generator/default_values.yaml

## --------------------------------------------------------------------------------
##
##                                      argocd
##
## --------------------------------------------------------------------------------
argocd:

  ## a prefix to use for argocd application names
  ##  - allows a single instance of argocd to manage deployKF across multiple clusters
  ##  - if non-empty, `argocd.destination` must be a remote cluster, this is because
  ##    a single cluster can only have one instance of deployKF
  ##
  appNamePrefix: ""

  ## the namespace in which argocd is deployed
  ##
  namespace: argocd

  ## the project used for deployKF argocd applications
  ##
  project: default

  ## the source used for deployKF argocd applications
  ##
  source:

    ## plugin configs
    ##
    plugin:

      ## if the argocd plugin is being used
      ##  - note, this value is automatically set to true when using the plugin
      ##
      enabled: false

    ## configs specifying the git repo which contains your generated manifests
    ##
    repo:
      ## the URL of your manifest git repo
      ##  - for example, if you are using a GitHub repo named 'deployKF/examples', you might set this value
      ##    to "https://github.com/deployKF/examples" or "git@github.com:deployKF/examples.git"
      ##
      url: ""

      ## the git revision which contains your generated manifests
      ##  - for example, if you are using the 'main' branch of your repo, you might set this value to "main"
      ##
      revision: ""

      ## the path within your repo where the generated manifests are stored
      ##  - for example, if you are using a folder named 'GENERATOR_OUTPUT' at the root of your repo,
      ##    you might set this value to "./GENERATOR_OUTPUT/"
      ##
      path: ""

  ## the destination used for deployKF argocd applications
  ##  - the value of `destination.name` takes precedence over `destination.server`
  ##
  destination:
    server: https://kubernetes.default.svc
    name: ""


## --------------------------------------------------------------------------------
##
##                              deploykf-dependencies
##
## --------------------------------------------------------------------------------
deploykf_dependencies:

  ## --------------------------------------
  ##             cert-manager
  ## --------------------------------------
  cert_manager:
    enabled: true
    namespace: cert-manager

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## chart overrides
    ##
    charts:
      certManager:
        name: cert-manager
        version: 1.12.2
        repository: https://charts.jetstack.io

      trustManager:
        name: trust-manager
        version: 0.5.0
        repository: https://charts.jetstack.io

    ## image overrides
    ##
    images:
      certManagerController:
        repository: quay.io/jetstack/cert-manager-controller
        tag: ~
        pullPolicy: IfNotPresent

      certManagerWebhook:
        repository: quay.io/jetstack/cert-manager-webhook
        tag: ~
        pullPolicy: IfNotPresent

      certManagerCainjector:
        repository: quay.io/jetstack/cert-manager-cainjector
        tag: ~
        pullPolicy: IfNotPresent

      certManagerAcmesolver:
        repository: quay.io/jetstack/cert-manager-acmesolver
        tag: ~

      certManagerCtl:
        repository: quay.io/jetstack/cert-manager-ctl
        tag: ~
        pullPolicy: IfNotPresent

      trustManager:
        repository: quay.io/jetstack/trust-manager
        tag: ~
        pullPolicy: IfNotPresent

      trustManagerDefaultPackage:
        repository: quay.io/jetstack/cert-manager-package-debian
        tag: ~
        pullPolicy: IfNotPresent

    ## cert-manager controller configs
    ##
    controller:

      ## PodSecurityContext configs
      ##
      securityContext:
        fsGroup: 1001

      ## ServiceAccount configs
      ##
      serviceAccount:
        create: true
        name: "cert-manager"
        annotations: {}

      ## extra command line args
      ##  - https://cert-manager.io/v1.11-docs/cli/controller/
      ##
      extraArgs:
        ## automatically remove generated secrets when the certificate resource is deleted
        - --enable-certificate-owner-ref=true

    ## istio gateway certificate issuer configs
    ##  - if you wish to use your own ClusterIssuer, set `clusterIssuer.enabled` to false
    ##    and set `clusterIssuer.issuerName` to the name of your issuer, (this still works when you
    ##    bring your own cert-manager deployment by setting `cert_manager.enabled` to false)
    ##
    clusterIssuer:
      enabled: true
      issuerName: deploykf-gateway-issuer

      ## the type of the chart-provided ClusterIssuer
      ##  - currently only "SELF_SIGNED" is supported, to use a different issuer type
      ##    set `clusterIssuer.enabled` to false and provision your own issuer
      ##
      type: SELF_SIGNED

      selfSigned:
        caIssuerName: selfsigned-ca-issuer
        caSecretName: selfsigned-ca-issuer-root-cert

        ## using trust-manager, each Namespace with the "deploykf.github.io/inject-root-ca-cert=enabled" label
        ## is injected with a ConfigMap containing a "root-cert.pem" key that contains the self-signed root CA
        ## applications can then trust the issued gateway certificates by trusting this CA
        injectedConfigMapName: deploykf-gateway-issuer-root-ca-cert


  ## --------------------------------------
  ##                 istio
  ## --------------------------------------
  istio:
    enabled: true
    namespace: istio-system

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## chart overrides
    ##
    charts:
      istioBase:
        name: base
        ## NOTE: this version should be aligned with `deploykf_core.deploykf_istio_gateway.charts.istioGateway.version`
        version: 1.17.3
        repository: https://istio-release.storage.googleapis.com/charts

      istioDaemon:
        name: istiod
        ## NOTE: this version should be aligned with `deploykf_core.deploykf_istio_gateway.charts.istioGateway.version`
        version: 1.17.3
        repository: https://istio-release.storage.googleapis.com/charts

    ## image overrides
    ##  - when tag is unset, default is: "{charts.istioDaemon.version}-{defaultImageVariant}"
    ##
    images:
      istioProxy:
        repository: docker.io/istio/proxyv2
        tag: ~

      istioPilot:
        repository: docker.io/istio/pilot
        tag: ~

    ## the default image variant
    ##  - can be one of: ["", "debug", "distroless"]
    ##    https://istio.io/latest/docs/ops/configuration/security/harden-docker-images/
    ##
    defaultImageVariant: distroless

    ## istio sidecar injector webhook configs
    ##
    sidecarInjectorWebhook:

      ## additional annotations which are added to pods after sidecar injection
      ##
      injectedAnnotations: {}

    ## istio mesh configs
    ##  - note, deployKF will override some configs with the required values, even if they are set here
    ##  - a useful config for debugging is to set `accessLogFile` as "/dev/stdout", which will print access logs to STDOUT
    ##
    meshConfig: {}


  ## --------------------------------------
  ##                kyverno
  ## --------------------------------------
  kyverno:
    enabled: true
    namespace: kyverno

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## chart overrides
    ##
    charts:
      kyverno:
        name: kyverno
        ## NOTE: kyverno's chart versions are NOT aligned to the kyverno app version, see:
        ##       https://artifacthub.io/packages/helm/kyverno/kyverno
        version: 3.0.1
        repository: https://kyverno.github.io/kyverno

    ## image overrides
    ##
    images:
      kubectl:
        repository: docker.io/bitnami/kubectl
        tag: ~
        pullPolicy: IfNotPresent

      kyverno:
        repository: ghcr.io/kyverno/kyverno
        tag: ~
        pullPolicy: IfNotPresent

      kyvernoInit:
        repository: ghcr.io/kyverno/kyvernopre
        tag: ~
        pullPolicy: IfNotPresent

      kyvernoBackgroundController:
        repository: ghcr.io/kyverno/background-controller
        tag: ~
        pullPolicy: IfNotPresent

      kyvernoCleanupController:
        repository: ghcr.io/kyverno/cleanup-controller
        tag: ~
        pullPolicy: IfNotPresent

      kyvernoReportsController:
        repository: ghcr.io/kyverno/reports-controller
        tag: ~
        pullPolicy: IfNotPresent

