values.yaml

# Default values for StackStorm HA cluster
# This is a YAML-formatted file.

##
## Docker image settings, applied to all StackStorm pods
##
image:
  # utility image to use as sidecar for running startup scripts
  # allows you to override the registry namespace as well if you are using a private registry
  # ie
  # utilityImage: "myprivateregsistry.local/ext.docker.io/library/busybox:1.28"
  utilityImage: ""
  # Image pull policy
  pullPolicy: IfNotPresent
  # st2 image repository. Set this to override the default ("stackstorm").
  # Applies to all st2 containers except st2packs (which has its own setting).
  # This also does not impact dependencies such as mongo or redis, which have
  # their own helm chart settings.
  repository: ""
  # st2 image tag - defaults to AppVersion.
  # Note that Helm templating is supported in this block!
  tag: "{{ .Chart.AppVersion }}"
  # Image pull secret.
  # May be required for public docker hub due to rate limiting or any private repository.
  # See: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #pullSecret: "your-pull-secret"
  # Image entry point for st2* deployments (except st2web and st2chatops).
  # This chart replaces the entrypoint (command+args) baked into the docker images.
  # If you are have installed a custom init process (like dumb-init, pid1, tini or similar),
  # in the docker image(s) you are using, you can add that entrypoint here.
  entrypoint: []
    # For example you could add dumb-init like this (dumb-init must be present in the image).
    #- "/usr/bin/dumb-init"
    #- "--"

##
## local cluster domain suffix to enable fqdn lookups for redis, mongo
##  kube-dns defaults to cluster.local and allows override with --domain
##  core-dns has no default but allows config in k8 configmap
##    https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/#configuration-of-stub-domain-and-upstream-nameserver-using-coredns
##
clusterDomain: cluster.local

##
## Service Account
##
serviceAccount:
  # Whether the Chart should create the service account or not
  create: true
  # Used to define service account annotations
  serviceAccountAnnotations: {}
  # Used to override service account name
  serviceAccountName:
  # Used to define any custom labels required
  #serviceAccountLabels: {}

  # Fallback image pull secret.
  # If a pod does not have pull secrets, k8s will use the service account's pull secrets.
  # See: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
  #pullSecret: "your-pull-secret"

##
## StackStorm shared variables
##
st2:
  # Username, used to login to StackStorm system
  username: st2admin
  # Password, used to login to StackStorm system
  # If set, st2.password always overrides any existing password.
  # If not set, the password is auto-generated on install and preserved across upgrades.
  # Disabled if st2.existingAuthSecret is set
  #password: Ch@ngeMe
  # Name of existing ST2 Auth secret, disables creation of this secret
  # existingAuthSecret: ""
  # Name of existing ST2 datastore secret, disables creation of this secret
  # existingDatastoreSecret: ""

  # ST2 crypto key for the  K/V datastore.
  # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
  # If set, st2.datastore_crypto_key always overrides any existing datastore_crypto_key.
  # If not set, the datastore_crypto_key is auto-generated on install and preserved across upgrades.
  # If you want to disable datastore encryption, set "datastore_crypto_key: disable".
  #datastore_crypto_key: >-
  #  {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}
  # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)
  # If set, st2.ssh_key always overrides any existing ssh_key.
  # If not set, the ssh_key is auto-generated on install and preserved across upgrades.
  #ssh_key: |-
  #  -----BEGIN RSA PRIVATE KEY-----
  #  ...
  #  -----END RSA PRIVATE KEY-----

  # Custom StackStorm config (st2.user.conf) which will apply settings on top of default st2.conf
  # Note that Helm templating is supported in this block!
  config: |
    [api]
    allow_origin = '*'
    # fixes no replicaset found bug;
    [database]
    # Connection and server selection timeout (in ms).
    connection_timeout = 5000


  #Override Definitions can be added here.
  #https://docs.stackstorm.com/latest/packs.html#overriding-pack-defaults
  overrides: {}
  #  overrides:
  #    _global.yaml: |
  #      ---
  #      rules:
  #        defaults:
  #          enabled: true
  #    packA.yaml: |
  #      ---
  #      rules:
  #        rule.name:
  #          enabled: false


  # Custom StackStorm config (st2.secrets.conf) which will be created from the key 'st2.secrets.conf' within this secret.
  # If this is defined, '--config-file=/etc/st2/st2.secrets.conf' will be added to the end of the command line arguments
  # for all pods, superseding all other configuration values.
  # This secret must be populated outside of this chart.
  # existingConfigSecret: stackstorm-config-secret

