values.yaml

Chart Version: 0.0.0

Note: to improve readability, syntax highlighting is used. A drawback is that links in comments are not clickable. See the Values Description page, where the links can be clicked.

---

# Image for oCIS services
image:
  # -- Image repository
  repository: owncloud/ocis
  # -- Image tag. Defaults to the chart's appVersion.
  tag: ""
  # -- Image sha / digest (optional).
  # A digest pins the exact image content, whereas a tag can be re-pointed in the registry.
  # How `tag` and `sha` are combined is decided by the chart templates, which are not part of this file.
  sha: ""
  # -- Image pull policy
  # With `IfNotPresent` a node reuses the image it has cached for a tag and does not notice a re-pushed one.
  pullPolicy: IfNotPresent

# Logging settings for oCIS services
logging:
  # -- Log level. Valid values: `panic`, `fatal`, `error`, `warn`, `info`, `debug`, `trace`.
  # The default `error` records failures only; raise it to `warn` or `info` if the logs are needed for investigations.
  level: "error"
  # -- Activates pretty log output.
  # Not recommended for production installations.
  # The default is the quoted string "false", not a YAML boolean.
  pretty: "false"
  # -- Activates colorized log output.
  # Not recommended for production installations.
  # The default is the quoted string "false", not a YAML boolean.
  color: "false"

# -- Deployment strategy.
deploymentStrategy:
  type: RollingUpdate

# -- Domain where oCIS is reachable for the outside world
# The default is a placeholder under the reserved `.test` TLD and has to be replaced.
externalDomain: ocis.owncloud.test

# Insecure options.
# These are useful for some limited environments like CI or on a test cluster.
# Both options default to `false`, i.e. certificates are checked.
insecure:
  # -- Disables SSL certificate checking for connections to the openID connect identity provider.
  # Not recommended for production installations.
  # Without certificate checking oCIS cannot tell the real identity provider from another host answering on its address, so login traffic and tokens can be intercepted.
  oidcIdpInsecure: false
  # -- Disables SSL certificate checking for connections to the oCIS http apis.
  # Not recommended for production installations.
  # The same applies here: with checking disabled, the peer of these connections is not verified.
  ocisHttpApiInsecure: false

# Feature options.
# Enable or disable features of oCIS.
features:
  # -- Enable basic authentication.
  # Not recommended for production installations.
  # HTTP basic authentication sends the user's password with every request.
  basicAuthentication: false
  # -- Create demo users on the first startup.
  # Not recommended for production installations.
  # NOTE(review): demo accounts usually come with publicly documented passwords; confirm none exist before exposing an instance.
  demoUsers: false
  emailNotifications:
    # -- Enables email notifications.
    # This feature needs the secret from `secretRefs.notificationsSmtpSecretRef` present.
    enabled: false
    smtp:
      # -- SMTP host to connect to.
      host:
      # -- Port of the SMTP host to connect to.
      port:
      # -- Sender address of emails that will be sent. Example: 'ownCloud <noreply@example.com>'
      sender:
      # -- Authentication method for the SMTP communication. Possible values are ‘login’, ‘plain’, ‘crammd5’, ‘none’
      authentication: none
      # -- Encryption method for the SMTP communication. Possible values are ‘starttls’, ‘ssl’, ‘ssltls’, ‘tls’ and ‘none’.
      # With the default `none` the SMTP session is not encrypted, so notification mails (and the credentials, once an authentication method is set) cross the network in clear text.
      encryption: none
  # Apps integration
  appsIntegration:
    # -- Enables the apps integration.
    enabled: false
    # WOPI (office suite integration) needs a [cs3org/wopiserver](https://github.com/cs3org/wopiserver) and at least one office suite.
    wopiIntegration:
      # -- URL of the [cs3org/wopiserver](https://github.com/cs3org/wopiserver). Can be deployed [with this Chart](https://artifacthub.io/packages/helm/cs3org/wopiserver).
      wopiServerURI: https://wopiserver.owncloud.test
      # List of WOPI compliant office suites.
      # Both entries below ship disabled and point at placeholder hosts under the reserved `.test` TLD.
      officeSuites:
        - # -- Name of the office suite. Will be displayed to the users.
          name: Collabora
          # -- Enables the office suite.
          enabled: false
          # -- URI of the office suite.
          uri: https://collabora.owncloud.test
          # -- URI for the icon of the office suite. Will be displayed to the users.
          iconURI: https://collabora.owncloud.test/favicon.ico
          # -- Disables SSL certificate checking for connections to the office suites http api.
          # Not recommended for production installations.
          # Documents are exchanged over this connection; with checking disabled its peer is not verified.
          insecure: false
        - # -- Name of the office suite. Will be displayed to the users.
          name: OnlyOffice
          # -- Enables the office suite.
          enabled: false
          # -- URI of the office suite.
          uri: https://onlyoffice.owncloud.test
          # -- URI for the icon of the office suite. Will be displayed to the users.
          iconURI: https://onlyoffice.owncloud.test/web-apps/apps/documenteditor/main/resources/img/favicon.ico
          # -- Disables SSL certificate checking for connections to the office suites http api.
          # Not recommended for production installations.
          # Documents are exchanged over this connection; with checking disabled its peer is not verified.
          insecure: false
    # -- Mimetype configuration.
    # Lets you configure a mimetype's default application, whether it is allowed to create new files, and more.
    # @default -- default configuration of oCIS, see https://doc.owncloud.com/ocis/next/deployment/services/app-registry.html#yaml-example
    mimetypes: []
      # - mime_type: application/vnd.oasis.opendocument.text
        # extension: odt
        # name: OpenDocument
        # description: OpenDocument text document
        # icon: ""
        # default_app: ""
        # allow_creation: true
  # External user management
  externalUserManagement:
    # -- Enables external user management (and disables internal user management).
    # Needs an external OpenID Connect Identity Provider and an external LDAP server.
    enabled: false
    # OpenID Connect Identity provider related settings.
    oidc:
      # -- Issuer URI of the OpenID Connect Identity Provider.
      # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option.
      # That option is marked as not recommended for production; a certificate the deployment trusts is the safer fix.
      issuerURI: https://idp.owncloud.test/realms/ocis