    ## kyverno extra resource permissions
    ##  - a list of extra kubernetes resources to allow kyverno to generate and manage
    ##  - each element is a map with keys `apiGroups` and `resources` that contain lists of strings
    ##
    extraResourceRules:
      - apiGroups: [ "kubeflow.org" ]
        resources: [ "poddefaults" ]


## --------------------------------------------------------------------------------
##
##                                  deploykf-core
##
## --------------------------------------------------------------------------------
deploykf_core:

  ## --------------------------------------
  ##             deploykf-auth
  ## --------------------------------------
  deploykf_auth:
    enabled: true
    namespace: deploykf-auth

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      dex:
        repository: ghcr.io/dexidp/dex
        tag: v2.37.0
        pullPolicy: IfNotPresent

      oauth2Proxy:
        repository: quay.io/oauth2-proxy/oauth2-proxy
        tag: v7.4.0
        pullPolicy: IfNotPresent

      kubectl:
        repository: docker.io/bitnami/kubectl
        tag: 1.26.6-debian-11-r8
        pullPolicy: IfNotPresent

    ## dex configs
    ##
    dex:

      ## dex static passwords
      ##  - a list of users to create in dex's built-in password database
      ##  - each element is a map with keys `email` and `password`,
      ##    the `password` is a map with the following keys:
      ##     - `value`: the password value
      ##     - `existingSecret`: the name of a kubernetes secret containing the password (overrides `value`)
      ##     - `existingSecretKey`: the key in the secret that contains the password
      ##     - `type`: how the password is provided (default: "plain")
      ##         - "plain": the password is provided as plain text
      ##         - "hash": the password is provided as a bcrypt hash
      ##  - a bcrypt hash for "PASSWORD_STRING" can be generated with one of the following:
      ##     - echo "PASSWORD_STRING" | htpasswd -BinC 10 NULL | cut -d: -f2
      ##     - python -c 'import bcrypt; print(bcrypt.hashpw(b"PASSWORD_STRING", bcrypt.gensalt(10)).decode())'
      ##
      staticPasswords:
        - email: "admin@example.com"
          password:
            value: "admin"
        - email: "user1@example.com"
          password:
            value: "user1"
        - email: "user2@example.com"
          password:
            value: "user2"

      ## dex connectors
      ##  - dex connectors which allow bridging trust to external identity providers
      ##    https://dexidp.io/docs/connectors/
      ##  - not all connector types support refresh tokens, notably "SAML 2.0" and "OAUTH 2.0" do not
      ##    however, most providers support "OpenID Connect" which does support refresh tokens
      ##    without refresh tokens, users will be forced to re-authenticate every `expiry.idToken` period
      ##  - each element is a map with keys `type`, `id`, `name`, and `config` (which are the same aas upstream dex)
      ##    additionally, `configExistingSecret` and `configExistingSecretKey` allow you to set `config`
      ##    from a YAML-formatted string in a kubernetes secret
      ##  - in most cases `config.redirectURI` will be set to "https://{DEPLOYKF_HOST}/dex/callback" (if port is 443)
      ##
      connectors: []

      ## dex token expiry configs
      ##  - times are in Go duration format: https://golang.org/pkg/time/#ParseDuration
      ##
      expiry:
        ## the lifetime of issued id tokens
        idToken: "60m"

        ## refresh token configs
        ##  - note, some dex connectors do NOT support refresh tokens
        ##
        refreshToken:
          ## max time since last use of a refresh token
          idle: "168h" # 7d

          ## max total lifetime of a refresh token
          total: "2160h" # 90d

      ## dex OpenID Connect clients
      ##
      clients:

        ## OpenID client for oauth2-proxy (deployKF Dashboard)
        ##  - [WARNING] it is strongly recommended to enable `generateSecret` or use a custom value
        ##
        oauth2Proxy:
          clientId: "oauth2-proxy"
          clientSecret:
            value: "bbbbbbbbbbbbbbbb"
            existingSecret: ""
            existingSecretKey: "client_secret"
            generateSecret: false

        ## OpenID client for Minio Console
        ##  - [WARNING] it is strongly recommended to enable `generateSecret` or use a custom value
        ##
        minioConsole:
          clientId: "minio-console"
          clientSecret:
            value: "bbbbbbbbbbbbbbbb"
            existingSecret: ""
            existingSecretKey: "client_secret"
            generateSecret: false

        ## OpenID client for Argo Server
        ##  - [WARNING] it is strongly recommended to enable `generateSecret` or use a custom value
        ##
        argoServer:
          clientId: "argo-server"
          clientSecret:
            value: "bbbbbbbbbbbbbbbb"
            existingSecret: ""
            existingSecretKey: "client_secret"
            generateSecret: false

    ## oauth2-proxy configs
    ##
    oauth2Proxy:

      ## oauth2-proxy cookie configs
      ##
      cookie:
        ## sets oauth2-proxy config `--cookie-name`
        name: "_deploykf_token"

        ## sets oauth2-proxy config `--cookie-expire`
        expire: "168h" # 7d

        ## sets oauth2-proxy config `--cookie-refresh`
        refresh: "60m"

        ## sets oauth2-proxy config `--cookie-secret`
        ##  - [WARNING] it is strongly recommended to enable `generateSecret` or use a custom value
        ##
        secret:
          value: "cccccccccccccccc"
          existingSecret: ""
          existingSecretKey: "cookie_secret"
          generateSecret: false


  ## --------------------------------------
  ##          deploykf-dashboard
  ## --------------------------------------
  deploykf_dashboard:
    enabled: true
    namespace: deploykf-dashboard

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      dashboard:
        repository: ghcr.io/deploykf/dashboard
        tag: 0.1.0
        pullPolicy: IfNotPresent

      profileController:
        repository: kubeflownotebookswg/profile-controller
        tag: v1.7.0
        pullPolicy: IfNotPresent

      kfamApi:
        repository: kubeflownotebookswg/kfam
        tag: v1.7.0
        pullPolicy: IfNotPresent

    ## configs dashboard navigation
    ##
    navigation:

      ## external links that appear in the sidebar
      ##  - a list of extra links to appear in the dashboard sidebar
      ##  - each element is a map with the following keys:
      ##     - `text`: the text that appears in the sidebar (example: "deployKF")
      ##     - `url`: the url to navigate to when the link is clicked (example: "https://deploykf.org")
      ##     - `icon`: the icon that appears in the sidebar (example: "launch")
      ##        - can be any "iron-icon" name, include any "xxxx:" prefix, but not "icons:"
      ##          https://www.webcomponents.org/element/@polymer/iron-icons/demo/demo/index.html
      ##
      externalLinks: []

      ## links that appear in the home page
      ##  - a list of extra links to appear in the dashboard
      ##  - each element is a map with the following keys:
      ##     - `text`: the text that appears in the homepage (example: "deployKF Website")
      ##     - `desc`: the description which appears below (example: "The tool that deployed your ML platform!")
      ##     - `link`: the url to navigate to when the link is clicked (example: "https://deploykf.org")
      ##
      documentationItems:
        - text: deployKF Website
          desc: The tool that deployed your ML platform!
          link: https://github.com/deployKF/deployKF

