1# This file has been modified by Chainguard, Inc.
3# Copyright Chainguard, Inc. All Rights Reserved.
4# Chainguard, Inc. modifications are subject to the license
5# available at: https://www.chainguard.dev/legal/software-license-agreement
7# Copyright Broadcom, Inc. All Rights Reserved.
8# SPDX-License-Identifier: APACHE-2.0
10## @section Global parameters
11## Global Docker image parameters
12## Please, note that this will override the image parameters, including dependencies, configured to use the global value
13## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
16## @param global.imageRegistry Global Docker image registry
17## @param global.imagePullSecrets Global Docker registry secret names as an array
18## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
19## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
25 ## - myRegistryKeySecretName
28 defaultStorageClass: ""
30 ## Security parameters
33 ## @param global.security.allowInsecureImages Allows skipping image verification
34 allowInsecureImages: false
35 ## Compatibility adaptations for Kubernetes platforms
38 ## Compatibility adaptations for Openshift
41 ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
43 adaptSecurityContext: disabled
45## @section Common parameters
48## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
51## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
54## @param fullnameOverride String to fully override common.names.fullname template
57## @param commonLabels Add labels to all the deployed resources
60## @param commonAnnotations Add annotations to all the deployed resources
63## @param clusterDomain Kubernetes Cluster Domain
65clusterDomain: cluster.local
66## @param extraDeploy Array of extra objects to deploy with the release
69## @param usePasswordFiles Mount credentials as files instead of using environment variables
72## @section Tomcat parameters
75## Iamguarded Tomcat image version
76## @param image.registry [default: REGISTRY_NAME] Tomcat image registry
77## @param image.repository [default: REPOSITORY_NAME/tomcat] Tomcat image repository
78## @skip image.tag Tomcat image tag (immutable tags are recommended)
79## @param image.digest Tomcat image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
80## @param image.pullPolicy Tomcat image pull policy
81## @param image.pullSecrets Specify docker-registry secret names as an array
82## @param image.debug Specify if debug logs should be enabled
86 repository: chainguard-private/tomcat-iamguarded
89 ## Specify a imagePullPolicy
90 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
92 pullPolicy: IfNotPresent
93 ## Optionally specify an array of imagePullSecrets.
94 ## Secrets must be manually created in the namespace.
95 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
98 ## - myRegistryKeySecretName
101 ## Set to true if you would like to see extra information on logs
104## @param automountServiceAccountToken Mount Service Account token in pod
106automountServiceAccountToken: false
107## @param hostAliases Deployment pod host aliases
108## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
111## @param tomcatUsername Tomcat admin user
114## @param tomcatPassword Tomcat admin password
117## @param existingSecret Use existing secret for credentials details (`tomcatUsername` and `tomcatPassword` will be ignored and picked up from this secret)
120## @param secretKeys.adminUsernameKey Name of key in existing secret to use instead of default `tomcat-username` key to provide Tomcat admin username (overrides `tomcatUsername`). Only used when `existingSecret` is set
121## @param secretKeys.adminPasswordKey Name of key in existing secret to use instead of default `tomcat-password` key to provide Tomcat admin password (overrides `tomcatPassword`). Only used when `existingSecret` is set
126## @param tomcatAllowRemoteManagement Enable remote access to management interface
128tomcatAllowRemoteManagement: 0
129## @param catalinaOpts Java runtime option used by tomcat JVM
132## @param command Override default container command (useful when using custom images)
135## @param args Override default container args (useful when using custom images)
138## @param extraEnvVars Extra environment variables to be set on Tomcat container
145## @param extraEnvVarsCM Name of existing ConfigMap containing extra environment variables
148## @param extraEnvVarsSecret Name of existing Secret containing extra environment variables
150extraEnvVarsSecret: ""
151## @section Tomcat deployment parameters
154## @param replicaCount Specify number of Tomcat replicas
160 ## @param deployment.type Use Deployment or StatefulSet
163## Strategy to use to update Pods
166 ## @param updateStrategy.type StrategyType
167 ## Can be set to RollingUpdate or OnDelete
170## @param containerPorts.http HTTP port to expose at container level
174## @param containerExtraPorts Extra ports to expose at container level
177## containerExtraPorts:
179## containerPort: 8081
181containerExtraPorts: []
182## Tomcat pods' Security Context
183## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
184## @param podSecurityContext.enabled Enable Tomcat pods' Security Context
185## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
186## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
187## @param podSecurityContext.supplementalGroups Set filesystem extra groups
188## @param podSecurityContext.fsGroup Set Tomcat pod's Security Context fsGroup
192 fsGroupChangePolicy: Always
194 supplementalGroups: []
196## Tomcat containers' SecurityContext
197## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
198## @param containerSecurityContext.enabled Enabled containers' Security Context
199## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
200## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
201## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
202## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
203## @param containerSecurityContext.privileged Set container's Security Context privileged
204## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
205## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
206## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
207## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
209containerSecurityContext:
216 readOnlyRootFilesystem: true
217 allowPrivilegeEscalation: false
221 type: "RuntimeDefault"
222## Tomcat containers' resource requests and limits
223## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
224## We usually recommend not to specify default resources and to leave this as a conscious
225## choice for the user. This also increases chances charts run on environments with little
226## resources, such as Minikube. If you do want to specify resources, uncomment the following
227## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
228## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
230resourcesPreset: "micro"
231## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
242## Configure extra options for liveness probe
243## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
244## @param livenessProbe.enabled Enable livenessProbe
245## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
246## @param livenessProbe.periodSeconds Period seconds for livenessProbe
247## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
248## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
249## @param livenessProbe.successThreshold Success threshold for livenessProbe
253 initialDelaySeconds: 120
258## Configure extra options for readiness probe
259## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
260## @param readinessProbe.enabled Enable readinessProbe
261## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
262## @param readinessProbe.periodSeconds Period seconds for readinessProbe
263## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
264## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
265## @param readinessProbe.successThreshold Success threshold for readinessProbe
269 initialDelaySeconds: 30
274## Configure extra options for startup probe
275## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-startup-probes/#configure-probes
276## @param startupProbe.enabled Enable startupProbe
277## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
278## @param startupProbe.periodSeconds Period seconds for startupProbe
279## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
280## @param startupProbe.failureThreshold Failure threshold for startupProbe
281## @param startupProbe.successThreshold Success threshold for startupProbe
285 initialDelaySeconds: 30
290## @param customLivenessProbe Override default liveness probe
292customLivenessProbe: {}
293## @param customReadinessProbe Override default readiness probe
295customReadinessProbe: {}
296## @param customStartupProbe Override default startup probe
298customStartupProbe: {}
299## @param podLabels Extra labels for Tomcat pods
300## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
303## @param podAnnotations Annotations for Tomcat pods
304## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
307## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
308## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
311## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
312## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
314podAntiAffinityPreset: soft
315## Node affinity preset
316## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
319 ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
322 ## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
324 ## key: "kubernetes.io/e2e-az-name"
327 ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
334## @param affinity Affinity for pod assignment. Evaluated as a template.
335## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
336## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
339## @param nodeSelector Node labels for pod assignment. Evaluated as a template.
340## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
343## @param schedulerName Alternative scheduler
344## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
347## @param lifecycleHooks [object] Override default etcd container hooks
350## @param podManagementPolicy podManagementPolicy to manage scaling operation of pods (only in StatefulSet mode)
351## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
353podManagementPolicy: ""
354## @param tolerations Tolerations for pod assignment. Evaluated as a template.
355## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
358## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
359## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
361topologySpreadConstraints: []
362## @param extraPodSpec Optionally specify extra PodSpec
365## @param extraVolumes Optionally specify extra list of additional volumes for Tomcat pods in Deployment
368## @param extraVolumeClaimTemplates Optionally specify extra list of additional volume claim templates for Tomcat pods in StatefulSet
370extraVolumeClaimTemplates: []
371## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Tomcat container(s)
374## @param initContainers Add init containers to the Tomcat pods.
377## - name: your-image-name
379## imagePullPolicy: Always
382## containerPort: 1234
385## Pod Disruption Budget configuration
386## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
387## @param pdb.create Enable/disable a Pod Disruption Budget creation
388## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
389## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
395## @param sidecars Add sidecars to the Tomcat pods.
398## - name: your-image-name
400## imagePullPolicy: Always
403## containerPort: 1234
406## Enable persistence using Persistent Volume Claims
407## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
410 ## @param persistence.enabled Enable persistence
413 ## @param persistence.storageClass PVC Storage Class for Tomcat volume
414 ## If defined, storageClassName: <storageClass>
415 ## If set to "-", storageClassName: "", which disables dynamic provisioning
416 ## If undefined (the default) or set to null, no storageClassName spec is
417 ## set, choosing the default provisioner. (gp2 on AWS, standard on
418 ## GKE, AWS & OpenStack)
421 ## @param persistence.annotations Persistent Volume Claim annotations
424 ## @param persistence.accessModes PVC Access Modes for Tomcat volume
428 ## @param persistence.size PVC Storage Request for Tomcat volume
431 ## @param persistence.existingClaim An Existing PVC name for Tomcat volume
434 ## @param persistence.selectorLabels Selector labels to use in volume claim template in statefulset
435 ## Applicable when deployment.type is statefulset
438## Network Policy configuration
439## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
442 ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
445 ## @param networkPolicy.allowExternal Don't require server label for connections
446 ## The Policy model to apply. When set to false, only pods with the correct
447 ## server label will have network access to the ports server is listening
448 ## on. When true, server will accept connections from any source
449 ## (with the correct destination port).
