DirectorySecurity AdvisoriesPricing
Sign in
Directory
tomcat logoHELM

tomcat

Helm chart
iamguarded
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
# This file has been modified by Chainguard, Inc.
2
#
3
# Copyright Chainguard, Inc. All Rights Reserved.
4
# Chainguard, Inc. modifications are subject to the license
5
# available at: https://www.chainguard.dev/legal/software-license-agreement
6
#
7
# Copyright Broadcom, Inc. All Rights Reserved.
8
# SPDX-License-Identifier: APACHE-2.0
9
10
## @section Global parameters
11
## Global Docker image parameters
12
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
13
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
14
##
15
16
## @param global.imageRegistry Global Docker image registry
17
## @param global.imagePullSecrets Global Docker registry secret names as an array
18
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
19
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
20
##
21
global:
22
imageRegistry: ""
23
## E.g.
24
## imagePullSecrets:
25
## - myRegistryKeySecretName
26
##
27
imagePullSecrets: []
28
defaultStorageClass: ""
29
storageClass: ""
30
## Security parameters
31
##
32
security:
33
## @param global.security.allowInsecureImages Allows skipping image verification
34
allowInsecureImages: false
35
## Compatibility adaptations for Kubernetes platforms
36
##
37
compatibility:
38
## Compatibility adaptations for Openshift
39
##
40
openshift:
41
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
42
##
43
adaptSecurityContext: disabled
44
org: ""
45
## @section Common parameters
46
##
47
48
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
49
##
50
kubeVersion: ""
51
## @param nameOverride String to partially override common.names.fullname template (will maintain the release name)
52
##
53
nameOverride: ""
54
## @param fullnameOverride String to fully override common.names.fullname template
55
##
56
fullnameOverride: ""
57
## @param commonLabels Add labels to all the deployed resources
58
##
59
commonLabels: {}
60
## @param commonAnnotations Add annotations to all the deployed resources
61
##
62
commonAnnotations: {}
63
## @param clusterDomain Kubernetes Cluster Domain
64
##
65
clusterDomain: cluster.local
66
## @param extraDeploy Array of extra objects to deploy with the release
67
##
68
extraDeploy: []
69
## @param usePasswordFiles Mount credentials as files instead of using environment variables
70
##
71
usePasswordFiles: true
72
## @section Tomcat parameters
73
##
74
75
## Iamguarded Tomcat image version
76
## @param image.registry [default: REGISTRY_NAME] Tomcat image registry
77
## @param image.repository [default: REPOSITORY_NAME/tomcat] Tomcat image repository
78
## @skip image.tag Tomcat image tag (immutable tags are recommended)
79
## @param image.digest Tomcat image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
80
## @param image.pullPolicy Tomcat image pull policy
81
## @param image.pullSecrets Specify docker-registry secret names as an array
82
## @param image.debug Specify if debug logs should be enabled
83
##
84
image:
85
registry: cgr.dev
86
repository: chainguard-private/tomcat-iamguarded
87
tag: 11.0.24
88
digest: ""