  ## --------------------------------------
  ##        deploykf-istio-gateway
  ## --------------------------------------
  deploykf_istio_gateway:
    enabled: true
    namespace: deploykf-istio-gateway

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## chart overrides
    ##
    charts:
      istioGateway:
        ## if false, you must create your own istio gateway ~deployment~ and ~service~
        ##  - you do NOT need to create resources like `networking.istio.io/Gateway`
        ##  - you must set the other values to match your deployment,
        ##    otherwise deployKF will be unable to use them
        enabled: true
        name: gateway
        ## NOTE: this version should be aligned with `deploykf_dependencies.istio.charts.istioDaemon.version`
        version: 1.17.3
        repository: https://istio-release.storage.googleapis.com/charts

    ## istio gateway configs
    ##
    gateway:
      name: deploykf-gateway

      hostname: deploykf.example.com
      ports:
        http: 80
        https: 443
      tls:
        enabled: true

      ## the pod labels used by the gateway to find the ingress gateway deployment
      ##
      selectorLabels:
        app: deploykf-gateway
        istio: deploykf-gateway

      ## if the "PROXY Protocol" is enabled on the gateway
      ## - https://istio.io/v1.16/docs/ops/configuration/traffic-management/network-topologies/#proxy-protocol
      ##
      enableProxyProtocol: false

      ## the number of x-forwarded-for HTTP header hops to trust
      ##  - important if using a LoadBalancer (like AWS NLB) as the Service type of deploykf-istio-gateway
      ##
      xffNumTrustedHops: 0

      ## if the email passed in `X-Auth-Request-Email` by `oauth2-proxy` is cast to lowercase
      ##  - note, this will only affect the email passed to Kubeflow apps, other apps connected to
      ##    dex OIDC will still receive the original email, so it's usually best to standardize
      ##    the emails in your upstream identity system
      ##  - this may be helpful if your identity system returns emails with uppercase letters and you
      ##    want to standardize on lowercase emails for RoleBindings
      ##  - this value will also affect the profiles generated by `deploykf-profiles-generator`
      ##
      emailToLowercase: false

    ## istio gateway deployment configs
    ##
    gatewayDeployment:
      replicaCount: 1

      serviceAccount:
        name: deploykf-gateway
        annotations: {}

      autoscaling:
        enabled: true
        minReplicas: 1
        maxReplicas: 5
        targetCPUUtilizationPercentage: 80

      podAnnotations: {}

    ## istio gateway service configs
    ##
    gatewayService:
      name: deploykf-gateway
      annotations: {}
      type: LoadBalancer
      loadBalancerIP: ""
      loadBalancerSourceRanges: []


  ## --------------------------------------
  ##      deploykf-profiles-generator
  ## --------------------------------------
  deploykf_profiles_generator:
    enabled: true

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## profile defaults
    ##
    profileDefaults:

      ## a common prefix to add to all profile names
      ##
      profileNamePrefix: ""

      ## the default email to set as the owner of profiles
      ##  - [WARNING] treat the default owner as a super-admin service account,
      ##              that is, people should NOT use this account day-to-day
      ##  - [WARNING] changing the `ownerEmail` of profiles requires ~manual~ steps
      ##              https://github.com/kubeflow/kubeflow/issues/6576
      ##
      ownerEmail: "admin@example.com"

      ## the default access for members of profiles, when not explicitly specified
      ##  - `role`: the Kubernetes RBAC role to bind to the user in the profile namespace
      ##      - "edit": binds "ClusterRole/kubeflow-edit" (can view/create/delete resources)
      ##      - "view": binds "ClusterRole/kubeflow-view" (cam view resources)
      ##  - `notebooksAccess`: if the user can ~connect~ to kubeflow notebooks in the profile
      ##                       note, the ability to create/delete notebook resources is controlled by `role`
      ##
      memberAccess:
        role: view
        notebooksAccess: false

      ## the default list of plugins for profiles, when not explicitly specified
      ##  - each entry is a map with the following keys:
      ##     - `kind`: the kind of plugin
      ##         - "AwsIamForServiceAccount": manages AWS IRSA for the profile namespace
      ##         - "WorkloadIdentity": manages GCP WorkloadIdentity for the profile namespace
      ##     - `spec`: a map of plugin-specific configurations
      ##         - spec for AwsIamForServiceAccount:
      ##           https://github.com/kubeflow/kubeflow/blob/v1.7.0/components/profile-controller/controllers/plugin_iam.go#L30
      ##         - spec for WorkloadIdentity:
      ##           https://github.com/kubeflow/kubeflow/blob/v1.7.0/components/profile-controller/controllers/plugin_workload_identity.go#L39
      ##
      ## ____ EXAMPLE _______________
      ##  plugins:
      ##    - ## EKS IRSA plugin
      ##      kind: AwsIamForServiceAccount
      ##      spec:
      ##        awsIamRole: arn:aws:iam::000000000000:role/MY_ROLE_NAME
      ##        AnnotateOnly: true
      ##
      ##    - ## GKE WorkloadIdentity plugin
      ##      kind: WorkloadIdentity
      ##      spec:
      ##        gcpServiceAccount: SA_NAME@PROJECT_ID.iam.gserviceaccount.com
      ##
      plugins: []

      ## the default resource quota for profiles, when not explicitly specified
      ##  - spec for ResourceQuotaSpec:
      ##    https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#resourcequotaspec-v1-core
      ##
      resourceQuotaSpec: {}

      ## the default tool configs for profiles
      ##
      tools:

        ## the default Kubeflow Pipelines configs for profiles
        ##
        kubeflowPipelines:

          ## the default Kubeflow Pipelines object store auth configs for profiles
          ##  - the behaviour of these configs depends on `kubeflow_tools.kubeflow_pipelines.objectStore`
          ##  - when `kubeflow_tools.kubeflow_pipelines.objectStore.useExternal`:
          ##     - is false (default):
          ##        - minio is automatically configured to generate unique service-account credentials for each
          ##          profile and store them in a kubernetes secret named `existingSecret` in the minio namespace
          ##        - this secret will be cloned into the profile's namespace and kept in sync with the original
          ##        - note, generated credentials only have access to `kubeflow_tools.pipelines.bucket` under "artifacts/{profile_name}/"
          ##        - note, no credentials are generated for profiles which set `objectStoreAuth`
          ##        - note, the value of `existingSecret` MUST contain "{profile_name}"
          ##        - note, the value of `existingSecretNamespace` is ignored
          ##     - is true:
          ##        - a kubernetes secret named `existingSecret` must exist the namespace `existingSecretNamespace`
          ##          with the keys `existingSecretAccessKeyKey` and `existingSecretSecretKeyKey`
          ##        - this secret will be cloned into the profile's namespace and kept in sync with the original
          ##        - note, all occurances of "{profile_name}" in `existingSecret` are replaced with the profile name
          ##        - note, the default value of `existingSecretNamespace` is the kubeflow-pipelines namespace
          ##  - when `kubeflow_tools.kubeflow_pipelines.objectStore.auth.fromEnv`:
          ##     - is false (default):
          ##        - normal behaviour
          ##     - is true:
          ##        - default configs are ignored to allow for environment-based authentication (e.g. AWS IRSA)
          ##        - if a profile explicitly sets `objectStoreAuth` then it will still be used
          ##
          objectStoreAuth:
            existingSecret: "kubeflow-pipelines--profile-object-store-auth--{profile_name}"
            existingSecretNamespace: ""
            existingSecretAccessKeyKey: "access_key"
            existingSecretSecretKeyKey: "secret_key"

    ## user entities
    ##  - a list of users that can be referenced when defining profile members
    ##  - each element is a map with the following keys:
    ##     - `id`: a unique identifier for the user
    ##     - `email`: the email of the user (must exactly match the email from your identity provider)
    ##
    users:
      - id: user-1
        email: "user1@example.com"
      - id: user-2
        email: "user2@example.com"

    ## group entities
    ##  - a list of groups that can be referenced when defining profile members
    ##  - each element is a map with the following keys:
    ##     - `id`: a unique identifier for the group
    ##     - `users`: a list of user IDs that are members of the group
    ##
    groups:
      - id: team-1
        users:
          - user-1
          - user-2

    ## profile definitions
    ##  - [WARNING] changing the `ownerEmail` of a profile requires ~manual~ steps
    ##              https://github.com/kubeflow/kubeflow/issues/6576
    ##  - a list of profile definitions to be generated
    ##  - each element is a map with the following keys:
    ##     - `name`: the name of the profile (must be unique)
    ##               note, the name of a profile is also its namespace name
    ##     - `members`: a list of members and their access to this profile (default: [])
    ##                  note, if a user appears in multiple memberships, the most permissive access is used
    ##          each element is a map with the following keys:
    ##           - `user`: the ID of a user (mutually exclusive with `group`)
    ##           - `group`: the ID of a group (mutually exclusive with `user`)
    ##           - `access`: a map with configs for this member's access to the profile:
    ##               - `role`: the Kubernetes RBAC role to bind to the user (default: `profileDefaults.memberAccess.role`)
    ##               - `notebooksAccess`: if the user can ~connect~ to kubeflow notebooks (default: `profileDefaults.memberAccess.notebooksAccess`)
    ##     - `ownerEmail`: the email to set as the owner of the profile (default: `profileDefaults.ownerEmail`)
    ##     - `plugins`: the list of plugins for this profile (default: `profileDefaults.plugins`)
    ##     - `resourceQuotaSpec`: the resource quota for this profile (default: `profileDefaults.resourceQuotaSpec`)
    ##     - `tools`: a map with configs for tools:
    ##         - `kubeflowPipelines`: a map with configs for Kubeflow Pipelines:
    ##             - `objectStoreAuth`: a map with configs for object store auth (default: `profileDefaults.tools.kubeflowPipelines.objectStoreAuth`)
    ##                 - `existingSecret`: the name of an existing kubernetes secret
    ##                 - `existingSecretNamespace`: the namespace containing the kubernetes secret (default: namespace of this profile)
    ##                 - `existingSecretAccessKeyKey`: the key within the secret that contains the access-key (default: "access_key")
    ##                 - `existingSecretSecretKeyKey`: the key within the secret that contains the secret-key (default: "secret_key")
    ##
    profiles:
      - name: team-1
        members:
          - group: team-1
            access:
              role: edit
              notebooksAccess: true

      - name: team-1-prod
        members:
          - group: team-1
            access:
              role: view
              notebooksAccess: false


## --------------------------------------------------------------------------------
##
##                                   deploykf-opt
##
## --------------------------------------------------------------------------------
deploykf_opt:

  ## --------------------------------------
  ##            deploykf-minio
  ## --------------------------------------
  deploykf_minio:
    enabled: false
    namespace: deploykf-minio

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      minio:
        repository: docker.io/minio/minio
        tag: RELEASE.2023-08-04T17-40-21Z
        pullPolicy: IfNotPresent

      minioMc:
        repository: docker.io/minio/mc
        tag: RELEASE.2023-08-01T23-30-57Z
        pullPolicy: IfNotPresent

      kubectl:
        repository: docker.io/bitnami/kubectl
        tag: 1.26.6-debian-11-r8
        pullPolicy: IfNotPresent

    ## persistence configs
    ##
    persistence:
      enabled: true

      ## the name of an existing PersistentVolumeClaim to use
      ## - if non-emtpy, you must manually create a PVC with this name
      ##
      existingClaim: ""

      ## the sub-path within the PersistentVolume to mount, instead of the root
      ##
      subPath: ""

      ## the name of the StorageClass requested by the PersistentVolumeClaim
      ## - if set to "", then `PersistentVolumeClaim/spec.storageClassName` is omitted
      ## - if set to "-", then `PersistentVolumeClaim/spec.storageClassName` is set to ""
      ##
      storageClass: ""

      ## the access mode of the PersistentVolumeClaim
      ##
      accessMode: ReadWriteOnce

      ## the initial size for the PersistentVolumeClaim to request
      ## - if your StorageClass has `allowVolumeExpansion=true`, kubernetes allows the
      ##   PVC to grow in size as needed, starting from this value
      ##
      size: 5Gi

    ## root user configs for minio
    ##  - [WARNING] it is strongly recommended to enable `generateSecret` or use a custom value
    ##
    rootUser:
      username: minioadmin
      password: minioadmin
      existingSecret: ""
      existingSecretUsernameKey: "username"
      existingSecretPasswordKey: "password"
      generateSecret: false

      ## service accounts for the root user
      ##  - these service accounts are created and/or updated by a post-install job
      ##  - each element in the list is a map with the following fields:
      ##     - `accessKey`: the access-key for the service account
      ##     - `secretKey`: the secret-key for the service account
      ##     - `existingSecret`: the name of an existing secret containing the access & secret keys
      ##     - `existingSecretAccessKeyKey`: the key in the secret containing the access-key (default: "access_key")
      ##     - `existingSecretSecretKeyKey`: the key in the secret containing the secret-key (default: "secret_key")
      ##     - `generateSecret`: if true, random keys are generated and stored in `existingSecret` (default: false)
      ##                         note, `existingSecret` must be set to a unique value for each service account
      ##                         note, the job will fail if the secret already exists in the cluster
      ##     - `policy`: the minio policy document as a YAML map, ~not a string~ (default: empty/root-access)
      ##                 https://min.io/docs/minio/container/administration/identity-access-management/policy-based-access-control.html
      ##  - [WARNING] if a `policy` is not specified, the service account will have root access
      ##  - [WARNING] unlisted minio service accounts will be removed from minio
      ##  - [WARNING] unlisted kubernetes secrets with this label will be removed from the cluster:
      ##              "deploykf-minio.deploykf.org/generated-minio-root-service-account: true"
      ##
      serviceAccounts: []

    ## identity configs
    ##
    identity:

      ## OpenID Connect configs (connects to `deploykf-auth` dex)
      ##
      openid:
        ## sets `MINIO_IDENTITY_OPENID_CLAIM_NAME`
        ##  - if set to "email", access `policies` are automatically generated for each user
        ##    based on their `access.role` in each profile
        ##
        policyClaim: "email"

        ## sets `MINIO_IDENTITY_OPENID_SCOPES`
        ##  - NOTE: minio-console does not yet support refresh tokens, so "offline_access" is not used:
        ##          https://github.com/minio/console/issues/2643
        scopes: "openid,email,groups,profile,offline_access"

    ## minio buckets
    ##  - these buckets are created and/or updated by a post-install job
    ##  - each element is a map with the following keys:
    ##     - `name`: the name of the bucket
    ##     - `versioning`: the name of the policy to apply to the bucket
    ##  - if Kubeflow Pipelines is enabled, a bucket named `kubeflow_tools.pipelines.bucket.name`
    ##    is automatically added to this list, with `versioning` disabled
    ##
    buckets: []

    ## minio access policies
    ##  - [WARNING] existing policies that have "@" in their name will be removed from minio if they are not listed here
    ##  - these policies are created and/or updated by a post-install job
    ##  - each element is a map with the following keys:
    ##     - `name`: the name of the policy
    ##     - `policy`: the minio policy document as a YAML map, ~not a string~
    ##                 https://min.io/docs/minio/container/administration/identity-access-management/policy-based-access-control.html
    ##  - if Kubeflow Pipelines is enabled, and `identity.openid.policyClaim` is set to "email",
    ##    policies are automatically generated for each user based on their `access.role` in each profile
    ##
    policies: []


  ## --------------------------------------
  ##            deploykf-mysql
  ## --------------------------------------
  deploykf_mysql:
    enabled: false
    namespace: deploykf-mysql

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      mysql:
        repository: docker.io/mysql
        tag: 8.0.33
        pullPolicy: IfNotPresent

      kubectl:
        repository: docker.io/bitnami/kubectl
        tag: 1.26.6-debian-11-r8
        pullPolicy: IfNotPresent

    ## persistence configs
    ##
    persistence:
      enabled: true

      ## the name of an existing PersistentVolumeClaim to use
      ## - if non-emtpy, you must manually create a PVC with this name
      ##
      existingClaim: ""

      ## the sub-path within the PersistentVolume to mount, instead of the root
      ##
      subPath: ""

      ## the name of the StorageClass requested by the PersistentVolumeClaim
      ## - if set to "", then `PersistentVolumeClaim/spec.storageClassName` is omitted
      ## - if set to "-", then `PersistentVolumeClaim/spec.storageClassName` is set to ""
      ##
      storageClass: ""

      ## the access mode of the PersistentVolumeClaim
      ##
      accessMode: ReadWriteOnce

      ## the initial size for the PersistentVolumeClaim to request
      ## - if your StorageClass has `allowVolumeExpansion=true`, kubernetes allows the
      ##   PVC to grow in size as needed, starting from this value
      ##
      size: 5Gi

    ## configs for the "root@localhost" mysql user
    ##  - [WARNING] it is strongly recommended to enable `generateSecret` or use a custom value
    ##  - as this is "root@localhost", these credentials can only be used from within the pod
    ##  - these credentials are used by the liveness probes
    ##
    rootUser:
      password: password
      existingSecret: ""
      existingSecretPasswordKey: "password"
      generateSecret: false

    ## configs for the kubeflow mysql user
    ##  - [WARNING] it is strongly recommended to enable `generateSecret` or use a custom value
    ##  - if a Kubeflow app requires MySQL and is not configured to use an external database,
    ##    it will use these credentials
    ##
    kubeflowUser:
      username: kubeflow
      password: password
      existingSecret: ""
      existingSecretUsernameKey: "username"
      existingSecretPasswordKey: "password"
      generateSecret: false

    ## custom users
    ##  - a list of custom users to create/update each time the pod starts
    ##  - each element is a map with the following keys:
    ##     - `username`: the username of the user
    ##     - `password`: the password of the user
    ##     - `hostname`: the hostname of the user (default: "%")
    ##     - `existingSecret`: the name of an existing secret containing the username & password
    ##     - `existingSecretUsernameKey`: the key in the secret containing the username (default: "username")
    ##     - `existingSecretPasswordKey`: the key in the secret containing the password (default: "password")
    ##     - `drop`: if true, the user is dropped instead of created/updated (default: false)
    ##               this is useful for removing users that were previously created by deployKF,
    ##               as deployKF does not automatically remove users that are no longer in this list
    ##
    customUsers: []

    ## custom databases
    ##  - a list of custom databases to create each time the pod starts
    ##  - each element is a map with the following keys:
    ##     - `name`: the name of the database (required)
    ##     - `grantAllPrivileges`: a list of users to GRANT ALL PRIVILEGES to (default: [])
    ##          each element is a map with the following keys:
    ##           - `username`: the username of the user (required)
    ##           - `hostname`: the hostname of the user (required)
    ##
    customDatabases: []

    ## mysql configuration file
    ##  - `disable_log_bin` is set to avoid excessive disk usage by Kubeflow Pipelines:
    ##    https://github.com/kubeflow/manifests/issues/2402
    ##  - `default_authentication_plugin` must be `mysql_native_password` due to an issue in Kubeflow Pipelines:
    ##    https://github.com/kubeflow/pipelines/issues/9549
    ##
    configuration: |
      [mysqld]
      disable_log_bin
      default_authentication_plugin=mysql_native_password


## --------------------------------------------------------------------------------
##
##                                deploykf-tools
##
## --------------------------------------------------------------------------------
deploykf_tools: {}


## --------------------------------------------------------------------------------
##
##                              kubeflow-dependencies
##
## --------------------------------------------------------------------------------
kubeflow_dependencies:

  ## --------------------------------------
  ##        kubeflow-argo-workflows
  ## --------------------------------------
  kubeflow_argo_workflows:
    enabled: false
    namespace: kubeflow-argo-workflows

    ## values overrides
    ##  - [WARNING] it is very easy to break something with this feature
    ##  - a map or string with values to override those generated by deployKF
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    valuesOverrides: {}

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}` and Helm templates `{{ ... }}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      argoCli:
        repository: quay.io/argoproj/argocli
        ## NOTE: we use v3.4 for this image because in v3.3, argo-server does not support Kubernetes 1.24:
        ##        https://github.com/argoproj/argo-workflows/pull/9620
        ##       but Kubeflow Pipelines does not support argo-server v3.4, so we can't upgrade the other images:
        ##        https://github.com/kubeflow/pipelines/issues/8935
        ##        https://github.com/kubeflow/pipelines/issues/8942
        tag: v3.4.8
        pullPolicy: IfNotPresent

      argoExecutor:
        repository: quay.io/argoproj/argoexec
        tag: v3.3.10
        pullPolicy: IfNotPresent

      argoWorkflowController:
        repository: quay.io/argoproj/workflow-controller
        tag: v3.3.10
        pullPolicy: IfNotPresent

    ## configs for the default artifact repository
    ##
    artifactRepository:

      ## a format pattern to define how artifacts will be organized in the bucket
      ##  - if `kubeflow_tools.pipelines.objectStore.useExternal` is false, then this must be left as the default
      ##
      keyFormat: "artifacts/{{ workflow.namespace }}/{{ workflow.name }}/{{ workflow.creationTimestamp.Y }}/{{ workflow.creationTimestamp.m }}/{{ workflow.creationTimestamp.d }}/{{ pod.name }}"

    ## configs for argo workflow controller
    ##
    controller:

      ## configs for the service account used by argo workflow controller
      ##
      serviceAccount:
        create: true
        name: argo-workflow-controller
        annotations: {}

    ## configs for argo server
    ##
    server:

      ## configs for the service account used by argo server
      ##
      serviceAccount:
        create: true
        name: argo-server
        annotations: {}

## --------------------------------------------------------------------------------
##
##                                  kubeflow-tools
##
## --------------------------------------------------------------------------------
kubeflow_tools:

  ## --------------------------------------
  ##                 katib
  ## --------------------------------------
  katib:
    enabled: false

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      katibController:
        repository: docker.io/kubeflowkatib/katib-controller
        tag: ~

      katibDbManager:
        repository: docker.io/kubeflowkatib/katib-db-manager
        tag: ~

      katibUi:
        repository: docker.io/kubeflowkatib/katib-ui
        tag: ~

    ## mysql connection configs
    ##  - if `useExternal` is true, katib will use the specified external mysql database
    ##  - if `useExternal` is false, katib will use the embedded `deploykf_opt.deploykf_mysql` database,
    ##    and all other configs will be ignored
    ##
    mysql:
      useExternal: false
      host: "mysql.example.com"
      port: 3306
      auth:
        username: kubeflow
        password: password
        existingSecret: ""
        existingSecretUsernameKey: "username"
        existingSecretPasswordKey: "password"

    ## mysql database name
    ##
    mysqlDatabase: katib


  ## --------------------------------------
  ##               notebooks
  ## --------------------------------------
  notebooks:
    enabled: false

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      jupyterWebApp:
        repository: docker.io/kubeflownotebookswg/jupyter-web-app
        tag: ~

      notebookController:
        repository: docker.io/kubeflownotebookswg/notebook-controller
        tag: ~

    ## notebook spawner configs
    ##  - these configs directly become the `spawner_ui_config.yaml` in the jupyter-web-app
    ##  - about the `readOnly` configs:
    ##     - when `readOnly` is set to true, the option will be disabled for users
    ##     - when 'readOnly' is missing, it defaults to 'false'
    ##
    spawnerFormDefaults:

      ## if users can input custom images, or only select from dropdowns
      allowCustomImage: true

      ## if the registry of the container image is hidden from display
      hideRegistry: true

      ## if the tag of the container image is hidden from display
      hideTag: false

      ## configs for the ImagePullPolicy
      imagePullPolicy:
        readOnly: false

        ## the default ImagePullPolicy
        ## (possible values: "Always", "IfNotPresent", "Never")
        value: IfNotPresent

      ## Jupyter-like Container Images
      ##  - the `image` section is used for "Jupyter-like" apps whose
      ##    HTTP path is configured by the "NB_PREFIX" environment variable
      ##
      image:
        ## the default container image
        value: kubeflownotebookswg/jupyter-scipy:v1.7.0

        ## the list of available container images in the dropdown
        options:
          - kubeflownotebookswg/jupyter-scipy:v1.7.0
          - kubeflownotebookswg/jupyter-pytorch-full:v1.7.0
          - kubeflownotebookswg/jupyter-pytorch-cuda-full:v1.7.0
          - kubeflownotebookswg/jupyter-tensorflow-full:v1.7.0
          - kubeflownotebookswg/jupyter-tensorflow-cuda-full:v1.7.0

      ## VSCode-like Container Images (Group 1)
      ##  - the `imageGroupOne` section is used for "VSCode-like" apps that
      ##    expose themselves under the HTTP root path "/" and support path
      ##    rewriting without breaking
      ##  - the annotation `notebooks.kubeflow.org/http-rewrite-uri: "/"` is
      ##    set on Notebooks spawned by this group, to make Istio rewrite
      ##    the path of HTTP requests to the HTTP root
      ##
      imageGroupOne:
        ## the default container image
        value: kubeflownotebookswg/codeserver-python:v1.7.0

        ## the list of available container images in the dropdown
        options:
          - kubeflownotebookswg/codeserver-python:v1.7.0

      ## RStudio-like Container Images (Group 2)
      ##  - the `imageGroupTwo` section is used for "RStudio-like" apps whose
      ##    HTTP path is configured by the "X-RStudio-Root-Path" header
      ##  - the annotation `notebooks.kubeflow.org/http-rewrite-uri: "/"` is
      ##    set on Notebooks spawned by this group, to make Istio rewrite
      ##    the path of HTTP requests to the HTTP root
      ##  - the annotation `notebooks.kubeflow.org/http-headers-request-set` is
      ##    set on Notebooks spawned by this group, such that Istio injects the
      ##    "X-RStudio-Root-Path" header to all request
      ##
      imageGroupTwo:
        ## the default container image
        value: kubeflownotebookswg/rstudio-tidyverse:v1.7.0

        ## the list of available container images in the dropdown
        options:
          - kubeflownotebookswg/rstudio-tidyverse:v1.7.0

      ## CPU Resources
      ##
      cpu:
        readOnly: false

        ## the default cpu request for the container
        value: "0.5"

        ## a factor by which to multiply the CPU request calculate the cpu limit
        ## (to disable cpu limits, set as "none")
        limitFactor: "1.2"

      ## Memory Resources
      ##
      memory:
        readOnly: false

        ## the default memory request for the container
        value: "1.0Gi"

        ## a factor by which to multiply the memory request calculate the memory limit
        ## (to disable memory limits, set as "none")
        limitFactor: "1.2"

      ## GPU/Device-Plugin Resources
      ##
      gpus:
        readOnly: false

        ## configs for gpu/device-plugin limits of the container
        ## https://kubernetes.io/docs/tasks/manage-gpus/scheduling-gpus/#using-device-plugins
        value:
          ## the `limitKey` of the default vendor
          ## (to have no default, set as "")
          vendor: ""

          ## the list of available vendors in the dropdown
          ##  `limitsKey` - what will be set as the actual limit
          ##  `uiName` - what will be displayed in the dropdown UI
          vendors: []
          #vendors:
          #  - limitsKey: "nvidia.com/gpu"
          #    uiName: "NVIDIA"
          #  - limitsKey: "amd.com/gpu"
          #    uiName: "AMD"

          ## the default value of the limit
          ## (possible values: "none", "1", "2", "4", "8")
          num: "none"

      ## Workspace Volumes
      ##
      workspaceVolume:
        readOnly: false

        ## the default workspace volume to be created and mounted
        ## (to have no default, set `value: null`)
        value:
          mount: /home/jovyan

          ## pvc configs for creating new workspace volumes
          ## https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#persistentvolumeclaim-v1-core
          newPvc:
            metadata:
              ## "{notebook-name}" is replaced with the Notebook name
              name: "{notebook-name}-workspace"
            spec:
              #storageClassName: my-storage-class
              resources:
                requests:
                  storage: 5Gi
              accessModes:
                - ReadWriteOnce

      ## Data Volumes
      ##
      dataVolumes:
        readOnly: false

        ## a list of additional data volumes to be created and/or mounted
        value: []
        #value:
        #  - mount: /home/jovyan/datavol-1
        #    newPvc:
        #      metadata:
        #        name: "{notebook-name}-datavol-1"
        #      spec:
        #        resources:
        #          requests:
        #            storage: 5Gi
        #        accessModes:
        #          - ReadWriteOnce
        #  - mount: /home/jovyan/datavol-1
        #    existingSource:
        #      persistentVolumeClaim:
        #        claimName: "test-pvc"

      ## Affinity
      ##
      affinityConfig:
        readOnly: false

        ## the `configKey` of the default affinity config
        ## (to have no default, set as "")
        ## (if `readOnly`, the default `value` will be the only accessible option)
        value: ""