452 ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
454 allowExternalEgress: true
455 ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
465 ## - matchExpressions:
471 ## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
481 ## - matchExpressions:
488 ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
489 ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
491 ingressNSMatchLabels: {}
492 ingressNSPodMatchLabels: {}
494## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
497 ## @param serviceAccount.create Enable creation of ServiceAccount for Tomcat pod
500 ## @param serviceAccount.name The name of the ServiceAccount to use.
501 ## If not set and create is true, a name is generated using the common.names.fullname template
504 ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
505 ## Can be set to false if pods using this serviceAccount do not need to use K8s API
507 automountServiceAccountToken: false
508 ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
511## @section Traffic Exposure parameters
517 ## @param service.type Kubernetes Service type
518 ## For minikube, set this to NodePort, elsewhere use LoadBalancer
521 ## @param service.ports.http Service HTTP port
525 ## @param service.nodePorts.http Kubernetes http node port
526 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
530 ## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
533 ## @param service.loadBalancerIP Port Use serviceLoadBalancerIP to request a specific static IP, otherwise leave blank
536 ## @param service.clusterIP Service Cluster IP
541 ## @param service.loadBalancerSourceRanges Service Load Balancer sources
542 ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
544 ## loadBalancerSourceRanges:
547 loadBalancerSourceRanges: []
548 ## @param service.externalTrafficPolicy Enable client source IP preservation
549 ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
551 externalTrafficPolicy: Cluster
552 ## @param service.annotations Annotations for Tomcat service
553 ## set the LoadBalancer service type to internal only.
554 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
557 ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
558 ## If "ClientIP", consecutive client requests will be directed to the same Pod
559 ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
561 sessionAffinity: None
562 ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
563 ## sessionAffinityConfig:
565 ## timeoutSeconds: 300
567 sessionAffinityConfig: {}
568 ## Headless service properties
571 ## @param service.headless.annotations Annotations for the headless service.
574## Ingress configuratiom
577 ## @param ingress.enabled Enable ingress controller resource
580 ## DEPRECATED: Use ingress.annotations instead of ingress.certManager
581 ## certManager: false
584 ## @param ingress.hostname Default host for the ingress resource
586 hostname: tomcat.local
587 ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
588 ## For a full list of possible ingress annotations, please see
589 ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
590 ## Use this parameter to set the required annotations for cert-manager, see
591 ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
595 ## kubernetes.io/ingress.class: nginx
596 ## cert-manager.io/cluster-issuer: cluster-issuer-name
599 ## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
600 ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
601 ## You can use the ingress.secrets parameter to create this TLS secret, rely on cert-manager to create it, or
602 ## let the chart create self-signed certificates for you
605 ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
606 ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
609 ## - name: tomcat.local
613 ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
614 ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
619 ## secretName: tomcat.local-tls
622 ## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
623 ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
627 ## serviceName: ssl-redirect
628 ## servicePort: use-annotation
631 ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
634 ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
635 ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
636 ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
639 ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
640 ## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY-----
641 ## name should line up with a secretName set further up
643 ## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you
644 ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created
645 ## It is also possible to create and manage the certificates outside of this helm chart
646 ## Please see README.md for more information
650 ## - name: tomcat.local-tls
655 ## @param ingress.extraRules Additional rules to be covered with this ingress record
656 ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
659 ## - host: tomcat.local
669 ## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
672 ## @param ingress.path Ingress path
675 ## @param ingress.pathType Ingress path type
677 pathType: ImplementationSpecific
678## @section Volume Permissions parameters
681## Init containers parameters:
682## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
685 ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory
688 ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
689 ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
690 ## @skip volumePermissions.image.tag Init container volume-permissions image tag
691 ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
692 ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
693 ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
697 repository: chainguard-private/os-shell-iamguarded
700 pullPolicy: IfNotPresent
701 ## Optionally specify an array of imagePullSecrets.
702 ## Secrets must be manually created in the namespace.