89
## Specify a imagePullPolicy
90
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
91
##
92
pullPolicy: IfNotPresent
93
## Optionally specify an array of imagePullSecrets.
94
## Secrets must be manually created in the namespace.
95
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
96
## Example:
97
## pullSecrets:
98
## - myRegistryKeySecretName
99
##
100
pullSecrets: []
101
## Set to true if you would like to see extra information on logs
102
##
103
debug: false
104
## @param automountServiceAccountToken Mount Service Account token in pod
105
##
106
automountServiceAccountToken: false
107
## @param hostAliases Deployment pod host aliases
108
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
109
##
110
hostAliases: []
111
## @param tomcatUsername Tomcat admin user
112
##
113
tomcatUsername: user
114
## @param tomcatPassword Tomcat admin password
115
##
116
tomcatPassword: ""
117
## @param existingSecret Use existing secret for credentials details (`tomcatUsername` and `tomcatPassword` will be ignored and picked up from this secret)
118
##
119
existingSecret: ""
120
## @param secretKeys.adminUsernameKey Name of key in existing secret to use instead of default `tomcat-username` key to provide Tomcat admin username (overrides `tomcatUsername`). Only used when `existingSecret` is set
121
## @param secretKeys.adminPasswordKey Name of key in existing secret to use instead of default `tomcat-password` key to provide Tomcat admin password (overrides `tomcatPassword`). Only used when `existingSecret` is set
122
##
123
secretKeys:
124
adminUsernameKey: ""
125
adminPasswordKey: ""
126
## @param tomcatAllowRemoteManagement Enable remote access to management interface
127
##
128
tomcatAllowRemoteManagement: 0
129
## @param catalinaOpts Java runtime option used by tomcat JVM
130
##
131
catalinaOpts: ""
132
## @param command Override default container command (useful when using custom images)
133
##
134
command: []
135
## @param args Override default container args (useful when using custom images)
136
##
137
args: []
138
## @param extraEnvVars Extra environment variables to be set on Tomcat container
139
## Example:
140
## extraEnvVars:
141
## - name: FOO
142
## value: "bar"
143
##
144
extraEnvVars: []
145
## @param extraEnvVarsCM Name of existing ConfigMap containing extra environment variables
146
##
147
extraEnvVarsCM: ""
148
## @param extraEnvVarsSecret Name of existing Secret containing extra environment variables
149
##
150
extraEnvVarsSecret: ""
151
## @section Tomcat deployment parameters
152
##
153
154
## @param replicaCount Specify number of Tomcat replicas
155
##
156
replicaCount: 1
157
## Deployment
158
##
159
deployment:
160
## @param deployment.type Use Deployment or StatefulSet
161
##
162
type: deployment
163
## Strategy to use to update Pods
164
##
165
updateStrategy:
166
## @param updateStrategy.type StrategyType
167
## Can be set to RollingUpdate or OnDelete
168
##
169
type: RollingUpdate
170
## @param containerPorts.http HTTP port to expose at container level
171
##
172
containerPorts:
173
http: 8080
174
## @param containerExtraPorts Extra ports to expose at container level
175
##
176
## Example:
177
## containerExtraPorts:
178
## - name: ajp
179
## containerPort: 8081
180
##
181
containerExtraPorts: []
182
## Tomcat pods' Security Context
183
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
184
## @param podSecurityContext.enabled Enable Tomcat pods' Security Context
185
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
186
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
187
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
188
## @param podSecurityContext.fsGroup Set Tomcat pod's Security Context fsGroup
189
##
190
podSecurityContext:
191
enabled: true
192
fsGroupChangePolicy: Always
193
sysctls: []
194
supplementalGroups: []
195
fsGroup: 1001
196
## Tomcat containers' SecurityContext
197
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
198
## @param containerSecurityContext.enabled Enabled containers' Security Context
199
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
200
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
201
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
202
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
203
## @param containerSecurityContext.privileged Set container's Security Context privileged
204
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
205
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
206
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
207
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
208
##
209
containerSecurityContext:
210
enabled: true
211
seLinuxOptions: {}
212
runAsUser: 1001
213
runAsGroup: 1001
214
runAsNonRoot: true
215
privileged: false
216
readOnlyRootFilesystem: true
217
allowPrivilegeEscalation: false
218
capabilities:
219
drop: ["ALL"]
220
seccompProfile:
221
type: "RuntimeDefault"
222
## Tomcat containers' resource requests and limits
223
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
224
## We usually recommend not to specify default resources and to leave this as a conscious
225
## choice for the user. This also increases chances charts run on environments with little
226
## resources, such as Minikube. If you do want to specify resources, uncomment the following
227
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
228
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
229
##
230
resourcesPreset: "micro"
