Apicurio 3.1.8 Helm Readme

# Default values for apicurio-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

global:
  # -- The domain of the Kubernetes cluster. The vast majority of Kubernetes clusters use the default value.
  clusterDomain: "<k8sClusterDomain>"

  # -- Globally override the registry to pull images from.
  imageRegistry: ""
  # -- Globally override the list of ImagePullSecrets provided.
  imagePullSecrets: []

# -- Override the app name generated by the chart.
nameOverride: ""
# -- Override the fully qualified app name generated by the chart.
fullnameOverride: ""

# -- Number of pods to deploy.
replicaCount: 1

# -- Annotations to add to the Deployment resource.
annotations: {}

image:
  # -- Registry to pull the image from.
  registry: "registry.axual.io"
  # -- Name of the image being deployed.
  repository: "axual/apicurio-registry-kafkasql"
  # -- Override the image tag whose default is the chart `appVersion`.
  tag: "2.6.13.Ax1"
  # -- One of `Always`, `IfNotPresent`, or `Never`.
  pullPolicy: "Always"

keystoreProvider:
  image:
    # -- Registry to pull the image from.
    registry: "registry.axual.io"
    # -- Name of the image being deployed.
    repository: "axual/keystore-provider"
    tag: "0.2.10"
  # -- The [resource requirements](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for this container.
  resources: {}

tls:
  # -- Name of the Client KeyPair Secret
  # type: kubernetes.io/tls
  clientKeypairSecretName: ""
  # -- Name of the Server KeyPair Secret
  # type: kubernetes.io/tls
  serverKeypairSecretName: ""
  # -- Name of the Truststore Certificates Secret
  # type: Opaque
  truststoreCaSecretName: ""

# -- Environment variables to define for the container.
# See the Kubernetes documentation on [Environment Variables](https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/).
env: []

# -- Configuration passed to the container.
# Contents get injected to a ConfigMap, which gets mounted as an `application.properties` file.
config:
  # ENABLE_CCOMPAT_CANONICAL_HASH_MODE
  registry.ccompat.use-canonical-hash: "true"
  # ENABLE_CCOMPAT_LEGACY_ID_MODE
  registry.ccompat.legacy-id-mode.enabled: "false"
  # REGISTRY_UI_AUTH_TYPE
  registry.ui.config.auth.type: "oidc"
  # REGISTRY_AUTH_ANONYMOUS_READ_ACCESS_ENABLED
  registry.auth.anonymous-read-access.enabled: "true"
  # ROLE_BASED_AUTHZ_ENABLED
  # REGISTRY_AUTH_RBAC_ENABLED
  registry.auth.role-based-authorization: "true"
  # REGISTRY_AUTH_OBAC_ENABLED
  registry.auth.owner-only-authorization: "true"
  # REGISTRY_AUTH_ADMIN_OVERRIDE_ENABLED
  registry.auth.admin-override.enabled: "true"
  # Define the Global Validity
  registry.rules.global.validity: "FULL"
  # Define the Global Compatibility
  registry.rules.global.compatibility: "NONE"
  # Configure json logging
  quarkus.log.console.enable: "true"
  quarkus.log.console.json: "true"
  quarkus.log.console.json.pretty-print: "false"
  quarkus.log.console.json.date-format: "default"
  quarkus.log.console.json.exception-output-type: "formatted"

# -- List of ImagePullSecrets to apply to the service account. If the service account is disabled, it will be applied to the pod instead.
imagePullSecrets: []

# -- Kafka Configuration passed to the Apicurio Registry
kafka:
  # -- Kafka bootstrap servers
  bootstrapServers: ""
  # -- Fully resolved name of topic used to store topics (typically _{tenant}-{instance}-apicurio-schemas) -deployed by kafka init container
  schemasTopic: ""
  # -- Override group prefix to give access to (typically {tenant}.{instance}.apicurio) If you'd like a custom group prefix, you can specify an override here.
  groupPatternOverride: ""

# -- The configuration related to authentication and authorization of users to the registry
# Note: In order for any other authentication feature to work,
# security.authentication.enabled needs to be enabled
security:
  authentication:
    enabled: false
    basicAuthEnabled: false

  # -- Attributes that are required for Apicurio to access the keycloak instance
  # required only when security.authentication.enabled is true
  keycloak:
    # -- Keycloak Authentication URL
    authUrl: ""
    # -- Keycloak Realm used for Apicurio permissions and users
    realm: ""
    # -- Client ID for the Apicurio UI
    webClientId: ""
    # -- Apicurio UI URL
    webRedirectUrl: ""