703 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
706 ## - myRegistryKeySecretName
709 ## Init container' resource requests and limits
710 ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
711 ## We usually recommend not to specify default resources and to leave this as a conscious
712 ## choice for the user. This also increases chances charts run on environments with little
713 ## resources, such as Minikube. If you do want to specify resources, uncomment the following
714 ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
715 ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
717 resourcesPreset: "none"
718 ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
729## @section Metrics parameters
731## Prometheus Exporters / Metrics
734 ## Prometheus JMX Exporter: exposes the majority of tomcat jvm metrics
737 ## @param metrics.jmx.enabled Whether or not to expose JMX metrics to Prometheus
740 ## @param metrics.jmx.catalinaOpts custom option used to enabled JMX on tomcat jvm evaluated as template
742 catalinaOpts: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=5555 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=true
743 ## Iamguarded JMX exporter image
744 ## @param metrics.jmx.image.registry [default: REGISTRY_NAME] JMX exporter image registry
745 ## @param metrics.jmx.image.repository [default: REPOSITORY_NAME/jmx-exporter] JMX exporter image repository
746 ## @skip metrics.jmx.image.tag JMX exporter image tag (immutable tags are recommended)
747 ## @param metrics.jmx.image.digest JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
748 ## @param metrics.jmx.image.pullPolicy JMX exporter image pull policy
749 ## @param metrics.jmx.image.pullSecrets Specify docker-registry secret names as an array
753 repository: chainguard-private/jmx-exporter-iamguarded
756 ## Specify a imagePullPolicy
757 ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
759 pullPolicy: IfNotPresent
760 ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
761 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
764 ## - myRegistryKeySecretName
767 ## @param metrics.jmx.config [string] Configuration file for JMX exporter
768 ## Specify content for jmx-tomcat-prometheus.yml. Evaluated as a template
771 jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:5555/jmxrmi
774 lowercaseOutputName: true
775 lowercaseOutputLabelNames: true
776 attrNameSnakeCase: true
777 ## Prometheus JMX exporter containers' Security Context
778 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
779 ## @param metrics.jmx.containerSecurityContext.enabled Enabled containers' Security Context
780 ## @param metrics.jmx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
781 ## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
782 ## @param metrics.jmx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
783 ## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
784 ## @param metrics.jmx.containerSecurityContext.privileged Set container's Security Context privileged
785 ## @param metrics.jmx.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
786 ## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
787 ## @param metrics.jmx.containerSecurityContext.capabilities.drop List of capabilities to be dropped
788 ## @param metrics.jmx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
789 containerSecurityContext:
796 readOnlyRootFilesystem: true
797 allowPrivilegeEscalation: false
801 type: "RuntimeDefault"
802 ## Prometheus JMX Exporter' resource requests and limits
803 ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
804 ## We usually recommend not to specify default resources and to leave this as a conscious
805 ## choice for the user. This also increases chances charts run on environments with little
806 ## resources, such as Minikube. If you do want to specify resources, uncomment the following
807 ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
808 ## @param metrics.jmx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.jmx.resources is set (metrics.jmx.resources is recommended for production).
810 resourcesPreset: "none"
811 ## @param metrics.jmx.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
822 ## @param metrics.jmx.ports.metrics JMX Exporter container metrics ports
826 ## @param metrics.jmx.existingConfigmap Name of existing ConfigMap with JMX exporter configuration
827 ## NOTE: This will override metrics.jmx.config
829 existingConfigmap: ""
830 ## Prometheus pod Monitor
831 ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmonitorspec
834 ## @param metrics.podMonitor.podTargetLabels Used to keep given pod's labels in target
836 ## - app.kubernetes.io/name
839 ## @param metrics.podMonitor.enabled Create PodMonitor Resource for scraping metrics using PrometheusOperator
842 ## @param metrics.podMonitor.namespace Optional namespace in which Prometheus is running
845 ## @param metrics.podMonitor.interval Specify the interval at which metrics should be scraped
848 ## @param metrics.podMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
851 ## @param metrics.podMonitor.additionalLabels [object] Additional labels that can be used so PodMonitors will be discovered by Prometheus
852 ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
855 ## @param metrics.podMonitor.scheme Scheme to use for scraping
858 ## @param metrics.podMonitor.tlsConfig [object] TLS configuration used for scrape endpoints used by Prometheus
859 ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
864 ## name: existingSecretName
867 ## @param metrics.podMonitor.relabelings [array] Prometheus relabeling rules
870 ## Custom PrometheusRule to be defined
871 ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
872 ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
875 ## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator
878 ## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus
881 ## @param metrics.prometheusRule.namespace namespace where prometheusRules resource should be created
884 ## @param metrics.prometheusRule.rules Create specified [Rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/)
885 ## Make sure to constraint the rules to the current tomcat service.
887 ## - alert: HugeReplicationLag
888 ## expr: up{service="{{ template "common.names.fullname" . }}-metrics"} < 1
891 ## severity: critical
893 ## description: Service {{ template "common.names.fullname" . }} Tomcat is down since 1m.
894 ## summary: Tomcat instance is down.