  # This mirrors the [system_user] section of st2.conf, but makes the values available for helm templating.
  # If you change the user, you must provide a customized st2actionrunner image that includes your user.
  system_user:
    user: stanley
    # templating is allowed for this key
    ssh_key_file: "/home/{{ .Values.st2.system_user.user }}/.ssh/stanley_rsa"

  # Custom pack configs and image settings.
  #
  # By default, system packs are available. By default, however, `st2 pack install` cannot be run in the k8s cluster,
  # so you will need to bake additional packs into an 'st2packs' image. Please see github.com/stackstorm/stackstorm-k8s/README.md
  # for details on how to build this image.
  # To change this default, and use persistent/shared/writable storage that is available in your cluster, you need to
  # enable st2.packs.volumes below, adding volume definitions customized for use your cluster's storage provider.
  packs:
    # Custom StackStorm pack configs. Each record creates a file in '/opt/stackstorm/configs/'
    # https://docs.stackstorm.com/reference/pack_configs.html#configuration-file
    # NOTE: This takes precedence over the contents of st2.packs.volumes.configs (if defined) on helm upgrade.
    configs:
      core.yaml: |
        ---
        # example core pack config yaml

    # Custom packs images settings.
    #
    # For each given st2packs container you can define repository, name, tag and pullPolicy for this image below.
    # Multiple pack images can help when dealing with frequent updates by only rebuilding smaller images for desired packs
    # E.g. having all desired StackStorm-Exchange packs in one image and several custom packs in additional images
    images: []
      #- repository: index.docker.io/stackstorm
      #  name: st2packs
      #  tag: example
      #  pullPolicy: IfNotPresent
      # Optional name of the imagePullSecret if your custom packs image is hosted by a private Docker registry
      #  pullSecret: st2packs-auth
      # Optional .securityContext override for container
      #  securityContext:

    # Custom packs volumes definitions.
    #
    # Use this to have StackStorm use persistent/shared/writable storage configured previously in your cluster.
    # The choice of storage solution is cluster-dependent (it changes besed on where the cluster is hosted
    # and which storage solutions are available in your cluster).
    #
    # WARNING: These volumes must use ReadWriteMany (RWX) access mode so StackStorm
    # can dynamically install packs from any of the st2actionrunner pods and have those
    # file changes available in all of the other StackStorm pods.
    # see: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
    #
    # To use this, set enabled to true, and add cluster-specific volume definitions for at least packs and virtualenvs below.
    # Please consult the documentation for your cluster's storage solution.
    # Some generic examples are listed under st2.packs.volumes.packs below.
    volumes:
      enabled: false

      packs: {}
        # mounted to /opt/stackstorm/packs
        # packs volume definition is required if st2.packs.volumes is enabled

        # example using persistentVolumeClaim:
        #persistentVolumeClaim:
        #  claimName: pvc-st2-packs

        # example using NFS:
        #nfs:
        #  server: "10.12.34.56"
        #  path: /var/nfsshare/packs

        # example using a flexVolume + rook-ceph
        #flexVolume:
        #  driver: ceph.rook.io/rook
        #  fsType: ceph
        #  options:
        #    fsName: fs1
        #    clusterNamespace: rook-ceph
        #    path: /st2/packs

      virtualenvs: {}
        # mounted to /opt/stackstorm/virtualenvs
        # virtualenvs volume definition is required if st2.packs.volumes is enabled
        # see the examples under st2.packs.volumes.packs

      configs: {}
        # mounted to /opt/stackstorm/configs
        # configs volume definition is optional, but only used if st2.packs.volumes is enabled
        # Anything in `st2.packs.configs` will be added to this volume automatically on helm install/upgrade.
        # see the examples under st2.packs.volumes.packs

    # https://docs.stackstorm.com/reference/ha.html#st2sensorcontainer
    # It is possible to run st2sensorcontainer(s) in one of these modes:
    #   (1) run all sensors in one pod (1 deployment with 1 pod, the default); or
    #   (2) run multiple sensors per pod (2+ deployments with 1 pod each) using hash range partitions; or
    #   (3) run one sensor per pod using st2.packs.sensors (here).
    # Each sensor node needs to be provided with proper partition information to share work with other sensor
    # nodes so that the same sensor does not run on different nodes.
    # By default, this is empty and st2sensorcontainer.deployments (below) is 1 so that there is one pod to run all sensors.
    sensors: []
      # This is a list of sensor pods (stackstorm/sensor-mode=one-sensor-per-pod).
      # Each entry should have `name` (the pod name) and `ref` (which sensor to run in the pod).
      # Each entry can also include other pod settings (annotations, image, resources, etc).
      # These optional pod settings default to the values in st2sensorcontainer,
      # note: postStartScript is not valid in st2.packs.sensors. Use st2sensorcontainer.postStartScript instead.
      #
      # This example only defines name and ref, accepting all defaults in st2sensorcontainer:
      # - name: some-sensor-node
      #   ref: some_pack.some_sensor
      #
      # This example also uses a custom image tag:
      # - name: another-sensor-node
      #   ref: some_pack.another_sensor
      #   image:
      #     tag: 3.5.0-another_sensor-r1