        ## the list of available affinity configs in the dropdown
        options: []
        #options:
        #  - configKey: "dedicated_node_per_notebook"
        #    displayName: "Dedicated Node Per Notebook"
        #    affinity:
        #      ## Require a Node with label `lifecycle=kubeflow-notebook`
        #      nodeAffinity:
        #        requiredDuringSchedulingIgnoredDuringExecution:
        #          nodeSelectorTerms:
        #            - matchExpressions:
        #                - key: "lifecycle"
        #                  operator: "In"
        #                  values:
        #                    - "kubeflow-notebook"
        #      ## Require a Node WITHOUT an existing Pod having `notebook-name` label
        #      podAntiAffinity:
        #        requiredDuringSchedulingIgnoredDuringExecution:
        #          - labelSelector:
        #              matchExpressions:
        #                - key: "notebook-name"
        #                  operator: "Exists"
        #            topologyKey: "kubernetes.io/hostname"
        #            ## WARNING: `namespaceSelector` is Beta in 1.22 and Stable in 1.24,
        #            ##          setting to {} is required for affinity to work across Namespaces
        #            namespaceSelector: {}

      ## Tolerations
      ##
      tolerationGroup:
        readOnly: false

        ## the `groupKey` of the default toleration group
        ## (to have no default, set as "")
        ## (if `readOnly`, the default `value` will be the only accessible option)
        value: ""

        ## the list of available toleration groups in the dropdown
        options: []
        #options:
        #  - groupKey: "group_1"
        #    displayName: "4 CPU 8Gb Mem at ~$X.XXX USD per day"
        #    tolerations:
        #      - key: "dedicated"
        #        operator: "Equal"
        #        value: "kubeflow-c5.xlarge"
        #        effect: "NoSchedule"
        #  - groupKey: "group_2"
        #    displayName: "8 CPU 16Gb Mem at ~$X.XXX USD per day"
        #    tolerations:
        #      - key: "dedicated"
        #        operator: "Equal"
        #        value: "kubeflow-c5.2xlarge"
        #        effect: "NoSchedule"
        #  - groupKey: "group_3"
        #    displayName: "16 CPU 32Gb Mem at ~$X.XXX USD per day"
        #    tolerations:
        #      - key: "dedicated"
        #        operator: "Equal"
        #        value: "kubeflow-c5.4xlarge"
        #        effect: "NoSchedule"
        #  - groupKey: "group_4"
        #    displayName: "32 CPU 256Gb Mem at ~$X.XXX USD per day"
        #    tolerations:
        #      - key: "dedicated"
        #        operator: "Equal"
        #        value: "kubeflow-r5.8xlarge"
        #        effect: "NoSchedule"

      ## Shared Memory
      ##
      shm:
        readOnly: false

        ## the default state of the "Enable Shared Memory" toggle
        value: true

      ## PodDefaults
      ##
      configurations:
        readOnly: false

        ## the list of PodDefault names that are selected by default
        ## (take care to ensure these PodDefaults exist in Profile Namespaces)
        value: []
        #value:
        #  - my-pod-default

    ## notebook template override
    ##  - a ~string~ to replace the default jupyter-web-app `notebook_template.yaml` with
    ##    https://github.com/kubeflow/kubeflow/blob/v1.7.0/components/crud-web-apps/jupyter/backend/apps/common/yaml/notebook_template.yaml
    ##  - can include deployKF templates `{{< ... >}}`
    ##
    notebookTemplate: ""

    ## spawner icon overrides
    ##
    spawnerIcons:
      ## image group one
      ##  - by default, "group one" has the "Visual Studio Code" icon
      ##  - images must be ~strings~ in SVG format
      ##
      imageGroupOne:
        icon: ""
        logo: ""

      ## image group two
      ##  - by default, "group two" has the "RStudio Server" icon
      ##  - images must be ~strings~ in SVG format
      ##
      imageGroupTwo:
        icon: ""
        logo: ""

    ## notebook culling configs
    ##  - https://github.com/kubeflow/kubeflow/blob/master/components/proposals/20220121-jupyter-notebook-idleness.md
    ##
    notebookCulling:
      ## sets `ENABLE_CULLING` environment variable in notebook-controller
      enabled: false

      ## sets `CULL_IDLE_TIME` environment variable in notebook-controller (in minutes)
      idleTime: 1440

      ## sets `IDLENESS_CHECK_PERIOD` environment variable in notebook-controller (in minutes)
      idlenessCheckPeriod: 1


  ## --------------------------------------
  ##               pipelines
  ## --------------------------------------
  pipelines:
    enabled: false

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      kfpCacheServer:
        repository: gcr.io/ml-pipeline/cache-server
        tag: ~

      kfpMetadataEnvoy:
        repository: gcr.io/ml-pipeline/metadata-envoy
        tag: ~

      kfpMetadataWriter:
        repository: gcr.io/ml-pipeline/metadata-writer
        tag: ~

      kfpApiServer:
        repository: gcr.io/ml-pipeline/api-server
        tag: ~

      kfpPersistenceagent:
        repository: gcr.io/ml-pipeline/persistenceagent
        tag: ~

      kfpScheduledworkflow:
        repository: gcr.io/ml-pipeline/scheduledworkflow
        tag: ~

      kfpFrontend:
        repository: gcr.io/ml-pipeline/frontend
        tag: ~

      kfpViewerCrdController:
        repository: gcr.io/ml-pipeline/viewer-crd-controller
        tag: ~

      kfpVisualizationServer:
        repository: gcr.io/ml-pipeline/visualization-server
        tag: ~

      tfxMlMetadataStoreServer:
        repository: gcr.io/tfx-oss-public/ml_metadata_store_server
        ## NOTE: this tag is not aligned to the other KFP images
        tag: ~

    ## service account configs
    ##
    serviceAccounts:

      ## the service account used by the 'ml-pipeline' Deployment
      ##  - note, the name of this service account is 'ml-pipeline'
      ##
      apiServer:
        annotations: {}

      ## the service account used by the 'ml-pipeline-ui' Deployment
      ##  - note, the name of this service account is 'ml-pipeline-ui'
      ##
      frontend:
        annotations: {}

    ## storage bucket configs
    ##
    bucket:
      name: kubeflow-pipelines
      region: ""

    ## object store configs
    ##  - if `useExternal` is true, pipelines will use the specified external object store
    ##  - if `useExternal` is false, pipelines will use the embedded `deploykf_opt.deploykf_minio` object store,
    ##    and all other configs will be ignored
    ##
    objectStore:
      useExternal: false
      host: s3.amazonaws.com
      port: ""
      useSSL: true

      ## object store auth configs
      ##  - if `fromEnv` is true, all other configs are ignored to allow for environment-based authentication like
      ##     - AWS IRSA: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
      ##     - GCP Workload Identity: https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
      ##       [WARNING] GCP Workload Identity is not currently supported by Kubeflow Pipelines, this is because
      ##                 the api-server uses an S3 client to access the object store (even GCS), until a native
      ##                 GCS client is used, GCS can only be used via its S3 API with HMAC keys for authentication
      ##  - if `fromEnv` is true, you will likely need to set appropriate Pod ServiceAccount annotations:
      ##     - annotations for Kubeflow Pipelines backend are set with these values:
      ##        - `kubeflow_tools.pipelines.serviceAccounts.apiServer.annotations`
      ##        - `kubeflow_tools.pipelines.serviceAccounts.frontend.annotations`
      ##     - annotations for Argo Workflows backend are set with these values:
      ##        - `kubeflow_dependencies.kubeflow_argo_workflows.controller.serviceAccount.annotations`
      ##        - `kubeflow_dependencies.kubeflow_argo_workflows.workflow.serviceAccount.annotations`
      ##     - annotations for Pods in Profiles are set using profile plugins, which are configured with these values:
      ##        - `deploykf_core.deploykf_profiles_generator.profileDefaults.plugins`
      ##        - `deploykf_core.deploykf_profiles_generator.profiles[].plugins`
      ##
      auth:
        fromEnv: false
        accessKey: my-access-key
        secretKey: my-secret-key
        existingSecret: ""
        existingSecretAccessKeyKey: "AWS_ACCESS_KEY_ID"
        existingSecretSecretKeyKey: "AWS_SECRET_ACCESS_KEY"