# -- Log Level configuration passed as REGISTRY_LOG_LEVEL
logLevel: info

# -- Debug Configuration passed to the container(s).
# Enable `5005` port in the deployment.yaml
debug:
  enabled: false

serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  name: ""

# -- Extra annotations to add to the Pods.
podAnnotations: {}

# -- Pod-level security attributes and common container settings.
podSecurityContext: {}
#   fsGroup: 2000

livenessProbe:
  # -- Minimum consecutive failures for the probe to be considered failed after having succeeded.
  # A failed livenessProbe will cause the container to be restarted.
  failureThreshold: 3
  # -- Number of seconds after the container has started before liveness probes are initiated.
  initialDelaySeconds: 10
  # -- How often (in seconds) to perform the probe.
  periodSeconds: 10
  # -- Minimum consecutive successes for the probe to be considered successful after having failed.
  successThreshold: 1
  # -- Number of seconds after which the probe times out.
  timeoutSeconds: 1

readinessProbe:
  # -- Minimum consecutive failures for the probe to be considered failed after having succeeded.
  # A failed readinessProbe will cause the container to move to the `NotReady` state.
  failureThreshold: 3
  # -- Number of seconds after the container has started before readiness probes are initiated.
  initialDelaySeconds: 0
  # -- How often (in seconds) to perform the probe.
  periodSeconds: 10
  # -- Minimum consecutive successes for the probe to be considered successful after having failed.
  successThreshold: 1
  # -- Number of seconds after which the probe times out.
  timeoutSeconds: 1

# -- Defines the security options the container should be run with.
# If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
# @default -- See `values.yaml` file.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  privileged: false
  readOnlyRootFilesystem: false
  runAsNonRoot: true
  runAsUser: 1000

# -- Additional init containers, e. g. for configuring java-security
extraInitContainers: ""

# -- Add additional volumes, e. g. for java-security
extraVolumes: ""

# -- Add additional volumes mounts, e. g. for java-security
extraVolumeMounts: ""

# -- Additional sidecar containers, e. g. for a database proxy, such as Google's cloudsql-proxy
extraContainers: ""


service:
  # -- Annotations to add to the Service resource.
  annotations: { }
  # -- Determines how the Service is exposed.
  type: ClusterIP
  # -- The port that will be exposed by the service.
  # Note: this is independent of the ports opened on the container.
  httpsPort: 21500
  httpPort: 20500

ingress:
  # -- Enable creation of the Ingress resource to expose this service.
  enabled: false
  # -- The name of the IngressClass cluster resource.
  # The associated IngressClass defines which controller will implement the resource.
  className: ""
  # -- Annotations to add to the Ingress resource.
  annotations: {}
  hosts:
    - # -- The fully qualified domain name of a network host.
      host: "<hostDomainName>"
      paths:
        - # -- Matched against the path of an incoming request.
          path: "/"
          # -- Determines the interpretation of the Path matching.
          # Can be one of the following values: `Exact`, `Prefix`, `ImplementationSpecific`.
          pathType: "ImplementationSpecific"
  # -- TLS configuration for this Ingress.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

# -- Ingress configuration for direct access to Apicurio, bypassing the Auth Proxy.
# When enabled, /ui and /apis traffic is routed directly to Apicurio on a separate hostname.
# Requires authProxy.enabled to also be true.
ingressWithoutAuthProxy:
  # -- Enable creation of a dedicated Ingress resource for operator access
  enabled: false
  # -- The name of the IngressClass cluster resource
  className: ""
  # -- Annotations to add to the Operator Ingress resource
  annotations: {}
  hosts:
    - # -- A different hostname from authProxy.ingress to avoid CORS issues
      host: "chart-example-operator.local"
  # -- TLS configuration for Operator Ingress
  tls: []
  #  - secretName: operator-tls
  #    hosts:
  #      - chart-example-operator.local

route:
  # -- Enable creation of an OpenShift Route resource to expose this service.
  enabled: false
  # -- Annotations to add to the Route.
  annotations: {}
  # -- Labels to add to the route.
  labels: {}
  # -- An alias/DNS that points to the service. Optional. If not specified, a route name will typically be automatically chosen.
  host: ""
  # -- Subdomain is a DNS subdomain requested within the ingress controller’s domain (as a subdomain). If host is set this field is ignored.
  subdomain: ""
  # -- Path that the router watches for, to route traffic for to the service.
  path: "/"
  # -- Target pod port used by the Router
  targetPort: https
  tls:
    # -- The Certificate Authority certificate contents.
    caCertificate: ""
    # -- Certificate contents. This should be a single serving certificate, not a certificate chain. Do not include a CA certificate.
    certificate: ""
    # -- Key file contents.
    key: ""
    # -- Indicates termination type. One of: `edge`, `passthrough`, or `reencrypt`.
    termination: "passthrough"
    # -- The CA certificate of the final destination.
    # When using reencrypt termination, this file should be provided
    # in order to have routers use it for health checks on the secure connection.
    destinationCACertificate: ""