      # -- Claim to take a unique user identifier from. It will be used to look up the user on the LDAP server.
      userIDClaim: ocis.user.uuid
      # -- Attribute mapping for the userIDClaim.
      # Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`.
      # Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in  `...ldap.user.schema.mail`.
      # Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`.
      # NOTE(review): the `username` line names `...ldap.user.schema.id`, the same attribute as `userid`; presumably `...ldap.user.schema.userName` is meant. Confirm against the oCIS documentation.
      userIDClaimAttributeMapping: userid

    # LDAP related settings.
    ldap:
      # -- URI to connect to the LDAP secure server.
      uri: ldaps://ldaps.owncloud.test
      # -- Set only to false, if the certificate of your LDAP secure service is not trusted.
      # If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
      certTrusted: true
      # -- Disables SSL certificate checking for connections to the LDAP server.
      # For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
      # Not recommended for production installations.
      # Unlike `certTrusted: false`, which relies on the CA cert from "ldapCaRef", this skips certificate checking altogether; the bind password and directory data then travel over a connection whose peer is not verified.
      insecure: false
      # -- DN of the user to use to bind to the LDAP server.
      # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`.
      # The user needs to have permission to list users and groups.
      # A dedicated account limited to these read permissions keeps the impact of a leaked bind password small.
      bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test
      user:
        schema:
          # -- LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.
          id: ownclouduuid
          # -- Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user IDs.
          idIsOctetString: false
          # -- LDAP Attribute to use for the email address of users.
          mail: mail
          # -- LDAP Attribute to use for the displayname of users.
          displayName: displayname
          # -- LDAP Attribute to use for username of users.
          userName: uid
        # -- Search base DN for looking up LDAP users.
        # NOTE(review): this default ends in `dc=owncloud,dc=com` while `bindDN` uses `dc=owncloud,dc=test`; both are placeholders to be replaced.
        baseDN: ou=users,dc=owncloud,dc=com
        # -- LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`.
        scope: sub
        # -- Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches
        substringFilterType: any
        # -- LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`.
        filter:
        # -- The object class to use for users in the default user search filter like `inetOrgPerson`.
        objectClass: inetOrgPerson
      group:
        schema:
          # -- LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.
          id: ownclouduuid
          # -- Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group IDs.
          idIsOctetString: false
          # -- LDAP Attribute to use for the email address of groups (can be empty).
          mail: mail
          # -- LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).
          displayName: cn
          # -- LDAP Attribute to use for the name of groups.
          groupName: cn
          # -- LDAP Attribute that is used for group members.
          member: member
        # -- Search base DN for looking up LDAP groups.
        # NOTE(review): this default ends in `dc=owncloud,dc=com` while `bindDN` uses `dc=owncloud,dc=test`; both are placeholders to be replaced.
        baseDN: ou=groups,dc=owncloud,dc=com
        # -- LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`.
        scope: sub
        # -- LDAP filter to add to the default filters for group searches.
        filter:
        # -- The object class to use for groups in the default group search filter like `groupOfNames`.
        objectClass: groupOfNames