  # Import data into StackStorm's Key/Value datastore (https://docs.stackstorm.com/datastore.html)
  keyvalue:
    #- name: st2_version
    #  scope: st2kv.system
    #  secret: false
    #  encrypted: false
    #  value: "2.9"
    #- name: release_name
    #  scope: st2kv.system
    #  secret: false
    #  encrypted: false
    #  # Note that Helm templating is supported in this block!
    #  value: "{{ .Release.Name }}"
  # Import a list of ST2 API Keys (https://docs.stackstorm.com/authentication.html#api-key-migration)
  apikeys:
    #- created_at: '2018-12-15T00:21:48.507388Z'
    #  enabled: true
    #  id: 5c14491c6cb8de1a9207e3a2
    #  key_hash: 56928c2d9637ce44338e9564d4b939df8b258410db23b5a80f8ad69d58e648b574f35f9293c3a76bde263738be9aa8379a81553cd55513ad672540b7b0ec0cac
    #  metadata: {"comment": "Example unsecure ST2 API key from K8s HA Helm values.yaml"}
    #  uid: api_key:56928c2d9637ce44338e9564d4b939df8b258410db23b5a80f8ad69d58e648b574f35f9293c3a76bde263738be9aa8379a81553cd55513ad672540b7b0ec0cac
    #  user: st2admin
  # StackStorm Role Based Access Control settings (https://docs.stackstorm.com/rbac.html)
  rbac:
    enabled: false
    # Custom StackStorm RBAC roles, shipped in '/opt/stackstorm/rbac/roles/'
    # See https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
    roles:
      # TIP: set files to an empty string to remove them (sample.yaml: "")
      sample.yaml: |
        # sample RBAC role file, see https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
        ---
        name: "sample"
        description: "Example Role which contains no permission grants and serves for demonstration purposes"

    # Custom StackStorm RBAC role assignments, shipped in '/opt/stackstorm/rbac/assignments/'
    # See: https://docs.stackstorm.com/rbac.html#defining-user-role-assignments
    assignments:
      # TIP: set files to an empty string to remove them (st2admin.yaml: "")
      st2admin.yaml: |
        ---
        username: st2admin
        roles:
          - system_admin
      stanley.yaml: |
        ---
        username: stanley
        roles:
          - admin

    # StackStorm RBAC LDAP groups-to-roles mapping rules, shipped in '/opt/stackstorm/rbac/mappings/'
    # See RBAC Roles Based on LDAP Groups: https://docs.stackstorm.com/rbac.html#automatically-granting-roles-based-on-ldap-group-membership
    mappings:
      #stormers.yaml: |
      #  ---
      #  group: "CN=stormers,OU=groups,DC=stackstorm,DC=net"
      #  description: "Automatically grant admin role to all stormers group members."
      #  roles:
      #    - "admin"

##
## Default SecurityContext for pods and containers.
## Overrides available for st2web, st2actionrunner, st2sensorcontainer, st2client pods, and custom packs images.
##
podSecurityContext: {}
securityContext: {}

##
## StackStorm HA Ingress
##
ingress:
  # As recommended, ingress is disabled by default.
  enabled: false
  # Annotations are used to configure the ingress controller
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  # Map hosts to paths
  hosts: []
  # - host: hostname.domain.tld
  #   # Map paths to services
  #   paths:
  #     - path: /
  #       serviceName: service
  #       servicePort: port
  # Secure the Ingress by specifying a secret that contains a TLS private key and certificate
  tls: []
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.test
  # ingressClassName: nginx-ingress

##
## NOTE: there used to be a secrets.st2 section here. These values have moved into st2.* above. Please update your values.
##

