helm-chart-sources/pulsar/values.yaml

#
#  Copyright 2022 DataStax, Inc.
#
#  Licensed under the Apache License, Version 2.0 (the "License");
#  you may not use this file except in compliance with the License.
#  You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
#  Unless required by applicable law or agreed to in writing, software
#  distributed under the License is distributed on an "AS IS" BASIS,
#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#  See the License for the specific language governing permissions and
#  limitations under the License.
#
#

# Namespace to deploy pulsar
# Use the Helm --namespace option to set the namespace

# Override for the name of the helm deployment
fullnameOverride: pulsar

# DNS name for loadbalancer
dnsName: pulsar.example.com

# The domain name for your kubernetes cluster. This domain is documented here: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#a-aaaa-records-1
# and is used to fully qualify service names when configuring Pulsar.
kubernetesClusterDomain: "cluster.local"

# The DNS Config to apply to all pod specs. It is documented here: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config.
# Note that because we use fully qualified service names for intra cluster networking with Pulsar components, we set
# the ndots value to 4 (the default is 5). This prevents 3 DNS lookups for the fully qualified service names that would
# be guaranteed to result in NXDOMAIN.
dnsConfig:
  options:
    - name: ndots
      value: "4"

# RBAC resource configuration
rbac:
  # create ClusterRole/Role and ClusterRoleBinding/RoleBinding resources
  create: true
  # use ClusterRole and ClusterRoleBinding resources when set to true
  # use namespaced Role and RoleBinding resources when set to false
  clusterRoles: false
# Global node selector
# If set, this will apply to all components
# Individual components can be set to a different node
# selector
# nodeSelector:
#   zone: pulsar
## If persistence is enabled, components that has state will
## be deployed with PersistentVolumeClaims, otherwise, for test
## purposes, they will be deployed with emptDir
persistence: true

# Global priority class
#
# If enabled, a new priority class will be created and applied to
# all Pulsar core pods. Priority indicates the importance of a Pod relative to other Pods.
# If you are running Pulsar with other pods that depend on it (ex. microservices),
# using a higher priority will ensure it gets scheduled first
priorityClass:
  enabled: false
  value: 1000000

# Enable initContainers that wait for dependent components to
# be enabled. Provides a graceful initial install. However, it some
# failure scenarios it can prevent containers from starting
# even though they could operate.
enableWaitContainers: true

default_storage:
  existingStorageClassName: default
  ## The default reclaimPolicy for created storage classes
  reclaimPolicy: Retain

# If default_storage is set, that storage class is the default for all
# persistent volumes created by the chart.
#
# You can override the default_storage storage class in the
# volumes section of each component configuration (example: zookeeper.volumes.data.storageClass)
#
# If you want to use an existing storage class as the default, then
# set existingStorageClassName, like this:

# To use an existing storage class:
# default_storage:
#   existingStorageClassName: <name>

# To use the default storage class of the k8s cluster, use the name "default"
# default_storage:
#   existingStorageClassName: default

# If you want the chart to create storage classes, then don't set
# existingStorageClass name and provide configuration values
# for the storage class. The settings vary based on cloud
# provider. Below are examples for AWS, GCP, and Azure.

# For AWS
# default_storage:
#  provisioner: kubernetes.io/aws-ebs
#  type: gp2
#  fsType: ext4
#  extraParams:
#     iopsPerGB: "10"

# For GCP
# default_storage:
#   provisioner: kubernetes.io/gce-pd
#   type: pd-ssd
#   fsType: ext4
#   extraParams:
#      replication-type: none

# For Azure
# default_storage:
#   provisioner: kubernetes.io/azure-disk
#   fsType: ext4
#   type: managed-premium
#   extraParams:
#     storageaccounttype: Premium_LRS
#     kind: Managed
#     cachingmode: ReadOnly

# TLS
# When you enable TLS and are using a proxy, you need to expose the
# TLS-enabled ports on the service. To allow TLS connections only, remove the plain-text ports.
# See the proxy and broker sections for details.
# This flag enables TLS for all client and admin facing components: broker, proxy, websocket proxy, standalone function
# worker. You must deploy the broker as a StatefulSet for hostname verification to work. In order to enable Pulsar
# components to network using TLS, see the tls.<component> section below; by default, intra cluster networking is
# plaintext.
enableTls: false
# Deprecated in favor of tls.<component>.tlsSecretName to enable certificates per component.
tlsSecretName: pulsar-tls

# When enableTls is true, TLS is enabled on the client- or admin-facing components (broker, proxy, websocket
# proxy, standalone function worker) by default.
# For added security, you can also enable TLS between the internal components (zookeeper, bookkeeper,
# function worker [connect to broker])
tls:
  # Enable TLS between ZooKeeper nodes (quorum TLS), between BookKeeper and ZooKeeper, and between
  # broker and ZooKeeper.
  # Note: The configured certificate must allow for both server and client use since it is used
  #       for mTLS. This should be in certificate:
  #
  # X509v3 Extended Key Usage:
  #               TLS Web Server Authentication, TLS Web Client Authentication
  # If using cert-manager, make sure your certificate includes:
  #
  zookeeper:
    enabled: false
    createCertificates: false
    # Used to enable hostname verification for all zk clients.
    # NOTE: temporarily false to allow for easy transition. In next major version bump, this will default to true.
    enableHostnameVerification: false
    # If set, supersedes the root "tlsSecretName" config
    tlsSecretName: ""
    # Starting in Zookeeper 3.8.0, it's possible to pass the Java Keystore password by file name.
    configureKeystoreWithPasswordFile: false
    certSpec:
      # Spec defined here: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey
      # Can be used to override the default algorithm that Cert-Manager uses when signing keys.
      privateKey: {}
  # Enable TLS between broker and BookKeeper, function worker and bookkeeper, and autorecovery and bookkeeper
  bookkeeper:
    enabled: false
    createCertificates: false
    # If set, supersedes the root "tlsSecretName" config
    tlsSecretName: ""
    certSpec:
      # Spec defined here: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey
      # Can be used to override the default algorithm that Cert-Manager uses when signing keys.
      privateKey: {}

  ## TLS is enabled for the function worker, broker, and proxy when enableTls is true. The below <component>.enableTlsWithBroker
  ## flags are used to determine whether the component's client should use TLS when connecting to the broker or the
  ## function worker. This is an inversion of the paradigm used for the zookeeper and bookkeeper configurations above,
  ## which is used to enable TLS for all components interacting with bookkeeper or zookeeper.

  # Enable TLS between function worker and broker
  # NOTE: the function worker's connection to the broker is only over TLS if brokerClientAuthenticationEnabled is true
  # or if authenticationEnabled is true in the function's configuration.
  function:
    enableTlsWithBroker: false
    # NOTE: temporarily false to allow for easy transition. In next major version bump, this will default to true.
    enableHostnameVerification: false
    createCertificates: false
    # If set, supersedes the root "tlsSecretName" config
    tlsSecretName: ""
    certSpec:
      # Spec defined here: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey
      # Can be used to override the default algorithm that Cert-Manager uses when signing keys.
      privateKey: {}
  # Websocket will use the tls.proxy.tlsSecretName for TLS
  websocket:
    enableTlsWithBroker: false
  proxy:
    # Specify the tls protocols the proxy will use to negotiate during TLS handshake (a comma-separated list of protocol names).
    tlsProtocols: "TLSv1.3,TLSv1.2"
    # Applies to connections to standalone function worker, too.
    enableTlsWithBroker: false
    # Applies to upstream broker and function worker TLS connections.
    # NOTE: temporarily false to allow for easy transition. In next major version bump, this will default to true.
    enableHostnameVerification: false
    createCertificates: false
    # If set, supersedes the root "tlsSecretName" config
    tlsSecretName: ""
    certSpec:
      # Spec defined here: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey
      # Can be used to override the default algorithm that Cert-Manager uses when signing keys.
      privateKey: {}

  broker:
    # Specify the tls protocols the broker will use to negotiate during TLS handshake (a comma-separated list of protocol names).
    tlsProtocols: "TLSv1.3,TLSv1.2"
    createCertificates: false
    # If set, supersedes the root "tlsSecretName" config
    tlsSecretName: ""
    certSpec:
      # Spec defined here: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey
      # Can be used to override the default algorithm that Cert-Manager uses when signing keys.
      privateKey: {}