# Ingress for oCIS.
ingress:
  # -- Enables the Ingress.
  enabled: false
  # -- Ingress class to use.
  # Uses the default ingress class if not set.
  ingressClassName:
  # -- Ingress annotations.
  annotations: {}
  # -- Labels for the ingress.
  labels: {}
  # -- Ingress TLS configuration.
  # The default is an empty list, so no TLS secret is configured through this value.
  # NOTE(review): how an enabled Ingress without a `tls` entry serves HTTPS depends on the ingress controller and the chart templates; confirm before exposing it.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - ocis.owncloud.test

# References to secrets.
# The secrets need to be manually created.
# See https://github.com/owncloud/ocis-charts/blob/master/charts/ocis/README.md#secrets for how to generate them.
# Every value below is the name of a secret, not secret material; the material itself stays in the referenced secret.
secretRefs:
  # -- Reference to an existing admin user secret (see Secrets)
  adminUserSecretRef: "admin-user"
  # -- Reference to an existing IDP secret (see Secrets)
  idpSecretRef: "idp-secrets"
  # -- Reference to an existing JWT secret (see Secrets)
  jwtSecretRef: "jwt-secret"
  # -- Reference to an existing LDAP certificate authority secret (see Secrets)
  ldapCaRef: "ldap-ca"
  # -- Reference to an existing LDAP cert secret (see Secrets)
  ldapCertRef: "ldap-cert"
  # -- Reference to an existing LDAP bind secret (see Secrets)
  ldapSecretRef: "ldap-bind-secrets"
  # -- Reference to an existing machine auth api key secret (see Secrets)
  machineAuthApiKeySecretRef: "machine-auth-api-key"
  # -- Reference to an existing SMTP email server settings secret (see Secrets)
  notificationsSmtpSecretRef: "notifications-smtp-secret"
  # -- Reference to an existing storage-system JWT secret (see Secrets)
  storageSystemJwtSecretRef: "storage-system-jwt-secret"
  # -- Reference to an existing storage-system secret (see Secrets)
  storageSystemSecretRef: "storage-system"
  # -- Reference to an existing thumbnails transfer secret (see Secrets)
  thumbnailsSecretRef: "thumbnails-transfer-secret"
  # -- Reference to an existing transfer secret (see Secrets)
  transferSecretSecretRef: "transfer-secret"

# Security context options.
# The defaults run all container processes as the non-root user and group 1000.
# The optional `chownInitContainer` of the persistence settings is documented there as running as root.
securityContext:
  # -- File system group for all volumes.
  fsGroup: 1000
  # -- File system group change policy for all volumes.
  # Possible values "Always" and "OnRootMismatch".
  fsGroupChangePolicy: "OnRootMismatch"
  # -- User ID that all processes within any containers will run with.
  # Setting this to 0 would run the processes as root.
  runAsUser: 1000
  # -- Group ID that all processes within any containers will run with.
  runAsGroup: 1000

# -- Custom labels for all manifests
extraLabels: {}

# -- Override the deployment namespace of all resources in this Helm chart.
# Left empty (null) by default.
namespaceOverride:

# -- Number of replicas for each scalable service. Has no effect when `autoscaling.enabled` is set to `true`.
replicas: 1

# Autoscaling settings.
autoscaling:
  # -- Enables autoscaling. When set to `true`, `replicas` is no longer applied.
  enabled: false
  # -- Sets minimum replicas for autoscaling.
  minReplicas: 3
  # -- Sets maximum replicas for autoscaling.
  maxReplicas: 10
  # -- Metrics to use for autoscaling
  metrics: []
# Example for `metrics`.
# NOTE(review): `targetAverageUtilization` is the field name of the autoscaling/v2beta1 API; later HorizontalPodAutoscaler API versions use `target.averageUtilization`. Check which API version the chart templates render.
#   metrics:
#   - type: Resource
#     resource:
#       name: cpu
#       targetAverageUtilization: 60
#   - type: Resource
#     resource:
#       name: memory
#       targetAverageUtilization: 60

# -- Resources to apply to all services.
# With the default `{}` this value sets neither requests nor limits, so nothing here bounds the CPU or memory a service may consume.
resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi


# Include arbitrary resources, e.g. config maps or a cert-manager issuer (see example below)
# Each entry is a manifest given as a string; review such entries like any other manifest that is deployed with the release.
# NOTE: the example uses `cert-manager.io/v1alpha2`, which current cert-manager releases no longer serve; use `cert-manager.io/v1` there.
# -- Extra resources to be included.
extraResources: []
#  - |
#    apiVersion: cert-manager.io/v1alpha2
#    kind: Issuer
#    metadata:
#      name: ocis-certificate-issuer
#      namespace: ocis
#    spec:
#      acme:
#        server: https://acme-v02.api.letsencrypt.org/directory
#        email: test@example.com
#        privateKeySecretRef:
#          name: ocis-certificate-issuer
#        solvers:
#        - http01:
#            ingress:
#              class: nginx


# per-service configuration.
services:

  # STORAGE-SYSTEM service.
  storageSystem:
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables an initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      # Clusters that enforce a non-root pod policy may reject this root initContainer; prefer the fsGroup route where the storage driver supports it.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 5Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      # `kubernetes.io/pvc-protection` delays deletion of the claim while a pod is still using it.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:

  # STORAGE-USERS service.
  storageUsers:
    storageBackend:
      # -- Configures the storage driver. Possible values are "ocis" and "s3ng".
      # The oCIS driver stores all data in the persistent volume if persistence is enabled.
      # The S3NG driver stores all metadata in the persistent volume and uploads blobs to s3 if persistence is enabled.
      driver: ocis
      driverConfig:
        # All s3ng defaults below are placeholders and have to be replaced when the driver is set to "s3ng".
        s3ng:
          # -- S3 endpoint to use for the S3NG driver. Only used if driver is set to "s3ng".
          endpoint: https://localhost:1234
          # -- S3 region to use for the S3NG driver. Only used if driver is set to "s3ng".
          region: default
          # -- S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng".
          bucket: example-bucket
          # -- S3 access key to use for the S3NG driver. Only used if driver is set to "s3ng".
          # Unlike the entries under `secretRefs`, this credential is a plain chart value: it is stored wherever the values are stored (values files, Helm release data), so keep real keys out of version control.
          accessKey: lorem-ipsum
          # -- S3 secret key to use for the S3NG driver. Only used if driver is set to "s3ng".
          # Unlike the entries under `secretRefs`, this credential is a plain chart value: it is stored wherever the values are stored (values files, Helm release data), so keep real keys out of version control.
          secretKey: lorem-ipsum
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables an initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      # Clusters that enforce a non-root pod policy may reject this root initContainer; prefer the fsGroup route where the storage driver supports it.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 50Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      # `kubernetes.io/pvc-protection` delays deletion of the claim while a pod is still using it.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:

  # STORE service.
  store:
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables an initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      # Clusters that enforce a non-root pod policy may reject this root initContainer; prefer the fsGroup route where the storage driver supports it.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 5Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      # `kubernetes.io/pvc-protection` delays deletion of the claim while a pod is still using it.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:

  # THUMBNAILS service.
  thumbnails:
    persistence:
      # -- Enables persistence.
      # Is recommended to be enabled on production installations.
      # If enabled, generated thumbnails are cached on this volume and available across pod restarts and service instances.
      # If not enabled, thumbnail generation might lead to higher CPU usage.
      enabled: false
      # -- Enables an initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      # Clusters that enforce a non-root pod policy may reject this root initContainer; prefer the fsGroup route where the storage driver supports it.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance or persistence needs to be disabled.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 10Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      # Empty by default, unlike the other services in this file; this volume only holds the thumbnail cache described above.
      finalizers: []
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:

  # IDM service.
  idm:
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables an initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      # Clusters that enforce a non-root pod policy may reject this root initContainer; prefer the fsGroup route where the storage driver supports it.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 10Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      # `kubernetes.io/pvc-protection` delays deletion of the claim while a pod is still using it.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:

  # SEARCH service.
  search:
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables an initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      # Clusters that enforce a non-root pod policy may reject this root initContainer; prefer the fsGroup route where the storage driver supports it.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 10Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      # `kubernetes.io/pvc-protection` delays deletion of the claim while a pod is still using it.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:

  # NATS service.
  nats:
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables an initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      # Clusters that enforce a non-root pod policy may reject this root initContainer; prefer the fsGroup route where the storage driver supports it.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 10Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      # `kubernetes.io/pvc-protection` delays deletion of the claim while a pod is still using it.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim: