# Copyright (c) 2023 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License 2.0 which is available at
# http://www.eclipse.org/legal/epl-2.0
#
# SPDX-License-Identifier: EPL-2.0
---
# Default values for ditto.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
serviceAccount:
  # create controls whether a dedicated ServiceAccount is created for the Ditto pods.
  # Keep this enabled: with it disabled (and no name given) the pods fall back to the namespace's
  # "default" account, whose permissions are outside this chart's control.
  create: true
  # name is the name of the service account to use
  # If not set and create is true, a name is generated using the fullname template
  # (left empty on purpose; Helm treats the bare key as null and applies the generated name)
  name:
rbac:
  # enabled controls whether RBAC resources will be created
  # NOTE(review): presumably the Role/RoleBinding that Pekko cluster bootstrap needs to list pods for
  # contact-point discovery — verify the granted verbs in the chart templates and keep them namespace-scoped.
  enabled: true
# nameOverride replaces the chart name used in resource names (empty: use the chart name)
nameOverride: ""
# fullnameOverride replaces the full release-qualified name used in resource names (empty: generated)
fullnameOverride: ""
## ----------------------------------------------------------------------------
## global configuration shared by all components
global:
  # cluster holds the configuration for the Ditto/Pekko cluster
  cluster:
    # requiredContactPoints defines the total amount of replicas in the Ditto cluster
    # only if this amount is "seen" during cluster formation, the cluster can form itself
    # (must match the sum of replicaCount over all enabled Ditto services, otherwise the cluster never forms)
    requiredContactPoints: 5
    # ddata holds the "Distributed Data" configuration:
    ddata:
      # numberOfShards defines whether ddata structures should be shared (if >1)
      # this is needed in case a lot of event subscribers (thousands) are connected simultaneously
      numberOfShards: 1
      # maxDeltaElements defines how many elements should be synced with a single cluster message
      # if numberOfShards is > 1, it makes sense to keep maxDeltaElements lower
      # so that the message size for remoting is not exceeding the configured max message size
      maxDeltaElements: 1
    # numberOfShards configures the sharding applied for things/policies/connections based on their ID
    # as a rule of thumb: should be factor ten of the amount of cluster replicas for an entity
    numberOfShards: 50
    # downingStableAfter is a configuration of the Pekko SBR (split brain resolver)
    # how to find the right value: https://pekko.apache.org/docs/pekko/current/split-brain-resolver.html
    downingStableAfter: 15s
    # downAllWhenUnstable is a configuration of the Pekko SBR (split brain resolver)
    # quoted on purpose: a bare "on" would be read as a YAML 1.1 boolean, the setting expects the string
    downAllWhenUnstable: "on"
  # basicAuthUsers configures (as a map) several user/password combinations which the nginx of the Ditto chart will authenticate
  # SECURITY: these passwords are plaintext and are kept in the release (visible via "helm get values") — never commit
  # real credentials into this file; prefer "hashedBasicAuthUsers" or a values override kept outside version control.
  # The commented example below is the well-known "ditto"/"ditto" demo login and must not be used on a reachable deployment.
  basicAuthUsers: {}
  #  ditto:
  #    user: ditto
  #    password: ditto
  # hashedBasicAuthUsers configures a list of hashed .htpasswd username/password entries
  # (preferred over basicAuthUsers: only the hash lives in the values)
  hashedBasicAuthUsers: []
  # jwtOnly controls whether only OpenID-Connect authentication is supported
  # if false, both OpenID-Connect and basicAuth via nginx (see above "basicAuthUsers" and "hashedBasicAuthUsers") is used
  # ref: https://www.eclipse.dev/ditto/installation-operating.html#openid-connect
  # Set to true for production setups that have an OIDC provider, so no static password set can be brute-forced at the edge.
  jwtOnly: false
  # jvmOptions defines the JVM options applied to all Ditto services running in the JVM, it is put in JAVA_TOOL_OPTIONS
  # -XX:+ExitOnOutOfMemoryError makes an OOM terminate the process so Kubernetes restarts the pod instead of it running degraded
  # (no comments inside the folded scalar below — a "#" line there would become part of the value)
  jvmOptions: >
    -XX:+ExitOnOutOfMemoryError
    -XX:+UseContainerSupport
    -XX:+UseStringDeduplication
    -Xss512k
    -XX:MaxMetaspaceSize=256m
    -XX:+UseG1GC
    -Djava.net.preferIPv4Stack=true
  # pekkoOptions defines Pekko system properties applied to all Ditto services: cluster-bootstrap discovery port name,
  # failure-detector tuning, persistence recovery limits and the shutdown timeout when seed-node joining fails
  pekkoOptions: >
    -Dpekko.management.cluster.bootstrap.contact-point-discovery.port-name=management
    -Dpekko.cluster.failure-detector.threshold=15.0
    -Dpekko.cluster.failure-detector.expected-response-after=3s
    -Dpekko.cluster.failure-detector.acceptable-heartbeat-pause=7s
    -Dpekko.persistence.journal-plugin-fallback.recovery-event-timeout=30s
    -Dpekko.persistence.max-concurrent-recoveries=100
    -Dpekko.cluster.sharding.updating-state-timeout=20s
    -Dpekko.cluster.shutdown-after-unsuccessful-join-seed-nodes=120s
  # timezone defines the timezone to configure the JVM with
  timezone: Europe/Berlin
  # imagePullSecrets will be added to every deployment
  imagePullSecrets: []
  # proxyPart configures a reverse proxy part to be added in front of the Ditto API endpoints:
  proxyPart: ""
  # prometheus holds the Prometheus specific configuration
  prometheus:
    # enabled controls whether scrape config annotation will be added to pod templates
    # the metrics endpoint itself is unauthenticated; restrict the port with a NetworkPolicy in shared clusters
    enabled: true
    # path where prometheus metric will be provided
    path: "/"
    # port where prometheus metrics will be provided
    port: 9095
  # logging the logging configuration for Ditto
  logging:
    # sysout holds the logging to SYSOUT config
    sysout:
      # enabled defines whether to log to SYSOUT
      enabled: true
    # logstash configures if logs should be pushed to a logstash endpoint
    logstash:
      # enabled defines whether to log to logstash
      enabled: false
      # endpoint configures the logstash endpoint to send logs to
      # NOTE(review): logs may contain entity IDs and correlation IDs; confirm the appender encrypts in transit
      # before pointing this at an endpoint outside the cluster
      endpoint: ""
    # logFiles defines logging to log files config
    logFiles:
      # enabled whether to write logs to log files
      # log files can be found on the host under /var/log/ditto
      # NOTE(review): presumably mounted via a hostPath volume — that gives the pod write access to the node
      # filesystem, which pod-security policies in hardened clusters commonly forbid; verify in the deployment templates
      enabled: false
    # customConfigFile configures that a custom "Logback" config file should be used instead of the one bundled
    # with Ditto on the classpath
    customConfigFile:
      # enabled if enabled, a custom logback.xml file added to the Ditto containers will be used for logging configuration
      enabled: true
      # fileName passed as Java system property "-Dlogback.configurationFile"
      fileName: logback.xml
  # tracing configuration for Ditto
  tracing:
    # enabled whether tracing (via OpenTelemetry) is enabled
    enabled: false
    # otelExporterOtlpEndpoint the OTLP endpoint to report traces to
    # (the default is plain http; use a TLS endpoint if the collector is not on the same host/network boundary)
    otelExporterOtlpEndpoint: "http://localhost:4317"