231
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
232
## Example:
233
## resources:
234
## requests:
235
## cpu: 2
236
## memory: 512Mi
237
## limits:
238
## cpu: 3
239
## memory: 1024Mi
240
##
241
resources: {}
242
## Configure extra options for liveness probe
243
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
244
## @param livenessProbe.enabled Enable livenessProbe
245
## @param livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
246
## @param livenessProbe.periodSeconds Period seconds for livenessProbe
247
## @param livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
248
## @param livenessProbe.failureThreshold Failure threshold for livenessProbe
249
## @param livenessProbe.successThreshold Success threshold for livenessProbe
250
##
251
livenessProbe:
252
enabled: true
253
initialDelaySeconds: 120
254
periodSeconds: 10
255
failureThreshold: 6
256
timeoutSeconds: 5
257
successThreshold: 1
258
## Configure extra options for readiness probe
259
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
260
## @param readinessProbe.enabled Enable readinessProbe
261
## @param readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
262
## @param readinessProbe.periodSeconds Period seconds for readinessProbe
263
## @param readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
264
## @param readinessProbe.failureThreshold Failure threshold for readinessProbe
265
## @param readinessProbe.successThreshold Success threshold for readinessProbe
266
##
267
readinessProbe:
268
enabled: true
269
initialDelaySeconds: 30
270
periodSeconds: 5
271
failureThreshold: 3
272
timeoutSeconds: 3
273
successThreshold: 1
274
## Configure extra options for startup probe
275
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-startup-probes/#configure-probes
276
## @param startupProbe.enabled Enable startupProbe
277
## @param startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
278
## @param startupProbe.periodSeconds Period seconds for startupProbe
279
## @param startupProbe.timeoutSeconds Timeout seconds for startupProbe
280
## @param startupProbe.failureThreshold Failure threshold for startupProbe
281
## @param startupProbe.successThreshold Success threshold for startupProbe
282
##
283
startupProbe:
284
enabled: false
285
initialDelaySeconds: 30
286
periodSeconds: 5
287
failureThreshold: 3
288
timeoutSeconds: 3
289
successThreshold: 1
290
## @param customLivenessProbe Override default liveness probe
291
##
292
customLivenessProbe: {}
293
## @param customReadinessProbe Override default readiness probe
294
##
295
customReadinessProbe: {}
296
## @param customStartupProbe Override default startup probe
297
##
298
customStartupProbe: {}
299
## @param podLabels Extra labels for Tomcat pods
300
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
301
##
302
podLabels: {}
303
## @param podAnnotations Annotations for Tomcat pods
304
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
305
##
306
podAnnotations: {}
307
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
308
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
309
##
310
podAffinityPreset: ""
311
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
312
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
313
##
314
podAntiAffinityPreset: soft
315
## Node affinity preset
316
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
317
##
318
nodeAffinityPreset:
319
## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
320
##
321
type: ""
322
## @param nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set.
323
## E.g.
324
## key: "kubernetes.io/e2e-az-name"
325
##
326
key: ""
327
## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
328
## E.g.
329
## values:
330
## - e2e-az1
331
## - e2e-az2
332
##
333
values: []
334
## @param affinity Affinity for pod assignment. Evaluated as a template.
335
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
336
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
337
##
338
affinity: {}
339
## @param nodeSelector Node labels for pod assignment. Evaluated as a template.
340
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
341
##
342
nodeSelector: {}
343
## @param schedulerName Alternative scheduler
344
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
345
##
346
schedulerName: ""
347
## @param lifecycleHooks [object] Override default etcd container hooks
348
##
349
lifecycleHooks: {}
350
## @param podManagementPolicy podManagementPolicy to manage scaling operation of pods (only in StatefulSet mode)
351
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
352
##
353
podManagementPolicy: ""
354
## @param tolerations Tolerations for pod assignment. Evaluated as a template.
355
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
356
##
357
tolerations: []
358
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
359
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
360
##
361
topologySpreadConstraints: []
362
## @param extraPodSpec Optionally specify extra PodSpec
363
##
364
extraPodSpec: {}
365
## @param extraVolumes Optionally specify extra list of additional volumes for Tomcat pods in Deployment
366
##
367
extraVolumes: []
368
## @param extraVolumeClaimTemplates Optionally specify extra list of additional volume claim templates for Tomcat pods in StatefulSet
369
##
370
extraVolumeClaimTemplates: []
371
## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts for Tomcat container(s)
372
##
373
extraVolumeMounts: []