##
## StackStorm HA Cluster pod settings for each individual service/component.
##
# Many st2web instances, placed behind a load balancer that serve web app and proxify requests to st2auth, st2api, st2stream.
st2web:
  # Minimum 2 replicas are recommended to run st2web in HA mode
  replicas: 2
  # Tested resource consumption based on multiple requests to st2web within nginx
  # Please adjust based on your conscious choice
  resources:
    requests:
      memory: "25Mi"
      cpu: "50m"
    limits:
      memory: "100Mi"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # TODO: Add Ingress setting as a way to expose service to public (#6).
  # ingress:
  service:
    # type can be one of "ClusterIP", "NodePort", "LoadBalancer" or "ExternalName"
    type: "NodePort"
    # The hostname associated with st2web service (externalName, added to external DNS, etc.)
    hostname: ""
    # For more information regarding annotations, see
    # https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws
    annotations: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  ## st2web serves HTTP (port 80) so that SSL termination can be managed
  ## using kubernetes-native features like LoadBalancer or Ingress Controllers.
  ## To configure st2web to directly serve HTTPS (port 443) instead of HTTP,
  ## provide ssl certs via extra_volumes, and add the ST2WEB_HTTPS env var here:
  # ST2WEB_HTTPS: 1
  serviceAccount:
    attach: false
  # override the default .podSecurityContext or .securityContext here
  podSecurityContext: {}
  securityContext: {}  # NB: nginx requires some capabilities, drop ALL will cause issues.
  # mount extra volumes on the st2web pod(s) (primarily useful for k8s-provisioned secrets)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes
  # User-defined st2web config with custom settings to replace default config.js
  # See https://github.com/StackStorm/st2web#connecting-to-st2-server for more info
  # config: |
  #  // see https://github.com/StackStorm/st2web/blob/master/config.js
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  preStopSleep: "10"

# https://docs.stackstorm.com/reference/ha.html#st2auth
# Multiple st2auth processes can be behind a load balancer in an active-active configuration.
st2auth:
  replicas: 2
  resources:
    requests:
      memory: "85Mi"
      cpu: "50m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  service:
    # type can be one of "ClusterIP", "NodePort", "LoadBalancer" or "ExternalName"
    type: "ClusterIP"
    # The hostname associated with st2auth service (externalName, added to external DNS, etc.)
    hostname: ""
    # For more information regarding annotations, see
    # https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws
    annotations: {}
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  preStopSleep: "10"
  # mount extra volumes on the st2auth pod(s) (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2api
# Multiple st2api process can be behind a load balancer in an active-active configuration.
st2api:
  replicas: 2
  resources:
    requests:
      memory: "150Mi"
      cpu: "25m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  service:
    # type can be one of "ClusterIP", "NodePort", "LoadBalancer" or "ExternalName"
    type: "ClusterIP"
    # The hostname associated with st2api service (externalName, added to external DNS, etc.)
    hostname: ""
    # For more information regarding annotations, see
    # https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws
    annotations: {}
  # HTTP_PROXY: http://proxy:1234
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  preStopSleep: "10"
  # mount extra volumes on the st2api pod(s) (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2stream
# Multiple st2stream process can be behind a load balancer in an active-active configuration.
st2stream:
  replicas: 2
  resources:
    requests:
      memory: "100Mi"
      cpu: "50m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  service:
    # type can be one of "ClusterIP", "NodePort", "LoadBalancer" or "ExternalName"
    type: "ClusterIP"
    # The hostname associated with st2api service (externalName, added to external DNS, etc.)
    hostname: ""
    # For more information regarding annotations, see
    # https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws
    annotations: {}
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  preStopSleep: "10"
  # mount extra volumes on the st2stream pod(s) (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2rulesengine
# Multiple st2rulesengine processes can run in active-active with only connections to MongoDB and RabbitMQ. All these will share the TriggerInstance load and naturally pick up more work if one or more of the processes becomes unavailable.
st2rulesengine:
  replicas: 2
  resources:
    requests:
      memory: "75Mi"
      cpu: "25m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2rulesengine pod(s) (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2timersengine
# Only single replica is created via K8s Deployment as timersengine can't work in active-active mode at the moment and it relies on K8s failover/reschedule capabilities to address cases of process failure.
st2timersengine:
  resources:
    requests:
      memory: "75Mi"
      cpu: "10m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2timersengine pod (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2workflowengine
# Multiple st2workflowengine processes can run in active-active mode and will share the load and pick up more work if one or more of the processes become available.
st2workflowengine:
  # k8 pod timeout.  set this to a few seconds longer than st2 config workflow_engine.exit_still_active_check
  terminationGracePeriodSeconds: 300
  replicas: 2
  resources:
    requests:
      memory: "200Mi"
      cpu: "100m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2workflowengine pod(s) (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2scheduler
# TODO: Description TBD
st2scheduler:
  replicas: 2
  resources:
    requests:
      memory: "75Mi"
      cpu: "50m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2scheduler pod(s) (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2notifier
# st2notifier runs in active-active mode and requires for that coordination backend like Redis or Zookeeper
st2notifier:
  replicas: 2
  resources:
    requests:
      memory: "75Mi"
      cpu: "50m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2notifier pod(s) (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# https://docs.stackstorm.com/reference/ha.html#st2actionrunner
# Multiple st2actionrunner processes can run in active-active with only connections to MongoDB and RabbitMQ. Work gets naturally
# distributed across runners via RabbitMQ. Adding more st2actionrunner processes increases the ability of StackStorm to execute actions.
st2actionrunner:
  # k8 pod timeout.  set this to a few seconds longer than st2 config actionrunner.exit_still_active_check and set
  # actionrunner.graceful_shutdown = True
  terminationGracePeriodSeconds: 300
  replicas: 5
  resources:
    requests:
      memory: "200Mi"
      cpu: "75m"
  # Override default image settings
  image: {}
    # Uncomment the following block to use your own at2actionrunner docker image
    #repository: your-remote-docker-registry.io
    #name: st2actionrunner
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
    #pullPolicy: Always
    # Optional name of the imagePullSecret if your custom action runner image is hosted by a private Docker registry behind the auth
    #pullSecret: st2actionrunner-auth
  annotations: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # Allow the injection of hostAliases (https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/#adding-additional-entries-with-hostaliases)
  # records in the st2actionrunner containers to handle edge case in DNS accessibility/topology
  hostAliases: []
  # - hostnames:
  #     - foo
  #   ip: 1.1.1.1
  #  - hostnames:
  #      - bar
  #   ip: 8.8.8.8
  env: {}
  # HTTP_PROXY: http://proxy:1234
  ## These named secrets (managed outside this chart) will be added to envFrom.
  envFromSecrets: []
  serviceAccount:
    attach: false
  # override the default .podSecurityContext or .securityContext here
  podSecurityContext: {}
  securityContext: {} # also applies to init or jobs containers that copy/modify files
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2actionrunner pods (primarily useful for k8s-provisioned secrets)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # For example, if some actions in the fictional acme pack
    # needed some file-based client-side certificates:
    # - name: st2-encryption-key-vol
    #   mount:
    #     mountPath: "{{ .Values.acme.ssl_certs_dir }}"
    #     readOnly: true
    #   volume:
    #     secret:
    #       secretName: "{{ .Release.Name }}-st2-acme-pack-certs"
    #       items:
    #       - key: ssl_certificate
    #         path: acme.crt
    #       - key: ssl_certificate_key
    #         path: acme.key
    #
    # An example that adds a global ansible.cfg file for the ansible pack.
    # - name: global-ansible-config
    #   mount:
    #     mountPath: /etc/ansible/ansible.cfg
    #     subPath: ansible.cfg
    #   volume:
    #     configMap:
    #       name: "{{ .Release.Name }}-st2-ansible-config"
    #
    # An example that loads logging conf from a custom config map
    # - name: custom-logging-conf
    #   mount:
    #     mountPath: /etc/st2/logging.docker.conf
    #     subPath: logging.actionrunner.conf
    #   volume:
    #     configMap:
    #       name: "{{ .Release.Name }}-st2-logging-conf"

# https://docs.stackstorm.com/reference/ha.html#st2sensorcontainer
# It is possible to run st2sensorcontainer(s) in one of these modes:
#   (1) run all sensors in one pod (1 deployment with 1 pod, the default); or
#   (2) run multiple sensor per pod (2+ deployments with 1 pod each) using hash range partitions; or
#   (3) run one sensor per pod using st2.packs.sensors (see above).
# To use the deployments (modes 1 and 2 in this list), st2.packs.sensors must be empty.
# For one-sensor-per-pod, define defaults here and add config for each sensor to st2.packs.sensors (above).
st2sensorcontainer:
  # "deployments" is analogous to "replicas" for other services. Each deployment has 1 replica.
  # The deployments count cannot be greater than 1 unless st2.packs.sensors is empty.
  # If deployments is 1 (the default), then StackStorm puts all sensors in one pod.
  # If deployments is 2+, StackStorm is configured to use sensor hash ranges to ensure that
  # each sensor runs on only one pod. Each hash range is assigned to a separate
  # deployment to ease maintenance of the sensor deployments and pods.
  # See: https://docs.stackstorm.com/reference/sensor_partitioning.html#hash
  deployments: 1

  # values below this point are also used as defaults in st2.packs.sensors (if used)
  resources:
    requests:
      memory: "100Mi"
      cpu: "50m"
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  livenessProbe: {}
  readinessProbe: {}
  annotations: {}
  # Additional advanced settings to control pod/deployment placement
  affinity: {}
  nodeSelector: {}
  tolerations: []
  env: {}
  # HTTP_PROXY: http://proxy:1234
  ## These named secrets (managed outside this chart) will be added to envFrom.
  envFromSecrets: []
  serviceAccount:
    attach: false
  # override the default .podSecurityContext or .securityContext here
  podSecurityContext: {}
  securityContext: {}
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2sensorcontainer pod(s) (primarily useful for k8s-provisioned secrets)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

# The st2client deployment/pod simplifies ad-hoc administration.
# st2client is a special purpose actionrunner pod, but you can customize it separately
st2client:
  # st2client config (~/.st2/config) template.
  # see: https://docs.stackstorm.com/reference/cli.html#configuration-file
  # You can access env variables here because this is used in a bash heredoc.
  # For example, you could use a var injected with envFromSecrets.
  # Note that Helm templating is supported in this block!
  st2clientConfig: |
    [credentials]
    username = ${ST2_AUTH_USERNAME}
    password = ${ST2_AUTH_PASSWORD}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  ## These named secrets (managed outside this chart) will be added to envFrom.
  envFromSecrets: []
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # override the default .podSecurityContext or .securityContext here
  podSecurityContext: {}
  securityContext: {}
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2client pod (primarily useful for k8s-provisioned secrets)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  resources:
    requests:
      memory: "5Mi"
      cpu: "5m"

# https://docs.stackstorm.com/reference/ha.html#st2garbagecollector
# Optional service that cleans up old executions and other operations data based on setup configurations.
# By default this process only cleans action output and needs to be setup in st2.conf to perform any other work.
st2garbagecollector:
  # Having 1 st2garbagecollector unique replica is enough for periodic task like st2 history garbage collection
  replicas: 1
  resources:
    requests:
      memory: "80Mi"
      cpu: "10m"
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""
  # mount extra volumes on the st2garbagecollector pod(s) (primarily useful for custom logging conf)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes

##
## StackStorm ChatOps (https://docs.stackstorm.com/chatops/index.html)
## As hubot can't be HA scaled properly, we deploy only single replica of st2chatops
##
st2chatops:
  # Enable st2chatops (default: false)
  enabled: false
  # Custom hubot adapter ENV variables to pass through which will override st2chatops.env defaults.
  # These env vars get stored in a k8s secret loaded using envFrom.
  # See https://github.com/StackStorm/st2chatops/blob/master/st2chatops.env
  # for the full list of supported adapters and example ENV variables.
  # Note that Helm templating is supported for env values in this block!
  env:
    HUBOT_ADAPTER: slack
    HUBOT_SLACK_TOKEN: xoxb-CHANGE-ME-PLEASE
    # If ST2_API_KEY is defined, then ST2_AUTH_USERNAME/PASSWORD will not be exposed to st2chatops.
    # Please make sure that the key in ST2_API_KEY gets added to st2.apikeys above so that chatops can use this key.
    #ST2_API_KEY: 12345
  # Set custom generated st2chatops Docker image source
  # Otherwise default https://hub.docker.com/r/stackstorm/st2chatops is used
  image: {}
    #repository: stackstorm
    #name: st2chatops
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
    #pullPolicy: IfNotPresent
  # Tested requested resource consumption for st2chatops & hubot in normal mode
  # Please adjust based on your conscious choice
  resources:
    requests:
      memory: "50Mi"
      cpu: "5m"
  annotations: {}
  # Advanced use-cases only. If defined, this hubot-scripts volume gets mounted to: /opt/stackstorm/chatops/scripts
  # This volume (using any k8s storage solution, including configmap) allows for hubot customization.
  # Most installations should not use this.
  # For details on writing .js or .coffeescript hubot extensions, see: https://hubot.github.com/docs/scripting/
  hubotScriptsVolume: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    attach: false
  # postStartScript is optional. It has the contents of a bash script.
  # k8s will run the script in the st2 container in parallel with the ENTRYPOINT.
  # The pod will not be marked as "running" until this script completes successfully.
  # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
  postStartScript: ""