    # sampler the tracing sampler to use
    # can be one of:
    # - always: report all traces.
    # - never: don't report any trace.
    # - random: randomly decide using the probability defined in the random-sampler.probability setting.
    # - adaptive: keeps dynamic samplers for each operation while trying to achieve a set throughput goal.
    sampler: never
    # randomSampler configures the 'random' sampler
    randomSampler:
      # probability configures the probability of a span being sampled, must be a value between 0 and 1
      probability: 0.01
    # adaptiveSampler configures the 'adaptive' sampler
    adaptiveSampler:
      # throughput the throughput goal trying to achieve with the adaptive sampler
      throughput: 600
## ----------------------------------------------------------------------------
## dbconfig for mongodb connections
## rendered into a Kubernetes Secret, because the connection URI may carry credentials (user:password@host);
## keep real URIs out of this file and reference an existing secret via "uriSecret" instead
dbconfig:
  # Each entry below has the same shape:
  #   uri: the MongoDB connection string of that service. "#{PLACEHOLDER_MONGODB_HOSTNAME}#" is a substitution
  #        token — presumably replaced by a deployment pipeline before "helm install"; unreplaced it is not a valid host.
  #        If the URI carries credentials they end up in the rendered Secret, so do not commit such a URI here.
  #   ssl: whether the driver connects with TLS. "false" is only acceptable for local/test databases; a MongoDB
  #        reachable across a network boundary should be set to true (and the server's certificate validated).
  # policies the MongoDB configuration for Ditto "policies" service
  policies:
    uri: mongodb://#{PLACEHOLDER_MONGODB_HOSTNAME}#:27017/ditto
    ssl: false
  # things the MongoDB configuration for Ditto "things" service
  things:
    uri: mongodb://#{PLACEHOLDER_MONGODB_HOSTNAME}#:27017/ditto
    ssl: false
  # connectivity the MongoDB configuration for Ditto "connectivity" service
  connectivity:
    uri: mongodb://#{PLACEHOLDER_MONGODB_HOSTNAME}#:27017/ditto
    ssl: false
  # thingsSearch the MongoDB configuration for Ditto "things-search" service
  thingsSearch:
    uri: mongodb://#{PLACEHOLDER_MONGODB_HOSTNAME}#:27017/ditto
    ssl: false
  ## If following property is set, an existing secret will be used to retrieve the mongodb connectionUris from.
  ## Preferred for production: the URIs (and credentials) then never pass through values files or CI logs.
  # uriSecret: my-uri-secret
## ----------------------------------------------------------------------------
## ingress configures the Ingress
ingress:
  # enabled whether Ingress should be enabled as alternative to the contained nginx
  enabled: false
  # className is the 'ingressClassName' to configure in the Ingress spec
  className: nginx
  # host the hostname of the Ingress shared for all: api, ws and ui
  # "localhost" is a development default; set the real public hostname (it must also be listed under "tls" below)
  host: localhost
  # defaultBackendSuffix the suffix to add to the internal fullname to use as Ingress "defaultBackend"
  defaultBackendSuffix: nginx
  # controller configures an optional ingress-nginx controller deployed together with the chart
  controller:
    # enabled whether Ingress controller should be enabled
    enabled: false
    # namespace for ingress controller, managed by helm, should not be created manually
    namespace: ingress-nginx
    # Ingress-NGINX version. Check Supported Versions table from https://github.com/kubernetes/ingress-nginx to match k8s version.
    # NOTE(review): the server-snippet / configuration-snippet annotations used below only take effect when the controller
    # allows snippet annotations; newer ingress-nginx releases disable that by default (check the release notes when bumping),