routeWithoutAuthProxy:
  # -- Enable creation of a dedicated OpenShift Route resource for operator access without auth proxy.
  enabled: false
  # -- Annotations to add to the Route.
  annotations: {}
  # -- Labels to add to the route.
  labels: {}
  # -- An alias/DNS that points to the service. Optional.
  host: ""
  # -- Subdomain is a DNS subdomain requested within the ingress controller's domain (as a subdomain). If host is set this field is ignored.
  subdomain: ""
  # -- Path that the router watches for, to route traffic for to the service.
  path: "/"
  # -- Target pod port used by the Router
  targetPort: https
  tls:
    # -- The Certificate Authority certificate contents.
    caCertificate: ""
    # -- Certificate contents. This should be a single serving certificate, not a certificate chain. Do not include a CA certificate.
    certificate: ""
    # -- Key file contents.
    key: ""
    # -- Indicates termination type. One of: `edge`, `passthrough`, or `reencrypt`.
    termination: "passthrough"
    # -- The CA certificate of the final destination.
    # When using reencrypt termination, this file should be provided
    # in order to have routers use it for health checks on the secure connection.
    destinationCACertificate: ""

# -- The [resource requirements](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for this container.
resources:
  requests:
    cpu: 30m
    memory: 128Mi
  limits:
    memory: 512Mi

autoscaling:
  # -- Enables the creation of a HorizontalPodAutoscaler.
  enabled: false
  # -- Lower limit for the number of replicas to which the autoscaler can scale down.
  minReplicas: 1
  # -- Upper limit for the number of replicas to which the autoscaler can scale up. Cannot be less that minReplicas.
  maxReplicas: 10
  # -- Percentage of CPU utilization that the autoscaler will try to meet.
  targetCPUUtilizationPercentage: 80
  # -- (int) Percentage of memory utilization that the autoscaler will try to meet.
  targetMemoryUtilizationPercentage: 80

podDisruptionBudget:
  # -- Enables creation of the PodDisruptionBudget. Ignored if replicaCount is 1.
  enabled: true
  # -- (int) An eviction is allowed if at most "maxUnavailable" pods are unavailable after eviction. Mutually exclusive with minAvailable.
  maxUnavailable: 1
  # -- (int) An eviction is allowed if at least "minAvailable" pods will still be available after the eviction. Mutually exclusive with maxUnavailable.
  minAvailable:

# -- Assigns a PriorityClass to the Pod. See Kubernetes documentation on [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/).
priorityClass: ""

# -- Optional list of hosts and IPs that will be injected into the pod's hosts file.
hostAliases: []

# -- Selector which must match a node's labels for the pod to be scheduled on that node.
nodeSelector: {}

# -- The tolerations on this pod. See the Kubernetes documentation on [Taints and Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/).
tolerations: []

# -- The pod's scheduling constraints. See the Kubernetes documentation on [Affinity and Anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
affinity: {}

# -- Describes how a group of pods ought to spread across topology domains. See the Kubernetes documentation on [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/).
topologySpreadConstraints: []

serviceMonitor:
  # -- Enables creation of Prometheus Operator [ServiceMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.ServiceMonitor).
  enabled: true
  # -- Interval at which metrics should be scraped.
  interval: 30s
  # -- Timeout after which the scrape is ended.
  scrapeTimeout: 10s
  # -- Additional labels for the ServiceMonitor
  labels: { }

prometheusRule:
  # -- Enables creation of Prometheus Operator [PrometheusRule](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PrometheusRule).
  enabled: true
  # -- Determines how often rules in the group are evaluated.
  interval: ""
  # -- Additional labels for the PrometheusRule
  labels: { }
  defaultRule:
    # -- Customize the labels to the default prometheusRule
    labels:
      severity: medium
      target: business
  # -- A list alerting or recording rules to include on top of the defaults. These fields are templated.
  extraRules:
    []
#    # - alert: MyAlertName
#    #   annotations:
#    #     summary: Summary of my alert
#    #     description: Longer description of my alert that goes into a bit more detail
#    #   expr: up{service="{{ include "apicurio-registry.fullname" . }}"} == 0
#    #   for: 5m
#    #   labels:
#    #     severity: medium
#    #     target: business