##
## Various batch jobs (apply-rbac-definitions, apikey-load, key-load, register-content)
##
jobs:
  # st2client config (~/.st2/config) template for jobs that need it.
  # see: https://docs.stackstorm.com/reference/cli.html#configuration-file
  # You can access env variables here because this is used in a bash heredoc.
  # For example, you could use a var injected with envFromSecrets.
  # Note that Helm templating is supported in this block!
  st2clientConfig: |
    [credentials]
    username = ${ST2_AUTH_USERNAME}
    password = ${ST2_AUTH_PASSWORD}
  annotations: {}
  # Override default image settings (for now, only tag can be overridden)
  # The Jobs use the st2actionrunner image
  image: {}
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Values.image.tag }}"
  # If defined, this preRegisterContentCommand runs in an initContainer on the st2-register-content Job.
  # The initContainer also uses the st2actionrunner image but runs this command instead of its entrypoint.
  preRegisterContentCommand: []
    # For example, to disable aliases in the "packs" system pack before content is registered:
    # - "/bin/bash"
    # - "-c"
    # - |
    #   sed -i -e 's/^\(\s*\)enabled: true/\1enabled: false/' /opt/stackstorm/packs/packs/aliases/*.yaml
    #   for alias in /opt/stackstorm/packs/packs/aliases/*.yaml; do
    #     grep -q 'enabled:' ${alias} || sed -i -e 's/^\(\s*\)name:\(.*\)$/\1name: \2\n\1enabled: false/m' ${alias}
    #   done
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  env: {}
  # HTTP_PROXY: http://proxy:1234
  ## These named secrets (managed outside this chart) will be added to envFrom.
  envFromSecrets: []
  # mount extra volumes on the jobs pods (primarily useful for k8s-provisioned secrets)
  ## Note that Helm templating is supported in 'mount' and 'volume'
  extra_volumes: []
    # see examples under st2actionrunner.extra_volumes
  #
  # Advanced controls to skip creating jobs.
  # This is useful in targeted upgrades with `--set`. Do not set this in values files.
  # Possible jobs include: apply_rbac_definitions, apikey_load, key_load, register_content
  # For example, if an upgrade only touches RBAC config, use this to disable other jobs:
  #   helm upgrade ... --set 'jobs.skip={apikey_load,key_load,register_content}'
  skip: []
  #
  # Advanced: Add extra Helm hook Jobs
  # These hook jobs will use the same settings (eg image, annotations, pod placement) as the other jobs.
  # They will have st2 cli configured, st2.conf files, and packs volumes mounted.
  # See available hooks list: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
  extra_hooks: []
    # Each item in extra_hooks must define a 'name' and the "helm.sh/hook" value in 'hook'.
    # Note that Helm templating is supported in the 'command' block!
    #
    # - name: init-workflow  # required name
    #   hook: post-install   # required "helm.sh/hook"
    #   hook_weight: 10      # optional hook_weight (defaults to 10)
    #   resources: {}        # optional definition of resources to request
    #   podSecurityContext: {} # optional definition of pod securityContext override
    #   securityContext: {}  # optional definition of container securityContext override
    #   command:             # required command to run
    #     - st2
    #     - run
    #     - --tail
    #     - custom_pack.init_stackstorm
    #
    # - name: upgrade-warning
    #   hook: pre-upgrade, pre-rollback
    #   hook_weight: -5
    #   command:
    #     - st2
    #     - run
    #     - --tail
    #     - custom_pack.warn_about_upgrade

##
## MongoDB HA configuration (3rd party chart dependency)
##
## For values.yaml reference:
## https://github.com/bitnami/charts/tree/master/bitnami/mongodb
##
mongodb:
  # Change to `false` to disable in-cluster mongodb deployment.
  # Specify your external [database] connection parameters under st2.config
  enabled: true
  image:
    # StackStorm currently supports maximum MongoDB v4.4
    tag: "4.4"
  # MongoDB architecture. Allowed values: standalone or replicaset
  architecture: replicaset
  # Name of the replica set
  # Ignored when mongodb.architecture=standalone
  replicaSetName: rs0
  # Number of MongoDB replicas to deploy.
  # Ignored when mongodb.architecture=standalone
  replicaCount: 3
  auth:
    enabled: true
    # NB! It's highly recommended to change ALL insecure auth defaults!
    #
    # Stackstorm user that services will make connections using
    username: "st2-admin"
    # Stackstorm user that services will make connections using
    password: "XeL5Rxwj7F0Wt43tFZVTN7H8Sg5XDHmK"
    # Root password for the database
    rootPassword: "8fAzdnksdzPFUWm4a68EfY7nMhBPaa"
    # Initial database for stackstorm
    database: "st2"
    # Minimal key length is 6 symbols and may only contain characters in the base64 set.
    replicaSetKey: "82PItDpqroti5RngOA7UqbHH7c6bFUwy"
    # Whether to enable the arbiter
  arbiter:
    enabled: false
  resources: {}