    # and allowing snippets is itself a risk in multi-tenant clusters because any Ingress author can inject nginx config.
    # Keep this pinned version current — it is a network-edge component.
    nginxIngressVersion: "v1.8.0"
    # Nginx Version. Check Supported Versions table from https://github.com/kubernetes/ingress-nginx to match k8s version.
    nginxVersion: "1.21.6"
  # annotations common annotations for all Ingresses of Ditto (api, ws, root and ui)
  # (no comments inside the literal block below — they would become part of the annotation value)
  annotations:
    nginx.ingress.kubernetes.io/service-upstream: "true"
    nginx.ingress.kubernetes.io/server-snippet: |
      charset utf-8;
      default_type application/json;
      chunked_transfer_encoding off;
      send_timeout 70; # seconds, default: 60
      client_header_buffer_size 8k; # allow longer URIs + headers (default: 1k)
      large_client_header_buffers 4 16k;
      proxy_http_version 1.1;
      proxy_set_header X-Forwarded-Host $http_host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Host $host;
  # api the /api, /devops, /status, /stats, /overall and /health Ingress configuration
  api:
    # paths configures ingress paths
    paths:
      - path: /api
        backendSuffix: gateway
      - path: /devops
        backendSuffix: gateway
      - path: /status
        backendSuffix: gateway
      - path: /stats
        backendSuffix: gateway
      - path: /overall
        backendSuffix: gateway
      - path: /health
        backendSuffix: gateway
    # kubernetesAuthAnnotations puts ingress-nginx basic auth in front of all api paths, backed by the htpasswd Secret
    # the chart generates ("<release>-nginx-ingress-htpasswd"); it is rendered through the template engine, hence the {{ }}.
    # NOTE(review): /devops and /status expose operator functionality — do not remove this layer without confirming
    # that the gateway's own devops authentication (configured elsewhere in this chart) is active.
    kubernetesAuthAnnotations: |
      nginx.ingress.kubernetes.io/auth-type: basic
      nginx.ingress.kubernetes.io/auth-secret: {{ .Release.Name }}-nginx-ingress-htpasswd
      nginx.ingress.kubernetes.io/auth-realm: 'Authentication required to use HTTP API!'
    # annotations defines k8s annotations to add to the Ingress
    annotations:
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "70"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "70"
      nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout http_502"
      nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "4"
      nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "50"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
      # SECURITY (CORS): the snippet below sets $cors to '1' unconditionally, so every response carries
      # "Access-Control-Allow-Origin: <request Origin>" together with "Access-Control-Allow-Credentials: true" —
      # i.e. any web origin may make credentialed cross-site requests to the API with a logged-in user's cookies/auth.
      # The 405 "not in CORS allow-list" branch is unreachable as written, because $cors is never left empty.
      # Before exposing this Ingress publicly, derive $cors from an explicit origin allow-list (e.g. a "map $http_origin"
      # in the controller's http-level snippet) instead of reflecting $http_origin.
      # Also: "Access-Control-Expose-Headers: *" is not treated as a wildcard on credentialed responses — list the
      # headers explicitly. X-XSS-Protection is obsolete in current browsers; the CSP "default-src 'none'" is the
      # effective control for API responses.
      nginx.ingress.kubernetes.io/configuration-snippet: |
        set $cors '1';
        if ($request_method = 'OPTIONS') {
          set $cors "${cors}o";
        }
        if ($cors = '1') {
          add_header 'Access-Control-Allow-Origin' '$http_origin' always;
          add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always;
          add_header 'Access-Control-Allow-Credentials' 'true' always;
          add_header 'Access-Control-Allow-Headers' '$http_access_control_request_headers' always;
          add_header 'Access-Control-Expose-Headers' '*' always;
        }
        if ($cors = '1o') {
          # Tell client that this pre-flight info is valid for 20 days
          add_header 'Access-Control-Max-Age' 1728000;
          add_header 'Access-Control-Allow-Origin' '$http_origin' always;
          add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always;
          add_header 'Access-Control-Allow-Credentials' 'true' always;
          add_header 'Access-Control-Allow-Headers' '$http_access_control_request_headers' always;
          add_header 'Access-Control-Expose-Headers' '*' always;
          add_header 'Content-Type' 'text/plain charset=UTF-8';
          add_header 'Content-Length' 0;
          return 200;
        }
        if ($request_method = 'OPTIONS') {
          add_header 'Content-Type' 'text/plain charset=UTF-8';
          return 405 "Origin $http_origin is not in CORS allow-list, contact your admin to get it added";
        }
        # security relevant headers:
        add_header "Content-Security-Policy" "default-src 'none'; frame-ancestors 'none'" always;
        add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains;" always;
        add_header "Cache-Control" "no-cache" always;
        add_header "X-Content-Type-Options" "nosniff" always;
        add_header "X-Frame-Options" "SAMEORIGIN" always;
        add_header "X-XSS-Protection" "1; mode=block" always;
  # ws the /ws (WebSocket) Ingress configuration
  # NOTE(review): no kubernetesAuthAnnotations here — the WebSocket endpoint relies on the gateway authenticating
  # the connection itself (presumably; verify before exposing it)
  ws:
    # paths configures ingress paths
    paths:
      - path: /ws
        backendSuffix: gateway
    # annotations defines k8s annotations to add to the Ingress
    # (day-long send/read timeouts keep idle WebSocket sessions open; buffering is off so events are not delayed)
    annotations:
      nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
      nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout http_502"
      nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "4"
      nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "50"
      nginx.ingress.kubernetes.io/proxy-buffering: "off"
  # the / Ingress configuration for serving the landing page and static resources
  root:
    # paths configures ingress paths
    paths:
      - path: /
        pathType: Exact
        backendSuffix: nginx
      - path: /index.html
        pathType: Exact
        backendSuffix: nginx
      - path: /ditto-up.svg
        pathType: Exact
        backendSuffix: nginx
      - path: /ditto-down.svg
        pathType: Exact
        backendSuffix: nginx
    # annotations defines k8s annotations to add to the Ingress
    # CSP: the inline-script hash is tied to the landing page's HTML and has to be regenerated whenever that script changes;
    # whole-host CDN allow-lists (cdnjs, jsdelivr) make every library hosted there loadable, which weakens the policy —
    # tightening that needs self-hosting/SRI in the page itself, outside this chart.
    annotations:
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
      nginx.ingress.kubernetes.io/configuration-snippet: |
        # security relevant headers:
        add_header "Content-Security-Policy" "default-src 'self'; script-src-elem 'self' 'sha256-Kq9eqc/CtX2tgHPLJUEf8vDO9eNiGaRBrwAYYXTroVc=' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; worker-src 'self' blob:; object-src 'none';" always;
        add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains;" always;
        add_header "Cache-Control" "no-cache" always;
        add_header "X-Content-Type-Options" "nosniff" always;
        add_header "X-Frame-Options" "SAMEORIGIN" always;
        add_header "X-XSS-Protection" "1; mode=block" always;
  # ui the /ui and /apidoc Ingress configuration
  ui:
    # paths configures ingress paths
    # NOTE(review): the exact "/" path is also declared by the "root" Ingress above; two Ingresses claiming the same
    # host+path is a conflict the controller resolves by precedence — confirm the intended one wins.
    paths:
      - path: /
        pathType: Exact
        backendSuffix: nginx
      - path: /apidoc(/|$)(.*)
        backendSuffix: swaggerui
      - path: /ui(/|$)(.*)
        backendSuffix: dittoui
    # annotations defines k8s annotations to add to the Ingress
    # CSP: "connect-src ... localhost http://localhost:8080" is a development default so the UI can talk to a local
    # gateway — replace it with the real API origin; the same CDN allow-list caveat as for "root" applies.
    annotations:
      nginx.ingress.kubernetes.io/use-regex: "true"
      nginx.ingress.kubernetes.io/rewrite-target: /$2
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "10"
      nginx.ingress.kubernetes.io/configuration-snippet: |
        # security relevant headers:
        add_header "Content-Security-Policy" "default-src 'self'; script-src-elem 'self' 'sha256-Ve/Ec/6YDEeTc+9y+QCJ+e9OhyGWAj3bYxCzNGfOn6U=' 'sha256-Kq9eqc/CtX2tgHPLJUEf8vDO9eNiGaRBrwAYYXTroVc=' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; img-src 'self' data: https://raw.githubusercontent.com; font-src 'self' https://cdnjs.cloudflare.com; worker-src 'self' blob:; connect-src 'self' localhost http://localhost:8080; object-src 'none';" always;
        add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains;" always;
        add_header "Cache-Control" "no-cache" always;
        add_header "X-Content-Type-Options" "nosniff" always;
        add_header "X-Frame-Options" "SAMEORIGIN" always;
        add_header "X-XSS-Protection" "1; mode=block" always;
  # tls configures the TLS for ingress
  # Empty by default, i.e. the Ingress serves plain HTTP: basic-auth credentials and tokens would then cross the
  # network unencrypted, and the Strict-Transport-Security header emitted above is ignored by browsers until the site
  # is served over HTTPS. Provide a certificate Secret covering "host" before exposing the Ingress.
  tls: []
  #  - secretName: ditto-tls
  #    hosts:
  #      - localhost
## ----------------------------------------------------------------------------
## openshift configures the OpenShift deployment
openshift:
  # enabled whether to deploy to OpenShift
  enabled: false
  # routes the OpenShift Routes
  routes:
    # enabled whether OpenShift routes are enabled
    enabled: false
    # annotations define k8s annotations to apply for the routes
    annotations: {}
    # host: ""
    # targetPort configures the target port
    targetPort: http
    # tlsTermination / tlsInsecurePolicy are commented out, so a Route created with these defaults is plain HTTP;
    # uncomment both to terminate TLS at the router and redirect insecure requests
    # tlsTermination: "edge"
    # tlsInsecurePolicy: "Redirect"
  # securityContext the security context for OpenShift
  securityContext: {}
## ----------------------------------------------------------------------------
## pekko holds the Pekko actor configuration
## ref: https://pekko.apache.org/docs/pekko/current/typed/index.html
pekko:
  # actorSystemName defines the actor/cluster name of the Ditto cluster
  actorSystemName: ditto-cluster
  # remoting holds configuration for the Pekko cluster remoting
  remoting:
    # port defines the Port to use for remoting
    # NOTE(review): inter-node remoting is not authenticated or encrypted unless Pekko is configured for TLS, which this
    # chart does not show — restrict the port to the Ditto pods with a NetworkPolicy
    port: 2551
  # mgmthttp holds configuration for the Pekko cluster management
  mgmthttp:
    # port defines the Port to use for pekko http management (cluster bootstrap / membership endpoints)
    # same caveat as for remoting: keep it unreachable from outside the Ditto pods
    port: 8558
# Set "dittoTag" in order to specify another Ditto version to use for all Ditto services (overrides Chart.AppVersion):
# floating tags such as "1" (latest Ditto 1.x.x) or "1.5" (latest Ditto 1.5.x) also work, but they are mutable — together with
# pullPolicy IfNotPresent they make rollouts non-reproducible and let an upstream retag change the code you run; pin a full version in production
# dittoTag: 3.3.0
## ----------------------------------------------------------------------------
## policies configuration
## ref: https://www.eclipse.dev/ditto/architecture-services-policies.html
policies:
  # enabled controls whether policies related resources should be created
  enabled: true
  # replicaCount configuration for policies
  replicaCount: 1
  # updateStrategy configuration for policies
  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  # minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any
  # of its containers crashing, for it to be considered available
  # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds
  minReadySeconds: 10
  # additionalLabels configuration for policies
  additionalLabels: {}
  # additionalAnnotations configuration for policies
  additionalAnnotations: {}
  image:
    # repository for the policies docker image
    repository: docker.io/eclipse/ditto-policies
    # tag for the policies docker image - overwrite to specify something else than Chart.AppVersion
    # (prefer a fully-qualified version over a floating tag so that a retag upstream cannot change what is deployed)
    # tag: 3.3.0
    # pullPolicy for the policies docker image
    pullPolicy: IfNotPresent
  # additionalJvmOptions JVM options to put into JAVA_TOOL_OPTIONS
  additionalJvmOptions: ""
  # systemProps used to define arbitrary system properties for policies service
  # ref: https://www.eclipse.dev/ditto/installation-operating.html#configuration
  # (left as a bare key on purpose: Helm sees null and presumably skips the section — verify in the template)
  systemProps:
  # extraEnv to add arbitrary environment variable to policies container
  # Do not put secrets as literal "value"s here — they would be stored in plaintext in the release; use valueFrom/secretKeyRef.
  extraEnv:
  #  - name: LOG_LEVEL_APPLICATION
  #    value: "DEBUG"
  # resources configures the resources available/to use for the policies service
  resources:
    # cpu defines the "required" CPU of a node so that the service is placed there
    cpu: 0.5
    # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s
    memoryMi: 1024
  # jvm contains JVM specific scaling/tuning configuration of e.g. processors and garbage collector settings
  jvm:
    # activeProcessorCount defines how many processors the JVM should be configured to use
    # this is e.g. relevant for the GC which calculates the amount of asynchronous threads for GC based on the processor count
    activeProcessorCount: 2
    # heapRamPercentage defines how much memory of the configured "resources.memoryMi" can be used by the JVM heap space
    # be aware that the JVM also requires memory for "off heap" (and also stack) space + the container needs memory as well
    heapRamPercentage: 60
    # maxGcPauseMillis configures the used G1 GC "target for the maximum GC pause time"
    # default (by JVM if not set): 200
    maxGcPauseMillis: 150
  # readinessProbe configuration for policies
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  readinessProbe:
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 3
    successThreshold: 1
    failureThreshold: 3
  # livenessProbe configuration for policies
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  # (the long initial delay leaves time for cluster formation and journal recovery before a restart can be triggered)
  livenessProbe:
    initialDelaySeconds: 160
    periodSeconds: 10
    timeoutSeconds: 5
    successThreshold: 1
    failureThreshold: 4
  # podDisruptionBudget configuration for policies
  # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  # With the default replicaCount of 1, minAvailable 1 makes the single pod non-evictable and blocks node drains;
  # raise replicaCount (and global.cluster.requiredContactPoints) or lower minAvailable accordingly.
  podDisruptionBudget:
    # enabled controls whether policies related PodDisruptionBudget should be created
    enabled: true
    # minAvailable number of replicas during voluntary disruptions
    minAvailable: 1
  # nodeSelector configuration for policies
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  nodeSelector: {}
  # tolerations configuration for policies
  # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []
  # affinity configuration for policies
  # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  # podMonitor configuration for policies
  podMonitor:
    # enabled configures whether Pod Monitor is enabled, then a resource to scrape policies metrics will be created
    enabled: false
    # interval: 30s
    # scrapeTimeout: 15s
  # config holds policies specific configuration
  config:
    # mongodb holds mongodb specific configuration of policies
    mongodb:
      # minPoolSize configures the minimum number of connections in the connection pool
      minPoolSize: 10
      # maxPoolSize configures the maximum number of connections in the connection pool
      maxPoolSize: 200
      # maxPoolIdleTime configures the maximum amount of time a pooled connection is allowed to idle before closing the connection
      maxPoolIdleTime: 10m
      # journalWriteConcern the MongoDB write concern to apply for writing operations on the event journal
      # one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged
      # (policies are the authorization source of truth — do not weaken this below Journaled)
      journalWriteConcern: "Journaled"
      # snapsWriteConcern the MongoDB write concern to apply for writing operations on the snapshots persistence
      # one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged
      snapsWriteConcern: "Journaled"
      # journalCircuitBreaker configures the circuit breaker for MongoDB operations on the event journal
      journalCircuitBreaker:
        # maxTries opens the circuit breaker if an exception during persisting an event occurs this often
        # a successful write resets the counter
        maxTries: 10
        # timeout configures the MongoDB write timeouts also causing the circuit breaker to open
        timeout: 10s
        # reset after this time in "Open" state, the circuit breaker is "Half-opened" again
        reset: 5s
      # snapsCircuitBreaker configures the circuit breaker for MongoDB operations on the snapshots persistence
      snapsCircuitBreaker:
        # maxTries opens the circuit breaker if an exception during persisting a snapshot occurs this often
        # a successful write resets the counter
        maxTries: 10
        # timeout configures the MongoDB write timeouts also causing the circuit breaker to open
        timeout: 20s
        # reset after this time in "Open" state, the circuit breaker is "Half-opened" again
        reset: 8s
    # cleanup contains the configuration for the background cleanup of stale snapshots and events
    cleanup:
      # enabled configures whether background cleanup is enabled or not
      # if enabled, stale "snapshot" and "journal" entries will be cleaned up from the MongoDB by a background process:
      enabled: false
      # quietPeriod defines how long to stay in a state where the background cleanup is not yet started
      quietPeriod: 5m
      # history contains configuration regarding the event history
      history:
        # retentionDuration configures the duration of how long to "keep" events and snapshots before being allowed to remove them in scope of cleanup
        # (this also bounds how far back historical policy revisions — and the audit headers persisted with them — can be retrieved)
        retentionDuration: 30d
      # metricsReporter config of MongoMetricsReporter which is used by policies in order to report current persistence
      # roundtrip times in order to determine credits to cleanup stale data (journal entries, snapshots)
      metricsReporter:
        # resolution configures how far apart each measurement should be done
        resolution: 1s
        # history configures how many historical items to keep
        history: 5
        # interval configures how often a "credit decision" is made
        interval: 1s
        # timerThreshold configures the maximum database latency to give out credit for cleanup actions
        timerThreshold: 100ms
        # creditsPerBatch configures how many "cleanup credits" should be generated per "interval" as long as the
        # measured database latency stays below "timerThreshold"
        creditsPerBatch: 5
    # persistence holds configuration regarding (pekko) persistence of policies (event journal and snapshots)
    persistence:
      # activityCheckInterval configures to keep policies for that amount of time in memory when no other use did happen:
      activityCheckInterval: 2d
      # pingRate used to throttle pinging of PolicyPersistenceActors, so that not all PolicyPersistenceActors are recovered at the same time:
      pingRate:
        # frequency the frequency of sent "pings" to PolicyPersistenceActors
        frequency: 1s
        # entities the amount of entities to wake up per "frequency" interval
        entities: 50
      # events contains event journal specific configuration
      events:
        # historicalHeadersToPersist define the DittoHeaders to persist when persisting events to the journal
        # those can e.g. be retrieved as additional "audit log" information when accessing a historical Policy revision
        # (empty by default, i.e. no originator/origin is recorded with policy changes; enable the three below if you need
        # to answer "who changed this policy" from the journal)
        historicalHeadersToPersist:
        #  - "ditto-originator"
        #  - "ditto-origin"
        #  - "correlation-id"
      # snapshots contains snapshots persistence specific configuration
      snapshots:
        # interval configures the interval when to do snapshot for a Policy which had changes to it
        interval: 15m
        # threshold configures the threshold after how many changes to a Policy to do a snapshot
        threshold: 5
    # entityCreation by default, Ditto allows anyone to create a new entity (policy in this case) in any namespace.
    # However, this behavior can be customized, and the ability to create new entities can be restricted:
    # SECURITY: the default grant below (empty namespaces + empty authSubjects) is fully open — any authenticated subject
    # may create policies in any namespace. For multi-tenant or internet-facing deployments, narrow "namespaces" and/or
    # "authSubjects" so tenants cannot squat on each other's namespaces.
    entityCreation:
      # grants contains the list of creation config entries which would allow the creation of entities
      # An empty list would *not* allow any entity to be created.
      # You must have at least one entry, even if it is without restrictions.
      grants:
        - # namespaces holds the list of namespaces this entry applies to. An empty list would match any.
          # Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
          namespaces: []
          # authSubjects holds list of authentication subjects this entry applies to. An empty list would match any.
          # Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
          authSubjects: []
      # revokes contains the list of creation config entries which would reject the creation of entities
      # (a matching revoke wins over a matching grant — presumably; verify against the Ditto entity-creation docs)
      revokes: []
      #  - namespaces: []
      #    authSubjects: []
## ----------------------------------------------------------------------------
## things configuration
## ref: https://www.eclipse.dev/ditto/architecture-services-things.html
things:
# enabled controls whether things related resources should be created
enabled: true
# replicaCount configuration for things
replicaCount: 1
# updateStrategy configuration for things
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
# minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any
# of its containers crashing, for it to be considered available
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds
minReadySeconds: 10
# additionalLabels configuration for things
additionalLabels: {}
# additionalAnnotations configuration for things
additionalAnnotations: {}
image:
# repository for the things docker image
repository: docker.io/eclipse/ditto-things
# tag for the things docker image - overwrite to specify something else than Chart.AppVersion
# tag: 3.3.0
# pullPolicy for the things docker image
pullPolicy: IfNotPresent
# additionalJvmOptions JVM options to put into JAVA_TOOL_OPTIONS
additionalJvmOptions: ""
# systemProps used to define arbitrary system properties for things service
# ref: https://www.eclipse.dev/ditto/installation-operating.html#configuration
systemProps:
# extraEnv to add arbitrary environment variable to things container
extraEnv:
# - name: LOG_LEVEL_APPLICATION
# value: "DEBUG"
# resources configures the resources available/to use for the things service
resources:
# cpu defines the "required" CPU of a node so that the service is placed there
cpu: 0.5
# memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s
memoryMi: 1024
# jvm contains JVM specific scaling/tuning configuration of e.g. processors and garbage collector settings
jvm:
# activeProcessorCount defines how many processors the JVM should be configured to use
# this is e.g. relevant for the GC which calculates the amount of asynchronous threads for GC based on the processor count
activeProcessorCount: 2
# heapRamPercentage defines how much memory of the configured "resources.memoryMi" can be used by the JVM heap space
# be aware that the JVM also requires memory for "off heap" (and also stack) space + the container needs memory as well
heapRamPercentage: 60
# maxGcPauseMillis configures the used G1 GC "target for the maximum GC pause time"
# default (by JVM if not set): 200
maxGcPauseMillis: 150
# readinessProbe configuration for things
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 3
successThreshold: 1
failureThreshold: 3
# livenessProbe configuration for things
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
livenessProbe:
initialDelaySeconds: 160
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 4
# podDisruptionBudget configuration for things
# ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
podDisruptionBudget:
# enabled controls whether things related PodDisruptionBudget should be created
enabled: true
# minAvailable number of replicas during voluntary disruptions
minAvailable: 1
# nodeSelector configuration for things
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
# tolerations configuration for things
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# affinity configuration for things
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# podMonitor configuration for things
podMonitor:
# enabled configures whether Pod Monitor is enabled, then a resource to scrape things metrics will be created
enabled: false
# interval: 30s
# scrapeTimeout: 15s
# config holds things specific configuration
config:
# mongodb holds mongodb specific configuration of things
mongodb:
# minPoolSize configures the minimum number of connections in the connection pool
minPoolSize: 10
# maxPoolSize configures the maximum number of connections in the connection pool
maxPoolSize: 200
# maxPoolIdleTime configures the maximum amount of time a pooled connection is allowed to idle before closing the connection
maxPoolIdleTime: 10m
# journalWriteConcern the MongoDB write concern to apply for writing operations on the event journal
# one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged
journalWriteConcern: "Acknowledged"
# snapsWriteConcern the MongoDB write concern to apply for writing operations on the snapshots persistence
# one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged
snapsWriteConcern: "Acknowledged"
# journalCircuitBreaker configures the circuit breaker for MongoDB operations on the event journal
journalCircuitBreaker:
# maxTries opens the circuit breaker if an exception during persisting an event occurs this often
# a successful write resets the counter
maxTries: 10
# timeout configures the MongoDB write timeouts also causing the circuit breaker to open
timeout: 10s
# reset after this time in "Open" state, the circuit breaker is "Half-opened" again
reset: 5s
# snapsCircuitBreaker configures the circuit breaker for MongoDB operations on the snapshots persistence
snapsCircuitBreaker:
# maxTries opens the circuit breaker if an exception during persisting a snapshot occurs this often
# a successful write resets the counter
maxTries: 10