  # Certificate used for TLS client authentication with bookkeeper and zookeeper, and for verifying self-signed certs
  autoRecovery:
    createCertificates: false
    # NOTE: temporarily false to allow for easy transition. In next major version bump, this will default to true.
    enableHostnameVerification: false
    # If set, supersedes the root "tlsSecretName" config
    tlsSecretName: ""
    certSpec:
      # Spec defined here: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey
      # Can be used to override the default algorithm that Cert-Manager uses when signing keys.
      privateKey: {}

  pulsarAdminConsole:
    # Applies to all upstream targets
    enableForProxyToBroker: false
    createCertificates: false
    # If set, supersedes the root "tlsSecretName" config
    tlsSecretName: ""
    certSpec:
      # Spec defined here: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey
      # Can be used to override the default algorithm that Cert-Manager uses when signing keys.
      privateKey: {}
  bastion:
    enableHostnameVerification: true
 # enable these in case you use tls certificate stored in /pulsar/certs/ca.crt
  pulsarHeartbeat:
    enableHostnameVerification: false
  transactionCoordinatorInitialiser:
    enableHostnameVerification: false

  # Configuration for the self-signed root CA Certificate. (All Pulsar components are assumed to share the same root CA.)
  ssCaCert:
    # If set, supersedes the root "tlsSecretName" config. Note, this secret is used to configure TLS verification for
    # components like the Bastion and the Pulsar HeartBeat.
    tlsSecretName: ""
    # Only applied when using Cert Manager's self-signed certs per component.
    certSpec:
      # Spec defined here: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificatePrivateKey
      # Can be used to override the default algorithm that Cert-Manager uses when signing keys.
      privateKey: {}

  # Deprecated. Use tls.ssCaCert.tlsSecretName.
  rootCaSecretName: ""

# secrets:
  ## If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY----- # pragma: allowlist secret
  ##
  ## If you're using cert-manager (see below), this is unneeded, as it will create the secret for you if it is not set
  ##
  ## Note: The key should not be in PKCS 8 format even though that is the format used by Pulsar
  ##       The format will be converted by chart to PKCS 8. This is to maintain compatibility with
  ##       cert-manager
  # key: |
  # certificate: |
  # caCertificate: |

# If you are using an external source to populate the TLS certificate (ex cert-manager),
# enter the path and name to the CA cert. This is required so that the components
# within the cluster (proxy, broker, etc.) can talk to each other
#
# If you are using self-signed certs, the CA will be contained within the tlsSecretName above,
# so use the following settings:
#
# tlsCaPath: /pulsar/certs
# tlsCaCert: ca.crt
#
# If your certificate is signed by public CA (ex Let's Encrypt), then you can use
# the standard CA store from the container OS using the following settings:

tlsCaPath: /etc/ssl/certs
tlsCaCert: ca-certificates.crt

superUserRoles: superuser,admin,websocket,proxy
proxyRoles: proxy

# Enable token-based authentication and authorization
enableTokenAuth: false

# Token public key file name
tokenPublicKeyFile: my-public.key

# Token private key file name
tokenPrivateKeyFile: my-private.key

# Turn on anti affinity rules so that replica pods are spread for
# high availability.
# In development environments (ex. Minikube) with a single node, this needs to be disabled
enableAntiAffinity: true

# Settings for anti-affinity. Host antiAffinity ensures that
# replica pods are scheduled on different hosts. The
# number of hosts >= number of replicas. By default, this is
# required, but you can set mode to "preferred" to make
# this a preferred scheduling setting for deployments only (broker, proxy)
#
# Zone antiAffinity distributes replica pods across availability
# zones. This is a "soft" requirement, so that in the event of
# a failure of a zone, pods will run in a different zone
antiAffinity:
  host:
    enabled: true
    mode: "required"
  zone:
    enabled: false

# Install Helm tests (run with helm test <release>)
# Enable basic tests
enableTests: false
# Also enabled extended tests
enableExtendedTests: false

# By default, Kubernetes will not restart pods when only their
# configmap is changed. This setting will restart pods when their
# configmap is changed using an annotation that calculates the
# checksum of the configmap
restartOnConfigMapChange:
  enabled: false

## which extra components
extra:
  # Broker as deployment
  broker: true
  # Broker as stateful set
  brokerSts: false
  # Pulsar proxy
  proxy: true
  # Websocket proxy
  #
  # This will enable a standalone WebSocket proxy that
  # runs as part of the proxy pod.
  #
  # See the broker config section for enabling WebSocket
  # service within the broker.
  wsproxy: true
  # Standalone functions workers
  #
  # See broker config section for information on enabling
  # the function worker within the broker. If you should use one or the other.
  #
  # When enabling the standalone function worker, the proxy will be configured
  # to forward function API calls.
  #
  # ZooKeeper with non-persistent storage
  #
  # These are extra ZooKeepers that can be used to achieve quorum that
  # are not locked to an AZ or host by a PVC requirement
  # They can "float" between AZs for quorum in complete AZ failure scenarios
  zookeepernp: false
  # Standalone function worker
  #
  function: false
  pulsarSQL: false
  # DNS on proxy
  usedns: false
  dnsOnProxy: true
  # Bookkeeper auto-recovery
  autoRecovery: true
  # Bastion pod for administrative commands
  bastion: true
  # Pulsar Beam for HTTP interface
  # Pulsar Beam depends on the proxy pod, so you must enable
  # that to use Beam. You need to expose the Pulsar Beam
  # port on the proxy. See the proxy section for details.
  pulsarBeam: false
  # Burnell - various Pulsar proxies
  burnell: false
  # Burnell log collector for functions when using process runtime
  burnellLogCollector: false
  # Zoonavigator for debugging Zookeeper
  zoonavigator: false
  # Tardigrade for decentralized blob storage
  # This runs the S3 gateway that connects to Tardigrade
  tardigrade: false
  # Pulsar Heartbeat
  pulsarHeartbeat: false
  # Pulsar Admin console
  pulsarAdminConsole: false

## Which images to use
# When upgrading a Pulsar cluster, it is recommended to upgrade the
# components one at a time (zookeeper, bookkeeper, broker, etc.).
# This section allows for targeted upgrades of each component.
#
image:
  broker:
    # If not using tiered storage, you can use the smaller pulsar image for the broker
    repository: datastax/lunastreaming-all
    pullPolicy: IfNotPresent
    tag: 2.10_1.5
  brokerSts:
    # If not using tiered storage, you can use the smaller pulsar image for the broker
    repository: datastax/lunastreaming-all
    pullPolicy: IfNotPresent
    tag: 2.10_1.5
  function:
    repository: datastax/lunastreaming-all
    pullPolicy: IfNotPresent
    tag: 2.10_1.5
  zookeeper:
    repository: datastax/lunastreaming
    pullPolicy: IfNotPresent
    tag: 2.10_1.5
  bookkeeper:
    repository: datastax/lunastreaming
    pullPolicy: IfNotPresent
    tag: 2.10_1.5
  proxy:
    repository: datastax/lunastreaming
    pullPolicy: IfNotPresent
    tag: 2.10_1.5
  bastion:
    repository: datastax/lunastreaming
    pullPolicy: IfNotPresent
    tag: 2.10_1.5
  pulsarBeam:
    repository: kesque/pulsar-beam
    pullPolicy: IfNotPresent
    tag: 1.0.0
  burnell:
    repository: datastax/burnell
    pullPolicy: Always
    tag: 1.0.5
  burnellLogCollector:
    repository: datastax/burnell
    pullPolicy: IfNotPresent
    tag: logcollector_latest
  pulsarSQL:
    repository: datastax/lunastreaming-all
    tag: 2.10_1.5
    pullPolicy: IfNotPresent
  tardigrade:
    repository: storjlabs/gateway
    pullPolicy: IfNotPresent
    tag: 981f92a-v1.20.0-go1.17.5
  pulsarHeartbeat:
    repository: datastax/pulsar-heartbeat
    pullPolicy: IfNotPresent
    tag: 1.0.17
  pulsarAdminConsole:
    repository: datastax/pulsar-admin-console
    pullPolicy: IfNotPresent
    tag: 2.1.5