374
## @param initContainers Add init containers to the Tomcat pods.
375
## Example:
376
## initContainers:
377
## - name: your-image-name
378
## image: your-image
379
## imagePullPolicy: Always
380
## ports:
381
## - name: portname
382
## containerPort: 1234
383
##
384
initContainers: []
385
## Pod Disruption Budget configuration
386
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
387
## @param pdb.create Enable/disable a Pod Disruption Budget creation
388
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
389
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
390
##
391
pdb:
392
create: true
393
minAvailable: ""
394
maxUnavailable: ""
395
## @param sidecars Add sidecars to the Tomcat pods.
396
## Example:
397
## sidecars:
398
## - name: your-image-name
399
## image: your-image
400
## imagePullPolicy: Always
401
## ports:
402
## - name: portname
403
## containerPort: 1234
404
##
405
sidecars: []
406
## Enable persistence using Persistent Volume Claims
407
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
408
##
409
persistence:
410
## @param persistence.enabled Enable persistence
411
##
412
enabled: true
413
## @param persistence.storageClass PVC Storage Class for Tomcat volume
414
## If defined, storageClassName: <storageClass>
415
## If set to "-", storageClassName: "", which disables dynamic provisioning
416
## If undefined (the default) or set to null, no storageClassName spec is
417
## set, choosing the default provisioner. (gp2 on AWS, standard on
418
## GKE, AWS & OpenStack)
419
##
420
storageClass: ""
421
## @param persistence.annotations Persistent Volume Claim annotations
422
##
423
annotations: {}
424
## @param persistence.accessModes PVC Access Modes for Tomcat volume
425
##
426
accessModes:
427
- ReadWriteOnce
428
## @param persistence.size PVC Storage Request for Tomcat volume
429
##
430
size: 8Gi
431
## @param persistence.existingClaim An Existing PVC name for Tomcat volume
432
##
433
existingClaim: ""
434
## @param persistence.selectorLabels Selector labels to use in volume claim template in statefulset
435
## Applicable when deployment.type is statefulset
436
##
437
selectorLabels: {}
438
## Network Policy configuration
439
## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
440
##
441
networkPolicy:
442
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
443
##
444
enabled: true
445
## @param networkPolicy.allowExternal Don't require server label for connections
446
## The Policy model to apply. When set to false, only pods with the correct
447
## server label will have network access to the ports server is listening
448
## on. When true, server will accept connections from any source
449
## (with the correct destination port).
450
##
451
allowExternal: true
452
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
453
##
454
allowExternalEgress: true
455
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
456
## e.g:
457
## extraIngress:
458
## - ports:
459
## - port: 1234
460
## from:
461
## - podSelector:
462
## - matchLabels:
463
## - role: frontend
464
## - podSelector:
465
## - matchExpressions:
466
## - key: role
467
## operator: In
468
## values:
469
## - frontend
470
extraIngress: []
471
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
472
## e.g:
473
## extraEgress:
474
## - ports:
475
## - port: 1234
476
## to:
477
## - podSelector:
478
## - matchLabels:
479
## - role: frontend
480
## - podSelector:
481
## - matchExpressions:
482
## - key: role
483
## operator: In
484
## values:
485
## - frontend
486
##
487
extraEgress: []
488
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
489
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
490
##
491
ingressNSMatchLabels: {}
492
ingressNSPodMatchLabels: {}
493
## Service Account
494
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
495
##
496
serviceAccount:
497
## @param serviceAccount.create Enable creation of ServiceAccount for Tomcat pod
498
##
499
create: true
500
## @param serviceAccount.name The name of the ServiceAccount to use.
501
## If not set and create is true, a name is generated using the common.names.fullname template
502
##
503
name: ""
504
## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
505
## Can be set to false if pods using this serviceAccount do not need to use K8s API
506
##
507
automountServiceAccountToken: false
508
## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
509
##
510
annotations: {}
511
## @section Traffic Exposure parameters
512
##
513
514
## Service parameters
515
##
516
service:
517
## @param service.type Kubernetes Service type
518
## For minikube, set this to NodePort, elsewhere use LoadBalancer
519
##
520
type: LoadBalancer
521
## @param service.ports.http Service HTTP port
522
##
523
ports:
524
http: 80
525
## @param service.nodePorts.http Kubernetes http node port
526
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
527
##
528
nodePorts:
529
http: ""
530
## @param service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
531
##
532
extraPorts: []
533
## @param service.loadBalancerIP Port Use serviceLoadBalancerIP to request a specific static IP, otherwise leave blank
534
##
535
loadBalancerIP: ""
536
## @param service.clusterIP Service Cluster IP
537
## e.g.:
538
## clusterIP: None
539
##
540
clusterIP: ""
541
## @param service.loadBalancerSourceRanges Service Load Balancer sources
542
## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
543
## e.g:
544
## loadBalancerSourceRanges:
545
## - 10.10.10.0/24
546
##
547
loadBalancerSourceRanges: []
548
## @param service.externalTrafficPolicy Enable client source IP preservation
549
## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
550
##
551
externalTrafficPolicy: Cluster
552
## @param service.annotations Annotations for Tomcat service
553
## set the LoadBalancer service type to internal only.
554
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
555
##
556
annotations: {}
557
## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
558
## If "ClientIP", consecutive client requests will be directed to the same Pod
559
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
560
##
561
sessionAffinity: None
562
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
563
## sessionAffinityConfig:
564
## clientIP:
565
## timeoutSeconds: 300
566
##
567
sessionAffinityConfig: {}
568
## Headless service properties
569
##
570
headless:
571
## @param service.headless.annotations Annotations for the headless service.
572
##
573
annotations: {}
574
## Ingress configuratiom
575
##
576
ingress:
577
## @param ingress.enabled Enable ingress controller resource
578
##
579
enabled: false
580
## DEPRECATED: Use ingress.annotations instead of ingress.certManager
581
## certManager: false
582
##
583
584
## @param ingress.hostname Default host for the ingress resource
585
##
586
hostname: tomcat.local
587
## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
588
## For a full list of possible ingress annotations, please see
589
## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
590
## Use this parameter to set the required annotations for cert-manager, see
591
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
592
##
593
## e.g:
594
## annotations:
595
## kubernetes.io/ingress.class: nginx
596
## cert-manager.io/cluster-issuer: cluster-issuer-name
597
##
598
annotations: {}
599
## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
600
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
601
## You can use the ingress.secrets parameter to create this TLS secret, rely on cert-manager to create it, or
602
## let the chart create self-signed certificates for you
603
##
604
tls: false
605
## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
606
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
607
## Example:
608
## extraHosts:
609
## - name: tomcat.local
610
## path: /
611
##
612
extraHosts: []
613
## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
614
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
615
## Example:
616
## extraTls:
617
## - hosts:
618
## - tomcat.local
619
## secretName: tomcat.local-tls
620
##
621
extraTls: []
622
## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
623
## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
624
## extraPaths:
625
## - path: /*
626
## backend:
627
## serviceName: ssl-redirect
628
## servicePort: use-annotation
629
##
630
extraPaths: []
631
## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
632
##
633
selfSigned: false
634
## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
635
## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
636
## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
637
##
638
ingressClassName: ""
639
## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
640
## key and certificate should start with -----BEGIN CERTIFICATE----- or -----BEGIN RSA PRIVATE KEY-----
641
## name should line up with a secretName set further up
642
##
643
## If it is not set and you're using cert-manager, this is unneeded, as it will create the secret for you
644
## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created
645
## It is also possible to create and manage the certificates outside of this helm chart
646
## Please see README.md for more information
647
##
648
## Example
649
## secrets:
650
## - name: tomcat.local-tls
651
## key: ""
652
## certificate: ""
653
##
654
secrets: []
655
## @param ingress.extraRules Additional rules to be covered with this ingress record
656
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
657
## e.g:
658
## extraRules:
659
## - host: tomcat.local
660
## http:
661
## path: /
662
## backend:
663
## service:
664
## name: tomcat-svc
665
## port:
666
## name: http
667
##
668
extraRules: []
669
## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
670
##
671
apiVersion: ""
672
## @param ingress.path Ingress path
673
##
674
path: /
675
## @param ingress.pathType Ingress path type
676
##
677
pathType: ImplementationSpecific
678
## @section Volume Permissions parameters
679
##
680
681
## Init containers parameters:
682
## volumePermissions: Change the owner and group of the persistent volume mountpoint to runAsUser:fsGroup values from the securityContext section.
683
##
684
volumePermissions:
685
## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory
686
##
687
enabled: false
688
## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
689
## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image repository
690
## @skip volumePermissions.image.tag Init container volume-permissions image tag
691
## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
692
## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
693
## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
694
##
695
image:
696
registry: cgr.dev
697
repository: chainguard-private/os-shell-iamguarded
698
tag: 1.0.0
699
digest: ""
700
pullPolicy: IfNotPresent
701
## Optionally specify an array of imagePullSecrets.
702
## Secrets must be manually created in the namespace.
703
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
704
## Example:
705
## pullSecrets:
706
## - myRegistryKeySecretName
707
##
708
pullSecrets: []
709
## Init container' resource requests and limits
710
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
711
## We usually recommend not to specify default resources and to leave this as a conscious
712
## choice for the user. This also increases chances charts run on environments with little
713
## resources, such as Minikube. If you do want to specify resources, uncomment the following
714
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
715
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
716
##
717
resourcesPreset: "none"
718
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
719
## Example:
720
## resources:
721
## requests:
722
## cpu: 2
723
## memory: 512Mi
724
## limits:
725
## cpu: 3
726
## memory: 1024Mi
727
##
728
resources: {}
729
## @section Metrics parameters
730
731
## Prometheus Exporters / Metrics
732
##
733
metrics:
734
## Prometheus JMX Exporter: exposes the majority of tomcat jvm metrics
735
##
736
jmx:
737
## @param metrics.jmx.enabled Whether or not to expose JMX metrics to Prometheus
738
##
739
enabled: false
740
## @param metrics.jmx.catalinaOpts custom option used to enabled JMX on tomcat jvm evaluated as template
741
##
742
catalinaOpts: -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=5555 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=true
743
## Iamguarded JMX exporter image
744
## @param metrics.jmx.image.registry [default: REGISTRY_NAME] JMX exporter image registry
745
## @param metrics.jmx.image.repository [default: REPOSITORY_NAME/jmx-exporter] JMX exporter image repository
746
## @skip metrics.jmx.image.tag JMX exporter image tag (immutable tags are recommended)
747
## @param metrics.jmx.image.digest JMX exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
748
## @param metrics.jmx.image.pullPolicy JMX exporter image pull policy
749
## @param metrics.jmx.image.pullSecrets Specify docker-registry secret names as an array
750
##
751
image:
752
registry: cgr.dev
753
repository: chainguard-private/jmx-exporter-iamguarded
754
tag: 1.6.0
755
digest: ""
756
## Specify a imagePullPolicy
757
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
758
##
759
pullPolicy: IfNotPresent
760
## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
761
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
762
## Example:
763
## pullSecrets:
764
## - myRegistryKeySecretName
765
##
766
pullSecrets: []
767
## @param metrics.jmx.config [string] Configuration file for JMX exporter
768
## Specify content for jmx-tomcat-prometheus.yml. Evaluated as a template
769
##
770
config: |
771
jmxUrl: service:jmx:rmi:///jndi/rmi://127.0.0.1:5555/jmxrmi
772
startDelaySecs: 120
773
ssl: false
774
lowercaseOutputName: true
775
lowercaseOutputLabelNames: true
776
attrNameSnakeCase: true
777
## Prometheus JMX exporter containers' Security Context
778
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
779
## @param metrics.jmx.containerSecurityContext.enabled Enabled containers' Security Context
780
## @param metrics.jmx.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
781
## @param metrics.jmx.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
782
## @param metrics.jmx.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
783
## @param metrics.jmx.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
784
## @param metrics.jmx.containerSecurityContext.privileged Set container's Security Context privileged
785
## @param metrics.jmx.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
786
## @param metrics.jmx.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
787
## @param metrics.jmx.containerSecurityContext.capabilities.drop List of capabilities to be dropped
788
## @param metrics.jmx.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
789
containerSecurityContext:
790
enabled: true
791
seLinuxOptions: {}
792
runAsUser: 1001
793
runAsGroup: 1001
794
runAsNonRoot: true
795
privileged: false
796
readOnlyRootFilesystem: true
797
allowPrivilegeEscalation: false
798
capabilities:
799
drop: ["ALL"]
800
seccompProfile:
801
type: "RuntimeDefault"
802
## Prometheus JMX Exporter' resource requests and limits
803
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
804
## We usually recommend not to specify default resources and to leave this as a conscious
805
## choice for the user. This also increases chances charts run on environments with little
806
## resources, such as Minikube. If you do want to specify resources, uncomment the following
807
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
808
## @param metrics.jmx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.jmx.resources is set (metrics.jmx.resources is recommended for production).
809
##
810
resourcesPreset: "none"
811
## @param metrics.jmx.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
812
## Example:
813
## resources:
814
## requests:
815
## cpu: 2
816
## memory: 512Mi
817
## limits:
818
## cpu: 3
819
## memory: 1024Mi
820
##
821
resources: {}
822
## @param metrics.jmx.ports.metrics JMX Exporter container metrics ports
823
##
824
ports:
825
metrics: 5556
826
## @param metrics.jmx.existingConfigmap Name of existing ConfigMap with JMX exporter configuration
827
## NOTE: This will override metrics.jmx.config
828
##
829
existingConfigmap: ""
830
## Prometheus pod Monitor
831
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmonitorspec
832
##
833
podMonitor:
834
## @param metrics.podMonitor.podTargetLabels Used to keep given pod's labels in target
835
## e.g:
836
## - app.kubernetes.io/name
837
##
838
podTargetLabels: []
839
## @param metrics.podMonitor.enabled Create PodMonitor Resource for scraping metrics using PrometheusOperator
840
##
841
enabled: false
842
## @param metrics.podMonitor.namespace Optional namespace in which Prometheus is running
843
##
844
namespace: ""
845
## @param metrics.podMonitor.interval Specify the interval at which metrics should be scraped
846
##
847
interval: 30s
848
## @param metrics.podMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
849
##
850
scrapeTimeout: 30s
851
## @param metrics.podMonitor.additionalLabels [object] Additional labels that can be used so PodMonitors will be discovered by Prometheus
852
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
853
##
854
additionalLabels: {}
855
## @param metrics.podMonitor.scheme Scheme to use for scraping
856
##
857
scheme: http
858
## @param metrics.podMonitor.tlsConfig [object] TLS configuration used for scrape endpoints used by Prometheus
859
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
860
## e.g:
861
## tlsConfig:
862
## ca:
863
## secret:
864
## name: existingSecretName
865
##
866
tlsConfig: {}
867
## @param metrics.podMonitor.relabelings [array] Prometheus relabeling rules
868
##
869
relabelings: []
870
## Custom PrometheusRule to be defined
871
## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart
872
## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
873
##
874
prometheusRule:
875
## @param metrics.prometheusRule.enabled Set this to true to create prometheusRules for Prometheus operator
876
##
877
enabled: false
878
## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so prometheusRules will be discovered by Prometheus
879
##
880
additionalLabels: {}
881
## @param metrics.prometheusRule.namespace namespace where prometheusRules resource should be created
882
##
883
namespace: ""
884
## @param metrics.prometheusRule.rules Create specified [Rules](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/)
885
## Make sure to constraint the rules to the current tomcat service.
886
## rules:
887
## - alert: HugeReplicationLag
888
## expr: up{service="{{ template "common.names.fullname" . }}-metrics"} < 1
889
## for: 1m
890
## labels:
891
## severity: critical
892
## annotations:
893
## description: Service {{ template "common.names.fullname" . }} Tomcat is down since 1m.
894
## summary: Tomcat instance is down.
895
##
896
rules: []
897

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.