# timeout configures the MongoDB write timeouts also causing the circuit breaker to open
timeout: 20s
# reset after this time in "Open" state, the circuit breaker is "Half-opened" again
reset: 8s
# cleanup contains the configuration for the background cleanup of stale snapshots and events
cleanup:
# enabled configures whether background cleanup is enabled or not
# if enabled, stale "snapshot" and "journal" entries will be cleaned up from the MongoDB by a background process:
enabled: true
# quietPeriod defines how long to wait before the background cleanup is started
quietPeriod: 5m
# history contains configuration regarding the event history
history:
# retentionDuration configures how long to keep events and snapshots before the cleanup is allowed to remove them
retentionDuration: 30d
# metricsReporter config of MongoMetricsReporter which is used by things in order to report current persistence
# roundtrip times, based on which credits for cleaning up stale data (journal entries, snapshots) are determined
metricsReporter:
# resolution configures how far apart each measurement should be done
resolution: 1s
# history configures how many historical items to keep
history: 5
# interval configures how often a "credit decision" is made
interval: 1s
# timerThreshold configures the maximum database latency to give out credit for cleanup actions
timerThreshold: 100ms
# creditsPerBatch configures how many "cleanup credits" should be generated per "interval" as long as the measured
# database latency stays below "timerThreshold"
creditsPerBatch: 5
# persistence holds configuration regarding (akka) persistence of things (event journal and snapshots)
persistence:
# activityCheckInterval configures how long to keep things in memory when they were not used in the meantime
activityCheckInterval: 2d
# events contains event journal specific configuration
events:
# historicalHeadersToPersist define the DittoHeaders to persist when persisting events to the journal
# those can e.g. be retrieved as additional "audit log" information when accessing a historical Thing revision
historicalHeadersToPersist:
# - "ditto-originator"
# - "ditto-origin"
# - "correlation-id"
# snapshots contains snapshots persistence specific configuration
snapshots:
# interval configures how often a snapshot is taken for a Thing that had changes
interval: 15m
# threshold configures after how many changes to a Thing a snapshot is taken
threshold: 50
# entityCreation by default, Ditto allows anyone to create a new entity (thing in this case) in any namespace.
# However, this behavior can be customized, and the ability to create new entities can be restricted:
entityCreation:
# grants contains the list of creation config entries which allow the creation of entities
# An empty list would *not* allow any entity to be created.
# You must have at least one entry, even if it is without restrictions: an entry whose "namespaces" and
# "authSubjects" lists are both empty (the default below) permits creation in any namespace by any subject.
grants:
- # namespaces holds the list of namespaces this entry applies to. An empty list would match any.
# Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
namespaces: []
# authSubjects holds list of authentication subjects this entry applies to. An empty list would match any.
# Wildcards `*` (Matching any number of any character) and `?` (Matches any single character) are supported in entries of this list.
authSubjects: []
# revokes contains the list of creation config entries which would reject the creation of entities
revokes: []
# - namespaces: []
# authSubjects: []
# policiesEnforcer contains configuration for Ditto "Policy Enforcers", e.g. regarding caching
policiesEnforcer:
# cache holds the configuration of policy enforcer caching
cache:
# enabled whether caching of policy enforcers should be enabled
enabled: true
# maxSize the maximum size of policy enforcers to keep in the cache
maxSize: 50000
# expireAfterWrite the maximum duration of inconsistency after losing a cache invalidation
expireAfterWrite: 8h
# expireAfterAccess prolonged on each cache access by that duration
expireAfterAccess: 4h
# wot contains Web of Things (WoT) specific configuration
wot:
# tdBasePrefix is the base URL of the Ditto endpoint which is injected into generated TDs:
tdBasePrefix: "http://localhost:8080"
# tdJsonTemplate contains a json template added to generated TDs, e.g. containing security information:
tdJsonTemplate: >-
{
"securityDefinitions": {
"basic_sc": {
"scheme": "basic",
"in": "header"
}
},
"security": "basic_sc",
"support": "https://www.eclipse.dev/ditto/"
}
## ----------------------------------------------------------------------------
## things-search configuration
## ref: https://www.eclipse.dev/ditto/architecture-services-things-search.html
thingsSearch:
# enabled controls whether things-search related resources should be created
enabled: true
# replicaCount configuration for things-search
replicaCount: 1
# updateStrategy configuration for things-search
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
# minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any
# of its containers crashing, for it to be considered available
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds
minReadySeconds: 10
# additionalLabels configuration for things-search
additionalLabels: {}
# additionalAnnotations configuration for things-search
additionalAnnotations: {}
image:
# repository for the things-search docker image
repository: docker.io/eclipse/ditto-things-search
# tag for the things-search docker image - overwrite to specify something else than Chart.AppVersion
# tag: 3.3.0
# pullPolicy for the things-search docker image
pullPolicy: IfNotPresent
# additionalJvmOptions JVM options to put into JAVA_TOOL_OPTIONS
additionalJvmOptions: ""
# systemProps used to define arbitrary system properties for things-search service
# ref: https://www.eclipse.dev/ditto/installation-operating.html#configuration
systemProps:
# extraEnv to add arbitrary environment variable to things-search container
extraEnv:
# - name: LOG_LEVEL_APPLICATION
# value: "DEBUG"
# resources configures the resources available/to use for the things search service
resources:
# cpu defines the "required" CPU of a node so that the service is placed there
cpu: 0.5
# memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s
memoryMi: 1024
# jvm contains JVM specific scaling/tuning configuration of e.g. processors and garbage collector settings
jvm:
# activeProcessorCount defines how many processors the JVM should be configured to use
# this is e.g. relevant for the GC which calculates the amount of asynchronous threads for GC based on the processor count
activeProcessorCount: 2
# heapRamPercentage defines how much memory of the configured "resources.memoryMi" can be used by the JVM heap space
# be aware that the JVM also requires memory for "off heap" (and also stack) space + the container needs memory as well
heapRamPercentage: 60