## Tiered Storage
##

storageOffload:
  driver: ""
  ## General
  ## =======
  # bucket: <bucket>
  # region: <region>
  # maxBlockSizeInBytes: "64000000"
  # readBufferSizeInBytes: "1000000"
  ## The following are default values for the cluster. They can be changed
  ## on each namespace.
  # managedLedgerOffloadDeletionLagMs: "14400000"
  # managedLedgerOffloadAutoTriggerSizeThresholdBytes: "-1" # disabled

  # For AWS S3
  # ======
  # You must create an IAM account with access to the bucket and
  # generate keys for that account.
  #
  # driver: aws-s3
  # accessKey: <access-key>
  # accessSecret: <secret-key> # pragma: allowlist secret

  # For S3 Compatible
  # =================
  # Need to create access and secret key for S3 compatible service
  #
  # driver: aws-s3
  # accessKey: <access-key>
  # accessSecret: <secret-key> # pragma: allowlist secret
  # serviceEndpoint: host:port

  # For Tardigrade
  # =================
  # Need to enable extra.tardigrade for the S3 gateway.
  # See tardigrade section below to configure the S3 gateway
  #
  # driver: aws-s3

  # For Azure Blob
  # =================
  # Need to create an Azure storage account and a blob container (bucket)
  # To retrieve key, see https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal#code-try-1
  #
  # driver: azureblob
  # storageAccount: <account name>
  # storageAccountKey: <account key>

  ## For Google Cloud Storage
  ## ====================
  ## You must create a service account that has access to the objects in GCP buckets
  ## and upload its key as a JSON file to a secret.
  ##
  ## 1. Go to https://console.cloud.google.com/iam-admin/serviceaccounts
  ## 2. Select your project.
  ## 3. Create a new service account.
  ## 4. Give the service account permission to access the bucket. For example,
  ##    the "Storage Object Admin" role.
  ## 5. Create a key for the service account and save it as a JSON file.
  ## 6. Either of the two steps below:
  ##     * Save the JSON file in a k8s secret:
  ##          kubectl create secret generic pulsar-gcp-sa-secret \
  ##             --from-file=account-223201-f12856532197.json \
  ##             --namespace pulsar
  ##      OR
  ##      * Set storageOffload.gcsServiceAccountJsonFileContent to the
  ##        base64-encoded content of the JSON file:
  ##            helm install pulsar \
  ##            --set storageOffload.gcsServiceAccountJsonFile=account-223201-f12856532197.json \
  ##            --set storageOffload.gcsServiceAccountJsonFileContent=$(cat account-223201-f12856532197.json | base64) .
  ##        This method is totally equivalent to the previous one.
  ##         In fact, it would generate the same secret.
  # driver: google-cloud-storage
  # gcsServiceAccountSecret: pulsar-gcp-sa-secret # pragma: allowlist secret
  # gcsServiceAccountJsonFile: account-223201-f12856532197.json

## Pulsar: Zookeeper cluster
## templates/zookeeper-statefulset.yaml
##
zookeeper:
  component: zookeeper
  replicaCount: 3
  updateStrategy:
    type: RollingUpdate
  podManagementPolicy: Parallel
  # nodeSelector:
    # cloud.google.com/gke-nodepool: default-pool
  # nodeAffinity:
  #   preferredDuringSchedulingIgnoredDuringExecution:
  #   - weight: 1
  #     preference:
  #       matchExpressions:
  #       - key: failure-domain.beta.kubernetes.io/region
  #         operator: In
  #         values:
  #         - region1
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8000"
  tolerations: []
  gracePeriod: 60
  probe:
    enabled: true
    initial: 20
    period: 30
    timeout: 30
  resources:
    requests:
      memory: 1Gi
      cpu: 0.3
    # limits:
    #   memory: 1Gi
    #   cpu: 0.3
  volumes:
    data:
      name: data
      size: 5Gi
      # You can override the default_storage class for this volume.
      # To use an existing storage class, set existingStorageClassName.
      # To have the chart create a storage class, leave existingStorageClassName
      # unset and specify the storage class parameters under storageClass. The
      # appropriate parameters will vary by cloud provider. See default_storage above for examples.
      #
      # existingStorageClassName: <name>
      #
      # To use the default storage class of the k8s cluster, use the name "default"
      # existingStorageClassName: default
      #
      # OR (GCP example)
      #
      # storageClass:
      #   provisioner: kubernetes.io/gce-pd
      #   type: pd-ssd
      #   fsType: ext4
      #   extraParams:
      #      replication-type: none
  ## Zookeeper configmap
  ## templates/zookeeper-configmap.yaml
  ##
  configData:
    PULSAR_MEM: "-Xms1g -Xmx1g -Dcom.sun.management.jmxremote -Djute.maxbuffer=10485760"
    PULSAR_GC: "-XX:+UseG1GC"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dzookeeper.tcpKeepAlive=true -Dzookeeper.clientTcpKeepAlive=true -Dpulsar.log.root.level=info"
  ## Zookeeper service
  ## templates/zookeeper-service.yaml
  ##
  service:
    annotations:
    ports:
    - name: server
      port: 2888
    - name: leader-election
      port: 3888
    - name: client
      port: 2181
  ## Zookeeper PodDisruptionBudget
  ## templates/zookeeper-pdb.yaml
  ##
  pdb:
    usePolicy: true
    maxUnavailable: 1

## Pulsar: Zookeeper cluster non persistent storage
## Used as floating Zookeeper to maintain quorum in AZ failures
## templates/zookeepernp-statefulset.yaml
##
zookeepernp:
  component: zookeepernp
  # Keep count at 0 unless you are using the non-persistent zookeeper
  replicaCount: 0
  updateStrategy:
    type: RollingUpdate
  podManagementPolicy: Parallel
  # nodeSelector:
    # cloud.google.com/gke-nodepool: default-pool
  # nodeAffinity:
  #   preferredDuringSchedulingIgnoredDuringExecution:
  #   - weight: 1
  #     preference:
  #       matchExpressions:
  #       - key: failure-domain.beta.kubernetes.io/region
  #         operator: In
  #         values:
  #         - region1
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8000"
  tolerations: []
  gracePeriod: 60
  probe:
    enabled: true
    initial: 20
    period: 30
    timeout: 30
  resources:
    requests:
      memory: 1Gi
      cpu: 0.3
    # limits:
    #   memory: 1Gi
    #   cpu: 0.3
  # Volume is emptyDir
  volumes:
    data:
      name: data
  ## Zookeeper configmap
  ## templates/zookeepernp-configmap.yaml
  ##
  configData:
    PULSAR_MEM: "-Xms1g -Xmx1g -Dcom.sun.management.jmxremote -Djute.maxbuffer=10485760"
    PULSAR_GC: "-XX:+UseG1GC"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dzookeeper.tcpKeepAlive=true -Dzookeeper.clientTcpKeepAlive=true -Dpulsar.log.root.level=info"
  ## Zookeeper service
  ## templates/zookeepernp-service.yaml
  ##
  service:
    annotations:
    ports:
    - name: server
      port: 2888
    - name: leader-election
      port: 3888
    - name: client
      port: 2181
  ## Zookeeper PodDisruptionBudget
  ## templates/zookeepernp-pdb.yaml
  ##
  pdb:
    usePolicy: true
    maxUnavailable: 1

## Pulsar Zookeeper metadata. The metadata will be deployed as
## soon as the last zookeeper node is reachable. The deployment
## of other components that depends on zookeeper, such as the
## bookkeeper nodes, broker nodes, etc. will only start to be
## deployed when the zookeeper cluster is ready and with the
## metadata deployed
zookeeperMetadata:
  component: zookeeper-metadata
  ## timeout (in seconds) for running "bin/pulsar initialize-cluster-metadata" command
  initTimeout: 60

## Pulsar: Bookkeeper cluster
## templates/bookkeeper-statefulset.yaml
##
bookkeeper:
  component: bookkeeper
  replicaCount: 3
  updateStrategy:
    type: RollingUpdate
  podManagementPolicy: Parallel
  # nodeSelector:
    # cloud.google.com/gke-nodepool: default-pool
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8000"
  tolerations: []
  pvcPrexix: ''
  probe:
    enabled: true
    port: 3181
    initial: 10
    period: 30
    timeout: 5
  gracePeriod: 60
  resources:
    requests:
      memory: 2Gi
      cpu: 1
    # limits:
    #   memory: 2Gi
    #   cpu: 1
  volumes:
    journal:
      name: journal
      size: 20Gi
      # To override the default_storage class for this volume, set storageClass.
      # To use an existing storage class, set existingStorageClassName.
      # To have the chart create a storage class, leave existingStorageClassName
      # unset and specify the storage class parameters. The appropriate parameters
      # will vary by cloud provider. See default_storage above for examples.
      #
      # existingStorageClassName: <name>
      #
      # To use the default storage class of the k8s cluster, use the name "default"
      # existingStorageClassName: default
      #
      # OR (GCP example)
      #
      # storageClass:
      #   provisioner: kubernetes.io/gce-pd
      #   type: pd-ssd
      #   fsType: ext4
      #   extraParams:
      #      replication-type: none
    ledgers:
      name: ledgers
      size: 50Gi
      # To override the default_storage class for this volume, set storageClass.
      # To use an existing storage class, set existingStorageClassName.
      # To have the chart create a storage class, leave existingStorageClassName
      # unset and specify the storage class parameters. The appropriate parameters
      # will vary by cloud provider. See default_storage above for examples.
      #
      # existingStorageClassName: <name>
      #
      # To use the default storage class of the k8s cluster, use the name "default"
      # existingStorageClassName: default
      #
      # OR (GCP example)
      #
      # storageClass:
      #   provisioner: kubernetes.io/gce-pd
      #   type: pd-ssd
      #   fsType: ext4
      #   extraParams:
      #      replication-type: none

    # If you enable state storage on BookKeeper, a persistent volume
    # to hold the state files (ranges)
    ranges:
      name: ranges
      size: 5Gi
    # To override the default_storage class for this volume, set storageClass.
    # To use an existing storage class, set existingStorageClassName.
    # To have the chart create a storage class, leave existingStorageClassName
    # unset and specify the storage class parameters. The appropriate parameters
    # will vary by cloud provider. See default_storage above for examples.
    #
    # existingStorageClassName: <name>
    #
    # To use the default storage class of the k8s cluster, use the name "default"
    # existingStorageClassName: default
    #
    # OR (GCP example)
    #
    # storageClass:
    #   provisioner: kubernetes.io/gce-pd
    #   type: pd-ssd
    #   fsType: ext4
    #   extraParams:
    #      replication-type: none

  ## Bookkeeper configmap
  ## templates/bookkeeper-configmap.yaml
  ##
  configData:
    BOOKIE_MEM: "-Xms2g -Xmx2g -XX:MaxDirectMemorySize=2g -Dio.netty.leakDetectionLevel=disabled -Dio.netty.recycler.linkCapacity=1024 -XX:+ExitOnOutOfMemoryError"
    BOOKIE_GC: "-XX:+UseG1GC"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dpulsar.log.root.level=info"
    statsProviderClass: org.apache.bookkeeper.stats.prometheus.PrometheusMetricsProvider
  ## Bookkeeper configmap
  ## templates/bookkeeper-service.yaml
  ##
  service:
    annotations:
    ports:
    - name: server
      port: 3181
  ## Bookkeeper PodDisruptionBudget
  ## templates/bookkeeper-pdb.yaml
  ##
  pdb:
    usePolicy: true
    maxUnavailable: 1

## Pulsar: Broker cluster
## templates/broker-deployment.yaml
##
broker:
  component: broker
  replicaCount: 3
  # ledger:
  #   defaultEnsembleSize: 2
  #   defaultAckQuorum: 2
  #   defaultWriteQuorum: 2
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  # nodeSelector:
  #   cloud.google.com/gke-nodepool: default-pool
  #
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar
  # podAntiAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #   - labelSelector:
  #       matchExpressions:
  #       - key: "component"
  #         operator: In
  #         values:
  #         - bookkeeper
  #     topologyKey: "kubernetes.io/hostname"
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8080"
  tolerations: []
  gracePeriod: 60
  # Enable extra services in the broker
  # These can also be enabled as standalone services
  # See extra section above
  functionsWorkerEnabled: false
  webSocketServiceEnabled: false
  # Enable Transactions on the Pulsar cluster.
  # It starts the transaction coordinator module inside the broker.
  # It runs the Transaction coordinator metadata setup job.
  transactionCoordinator:
    enabled: false
    # set to true to manually initialize transaction coordinator on existing cluster
    initialize: false
    # Count of partitions used for the transaction coordinator.
    initialCount: 16
  probe:
    enabled: true
    port: 8080
    initial: 10
    period: 30
    timeout: 5
  resources:
    requests:
      memory: 2Gi
      cpu: 1
    # limits:
    #   memory: 2Gi
    #   cpu: 1
  # Init container to add files to image
  initContainer: {}
  # initContainer:
  #   repository: repository/image
  #   tag: latest
  #   pullPolicy: IfNotPresent
  #   command: ["cp", "-r", "/pulsar-libs", "/jars" ]
  #   args: []
  #   emptyDirPath: "/jars"
  #   env:
  #   - name:
  #     value:
  #   envFrom:
  #   - configMapRef:
  #     name:

  # Comma delimited list of authentication providers
  authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
  # extraAuthProvider: this is now a deprecated field, use the `.Values.broker.authenticationProviders` field instead

  ## Broker configmap
  ## templates/broker-configmap.yaml
  ##
  configData:
    PULSAR_MEM: "-Xms2g -Xmx2g -XX:MaxDirectMemorySize=2g -Dio.netty.leakDetectionLevel=disabled -Dio.netty.recycler.linkCapacity=1024 -XX:+ExitOnOutOfMemoryError"
    PULSAR_GC: "-XX:+UseG1GC"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dpulsar.log.root.level=info"
    brokerDeduplicationEnabled: "false"
    exposeTopicLevelMetricsInPrometheus: "true"
    exposeConsumerLevelMetricsInPrometheus: "false"
    backlogQuotaDefaultRetentionPolicy: "producer_exception"

  ## Broker service
  ## templates/broker-service.yaml
  ##
  # If you are enabling TLS, make sure these ports are on the port list:
  #   - name: https
  #     port: 8443
  #     protocol: TCP
  #   - name: pulsarssl
  #     port: 6651
  # To only allow TLS connections, remove the plain-text ports (http, pulsar)
  service:
    annotations: {}
    type: ClusterIP
    headless: false
    ports:
    - name: http
      port: 8080
    - name: pulsar
      port: 6650
    - name: https
      port: 8443
    - name: pulsarssl
      port: 6651
  ingress:
    enabled: false
  ## Broker PodDisruptionBudget
  ## templates/broker-pdb.yaml
  ##
  pdb:
    usePolicy: true
    maxUnavailable: 1