    ## mysql connection configs
    ##  - if `useExternal` is true, pipelines will use the specified external mysql database
    ##  - if `useExternal` is false, pipelines will use the embedded `deploykf_opt.deploykf_mysql` database,
    ##    and all other configs will be ignored
    ##
    mysql:
      useExternal: false
      host: "mysql.example.com"
      port: 3306
      auth:
        username: kubeflow
        password: password
        existingSecret: ""
        existingSecretUsernameKey: "username"
        existingSecretPasswordKey: "password"

    ## mysql database names
    ##
    mysqlDatabases:
      cacheDatabase: kfp_cache
      metadataDatabase: kfp_metadata
      pipelinesDatabase: kfp_pipelines

    ## configs specific to Kubeflow Pipelines v2
    ##
    kfpV2:

      ## sets the default `pipeline_root` in each profile
      ##  - https://www.kubeflow.org/docs/components/pipelines/v1/overview/pipeline-root/
      ##  - if `kubeflow_tools.pipelines.objectStore.useExternal` is false, then this must be left as the default
      ##  - the following template variables are available:
      ##     - `{bucket_name}`: the name of the bucket (see `kubeflow_tools.pipelines.bucket.name`)
      ##     - `{profile_name}`: the name of the profile
      ##
      defaultPipelineRoot: "minio://{bucket_name}/v2/artifacts/{profile_name}"

      ## apply fixes to make MinIO work with KFP v2
      ##  - these fixes are needed because KFP v2 uses hard-coded configs for MinIO
      ##    https://github.com/kubeflow/pipelines/issues/9689
      ##  - if true:
      ##     - the name of all cloned object store auth secrets in profiles becomes "mlpipeline-minio-artifact"
      ##     - the key names used in generated minio auth secrets becomes "accesskey" and "secretkey"
      ##     - the 'kfp-launcher' containers in workflow pods are patched at runtime to set:
      ##        - `MINIO_SERVICE_SERVICE_HOST` and `MINIO_SERVICE_SERVICE_PORT`
      ##        - `ML_PIPELINE_SERVICE_HOST` and `ML_PIPELINE_SERVICE_PORT_GRPC`
      ##     - the value of `kubeflow_tools.pipelines.objectStore.useExternal` must be false
      ##
      minioFix: false

      ## overrides the image of 'kfp-launcher' containers at runtime
      ##  - this is useful because pipelines compiled with v2-compatible mode use a hard-coded image
      ##    https://github.com/kubeflow/pipelines/blob/1.8.22/sdk/python/kfp/compiler/v2_compat.py#L25
      ##
      launcherImage: ""

    ## pipeline cache configs
    ##  - note, you can effectively disable caching (for KFP v1 mode) by setting both
    ##    `maximumMaxCacheStaleness` and `defaultMaxCacheStaleness` to "P0D"
    ##
    cache:

      ## cached steps will have their image replaced with this value
      ##  - the only requirement is that the image can run an `echo` command
      ##  - kubeflow pipelines chose this image because it's small, and not subject to rate limiting
      ##    https://github.com/kubeflow/pipelines/issues/4099
      ##
      image: "gcr.io/google-containers/busybox:1.27"

      ## pipeline steps with `max_cache_staleness` larger than this will be reduced to this value
      ##  - values are in RFC3339 Duration format (e.g. "P30D" for 30 days)
      ##
      maximumMaxCacheStaleness: ""

      ## pipeline steps which do not have a `max_cache_staleness` will be set to this value
      ##  - values are in RFC3339 Duration format (e.g. "P7D" for 7 days)
      ##
      defaultMaxCacheStaleness: ""

      ## if artifact requests which use the wrong namespace parameter should be redirected
      ##  - if true, an Istio EnvoyFilter listens on the `/pipelines/artifacts/` HTTP path which
      ##    detects and redirect when the "?namespace=" query parameter does not align with the artifact key
      ##  - this is useful because Kubeflow Pipelines will sometimes use results that were cached by a run
      ##    from a different namespace, and because the default bucket IAM restricts namespaces to their own key
      ##    prefixes, clicking on a cached step in the UI would result in an error unless you manually change the
      ##    "?namespace=" query parameter (note, users without access to the other namespace will still see an error)
      ##  - this feature will be automatically disabled if the following conditions are not met:
      ##     - the `kubeflow_dependencies.kubeflow_argo_workflows.artifactRepository.keyFormat` must start with "artifacts/{{ workflow.namespace }}"
      ##     - the key-part of `kubeflow_tools.pipelines.kfpV2.defaultPipelineRoot` must start with "/v2/artifacts/{profile_name}"
      ##
      namespaceRedirect: true

    ## profile resource generation configs
    ##  - we use a kyverno ClusterPolicy to generate resources needed by KFP in each profile namespace
    ##    these configs provide additional control over the generated resources
    ##
    profileResourceGeneration:

      ## if a PodDefault named "kubeflow-pipelines-api-token" should be generated in each profile namespace
      ##  - the generated PodDefault will mount a serviceAccountToken volume which can be used to authenticate
      ##    with the Kubeflow Pipelines API on Pods which have a `kubeflow-pipelines-api-token` label with value "true"
      ##  - for more information, see the "Full Kubeflow (from inside cluster)" section of the following page:
      ##    https://www.kubeflow.org/docs/components/pipelines/v1/sdk/connect-api/
      ##  - the PodDefault will NOT be generated if `kubeflow_tools.poddefaults_webhook.enabled` is false,
      ##    regardless of this setting
      ##
      kfpApiTokenPodDefault: false


  ## --------------------------------------
  ##          poddefaults-webhook
  ## --------------------------------------
  poddefaults_webhook:
    enabled: false

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      poddefaultsWebhook:
        repository: docker.io/kubeflownotebookswg/poddefaults-webhook
        tag: ~


  ## --------------------------------------
  ##             tensorboards
  ## --------------------------------------
  tensorboards:
    enabled: false

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      tensorboardController:
        repository: docker.io/kubeflownotebookswg/tensorboard-controller
        tag: ~

      tensorboardsWebApp:
        repository: docker.io/kubeflownotebookswg/tensorboards-web-app
        tag: ~

      kubeRbacProxy:
        repository: gcr.io/kubebuilder/kube-rbac-proxy
        tag: ~

    ## the image used for all spawned tensorboard pods
    ## - sets `TENSORBOARD_IMAGE` environment variable in the tensorboard-controller
    ##
    tensorboardImage: "docker.io/tensorflow/tensorflow:2.5.1"


  ## --------------------------------------
  ##           training-operator
  ## --------------------------------------
  training_operator:
    enabled: false

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      trainingOperator:
        repository: docker.io/kubeflow/training-operator
        tag: ~


  ## --------------------------------------
  ##                volumes
  ## --------------------------------------
  volumes:
    enabled: false

    ## extra manifests
    ##  - a list of strings containing extra Kubernetes resource manifests
    ##  - strings can include deployKF templates `{{< ... >}}`
    ##
    extraManifests: []

    ## image overrides
    ##
    images:
      volumesWebApp:
        repository: docker.io/kubeflownotebookswg/volumes-web-app
        tag: ~