# maxGcPauseMillis configures the used G1 GC "target for the maximum GC pause time"
# default (by JVM if not set): 200
maxGcPauseMillis: 150
# readinessProbe configuration for things-search
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 3
successThreshold: 1
failureThreshold: 3
# livenessProbe configuration for things-search
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
livenessProbe:
initialDelaySeconds: 160
periodSeconds: 10
timeoutSeconds: 5
successThreshold: 1
failureThreshold: 4
# podDisruptionBudget configuration for things-search
# ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
podDisruptionBudget:
# enabled controls whether things-search related PodDisruptionBudget should be created
enabled: true
# minAvailable number of replicas during voluntary disruptions
minAvailable: 1
# nodeSelector configuration for things-search
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
# tolerations configuration for things-search
# ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# affinity configuration for things-search
# ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
# podMonitor configuration for things-search
podMonitor:
# enabled configures whether Pod Monitor is enabled, then a resource to scrape things search metrics will be created
enabled: false
# interval: 30s
# scrapeTimeout: 15s
# config holds things-search specific configuration
config:
# mongodb holds mongodb specific configuration of things-search
mongodb:
# minPoolSize configures the minimum number of connections in the connection pool
minPoolSize: 10
# maxPoolSize configures the maximum number of connections in the connection pool
maxPoolSize: 100
# maxPoolIdleTime configures the maximum amount of time a pooled connection is allowed to idle before closing the connection
maxPoolIdleTime: 10m
# searchReadPreference configures the overall MongoDB read preference
# one of: primary | primaryPreferred | secondary | secondaryPreferred | nearest
searchReadPreference: "primary"
# searchWriteConcern configures the overall MongoDB write concern
# one of: unacknowledged | acknowledged | majority | journaled | w1 | w2 | w3
searchWriteConcern: "acknowledged"
# searchWithAcksWriteConcern configures the MongoDB write concern for commands sent with "search-persisted" ACK
# ref: https://www.eclipse.dev/ditto/basic-acknowledgements.html#built-in-acknowledgement-labels
# one of: unacknowledged | acknowledged | majority | journaled | w1 | w2 | w3
searchWithAcksWriteConcern: "majority"
# queryReadConcern configures the MongoDB read concern for doing queries / performing searches
# only if this is "linearizable" in combination with searchWithAcksWriteConcern: "majority" is strong consistency
# guaranteed for commands using the "search-persisted" requested ACK
# if used in a replicated MongoDB setup, this should therefore be changed to `queryReadConcern: "linearizable"`
# one of: default | local | majority | linearizable | snapshot | available
queryReadConcern: "local"
# updaterPersistenceReadConcern configures the MongoDB read concern for the "ThingUpdater"
# one of: default | local | majority | linearizable | snapshot | available
updaterPersistenceReadConcern: "local"
# updaterPersistenceReadPreference configures the MongoDB read preference for the "ThingUpdater"
updaterPersistenceReadPreference: "primaryPreferred"
# updater contains configuration for the "Things Updater" of things-search service
updater:
# activityCheckInterval configures how long to keep thing updaters in memory when no update happened in the meantime:
activityCheckInterval: 2h
# stream contains streaming configuration settings of the things-search service
stream:
# retrievalParallelism configures the upper bound of parallel SudoRetrieveThing commands
# (by extension, parallel loads of policy enforcer cache)
retrievalParallelism: 64
persistence:
# parallelism configures how many bulk writes to request in parallel - must be a power of 2
parallelism: 16
# policiesEnforcer contains configuration for Ditto "Policy Enforcers", e.g. regarding caching
policiesEnforcer:
# cache holds the configuration of policy enforcer caching
cache:
# maxSize the maximum size of policy enforcers to keep in the cache
maxSize: 30000
# expireAfterWrite the maximum duration of inconsistency after losing a cache invalidation
expireAfterWrite: 12h
# expireAfterAccess prolonged on each cache access by that duration
expireAfterAccess: 6h
# thingCache configures the cache configuration for caching of things in things-search
thingCache:
# maxSize defines how many things to cache
maxSize: 30000
# expireAfterWrite defines how long at most to keep things in the cache after loading them into the cache
expireAfterWrite: 12h
# expireAfterAccess defines how long at most to keep things in the cache after last accessing them from the cache
expireAfterAccess: 6h
# backgroundSync contains the configuration for the "background sync" responsible for continuously streaming
# over snapshot entries of things to ensure the eventual consistency of the search index
backgroundSync:
# enabled whether background sync is turned on
enabled: true
# quietPeriod the duration between service start-up and the beginning of background sync
quietPeriod: 5m
# idleTimeout how soon to close the remote stream if no element passed through it
idleTimeout: 5m
# toleranceWindow how long to wait before reacting to out-of-date search index entries
toleranceWindow: 20m
# keepEvents how many events to keep in the actor state
keepEvents: 2
# throttle contains the background sync throttling configuration
throttle:
# throughput how many things to update per throttle period
throughput: 100
# period the throttle period
period: 30s
## ----------------------------------------------------------------------------
## connectivity configuration
## ref: https://www.eclipse.dev/ditto/architecture-services-connectivity.html
connectivity:
# enabled controls whether connectivity related resources should be created
enabled: true
# replicaCount configuration for connectivity
replicaCount: 1
# updateStrategy configuration for connectivity
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
# minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any
# of its containers crashing, for it to be considered available
# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds
minReadySeconds: 10
# additionalLabels configuration for connectivity
additionalLabels: {}
# additionalAnnotations configuration for connectivity
additionalAnnotations: {}
image:
# repository for the connectivity docker image
repository: docker.io/eclipse/ditto-connectivity
# tag for the connectivity docker image - overwrite to specify something else than Chart.AppVersion
# tag: 3.3.0
# pullPolicy for the connectivity docker image
pullPolicy: IfNotPresent
# additionalJvmOptions JVM options to put into JAVA_TOOL_OPTIONS