## Pulsar: Broker cluster
## templates/broker-deployment.yaml
##
brokerSts:
  component: brokersts
  replicaCount: 3
  # ledger:
  #   defaultEnsembleSize: 2
  #   defaultAckQuorum: 2
  #   defaultWriteQuorum: 2
  # nodeSelector:
  #   cloud.google.com/gke-nodepool: default-pool
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar
  # podAntiAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #   - labelSelector:
  #       matchExpressions:
  #       - key: "component"
  #         operator: In
  #         values:
  #         - bookkeeper
  #     topologyKey: "kubernetes.io/hostname"
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8080"
  tolerations: []
  gracePeriod: 60
  # Enable extra services in the broker
  # These can also be enabled as standalone services
  # See extras section above
  functionsWorkerEnabled: false
  webSocketServiceEnabled: false
  transactionCoordinator:
    enabled: false
    initialCount: 16
  probe:
    enabled: true
    port: 8080
    initial: 10
    period: 30
    timeout: 5
  resources:
    requests:
      memory: 2Gi
      cpu: 1
    # limits:
    #   memory: 2Gi
    #   cpu: 1
  # Init container to add files to image
  initContainer: {}
  # initContainer:
  #   repository: repository/image
  #   tag: latest
  #   pullPolicy: IfNotPresent
  #   command: ["cp", "-r", "/pulsar-libs", "/jars" ]
  #   args: []
  #   emptyDirPath: "/jars"
  #   env:
  #   - name:
  #     value:
  #   envFrom:
  #   - configMapRef:
  #     name:

  # Comma delimited list of authentication providers
  authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
  # extraAuthProvider: this is now a deprecated field, use the `.Values.brokerSts.authenticationProviders` field instead

  ## Broker configmap
  ## templates/broker-configmap.yaml
  ##
  configData:
    PULSAR_MEM: "-Xms2g -Xmx2g -XX:MaxDirectMemorySize=2g -Dio.netty.leakDetectionLevel=disabled -Dio.netty.recycler.linkCapacity=1024 -XX:+ExitOnOutOfMemoryError"
    PULSAR_GC: "-XX:+UseG1GC"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dpulsar.log.root.level=info"
    brokerDeduplicationEnabled: "false"
    exposeTopicLevelMetricsInPrometheus: "true"
    exposeConsumerLevelMetricsInPrometheus: "false"
    backlogQuotaDefaultRetentionPolicy: "producer_exception"

  ## Broker service
  ## templates/broker-service.yaml
  ##
  # If you are enabling TLS, make sure these ports are on the port list:
  #   - name: https
  #     port: 8443
  #     protocol: TCP
  #   - name: pulsarssl
  #     port: 6651
  # To only allow TLS connections, remove the plain-text ports (http, pulsar)
  service:
    annotations: {}
    type: ClusterIP
    headless: false
    ports:
    - name: http
      port: 8080
    - name: pulsar
      port: 6650
    - name: https
      port: 8443
    - name: pulsarssl
      port: 6651
  ingress:
    enabled: false
  ## Broker PodDisruptionBudget
  ## templates/broker-pdb.yaml
  ##
  pdb:
    usePolicy: true
    maxUnavailable: 1

## Pulsar Transactions metadata setup.
## This is the job responsible to prepare the cluster for enabling transactions.
## Job will start as soon as one broker pod is available.
brokerTransactionsMetadata:
  component: broker-transactions-metadata

function:
  component: function
  replicaCount: 2
  functionReplicaCount: 2
  usePython3: false
  updateStrategy:
    type: RollingUpdate
  podManagementPolicy: Parallel
  probe:
    enabled: true
    port: 6750
    initial: 10
    period: 30
    timeout: 5
  # Only the process runtime has been tested with this chart
  runtime: "process"
  k8sMinResources:
    cpu: "0.1"
    ram: "307200000"
    disk: "10737418240"
  # If state storage is enabled state storage will be enabled on Bookkeeper and the
  # function workers will connect to BookKeeper by default.
  # Note: State storage is in developer preview
  enableStateStorage: false
  enableMetrics: false
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar
  # nodeSelector:
    # cloud.google.com/gke-nodepool: default-pool
  annotations:
    prometheus.io/scrape: "false"
    prometheus.io/port: "8080"
  tolerations: []
  gracePeriod: 60
  resources:
    requests:
      memory: 4Gi
      cpu: 1
    # limits:
    #   memory: 4Gi
    #   cpu: 1
  volumes:
    data:
      name: logs
      size: 5Gi
      # To override the default_storage class for this volume, set storageClass.
      # To use an existing storage class, set existingStorageClassName.
      # To have the chart create a storage class, leave existingStorageClassName
      # unset and specify the storage class parameters. The appropriate parameters
      # will vary by cloud provider. See default_storage above for examples.
      #
      # existingStorageClassName: <name>
      #
      # To use the default storage class of the k8s cluster, use the name "default"
      # existingStorageClassName: default
      #
      # OR (GCP example)
      #
      # storageClass:
      #   provisioner: kubernetes.io/gce-pd
      #   type: pd-ssd
      #   fsType: ext4
      #   extraParams:
      #      replication-type: none
  # Init container to add files to image
  initContainer: {}
  # initContainer:
  #   repository: repository/image
  #   tag: latest
  #   pullPolicy: IfNotPresent
  #   command: ["cp", "-r", "/pulsar-connectors", "/connectors" ]
  #   args: []
  #   emptyDirPath: "/connectors"
  #   mainContainerStartupCmd: "cp -f /connectors/pulsar-connectors/* /pulsar/connectors"
  #   env:
  #   - name:
  #     value:
  #   envFrom:
  #   - configMapRef:
  #     name:

  authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken,org.apache.pulsar.broker.authentication.AuthenticationProviderTls"

  ## When adding custom properties to configure a function worker, the values must be supplied here. Normal config
  ## is read in to the WorkerConfig fields. Custom configuration (for fields that are not in the WorkerConfig class)
  ## should be added here. Then, when pulsar calls config.getProperty("my-custom-field"), the fields are in the config's
  ## properties map. For example, you might use this map to configure the openid-connect plugin.
  # customProperties: {}

  ## Arbitrary custom function worker configuration can be added to functions_worker.yml using customConfiguration
  # customConfiguration: {}

  ## Function configmap
  ## templates/function-configmap.yaml
  ##
  configData:
    PULSAR_MEM: "-Xms2g -Xmx2g -XX:MaxDirectMemorySize=2g -XX:+ExitOnOutOfMemoryError"
    PULSAR_GC: "-XX:+UseG1GC"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dpulsar.log.root.level=info"
  ## Function service
  ## templates/function-service.yaml
  ##
  service:
    annotations: {}
    type: ClusterIP
    headless: true
    ports:
    - name: http
      port: 6750
    - name: https
      port: 6751
  ## Function PodDisruptionBudget
  ## templates/function-pdb.yaml
  ##
  pdb:
    usePolicy: true
    maxUnavailable: 1

# Configuration for presto SQL
pulsarSQL:
  component: sql
  # nodeSelector:
  # affinity:
  # tolerations:
  resources:
    requests:
      memory: 2Gi
      cpu: 1
  server:
    scheduleCoordinator: true
    workers: 0
    node:
      environment: production
    log:
      presto:
        level: INFO
    config:
      http:
        port: 8090
      query:
        maxMemory: "4GB"
        maxMemoryPerNode: "1GB"
    jvm:
      maxHeapSize: "8G"
      gcMethod:
        type: "UseG1GC"
        g1:
          heapRegionSize: "32M"

  image:
    securityContext:
      enabled: false
      runAsUser: 1000
      runAsGroup: 1000

  service:
    type: LoadBalancer

  ingress:
    enabled: false
    host: presto.host.com
    annotations: {}

  catalog:
    pulsar:
      maxEntryReadBatchSize: "100"
      targetNumSplits: "2"
      maxSplitMessageQueueSize: "10000"
      maxSplitEntryQueueSize: "1000"
      namespaceDelimiterRewriteEnable: "false"
      rewriteNamespaceDelimiter: "/"
      bookkeeperThrottleValue: "0"
      managedLedgerCacheSizeMB: "0"

# Tardigrade S3 gateway
#
# Configure the S3 gateway according to instructions here:
#     https://documentation.tardigrade.io/api-reference/s3-gateway
# Make sure you configure an access grant. Once you have done that, you can find the values
# for access, accessKey, and secretKey in:
#     ~/.local/share/storj/gatewayconfig.yaml
#
tardigrade:
  access: access-key-generated-with-uplink
  # Specify and access and secret key that can be used to connect to the local
  # tardigrade gateway. This will be used for both the gateway and the offload configuration.
  #
  # accessKey:
  # secretKey:
  service:
    port: 7777
    type: ClusterIP

# Placeholder for Burnell config options
burnell: {}

## Pulsar Component: Proxy
## templates/proxy-deployment.yaml
##
proxy:
  component: proxy
  replicaCount: 3
  # when authorization is enabled, proxy will check authorization before proxying requests. zookeeperClientEnabled must be set to true
  authorizationEnabled: true
  # when disabled, proxy won't be configured to connect to zookeeper
  zookeeperClientEnabled: true
  # when false, broker address will be looked up in zookeeper
  disableZookeeperDiscovery: true
  # use "brokersts" instead of "broker" to identify the broker k8s component
  useStsBrokersForDiscovery: false
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  # nodeSelector:
    # cloud.google.com/gke-nodepool: default-pool
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8080"
  tolerations: []
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar
  gracePeriod: 60
  ## Proxy extensions can be configured via the configData map located in this
  ## section of the values file: .Values.proxy.configData
  ## Some configuration options are provided here to simplify deployment
  extensions:
    enabled: false
    directory: "./proxyextensions"
    ## Comma separated list of extensions
    ## Kafka on Pulsar is used as an example
    ## extensions: "kafka"
    extensions: ""
    ## Ports to open on the proxy container for network traffic
    containerPorts: []
    # - name: kafkaplaintext
    #   containerPort: 9092
    # - name: kafkassl
    #   containerPort: 9093
    ## Ports to open on the proxy service for protocol handler traffic
    ## Kafka on Pulsar is used as an example
    servicePorts: []
    # - name: kafkaplaintext
    #   port: 9092
    #   protocol: TCP
    #   targetPort: kafkaplaintext
    # - name: kafkassl
    #   port: 9093
    #   protocol: TCP
    #   targetPort: kafkassl
  probe:
    enabled: true
    initial: 10
    period: 30
    timeout: 5
  # Resources for the main Pulsar proxy
  resources:
    requests:
      memory: 1Gi
      cpu: 1
    # limits:
    #   memory: 1Gi
    #   cpu: 1
  # Resources for the websocket proxy
  wsResources:
    requests:
      memory: 1Gi
      cpu: 1
    # limits:
    #   memory: 1Gi
    #   cpu: 1
  # Init container to add files to image
  initContainer: {}
  # initContainer:
  #   repository: repository/image
  #   tag: latest
  #   pullPolicy: IfNotPresent
  #   command: ["cp", "-r", "/pulsar-libs", "/jars" ]
  #   args: []
  #   emptyDirPath: "/jars"
  #   env:
  #   - name:
  #     value:
  #   envFrom:
  #   - configMapRef:
  #     name:

  # Comma delimited list of authentication providers
  authenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken"
  # extraAuthProvider: this is now a deprecated field, use the `.Values.proxy.authenticationProviders` field instead
  # Configure the wsAuthenticationProviders using .Values.proxy.configData
  wsAuthenticationProviders: "org.apache.pulsar.broker.authentication.AuthenticationProviderToken,org.apache.pulsar.broker.authentication.AuthenticationProviderTls"

  ## Proxy configmap
  ## templates/proxy-configmap.yaml
  ##
  configData:
    PULSAR_MEM: "-Xms1g -Xmx1g -XX:MaxDirectMemorySize=1g"
    PULSAR_GC: "-XX:+UseG1GC"
    numHttpServerThreads: "10"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dpulsar.log.root.level=info"
    # To disable authentication on the Prometheus /metrics endpoint
    # authenticateMetricsEndpoint: "false"
  wsProxyPort: 8000
  wsProxyPortTls: 8001
  ## Proxy loadbalancer service
  ## templates/proxy-service.yaml
  ##
  # service:
  #   annotations: {}
  #   type: LoadBalancer
  #   ports:
  #   - name: http
  #     port: 8080
  #     protocol: TCP
  #   - name: pulsar
  #     port: 6650
  #     protocol: TCP
  #   - name: ws
  #     port: 8000
  #     protocol: TCP
  #
  # If you are enabling TLS, add these ports:
  #   - name: https
  #     port: 8443
  #     protocol: TCP
  #   - name: pulsarssl
  #     port: 6651
  #     protocol: TCP
  #   - name: wss
  #     port: 8001
  #     protocol: TCP
  #
  # To only use TLS, remove the plain text ports from the list (http, pulsar, ws)
  #
  # If you are enabling Pulsar Beam, add this port:
  #   - name: pulsarbeam
  #     port: 8085
  #     protocol: TCP
  #
  # Pulsar Beam uses the same port for whether TLS is enabled or not

  ## Proxy cluster service
  ## templates/proxy-service.yaml
  ##
  autoPortAssign:
    enablePlainTextWithTLS: false
    matchingNodePort: false
  service:
    annotations: {}
    type: LoadBalancer
    autoPortAssign:
      enabled: false
    ports:
    - name: http
      port: 8080
      protocol: TCP
    - name: pulsar
      port: 6650
      protocol: TCP
    - name: ws
      port: 8000
      protocol: TCP

  # For creating and extra service pointing to the proxy
  extraService:
    enabled: false
    annotations: {}
    autoPortAssign:
      enabled: true
    type: ClusterIP
    ports:
    - name: http
      port: 8080
      protocol: TCP
    - name: pulsar
      port: 6650
      protocol: TCP
    - name: ws
      port: 8000
      protocol: TCP

  ingress:
    enabled: false
    host: admin.host.com
    enableWebSocket: false
    wssPortOnProxy: 8001
    enableBurnell: false

  ## Proxy PodDisruptionBudget
  ## templates/proxy-pdb.yaml
  ##
  pdb:
    usePolicy: true
    maxUnavailable: 1

## Pulsar Component:  DNS on proxy RBAC
## templates/dns-rbac.yaml
## templates/dns-deployment.yaml
dns:
  component: dns
  provider: aws
  domainFilter: example.com
  hostAnnotations:
  # Trying to create CNAME records (ex AWS NLB)
  # Need to add TXT prefix to prevent conflicts
  # txtPrefix: k8s-
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar

## Pulsar Component: Bookkeeper auto-recovery
## templates/autorecovery-deployment.yaml
##
autoRecovery:
  component: autorecovery
  replicaCount: 1
  # Enable auto provisioning of Pulsar keys and JWT
  enableProvisionContainer: false
  # nodeSelector:
  #   cloud.google.com/gke-nodepool: default-pool
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar
  # podAntiAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #   - labelSelector:
  #       matchExpressions:
  #       - key: "component"
  #         operator: In
  #         values:
  #         - bookkeeper
  #     topologyKey: "kubernetes.io/hostname"
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8000"
  tolerations: []
  gracePeriod: 60
  resources:
    requests:
      memory: 512Mi
      cpu: 0.3
    # limits:
    #   memory: 512Mi
    #   cpu: 0.3
  ## Bookkeeper auto-recovery configmap
  ## templates/autorecovery-configmap.yaml
  ##
  configData:
    BOOKIE_MEM: "-Xms512m -Xmx512m -XX:+ExitOnOutOfMemoryError"
    BOOKIE_GC: "-XX:+UseG1GC"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dpulsar.log.root.level=info"