kafkaInitContainer:
  # -- Registry to pull the image from
  imageRegistry: "registry.axual.io"
  # -- Name of the image being deployed
  repository: "axual/streaming/strimzi/kafka"
  # -- Tag of the image being deployed
  tag: "0.43.0-kafka-3.8.0"
  # -- The principal common name used to produce and consume from schemas topic (should match the one on REGISTRY_KAFKA_COMMON_SSL_KEYSTORE_LOCATION)
  # If Kafka is configured to validate ACLs over the full principal chain, please provide the principal chain as this example: [0] CN=Root CA, [1] CN=Intermediate CA, [3] CN=schema-registry
  # Otherwise, just provide the common name prefixed with `CN:`
  apicurioPrincipal: ""
  # -- (Optional) Principal common name used to produce and consume from schemas topic by Distributor
  distributorPrincipal: ""
  # -- Replication factor of topic used to store topics
  replicationFactor: ""
  # -- min.isr of topic used to store topics
  minIsr: ""
  tls:
    # -- Existing Keypair secret name
    keypairSecretName: ""
    # -- Existing Keypair key name
    keypairSecretKeyName: ""
    # -- Existing Keypair certificate name
    keypairSecretCertName: ""
    # -- Existing Truststore secret name
    truststoreCaSecretName: ""
    # -- Existing Truststore certificate name
    truststoreCaSecretCertName: ""
  # -- The [resource requirements](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for this container.
  resources: {}

# -- Apicurio Keycloak MySQL Components toggles
apicurioKeycloakMysql:
  enabled: false
  image:
    registry: docker.io
    repository: bitnamilegacy/mysql

# -- Apicurio Keycloak Instance
apicurioKeycloak:
  # -- Keycloak Components toggles
  enabled: false
  # -- Apicurio realm name
  realm: ""
  # Needed since Keycloak 25.0.1
  # -- Keycloak Proxy configuration
  proxy:
    mode: xforwarded
    http:
      enabled: true


# ============================================================================
# Auth Proxy Configuration
# ============================================================================
# Auth Proxy provides JWT validation and Basic Auth conversion for Apicurio Registry.
# When enabled, it runs as a sidecar container and handles authentication/authorization.
# ============================================================================
authProxy:
  # -- Enable Auth Proxy sidecar container
  enabled: false
  image:
    # -- Registry to pull the image from.
    registry: "registry.axual.io"
    # -- Name of the image being deployed.
    repository: "axual/auth-proxy"
    # -- Image tag for the Auth Proxy.
    tag: "0.1.0"
    # -- One of `Always`, `IfNotPresent`, or `Never`.
    pullPolicy: "Always"
  # -- Port on which the Auth Proxy listens for incoming requests
  # NOTE: Must be different from Apicurio's port (8080) to avoid port conflicts in the same pod
  port: 8081
  # -- Auth Proxy application.yml configuration
  # Full YAML structure that will be mounted as /config/application.yml
  # Minimal configuration - only override essential values that differ from Auth Proxy defaults
  config:
    server:
      # -- Port override (must differ from Apicurio's 8080)
      port: 8081
    auth-proxy:
      # -- JWT issuer URI for validation (e.g., https://axual.cloud/auth/realms/tenant1). REQUIRED.
      valid-issuer-uri: ""
      # -- JWKS endpoint URI for fetching public keys. REQUIRED.
      jwks-endpoint-uri: ""
      # -- Expected client ID / audience value for JWT validation
      client-id: ""
      # -- Backend service URL to proxy requests to (routes to Apicurio in the same pod)
      backend-service: "http://localhost:8080"
    # Uncomment to enable OpenTelemetry distributed tracing
    # management:
    #   otlp:
    #     tracing:
    #       endpoint: "http://jaeger-collector:4318/v1/traces"
    # spring:
    #   application:
    #     name: "my-auth-proxy"
    # deployment:
    #   environment: "production"
  # -- Secrets configuration for Auth Proxy
  # Full YAML structure that will be mounted as /config/secrets/secrets.yml
  secrets: {}
    # Example:
    # auth-proxy:
  #   client-secret-salt: "your-secure-random-salt"
  # -- Secret management
    # -- The name of an existing Kubernetes Secret. The key in the Secret must be `secrets.yml`.
    # The contents get mounted into the container.
  existingSecretName: ""

  # -- Liveness probe configuration for Auth Proxy.
  # Probes /actuator/health/liveness on the management port.
  livenessProbe:
    # -- Minimum consecutive failures for the probe to be considered failed after having succeeded.
    # A failed livenessProbe will cause the container to be restarted.
    failureThreshold: 3
    # -- Number of seconds after the container has started before liveness probes are initiated.
    initialDelaySeconds: 10
    # -- How often (in seconds) to perform the probe.
    periodSeconds: 10
    # -- Minimum consecutive successes for the probe to be considered successful after having failed.
    successThreshold: 1
    # -- Number of seconds after which the probe times out.
    timeoutSeconds: 1
  # -- Readiness probe configuration for Auth Proxy.
  # Probes /actuator/health/readiness on the management port.
  readinessProbe:
    # -- Minimum consecutive failures for the probe to be considered failed after having succeeded.
    # A failed readinessProbe will cause the container to move to the `NotReady` state.
    failureThreshold: 3
    # -- Number of seconds after the container has started before readiness probes are initiated.
    initialDelaySeconds: 5
    # -- How often (in seconds) to perform the probe.
    periodSeconds: 10
    # -- Minimum consecutive successes for the probe to be considered successful after having failed.
    successThreshold: 1
    # -- Number of seconds after which the probe times out.
    timeoutSeconds: 1

  debug: {}
  # -- The [resource requirements](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for Auth Proxy container.
  resources:
    requests:
      cpu: 30m
      memory: 128Mi
    limits:
      memory: 512Mi
  # -- Management/actuator endpoints configuration
  # Auth Proxy uses built-in defaults for most management settings (port 8086, health/metrics endpoints, etc.)
  management:
    # -- Port for Spring Boot Actuator management endpoints (Auth Proxy default: 8086)
    # Used for health probe references and service port definition
    port: 8086
    # -- Enable Prometheus metrics scraping via ServiceMonitor
    metricsEnabled: true
  # -- Ingress configuration for Auth Proxy (separate from Apicurio ingress)
  ingress:
    # -- Enable creation of the Ingress resource for Auth Proxy
    enabled: false
    # -- The name of the IngressClass cluster resource
    className: ""
    # -- Annotations to add to the Auth Proxy Ingress resource
    annotations: {}
    hosts:
      - # -- The fully qualified domain name for Auth Proxy
        host: "chart-example.local"
        paths:
          - # -- Matched against the path of an incoming request
            path: "/"
            # -- Determines the interpretation of the Path matching
            pathType: "ImplementationSpecific"
    # -- TLS configuration for Auth Proxy Ingress
    tls: []
    #  - secretName: auth-proxy-tls
    #    hosts:
    #      - chart-example.local
  # -- OpenShift Route configuration for Auth Proxy (separate from Apicurio route)
  route:
    # -- Enable creation of an OpenShift Route for Auth Proxy
    enabled: false
    # -- Annotations to add to the Auth Proxy Route
    annotations: {}
    # -- Labels to add to the Auth Proxy Route
    labels: {}
    # -- An alias/DNS that points to the service
    host: ""
    # -- Subdomain is a DNS subdomain requested within the ingress controller's domain
    subdomain: ""
    # -- Path that the router watches for
    path: "/"
    # -- Target pod port used by the Router
    targetPort: auth-proxy
    tls:
      # -- The Certificate Authority certificate contents
      caCertificate: ""
      # -- Certificate contents
      certificate: ""
      # -- Key file contents
      key: ""
      # -- Indicates termination type. One of: edge, passthrough, or reencrypt
      termination: "edge"
      # -- The CA certificate of the final destination
      destinationCACertificate: ""
  # -- (multi-line) String that is put into a configmap, mounted in the pod and used as the logback config for Auth Proxy. If present, configuration under `logging` is ignored.
  logbackConfig: ""
  # -- Logging configuration object used when the logbackConfig is not set. Allows for configuring pattern and per package log levels.
  logging:
    # -- Log pattern (when logbackConfig is not defined)
    pattern: "%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX, UTC} ${LOG_LEVEL_PATTERN:-%5p} ${PID:- } --- [%15.15t] [traceid=%X{traceid}, spanid=%X{spanid}] %-40.40logger{39} : %m%n}"
    # -- Root log level used (when logbackConfig is not defined)
    rootLoglevel: INFO
    # -- Log level per package (when logbackConfig is not defined)
    loggers:
      # -- Log level for Auth Proxy (when logbackConfig is not defined)
      io.axual.auth.proxy: INFO
      # -- Log level for Spring Cloud Gateway (when logbackConfig is not defined)
      org.springframework.cloud.gateway: INFO
  # -- Additional environment variables for Auth Proxy container
  # These will be added to the env section of the Auth Proxy container
  env: []
    # Example:
    # - name: CUSTOM_VAR
    #   value: "custom-value"
    # - name: SECRET_VAR
    #   valueFrom:
    #     secretKeyRef:
    #       name: my-secret
  #       key: secret-key