##
## RabbitMQ configuration (3rd party chart dependency)
##
## For values.yaml reference:
## https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq
##
rabbitmq:
  # Change to `false` to disable in-cluster rabbitmq deployment.
  # Specify your external [messaging] connection parameters under st2.config
  enabled: true
  clustering:
    # On unclean cluster restarts forceBoot is required to cleanup Mnesia tables (see: https://github.com/helm/charts/issues/13485)
    # Use it only if you prefer availability over integrity.
    forceBoot: true
  # Authentication Details
  auth:
    username: admin
    # TODO: Use default random 10 character password, but need to fetch this string for use by downstream services
    password: 9jS+w1u07NbHtZke1m+jW4Cj
    # Up to 255 character string, should be fixed so that re-deploying the chart does not fail (see: https://github.com/helm/charts/issues/12371)
    # NB! It's highly recommended to change the default insecure rabbitmqErlangCookie value!
    erlangCookie: 8MrqQdCQ6AQ8U3MacSubHE5RqkSfvNaRHzvxuFcG
  # RabbitMQ Memory high watermark. See: http://www.rabbitmq.com/memory.html
  # Default values might not be enough for StackStorm deployment to work properly. We recommend to adjust these settings for you needs as well as enable Pod memory limits via "resources".
  #rabbitmqMemoryHighWatermark: 512MB
  #rabbitmqMemoryHighWatermarkType: absolute
  persistence:
    enabled: true
  # Enable Queue Mirroring between nodes
  # See https://www.rabbitmq.com/ha.html
  # This code block is commented out waiting for
  # https://github.com/bitnami/charts/issues/4635
  loadDefinition:
    enabled: true
    existingSecret: "{{ .Release.Name }}-rabbitmq-definitions"
  extraConfiguration: |
    load_definitions = /app/rabbitmq-definitions.json
  # We recommend to set the memory limit for RabbitMQ-HA Pods in production deployments.
  # Make sure to also change the rabbitmqMemoryHighWatermark following the formula:
  # rabbitmqMemoryHighWatermark = 0.4 * resources.limits.memory
  resources: {}
  # number of replicas in the rabbit cluster
  replicaCount: 3
  # As RabbitMQ enabled prometheus operator monitoring by default, disable it for non-prometheus users
  metrics:
    enabled: false

##
## Redis HA configuration (3rd party chart dependency)
##
## For values.yaml reference:
## https://github.com/bitnami/charts/tree/master/bitnami/redis
##
redis:
  # Change to `false` to disable in-cluster redis deployment.
  # Specify your external [coordination] connection parameters under st2.config
  enabled: true
  # By default the cluster is enabled for the subchart.
  # We just need replica count here to ensure it is HA
  cluster:
    slaveCount: 3
  # Sentinel settings. Sentinel is enabled for better resiliency.
  # This is highly recommended as per tooz library documentation.
  # Hence, the chart requires the setting.
  # https://docs.openstack.org/tooz/latest/user/drivers.html#redis
  # https://github.com/bitnami/charts/tree/master/bitnami/redis#master-slave-with-sentinel
  sentinel:
    enabled: true
    # DO NOT SET sentinel.usePassword, the tooz driver cannot connect to a password protected sentinel
    # however it can connect to a password protected redis that is being managed by sentinel
    # usePassword: false
    # Enable or disable static sentinel IDs for each replicas
    # If disabled each sentinel will generate a random id at startup
    # If enabled, each replicas will have a constant ID on each start-up
    staticID: true
  # if redis.usePassword is true, you can set the password here
  # password: mysupersecretpassword
  networkPolicy:
    enabled: false
  usePassword: false
  metrics:
    enabled: false

##
## Settings to be applied to all stackstorm-ha pods
##
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
# "ClusterFirst" is the default. Other options: "Default", "ClusterFirstWithHostNet", "None"
#dnsPolicy: "ClusterFirst"
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
dnsConfig: {}
  # example copied from the docs
  #nameservers:
  #- 1.2.3.4
  #searches:
  #- ns1.svc.cluster-domain.example
  #- my.dns.search.suffix
  #options:
  #- name: ndots
  #  value: "2"
  #- name: edns0

##
## External DNS configuration (3rd party chart dependency)
##
## Creates a deployment of external-dns within the cluster to update DNS with CNAME -> ELB
##
## For values.yaml reference:
## https://github.com/bitnami/charts/tree/master/bitnami/external-dns
##
## TODO: If eq st2web.service.type "LoadBalancer", set enabled to true. Any other cases?
external-dns:
  enabled: false
  provider: aws
  aws:
    zoneType: "public"
  domainFilters: []