## Pulsar Component: Pulsar Admin console
## templates/admin-console/pulsar-admin-console-deployment.yaml
##
pulsarAdminConsole:
  component: adminconsole
  defaultTenant: public
  # authMode: none, k8s, openidconnect
  authMode: none
  serverLogLevel: info
  createUserSecret:
    enabled: false
    user: ''
    password: ''
  apiVersion: "2.7.2"
  probe:
    liveness:
      initialDelaySeconds: 15
      timeoutSeconds: 15
    readiness:
      initialDelaySeconds: 5
      timeoutSeconds: 3
  replicaCount: 1
  codeSampleUrl:
    useDnsName: true
    pulsar: "pulsar+ssl://pulsarhost:6651"
    websocket: "wss://pulsarhost:8001"
    http: "https://pulsarhost:8085"
  ingress:
    enabled: false
    host: ui.host.com
    annotations: {}
    enableTls: false
  # nodeSelector:
    # cloud.google.com/gke-nodepool: default-pool
  annotations: {}
  tolerations: []
  gracePeriod: 60
  resources:
    requests:
      memory: 512Mi
      cpu: 0.5
  ## Dashboard service
  ## templates/dashboard-service.yaml
  ##
  service:
    annotations: {}
    type: LoadBalancer
    ports:
    - name: http
      port: 80
      targetPort: "http"
    - name: https
      port: 443
      targetPort: "https"

## Pulsar Component: Zoonavigator
## templates/zoonavigator-deployment.yaml
##
zoonavigator:
  component: zoonavigator
  replicaCount: 1
  autoConnect: true
  # nodeSelector:
    # cloud.google.com/gke-nodepool: default-pool
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar
  annotations: {}
  tolerations: []
  gracePeriod: 60
  resources:
    requests:
      memory: 128Mi
      cpu: 0.1
  image:
    repository:
      web: elkozmon/zoonavigator-web
      api: elkozmon/zoonavigator-api
    tag: 0.6.0
    pullPolicy: IfNotPresent

  ## Zoonavigator service
  ## templates/zoonavigator-service.yaml
  ##
  service:
    annotations: {}
    ports:
    - name: server
      port: 8001

## Pulsar Component: Bastion
## templates/bastion-deployment.yaml
##
bastion:
  component: bastion
  installDebugTools: false
  replicaCount: 1
  # nodeSelector:
    # cloud.google.com/gke-nodepool: default-pool
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar
  annotations: {}
  tolerations: []
  gracePeriod: 60
  resources:
    requests:
      memory: 256Mi
      cpu: 0.25
  ## Bastion configmap
  ## templates/bastion-configmap.yaml
  ##
  configData:
    PULSAR_MEM: "-XX:+ExitOnOutOfMemoryError"
    PULSAR_GC: "-XX:+UseG1GC"
    PULSAR_LOG_LEVEL: "info"
    PULSAR_LOG_ROOT_LEVEL: "info"
    PULSAR_EXTRA_OPTS: "-Dpulsar.log.root.level=info"

## Pulsar Beam
## templates/beamwh-deployment.yaml
##
pulsarBeam:
  tlsCaPath: /etc/ssl
  tlsCaCert: cert.pem
  component: pulsarbeam
  replicaCount: 1
  resources:
    requests:
      memory: 256Mi
      cpu: 0.5
    # limits:
    #   memory: 256Mi
    #   cpu: 0.5
  annotations: {}
  tolerations: []
  gracePeriod: 60
  # logLevel: debug
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #     - matchExpressions:
  #       - key: nodepool
  #         operator: In
  #         values:
  #         - pulsar

pulsarHeartbeat:
  component: pulsarheartbeat
  port: "8089"
  annotations:
    prometheus.io/scrape: "true"
    prometheus.io/port: "8089"
    prometheus.io/path: "/metrics"
  resources:
    requests:
      memory: 64Mi
      cpu: 0.1
    limits:
      memory: 128Mi
      cpu: 0.25
  prometheus:
    enabled: true
  config:
    k8sInClusterMonitorEnabled: "false"
    alertUrl:
    # If not supplied, defaults to "/pulsar/certs/ca.crt"
    trustStore:
    opsGenieHeartbeatUrl:
    opsGenieHeartbeatKey:
    opsGenieAlertKey:
    broker:
      intervalSeconds: 45
    adminRest:
      intervalSeconds: 120
    latencyTest:
      intervalSeconds: 60
      topicName: "persistent://public/default/pubsub-latency-test"
  service: {}

# For configuring OpenID in Okta for Pulsar, instructions are here: https://www.youtube.com/watch?v=UQBrecHOXxU&ab_channel=DataStaxDevelopers
# Please also see the docs here: https://github.com/datastax/pulsar-openid-connect-plugin
# Then, use the values from the Payload generated to populate these fields:
openid:
  component: openid
  enabled: false
  allowedAudience: ""
  roleClaim: sub
    # Set following to true if admin console is configured to use Okta integration. (The admin console uses a local admin token.)
  attemptAuthenticationProviderToken: true
  # Comma delimited list of issuers to trust
  allowedIssuerUrls: ""
  acceptedTimeLeewaySeconds: 0
  withS4k: false
  jwk:
    cacheSize: 10
    expiresSeconds: 300
    connectionTimeoutMillis: 10000
    readTimeoutMillis: 10000
  metadata:
    cacheSize: 10
    expiresSeconds: 86400
    connectionTimeoutMillis: 10000
    readTimeoutMillis: 10000
  requireHttps: true
# Deploy Keycloak
keycloak:
  enabled: false
  # This block sets up an example Pulsar Realm
  # https://www.keycloak.org/docs/latest/server_admin/#_export_import
  extraStartupArgs: "-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=/realm/pulsar-realm.json -Dkeycloak.migration.strategy=IGNORE_EXISTING"
  extraVolumes: |
    - name: realm-config
      configMap:
        name: realm-config
  extraVolumeMounts: |
    - name: realm-config
      mountPath: "/realm/"
      readOnly: true
  auth:
    tls:
      enabled: false
  # Config specific to this helm chart
  # The realm to use when the Pulsar Admin Console calls Keycloak (this configures nginx)
  # Note that this is the realm in the pre-configured realm that ships with this helm chart
  realm: "pulsar"

# Deploy cert-manager
cert-manager:
  enabled: false
  # namespaceOverride: cert-manager
  installCRDs: false

createCertificates:
  # Create a single self-signed certificate for brokers, proxy, and function worker
  selfSigned:
    enabled: false
    includeDns: false
  # Create unique certificates per component. They will share the same root CA generated by CertManager.
  selfSignedPerComponent:
    enabled: false
  acme:
    enabled: false
    # Production server: https://acme-v02.api.letsencrypt.org/directory
    # Staging server: https://acme-staging-v02.api.letsencrypt.org/directory
    server: https://acme-v02.api.letsencrypt.org/directory
    email: user@example.com
    # Only enabled one of the below solvers
    httpSolver:
      # For this solver to work the ingress must support TCP connections to the Pulsar protocol port (6650) as well as HTTP connections since everything must have a single domain name
      enabled: false
      ingressClass: nginx
    azureDns:
      # See https://cert-manager.io/docs/configuration/acme/dns01/azuredns/ for information on getting these values and the format of the file for the secret
      enabled: false
      clientId: ""
      clientSecretName: "azuredns-config"
      clientSecretKey: "client-secret"
      subscriptionId: ""
      tenantId: ""
      resourceGroupName: ""
      dnsZone: ""
    awsDns:
      # Secret must contain the IAM secretAccessKey
      # See https://cert-manager.io/docs/configuration/acme/dns01/route53/ for more info
      enabled: false
      region: "us-east-1"
      accessKey: ""
      accessSecretName: ""
      accessSecretKey: "secret-access-key"
    gcpDns:
      # See https://cert-manager.io/docs/configuration/acme/dns01/google/ for information
      enabled: false
      projectId: ""
      secretName: "clouddns-dns01-solver-svc-acct"
      secretKey: "key.json"
    digitalOceanDns:
      # See https://cert-manager.io/docs/configuration/acme/dns01/digitalocean/
      enabled: false
      secretName: "digitalocean-dns"
      secretKey: "access-token"

