podLabels

Map of custom labels to attach to the pod spec.

{}

Running Custom Scripts

Parameter Description Default

customEnv.CUSTOM_SCRIPT_PATH

Path to external bash script to run inside the container

see values.yaml for details

livenessProbe

Requirement of livenessProbe depends on the custom script to be run

see values.yaml for details

Deployment Topology

Parameter Description Default

nodeSelector

Dictionary containing key-value pairs to match labels on nodes. When defined, pods will only be scheduled on nodes that have each of the indicated key-value pairs as labels. Further information can be found in the Kubernetes documentation

{}

tolerations

Array containing taint references. When defined, pods can run on nodes, which would otherwise deny scheduling. Further information can be found in the Kubernetes documentation

{}

affinity

Array containing affinity references. Affinity and anti-affinity expands the types of constraints you can define. Further information can be found in the Kubernetes documentation

{}

topologySpreadConstraints

Array containing topology spread constraints. Used to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, or among any other topology domains that you define. Further information can be found in the Kubernetes documentation

{}

Security Context

Parameter Description Default

securityContext

Defines privilege and access control settings (securityContext) for the axual-connect-server container

{}

Additional Worker Configuration

Parameter Description Default

additionalWorkerConfig

Specify custom configurations for the Axual Connect worker instances

{}

Reference Helm VALUES.YAML for Axual Connect

# Default values for axual-connect.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

podDisruptionBudget:
  enabled: false
  maxUnavailable: 1
  
## Image Info
## ref: https://hub.docker.com/r/confluentinc/cp-kafka/
image: registry.axual.io/axual/connect
imageTag: 3.0.1

## Specify a imagePullPolicy
## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
imagePullPolicy: IfNotPresent

## Specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
imagePullSecrets:
  - name: axualdockercred

service:
  type: LoadBalancer
  port: 11000
  annotations: {}

prometheusService:
  type: ClusterIP
  port: 5555
  annotations: {}

axual:
  # Default true, runs as client service, with internal topics
  managed: true
  # Default true, requires configTopic, offsetTopic, statusTopic
  distributed: true
  # The configuration which creates worker.properties file in connect container
  staticConfig: {}

  endpoint: "https://platform.local:29000"
  tenant: "axual"
  instance: "local"
  environment: "system"
  applicationId: "my-axual-connect"
  applicationVersion: "0.0.1"
  configTopic: "connect-config"
  offsetTopic: "connect-offset"
  statusTopic: "connect-status"

  # Lineage header settings, enabling all has a significant impact on throughput
  lineage:
    enabled: true
    # Adds the application id and version header to the record
    addApplicationId: true
    # Generates a unique message id header for each record
    addMessageId: true
    # Adds a serialized timestamp header to produced records, and a deserialized time header to consumed records
    addTimestamps: true
    # Adds the Axual system data to records, like tenant, instance, environment, system and cluster name
    addSystemData: true
    # Remove pre existing illegal Axual headers before adding the correct values
    removeExistingHeaders: true

  # Only used when distributed is set to false
#  offsetFile: "/tmp/offsets"
  security:
    protocol: SSL
    enabledProtocols: TLSv1.2
    # Empty by default, which means all available ciphers are used
    cipherSuites:

  tls:
    clientEnabled: true
    serverEnabled: true
    # Demo service
    clientKeystore: ""
    clientTruststore: ""
    clientKeyPassword: ""
    clientKeystorePassword: ""
    clientTruststorePassword: ""
    serverKeystore: ""
    serverTruststore: ""
    serverKeyPassword: ""
    serverKeystorePassword: ""
    serverTruststorePassword: ""
    vaultTruststore: ""

    # feature-flag for automated keystore management
    automatedKeystores: false

    createServerKeypairSecret: true
    # if createServerKeypairSecret is false, set the secret name that should pre-exist
    # serverKeypairSecretName: xxx
    # if createServerKeypairSecret is true, set the cert and key below
    serverCertificatePem: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----

    serverKeyPem: |
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----

    createClientKeypairSecret: true
    # if createClientKeypairSecret is false, set the secret name that should pre-exist
    # clientKeypairSecretName: xxx
    # if createClientKeypairSecret is true, set the cert and key below
    clientCertificatePem: |
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
    clientKeyPem: |
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----



    createTruststoreCaSecret: true
    # if createTruststoreCaSecret is false, set the secret name that should pre-exist
    # truststoreCaSecretName: xxx
    # if createTruststoreCaSecret is true, set the CA certs below
    caCerts:
      axual_dummy_root_ca.crt: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----

  basicAuth:
    enabled: false
    # Only required when `true`
    # username:
    # password:

  # Restricts the connector producer/consumer/admin client configuration overrides to a safe subset
  # defined in `org.apache.kafka.connect.axual.AxualConnectorClientConfigOverridePolicy`.
  # Other supported values include, but are not limited to, `All`, `None` and `Principal`.
  connectorClientConfigOverridePolicy: "Axual"

global:
  cluster:
    name: local
  instance:
    enabled: true
    fullName: axual-local

#ingress settings
ingress:
  enabled: false
#  className: ""
#  host: axual-local.connect.platform.local
#  annotations:
#    kubernetes.io/ingress.class: nginx
#    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
#  createSecret: true
#  secret:
#    crt: |+
#      -----BEGIN CERTIFICATE-----
#      -----END CERTIFICATE-----
#    key: |+
#      -----BEGIN PRIVATE KEY-----
#      -----END PRIVATE KEY-----

route:
  enabled: false
  labels: {}
  insecureEdgeTermination: None
  # caCertificate:
  # certificate:
  # key:
  # destinationCACertificate required when reencrypting to connect to the backend.
  # destinationCACertificate:

# ServiceMonitor is used for Prometheus Service Discovery
serviceMonitor:
  enabled: false

## Credential secrets to be mounted in the /credentials/
credentials:
  keystores: {}
  secrets: {}

rootLoglevel: info
pattern: '%date{"yyyy-MM-dd''T''HH:mm:ss,SSSXXX", UTC} [%t] [%X{axual.connector.name}] [%X{axual.connector.task}] [%X{axual.connector.scope}] %-5level %logger{36} - %msg%n'
loggers:
  org.apache.kafka.clients.admin.AdminClientConfig: error
  org.apache.kafka.clients.producer.ProducerConfig: error
  org.apache.kafka.clients.consumer.ConsumerConfig: error
  TEST_LOG_SOURCE_CONNECTER: info
  TEST_LOG_SINK_CONNECTER: info
  org.apache.kafka.connect.axual.utils.LogSinkTask: info
  org.apache.kafka.connect.runtime.WorkerConfig: info
  org.apache.kafka.connect.runtime.distributed.DistributedConfig: info
  org.reflections: error
  #  org.apache.kafka.connect: info
  #  io.axual: debug
  #  org.apache.kafka.connect.runtime.rest: debug
  #  org.apache.kafka.connect.runtime.distributed: debug
  #  org.apache.kafka.connect.runtime.isolation: debug

## ----
## init container
## ----
keystoreProvider:
  image: registry.axual.io/axual/keystore-provider
  tag: 0.2.1
  resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  securityContext: {}

# -- Properties defined for initializing kafka acls prior to running Connect
kafkaInitContainer:
  # -- Registry to pull the image from
  imageRegistry: "registry.axual.io"
  # -- Name of the image being deployed
  repository: "axual/streaming/strimzi/kafka"
  # -- Tag of the image being deployed
  tag: "0.34.0-kafka-3.4.0"
  # -- Kafka bootstrap servers to initialize
  bootstrapServers: ""
  # -- min.isr of topics used to store connect state/offset/config
  minIsr: "1"
  # -- Replication factor of topics used to store connect state/offset/config
  replicationFactor: "1"
  # -- Principal common name used to produce and consume from connect state/offset/config topics (should match the one on axual.tls.clientKeystore)
  principal: ""
  # -- Distributor principal common name used to produce and consume from connect state/offset/config topics
  distributionPrincipal: ""
  tls:
    # -- Existing Keypair secret name
    keypairSecretName: ""
    # -- Existing Keypair key name
    keypairSecretKeyName: ""
    # -- Existing Keypair certificate name
    keypairSecretCertName: ""
    # -- Existing Truststore secret name
    truststoreCaSecretName: ""
    # -- Existing Truststore certificate name
    truststoreCaSecretCertName: ""
  # -- The [resource requirements](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for this container.
  resources: { }
  securityContext: {}

# If enabled, creates the PV and PVC for the Connect plugins and common resources
persistPlugins:
  enabled: false
  createPersistentVolume: false
  storageClassName: hostpath
  persistentVolumeHostpath: /var/lib/connect-data
  persistentVolumeName: connect-plugin-pv
  persistentVolumeClaimName: connect-plugin-pv-claim
  commonResourcesDirectoryPath: "/usr/share/common"
  pluginsDirectoryPath: "/usr/share/plugins"

# If persistPlugins is enabled:
# - Downloads the default connector plugins and common resources from Amazon S3.
# - Persists them using a PersistentVolume and PersistentVolumeClaim.
# - Uses them as volumeMounts inside pods.
downloadPlugins:
  enabled: true
  image: registry.axual.io/axual/connect
  tag: 3.0.0
  # This is the deprecated name for defining the Artifacts Base URL (FileServer)
#  artificateBaseUrl: "http://artifacts.axual.cloud.s3-website.eu-central-1.amazonaws.com"
  artifactsBaseUrl: "https://stpaxualconnect.blob.core.windows.net"
  connectPluginsFile: "axual-0e0tyou2/axual-connect-plugins-1.0.1.tgz"
  commonResourcesFile: "axual-0e0tyou2/axual-connect-common-resources-1.1.0.tgz"
  resourcePath: "/usr/share"
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  resources: {}
  securityContext: {}

# Vault Configuration
vault:
#  address: https://selfservice-vault:8200
  authMethod: APPROLE
  # This is a dummy value. Get your Connect instance roleId from Vault
  approleRoleId: dummy-value
  # This is a dummy value. Get your Connect instance secretId from Vault
  approleSecretId: dummy-value
  testPath:
  namespace: ""
  ssl:
    verify: true
    truststoreLocation: /security/vault-truststore.jks
    truststorePassword: notsecret
  secretProvider:
    enabled: true
    class: io.axual.utilities.config.providers.VaultConfigProvider
  keystoreProvider:
    enabled: true
    class: io.axual.utilities.config.providers.VaultKeyStoreProvider
    truststoreLocation: /security/client-truststore.jks
    truststorePassword: notsecret
    certificateChainKeyname: certificate.chain
    privateKeyKeyname: private.key


## Kafka Connect properties
## ref: https://docs.confluent.io/current/connect/userguide.html#configuring-workers
configurationOverrides:
  "plugin.path": "/usr/share/java,/usr/share/confluent-hub-components,/usr/share/plugins"
  "key.converter": "org.apache.kafka.connect.json.JsonConverter"
  "value.converter": "org.apache.kafka.connect.json.JsonConverter"
  "key.converter.schemas.enable": "false"
  "value.converter.schemas.enable": "false"
  "internal.key.converter": "org.apache.kafka.connect.json.JsonConverter"
  "internal.value.converter": "org.apache.kafka.connect.json.JsonConverter"

## Additional env variables
## CUSTOM_SCRIPT_PATH is the path of the custom shell script to run, mounted in a volume
customEnv: {}
  # CUSTOM_SCRIPT_PATH: /etc/scripts/create-connectors.sh

## Kafka Connect JVM Heap Option
heapOptions: "-Xms512M -Xmx1024M"

jvmPerformanceOpts: "-server -XX:+UseG1GC -XX:MaxGCPauseMillis=20 -XX:InitiatingHeapOccupancyPercent=35 -XX:+ExplicitGCInvokesConcurrent -Djava.awt.headless=true -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1"

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #  cpu: 100m
  #  memory: 128Mi
  # requests:
  #  cpu: 100m
  #  memory: 128Mi

## Custom pod annotations
podAnnotations: {}

## Custom pod security context
podSecurityContext: {}

## Custom hostAliases (adds hostname-ip mapping in /etc/hosts of the pod)
hostAliases: []
#  - ip: 127.0.0.1
#    hostnames:
#      - hello.world


## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
nodeSelector: {}

## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
affinity: {}

## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
topologySpreadConstraints: []

## Taints to tolerate on node assignment:
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []

## These values are used only when "customEnv.CUSTOM_SCRIPT_PATH" is defined.
## "livenessProbe" is required only for the edge cases where the custom script takes too long to run
## and errors from the ENTRYPOINT are ignored by the container.
## As an example, a similar script is provided in "cp-helm-charts/examples/create-connectors.sh"
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
livenessProbe:
  enabled: true
  initialDelaySeconds: 30
  timeoutSeconds: 3

readinessProbe:
  enabled: true
  initialDelaySeconds: 5
  timeoutSeconds: 3

# Add additional volumes
#extraVolumes: ""

# Add additional volumes mounts
#extraVolumeMounts: ""

# configuration values for RoutingKafkaAppender
routedLogging:
  # indicates if we add the routing Kafka appender to the Logback config
  enabled: false
  # indicates if we take Axual environment in consideration when routing connector logging
  suppressEnvironment: false
  pattern: '%d{yyyy-MM-dd HH:mm:ss.SSS} [%thread] %-5level %logger{36} %msg'

securityContext: {}

additionalWorkerConfig: {}

podLabels: {}

connectVault:
  enabled: false
  injector:
    enabled: false
#  server:
#    ingress:
#      enabled: true
#      activeService: false
#      ingressClassName: "nginx"
#      hosts:
#        - host: "vault.local"
#          paths:
#            - "/"
#    dataStorage:
#      storageClass: "hostpath"
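
A pre-deployment check for the defaults listed above, as an added example that is not part of the chart or of Axual's tooling: it flags inline private keys, the `dummy-value` AppRole IDs, the `notsecret` truststore passwords and the TLSv1/TLSv1.1 entries in `https.protocols`. The `axual.tls` parent path, the secret name and all sample values are assumptions constructed for the example.

```python
import re
import sys

KEY_RE = re.compile(r'^(\s*)"?([\w.\-]+)"?:\s*(.*)$')

# Constructed excerpt of the chart defaults shown on this page. The `axual.tls`
# parent path is an assumption and the PEM body is a placeholder, not a key.
SAMPLE_DEFAULTS = """\
axual:
  tls:
    createServerKeypairSecret: true
    serverKeyPem: |
      -----BEGIN PRIVATE KEY-----
      CONSTRUCTED-PLACEHOLDER-NOT-KEY-MATERIAL
      -----END PRIVATE KEY-----
  connectorClientConfigOverridePolicy: "Axual"
vault:
  approleRoleId: dummy-value
  approleSecretId: dummy-value
  ssl:
    verify: true
    truststorePassword: notsecret
jvmPerformanceOpts: "-server -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2,TLSv1.1,TLSv1"
"""

# Constructed override for a shared cluster; secret name and values are hypothetical.
SAMPLE_HARDENED = """\
axual:
  tls:
    createServerKeypairSecret: false
    serverKeypairSecretName: connect-server-keypair  # pre-existing Secret
  connectorClientConfigOverridePolicy: "Axual"
vault:
  approleRoleId: constructed-role-id
  approleSecretId: constructed-secret-id
  ssl:
    verify: true
    truststorePassword: constructed-long-random-value
jvmPerformanceOpts: "-server -Djdk.tls.client.protocols=TLSv1.2 -Dhttps.protocols=TLSv1.2"
"""


def flatten(text):
    """Return [(dotted.path, value)] for scalars in a block-style YAML file.

    Supports nested mappings, quoted scalars and `|` block scalars only,
    which covers the settings checked below; it is not a full YAML parser.
    """
    stack = []    # (indent, key) of each enclosing mapping
    block = None  # (path, key_indent, lines) while inside a `|` scalar
    out = []
    for raw in text.splitlines():
        indent = len(raw) - len(raw.lstrip())
        if block is not None:
            if not raw.strip() or indent > block[1]:
                block[2].append(raw.strip())
                continue
            out.append((block[0], "\n".join(block[2]).strip()))
            block = None
        m = KEY_RE.match(raw)
        if not m:  # comments, list items and blank lines
            continue
        key, value = m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value.startswith("|"):
            block = (path, indent, [])
        elif value == "":
            stack.append((indent, key))
        else:
            if value[0] not in "\"'":
                value = value.split(" #", 1)[0]  # drop trailing comment
            out.append((path, value.strip().strip("\"'")))
    if block is not None:
        out.append((block[0], "\n".join(block[2]).strip()))
    return out


def audit(text):
    """Return sorted (path, finding) pairs for settings only suitable locally."""
    findings = []
    for path, value in flatten(text):
        leaf = path.rsplit(".", 1)[-1]
        if leaf.endswith("KeyPem") and "PRIVATE KEY-----" in value:
            findings.append((path, "private key stored inline in values"))
        elif leaf in ("approleRoleId", "approleSecretId") and value == "dummy-value":
            findings.append((path, "placeholder Vault AppRole credential"))
        elif leaf.endswith("Password") and value == "notsecret":
            findings.append((path, "chart default password"))
        elif path.endswith("ssl.verify") and value == "false":
            findings.append((path, "TLS verification disabled"))
        elif leaf == "connectorClientConfigOverridePolicy" and value == "All":
            findings.append((path, "connectors may override any client setting"))
        elif leaf == "jvmPerformanceOpts":
            m = re.search(r"-Dhttps\.protocols=(\S+)", value)
            protos = m.group(1).split(",") if m else []
            old = [p for p in protos if p in ("TLSv1", "TLSv1.1")]
            if old:
                findings.append((path, "https.protocols allows " + ",".join(old)))
    return sorted(findings)


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFAULTS
    results = audit(source)
    for path, finding in results:
        print(f"{path}: {finding}")
    sys.exit(1 if results else 0)
```

Run it against the values file passed to `helm install -f` in a CI step; a non-zero exit means at least one local-development default is still present.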