# Deploy Grafana dashboard for Pulsar.
# These dashboards will be discovered by the kube-prometheus-stack
# if it is running the same namespace as the stack

grafanaDashboards:
  enabled: false
  # namespaceOverride: monitoring

# Deploy a Prometheus Operator PodMonitor to enable scraping metrics from all
# Pulsar components deployed by this helm chart.
# Note: when kube-prometheus-stack.enabled is true, the PodMonitor is deployed to enable monitoring the cluster.
enablePulsarPodMonitor: false

# Deploy the kube-prometheus-stack which includes:
# * Prometheus (using Prometheus Operator)
# * Alertmanager (using Prometheus Operator)
# * Grafana
# * Prometheus node exporter
#
# https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack
#
# The default values will enable Prometheus and
# Grafana, but not AlertManager.
# Scraping configs for Pulsar pods are included. By default,
# pods in the namespace of the deployment will be scraped.
#
# The stack can add standard Kubernetes alert rules, but those
# are disabled by default.
#
# A set of Pulsar-specific rules are included below.
# The threshold for some of the rules are low and should
# be adjusted to match the performance/use of the Pulsar
# deployment. To be notified when the rules are triggered,
# you need to enable and configure Alertmanager. It supports
# many targets including email, Slack, OpsGenie, PagerDuty.

kube-prometheus-stack:
  enabled: false
  # namespaceOverride: monitoring
  prometheus-node-exporter:
    # namespaceOverride: monitoring
  defaultRules:
    create: false
    rules:
      alertmanager: true
      etcd: true
      general: true
      k8s: true
      kubeApiserver: true
      kubePrometheusNodeAlerting: true
      kubePrometheusNodeRecording: true
      kubeScheduler: true
      kubernetesAbsent: true
      kubernetesApps: true
      kubernetesResources: true
      kubernetesStorage: true
      kubernetesSystem: true
      node: true
      prometheusOperator: true
      prometheus: true
  additionalPrometheusRulesMap:
    general-rules:
      groups:
      - name: acks
        rules:
        - alert: unacked-message-high
          expr: pulsar_subscription_unacked_messages > 100
          for: 1m
          labels:
            severity: critical
          annotations:
            identifier: '{{ $labels.topic }}:{{ $labels.subscription }}'
            description: 'Unacked messages on subscription high'
        - alert: subscription-blocked-on-unacked-messages
          expr: pulsar_subscription_blocked_on_unacked_messages > 1
          for: 1m
          labels:
            severity: critical
          annotations:
            identifier: '{{ $labels.topic }}:{{ $labels.subscription }}'
            description: Subscription is blocked on unacked messages
      - name: components
        rules:
        - alert: zookeeper-write-latency-high
          expr: zookeeper_server_requests_latency_ms > 500
          for: 1m
          labels:
            severity: warning
          annotations:
            identifier: '{{ $labels.kubernetes_pod_name }}'
            description: 'Zookeeper write latency is high'
        - alert: bookkeeper-add-latency-high
          expr: bookkeeper_server_ADD_ENTRY_REQUEST > 1500
          for: 1m
          labels:
            severity: warning
          annotations:
            description: Add latency to BookKeeper is high
            identifier: '{{ $labels.kubernetes_pod_name }}'
        - alert: bookkeeper-read-latency-high
          expr: bookkeeper_server_READ_ENTRY_REQUEST > 1000
          for: 1m
          labels:
            severity: warning
          annotations:
            description: Read latency from BookKeeper is high
            identifier: '{{ $labels.kubernetes_pod_name }}'
        - alert: bookkeeper-bookie-readonly
          expr: bookie_SERVER_STATUS == 0
          for: 1m
          labels:
            severity: warning
          annotations:
            description: Bookie is read-only
            identifier: '{{ $labels.kubernetes_pod_name }}'
    cluster-normal:
      groups:
      - name: exp-counts-rates
        rules:
        - alert: producers-high
          expr: pulsar_producers_count > 500
          for: 1m
          labels:
            severity: warning
          annotations:
            description: Producer count is high
            identifier: '{{ $labels.topic }}'
        - alert: consumers-high
          expr: pulsar_consumers_count > 500
          for: 1m
          labels:
            severity: warning
          annotations:
            description: Consumer count is high
            identifier: '{{ $labels.topic }}'
        - alert: in-rate-high
          expr: pulsar_rate_in > 5000
          for: 1m
          labels:
            severity: warning
          annotations:
            description: Incoming message rate is high on broker
            identifier: '{{ $labels.topic }}'
        - alert: out-rate-high
          expr: pulsar_rate_out > 5000
          for: 1m
          labels:
            severity: warning
          annotations:
            description: Outgoing message rate is high on broker
            identifier: '{{ $labels.topic }}'
    volumes:
      groups:
      - name: volumes-filling
        rules:
        - alert: KubePersistentVolumeFillingUp
          expr: kubelet_volume_stats_available_bytes{job="kubelet",metrics_path="/metrics",namespace=~".*"} / kubelet_volume_stats_capacity_bytes{job="kubelet",metrics_path="/metrics",namespace=~".*"} < 0.10
          for: 1m
          labels:
            severity: critical
          annotations:
            message: The PersistentVolume claimed by {{ $labels.persistentvolumeclaim }} in Namespace {{ $labels.namespace }} is only {{ $value | humanizePercentage }} free.

  alertmanager:
    enabled: false

  grafana:
    enabled: true
    # namespaceOverride: "monitoring"
    testFramework:
      enabled: false
    defaultDashboardsEnabled: true
    dashboardProviders:
      dashboardproviders.yaml:
        apiVersion: 1
        providers:
        - name: 'default'
          orgId: 1
          folder: ''
          type: file
          disableDeletion: true
          editable: false
          options:
            path: /var/lib/grafana/dashboards/default
    dashboards:
      default:
        zookeeper:
          gnetId: 10465
          revision: 4
          datasource: Prometheus
    # Configure to set a default admin password for Grafana
    adminPassword:
    service:
      type: LoadBalancer
      port: 3000
    ingress:
      enabled: false
      hosts:
        - grafana.example.com
      path: /
    grafana.ini:
      server:
        root_url: 'http://localhost:3000'
      security:
        allow_embedding: true
        cookie_samesite: 'lax'

  kubeApiServer:
    enabled: true
  kubelet:
    enabled: true
  kubeControllerManager:
    enabled: false
  coreDns:
    enabled: true
  kubeDns:
    enabled: false
  kubeEtcd:
    enabled: true
  kubeScheduler:
    enabled: false
  kubeProxy:
    enabled: false
  kubeStateMetrics:
    enabled: true
  nodeExporter:
    enabled: true

  prometheusOperator:
    enabled: true

  prometheus:
    enabled: true
    ingress:
      enabled: false
      hosts:
        - prometheus.example.com
    prometheusSpec:
      retention: 10d
      # storageSpec:
      #   volumeClaimTemplate:
      #     spec:
      #       storageClassName: default
      #       resources:
      #         requests:
      #           storage: 50Gi
      additionalScrapeConfigs: []