diff --git a/.github/ctlint.yaml b/.github/ctlint.yaml
new file mode 100644
index 00000000..e98607e5
--- /dev/null
+++ b/.github/ctlint.yaml
@@ -0,0 +1,8 @@
+extends: default
+
+rules:
+ comments:
+ min-spaces-from-content: 1
+ document-start: disable
+ line-length: disable
+ truthy: disable
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4957f5dc..e2bb44b1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -174,7 +174,7 @@ jobs:
 uses: helm/chart-testing-action@v2
 - name: Run chart-testing (lint)
- run: ct lint --config .github/ct.yaml
+ run: ct lint --config .github/ct.yaml --lint-conf .github/ctlint.yaml
 lint-yamllint:
 runs-on: ubuntu-24.04
diff --git a/.prettierignore b/.prettierignore
index 206bd53d..619a79ef 100644
--- a/.prettierignore
+++ b/.prettierignore
@@ -1 +1 @@
-helm/reana
+helm/reana/templates
diff --git a/.yamllint.yaml b/.yamllint.yaml
index 77f287a2..4f733e75 100644
--- a/.yamllint.yaml
+++ b/.yamllint.yaml
@@ -8,4 +8,4 @@ rules:
 truthy: disable
 ignore:
- - helm/reana # is linted by `helm lint` and `ct lint`
+ - helm/reana/templates # is linted by `helm lint` and `ct lint`
diff --git a/helm/reana/Chart.yaml b/helm/reana/Chart.yaml
index 605888ed..bea0be32 100644
--- a/helm/reana/Chart.yaml
+++ b/helm/reana/Chart.yaml
@@ -27,7 +27,7 @@ keywords:
 - reusable-science
 type: application
 version: 0.9.3
-kubeVersion: '>= 1.21.0-0 < 1.32.0-0'
+kubeVersion: ">= 1.21.0-0 < 1.32.0-0"
 dependencies:
 - name: traefik
 version: 31.1.0
diff --git a/helm/reana/README.md b/helm/reana/README.md
index f62f4971..df22fe4e 100644
--- a/helm/reana/README.md
+++ b/helm/reana/README.md
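Review bot: In the new `.github/ctlint.yaml`, `truthy: disable` switches the check off entirely for the chart files that `ct lint` hands to yamllint, so an unquoted `On`, `Off`, `yes` or `no` in chart values is no longer reported even though a YAML 1.1 parser reads it as a boolean. The README table later on this page lists defaults such as `On` and `"Off"` for the fluent-bit TLS options, so the string-versus-boolean distinction presumably matters for this chart. Consider narrowing the rule instead of disabling it, e.g. `truthy: {allowed-values: ["true", "false"], check-keys: false}`. The file would also benefit from a first-line comment such as `# yamllint rules used by "ct lint" for the Helm chart; the repository-wide rules are in .yamllint.yaml`, since the `.yamllint.yaml` hunk in this commit now covers the same directory with a second rule set.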
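Review bot: The `--lint-conf .github/ctlint.yaml` argument is added only to the workflow step in `.github/workflows/ci.yml`, so a local `ct lint --config .github/ct.yaml` will, as far as this hunk shows, fall back to chart-testing's default yamllint rules rather than the ones CI enforces. chart-testing accepts the same option in its config file, so `lint-conf: .github/ctlint.yaml` in `.github/ct.yaml` would keep local and CI runs in step; that file is not part of this diff, so confirm how the relative path is resolved. Separately, the unchanged context line `uses: helm/chart-testing-action@v2` tracks a mutable tag, and pinning it to a full commit SHA would make the lint toolchain reproducible. The job this step belongs to starts above the hunk.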
@@ -2,195 +2,196 @@ ## Chart Prefix -This Helm automatically prefixes all names using the release name to avoid collisions. +This Helm automatically prefixes all names using the release name to avoid +collisions. ## Configuration -| Parameter | Description | Default value | -|----------------------------------------------------------|--------------------------------------------------------------------------------------|-------------------------------------------------| -| `components.reana_db.enabled` | Instantiate a PostgreSQL database inside the cluster | true | -| `components.reana_db.image` | [PostgreSQL image](https://hub.docker.com/_/postgres) to use | `docker.io/library/postgres:12.13` | -| `components.reana_job_controller.environment` | [REANA-Job-Controller](https://github.com/reanahub/reana-job-controller) environment variables | `{}` | -| `components.reana_job_controller.image` | [REANA-Job-Controller image](https://hub.docker.com/r/reanahub/reana-job-controller) to use | `docker.io/reanahub/reana-job-controller:` | -| `components.reana_message_broker.image` | [REANA-Message-Broker image](https://hub.docker.com/r/reanahub/reana-message-broker) to use | `docker.io/reanahub/reana-message-broker:` | -| `components.reana_message_broker.imagePullPolicy` | REANA-Message-Broker image pull policy | IfNotPresent | -| `components.reana_server.environment` | REANA-Server environment variables | | -| `components.reana_server.environment.REANA_MAX_CONCURRENT_BATCH_WORKFLOWS` | Upper limit on concurrent REANA batch workflows running in the cluster. | 30 | -| `components.reana_server.environment.REANA_USER_EMAIL_CONFIRMATION` | Enable user to confirm their email address. | true | -| `components.reana_server.environment.REANA_SCHEDULER_REQUEUE_SLEEP` | Seconds to wait between consuming workflows. | 15 | -| `components.reana_server.environment.REANA_SCHEDULER_REQUEUE_COUNT` | The number of times to requeue workflow before failing it. 
"infinity" value could be used to deactivate workflow failing. | 200 | -| `components.reana_server.environment.REANA_WORKFLOW_SCHEDULING_POLICY` | Define workflow scheduling strategy. Options are "fifo" for first-in-first-out strategy regardless of users and "balanced" for multi-user-aware scheduling strategy. | "fifo" | -| `components.reana_server.environment.REANA_WORKFLOW_SCHEDULING_READINESS_CHECK_LEVEL` | Define checks that are performed to assess whether the cluster is ready to start new workflows. Values are: 0 = no readiness check; schedule new workflow as soon as they arrive; 1 = check for maximum number of concurrently running workflows; schedule new workflows if not exceeded; 2 = check for available cluster memory size; schedule new workflow only if it fits; 9 = perform all checks; satisfy all previous criteria. | 9 | -| `components.reana_server.environment.REANA_RATELIMIT_GUEST_USER` | Set API limiter config for guest users. Users using reana-client will be treated as guests. | "40 per second" | -| `components.reana_server.environment.REANA_RATELIMIT_AUTHENTICATED_USER` | Set API limiter config for authenticated web UI users. | "40 per second" | -| `components.reana_server.environment.REANA_RATELIMIT_SLOW` | Set API limiter config for slow endpoints that need to be protected e.g. launch endpoint. | "1/5 second" | -| `components.reana_server.image` | [REANA-Server image](https://hub.docker.com/r/reanahub/reana-server) to use | `docker.io/reanahub/reana-server:` | -| `components.reana_server.imagePullPolicy` | REANA-Server image pull policy | IfNotPresent | -| `components.reana_server.uwsgi.processes` | Number of uWSGI processes | 6 | -| `components.reana_server.uwsgi.threads` | Number of uWSGI threads | 4 | -| `components.reana_server.uwsgi.log_all` | Log all HTTP requests | true | -| `components.reana_server.uwsgi.log_4xx` | Log only error HTTP requests with status code 4xx. 
To make this configuration effective `components.reana_server.uwsgi.log_all` must be false. | true | -| `components.reana_server.uwsgi.log_5xx` | Log only error HTTP requests with status code 5xx. To make this configuration effective `components.reana_server.uwsgi.log_all` must be false. | true | -| `components.reana_ui.announcement` | Announcement message displayed in site top banner | None | -| `components.reana_ui.enabled` | Instantiate the [REANA-UI](https://github.com/reanahub/reana-ui) | true | -| `components.reana_ui.file_preview_size_limit` | Maximum file size (in bytes) that can be previewed in the web interface. Default value: 5242880 bytes = 5 MiB | 5242880 | -| `components.reana_ui.image` | [REANA-UI image](https://hub.docker.com/r/reanahub/reana-ui) to use | `docker.io/reanahub/reana-ui:` | -| `components.reana_ui.imagePullPolicy` | REANA-UI image pull policy | IfNotPresent | -| `components.reana_ui.polling_secs` | Frequency of workflow list page reload in seconds | 15 | -| `components.reana_ui.client_pyvenv` | REANA-Client python environment to source in the welcome example. 
| None | -| `components.reana_ui.docs_url` | URL of documentation site (footer icon) | | -| `components.reana_ui.forum_url` | URL of forum site (footer icon) | | -| `components.reana_ui.chat_url` | URL of chat channel (footer icon) | None | -| `components.reana_ui.privacy_notice_url` | URL of the privacy notice (footer icon) | None | -| `components.reana_ui.cern_sso` | Enable CERN SSO sign in | false | -| `components.reana_ui.local_users` | Enable local users sign in/up | true | -| `components.reana_ui.hide_signup` | Hide users sign up form | false | -| `components.reana_workflow_controller.environment` | REANA-Workflow-Controller environment variables | `{SHARED_VOLUME_PATH: /var/reana}` | -| `components.reana_workflow_controller.image` | [REANA-Workflow-Controller image](https://hub.docker.com/r/reanahub/reana-workflow-controller) to use | `docker.io/reanahub/reana-workflow-controller:` | -| `components.reana_workflow_controller.imagePullPolicy` | REANA-Workflow-Controller image pull policy | IfNotPresent | -| `components.reana_workflow_controller.environment.REANA_JOB_HOSTPATH_MOUNTS` | JSON list of optional hostPath mounts, for all user jobs. Each mount object has a key `name` (name of the mount), `hostPath` (path to the directory to be mounted from the Kubernetes nodes) and `mountPath` (path inside the job containers where the `hostPath` will be mounted) | None | -| `components.reana_workflow_controller.environment.REANA_RUNTIME_KUBERNETES_KEEP_ALIVE_JOBS_WITH_STATUSES` | Keep alive Kubernetes user runtime jobs depending on status (`finished` and/or `failed`). | None | -| `components.reana_workflow_controller.environment.REANA_JOB_STATUS_CONSUMER_PREFETCH_COUNT` | Define max number of unacknowledged deliveries that are permitted on `jobs-status` queue consumer. | 10 | -| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_ENABLED` | Enable workflow and job log retrieval from OpenSearch. 
| false | -| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_HOST` | OpenSearch host. | None | -| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_PORT` | OpenSearch port. | None | -| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_URL_PREFIX` | OpenSearch URL prefix. | None | -| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_USE_SSL` | Use SSL when connecting to OpenSearch instance. | true | -| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_CA_CERTS` | Path to a file with OpenSearch root CA certificates. | "/code/certs/ca.crt" | -| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_USER` | OpenSearch user name for Basic Authentication. | reana | -| `components.reana_workflow_engine_cwl.environment` | [REANA-Workflow-Engine-CWL](https://github.com/reanahub/reana-workflow-engine-cwl) environment variables | `{}` | -| `components.reana_workflow_engine_cwl.image` | [REANA-Workflow-Engine-CWL image](https://hub.docker.com/r/reanahub/reana-workflow-engine-cwl) to use | `docker.io/reanahub/reana-workflow-engine-cwl:` | -| `components.reana_workflow_engine_serial.environment` | [REANA-Workflow-Engine-Serial](https://github.com/reanahub/reana-workflow-engine-serial) environment variables | `{}` | -| `components.reana_workflow_engine_serial.image` | [REANA-Workflow-Engine-Serial image](https://hub.docker.com/r/reanahub/reana-workflow-engine-serial) to use | `docker.io/reanahub/reana-workflow-engine-serial:` | -| `components.reana_workflow_engine_yadage.environment` | [REANA-Workflow-Engine-yadage](https://github.com/reanahub/reana-workflow-engine-yadage) environment variables | `{}` | -| `components.reana_workflow_engine_yadage.image` | [REANA-Workflow-Engine-Yadage image](https://hub.docker.com/r/reanahub/reana-workflow-engine-yadage) to use | `docker.io/reanahub/reana-workflow-engine-yadage:` | -| `components.reana_workflow_engine_snakemake.environment` | 
[REANA-Workflow-Engine-Snakemake](https://github.com/reanahub/reana-workflow-engine-snakemake) environment variables | `{}` | -| `components.reana_workflow_engine_snakemake.image` | [REANA-Workflow-Engine-Snakemake image](https://hub.docker.com/r/reanahub/reana-workflow-engine-snakemake) to use | `docker.io/reanahub/reana-workflow-engine-snakemake:` | -| `compute_backends` | List of supported compute backends (kubernetes, htcondorcern, slurmcern) | "kubernetes" | -| `dask.enabled` | Enable support for running Dask workflows | false | -| `dask.autoscaler_enabled` | Enable Dask autoscaler | true | -| `dask.cluster_max_memory_limit` | The maximum memory limit for Dask clusters created by users | "16Gi" | -| `dask.cluster_default_number_of_workers` | The number of Dask workers created by default | 2 | -| `dask.cluster_max_number_of_workers` | The maximum number of Dask workers that users can ask for | 20 | -| `dask.cluster_default_single_worker_memory` | The amount of memory used by default by a single Dask worker | "2Gi" | -| `dask.cluster_max_single_worker_memory` | The maximum amount of memory that users can ask for the single Dask worker | "8Gi" | -| `db_env_config.REANA_DB_HOST` | Environment variable to connect to external databases | `-db` | -| `db_env_config.REANA_DB_NAME` | Environment variable to connect to external databases | reana | -| `db_env_config.REANA_DB_PORT` | Environment variable to connect to external databases | "5432" | -| `debug.enabled` | Instantiate a [wdb](https://github.com/Kozea/wdb) remote debugger inside the cluster, accessible in port `31984` | false | -| `eos.enabled` | **[CERN only]** Enable EOS support inside the cluster | false | -| `fluent-bit.enabled` | Enable FluentBit | false | -| `fluent-bit.inputConfig.*` | Pass certain `tail` input [configuration parameters](https://docs.fluentbit.io/manual/pipeline/inputs/tail#config)| | -| `fluent-bit.inputConfig.refreshInterval` | `tail` input configuration parameter `Refresh_Interval` | 2 
| -| `fluent-bit.inputConfig.rotateWait` | `tail` input configuration parameter `Rotate_Wait` | 5 | -| `fluent-bit.inputConfig.skipLongLines` | `tail` input configuration parameter `Skip_Long_Lines` | On | -| `fluent-bit.inputConfig.skipEmptyLines` | `tail` input configuration parameter `Skip_Empty_Lines` | On | -| `fluent-bit.filterConfig.*` | Pass certain `kubernetes` filter [configuration parameters](https://docs.fluentbit.io/manual/pipeline/filters/kubernetes#configuration-parameters)| | -| `fluent-bit.filterConfig.bufferSize` | `kubernetes` filter configuration parameter `Buffer_Size` | 512k | -| `fluent-bit.filterConfig.kubeUrl` | `kubernetes` filter configuration parameter `Kube_URL` | | -| `fluent-bit.filterConfig.kubeCaFile` | `kubernetes` filter configuration parameter `Kube_CA_File` | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt | -| `fluent-bit.filterConfig.kubeTokenFile` | `kubernetes` filter configuration parameter `Kube_Token_File` | /var/run/secrets/kubernetes.io/serviceaccount/token | -| `fluent-bit.outputConfig.*` | Pass certain `opensearch` output [configuration parameters](https://docs.fluentbit.io/manual/pipeline/outputs/opensearch#configuration-parameters)| | -| `fluent-bit.outputConfig.host` | `opensearch` output configuration parameter `Host` | reana-opensearch-master | -| `fluent-bit.outputConfig.httpUser` | `opensearch` output configuration parameter `HTTP_User` | fluentbit | -| `fluent-bit.outputConfig.httpPasswd` | `opensearch` output configuration parameter `HTTP_Passwd` | None | -| `fluent-bit.outputConfig.tls` | `opensearch` output configuration parameter `tls` | "On" | -| `fluent-bit.outputConfig.tlsVerify` | `opensearch` output configuration parameter `tls.verify` | "On" | -| `fluent-bit.outputConfig.tlsVerifyHostname` | `opensearch` output configuration parameter `tls.verify_hostname` | "Off" | -| `fluent-bit.outputConfig.tlsCaFile` | `opensearch` output configuration parameter `tls.ca_file` | /fluent-bit/etc/certs/ca.crt | 
-| `fluent-bit.outputConfig.tlsCrtFile` | `opensearch` output configuration parameter `tls.crt_file` | "" | -| `fluent-bit.outputConfig.tlsKeyFile` | `opensearch` output configuration parameter `tls.key_file` | "" | -| `fluent-bit.outputConfig.tlsKeyPassword` | `opensearch` output configuration parameter `tls.key_passwd` | "" | -| `fluent-bit.priority` | Priority class value for FluentBit pods | 1000000 | -| `fullnameOverride` | Name to override the `reana.prefix` | None | -| `infrastructure_storage` | Optional volume used by REANA's infrastructure (i.e. database and message broker). It has the same settings as `shared_storage` | {} | -| `ingress.annotations.traefik.ingress.kubernetes.io/router.entrypoints` | Entrypoints allowed by the ingress controller | "web,websecure" | -| `ingress.enabled` | Create an ingress resource to access the REANA instance from outside the cluster | true | -| `ingress.extra` | An array of extra ingress resources. They can be configured in the same way as the default ingress, with the addition of `ingress.extra[].name`. | [] | -| `ingress.ingress_class_name` | Name of the Ingress class to use. Default value (`null`) will use the cluster's default Ingress class. | null | -| `ingress.tls.hosts` | List of hosts included in the TLS certificate, needed by cert-manager | [] | -| `ingress.tls.secret_name` | Name of the Kubernetes secret containing the TLS certificate to be used | None | -| `ingress.tls.self_signed_cert` | Enable the generation of a self-signed TLS certificate | true | -| `kubernetes_jobs_memory_limit` | Maximum default memory limit for user job containers. Exceeding this limit will terminate the container. Please see the following URL for possible values . | 4Gi | -| `kubernetes_jobs_max_user_memory_limit` | Maximum custom memory limit that users can assign to their job containers via `kubernetes_memory_limit` hint in `reana.yaml`. Exceeding this limit will terminate the container. 
Please see the following URL for possible values . | None | -| `kubernetes_jobs_timeout_limit` | Default timeout for user's jobs in *seconds*. Exceeding this time will terminate the job. Please see the following URL for more details . Default value: 604800 seconds = 7 days. | 604800 | -| `kubernetes_jobs_max_user_timeout_limit` | Maximum custom timeout in *seconds* that users can assign to their jobs. Please see the following URL for more details . Default value: 1209600 seconds = 14 days. | 1209600 | -| `login` | Enable and configure SSO authentication via a third-party Keycloak identity provider ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `[]` | -| `node_label_infrastructure` | Define the label which identifies the nodes where the infrastructure pods should run, e.g. `reana.io/system=infrastructure`. If you are setting this configuration variable, please also set `.traefik.nodeSelector.reana.io/system=infrastructure` so the ingress controller is also deployed on the infrastructure node. By default infrastructure pods can be scheduled to any available node in the cluster. | None | -| `node_label_infrastructuremq` | Define the label which identifies the node where message broker pod should run, e.g. `reana.io/system=infrastructuremq`. By default message broker pod can be scheduled to any available node in the cluster. | None | -| `node_label_infrastructuredb` | Define the label which identifies the node where database pod should run, e.g. `reana.io/system=infrastructuredb`. By default the database pod can be scheduled to any available node in the cluster. | None | -| `node_label_runtimebatch` | Define the label which identifies the nodes where the runtime workflow pods should run, e.g. `reana.io/system=runtimebatch`. By default runtime workflow pods can be scheduled to any available node in the cluster. 
| None | -| `node_label_runtimejobs` | Define the label which identifies the nodes where the runtime job pods should run, e.g. `reana.io/system=runtimejobs`. By default runtime job pods can be scheduled to any available node in the cluster. | None | -| `node_label_runtimesessions` | Define the label which identifies the nodes where the runtime session pods should run, e.g. `reana.io/system=runtimesessions`. By default runtime session pods can be scheduled to any available node in the cluster. | None | -| `notifications.email_config.login` | Login for the sender email address | None | -| `notifications.email_config.password` | Password for the sender email address | None | -| `notifications.email_config.receiver` | Email address which will be receiving the notifications | None | -| `notifications.email_config.sender` | Email address which will be sending the notifications | None | -| `notifications.email_config.smtp_server` | SMTP email server host | None | -| `notifications.email_config.smtp_ssl` | Use SSL to connect to SMTP server | false | -| `notifications.email_config.smtp_starttls` | Use STARTTLS command of SMTP to upgrade to an encrypted connection | true | -| `notifications.email_config.smtp_port` | SMTP email server port | None | -| `notifications.enabled` | Enable REANA system events notifications. For more information, visit the [documentation page](https://docs.reana.io/administration/configuration/configuring-access/) on user sign up. | false | -| `notifications.system_status` | Cronjob pattern representing how often the system status notification should be sent. Leave it empty to deactivate it | `"0 0 * * *"` | -| `reana_hostname` | REANA hostname (e.g. reana.example.org) | None | -| `namespace_runtime` | Namespace in which the REANA runtime pods (workflow engines, jobs etc...) 
will run | `.Release.Namespace` | -| `naming_scheme` | REANA component naming scheme | None | -| `opensearch.*` | Pass any value from [OpenSearch Helm chart values](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch#configuration) here | - | -| `opensearch.enabled` | Enable OpenSearch | false | -| `opensearch.tls.generate` | Enable the generation of a self-signed TLS certificates for OpenSearch | true | -| `opensearch.tls.ca.cn` | OpenSearch root CA certificate common name (CN) | reana.io | -| `opensearch.tls.ca.ttl` | OpenSearch root CA certificate TTL in days | 365 | -| `opensearch.tls.cert.cn` | OpenSearch node certificate common name (CN) | reana-opensearch-master | -| `opensearch.tls.cert.ttl` | OpenSearch node certificate TTL in days | 180 | -| `opensearch.tls.admin.cn` | OpenSearch admin certificate common name (CN) | opensearch-admin.reana.io | -| `opensearch.tls.admin.ttl` | OpenSearch admin certificate TTL in days | 180 | -| `opensearch.customSecurityConfig.internalUsers` | Provide YAML users configuration for `internal_users.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#internal_usersyml) | None | -| `opensearch.customSecurityConfig.roles` | Provide YAML roles configuration for `roles.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml) | None | -| `opensearch.customSecurityConfig.rolesMapping` | Provide YAML roles mapping configuration for `roles_mapping.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#roles_mappingyml) | None | -| `pgbouncer.enabled` | Instantiate PgBouncer inside the cluster to pool database connections | false | -| `pgbouncer.image` | [PgBouncer image](https://hub.docker.com/r/bitnami/pgbouncer/) to use | `bitnami/pgbouncer:1.23.1` | -| `pgbouncer.pool_mode` | Pool mode to use (session, transaction, statement) | transaction | -| `pgbouncer.max_client_conn` | 
Maximum number of client connections allowed | 1000 | -| `pgbouncer.max_db_connections` | Maximum number of server connections allowed | 100 | -| `pgbouncer.environment` | Additional PgBouncer environment variables | `{}` | -| `secrets.cern.sso.CERN_CONSUMER_KEY` | CERN SSO consumer key | None | -| `secrets.cern.sso.CERN_CONSUMER_SECRET` | **[Do not use in production, use secrets instead]** CERN SSO consumer secret | None | -| `secrets.database.password` | **[Do not use in production, use secrets instead]** PostgreSQL database password | None | -| `secrets.database.user` | PostgreSQL database username | None | -| `secrets.gitlab.REANA_GITLAB_HOST` | Hostname of the GitLab instance | None | -| `secrets.gitlab.REANA_GITLAB_OAUTH_APP_ID` | GitLab OAuth application id | None | -| `secrets.gitlab.REANA_GITLAB_OAUTH_APP_SECRET` | **[Do not use in production, use secrets instead]** GitLab OAuth application secret | None | -| `secrets.login` | **[Do not use in production, use secrets instead]** Third-party Keycloak identity provider consumer key and secret ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `{}` | -| `secrets.opensearch.password` | **[Do not use in production, use secrets instead]** OpenSearch password for Basic Authentication | None | -| `secrets.reana.REANA_SECRET_KEY` | **[Do not use in production, use secrets instead]** REANA encryption secret key | None | -| `serviceAccount.create` | Create a service account for the REANA system user | true | -| `serviceAccount.name` | Service account name | reana | -| `shared_storage.access_modes` | Shared volume access mode | ReadWriteMany | -| `shared_storage.backend` | Shared volume storage backend | hostpath | -| `shared_storage.cephfs.availability_zone` | **[CERN only]** OpenStack Availability zone | nova | -| `shared_storage.cephfs.cephfs_os_share_access_id` | **[CERN only]** CephFS share access ID | None | -| 
`shared_storage.cephfs.cephfs_os_share_id` | **[CERN only]** CephFS share id | None | -| `shared_storage.cephfs.os_secret_name` | **[CERN only]** Name of the Secret object containing OpenStack credentials | os-trustee | -| `shared_storage.cephfs.os_secret_namespace` | **[CERN only]** Namespace of the OpenStack credentials Secret object | kube-system | -| `shared_storage.cephfs.provisioner` | **[CERN only]** CephFS provisioner | manila-provisioner | -| `shared_storage.cephfs.type` | **[CERN only]** CephFS availability zone | "Geneva CephFS Testing" | -| `shared_storage.volume_size`               | Shared volume size | 200 | -| `shared_storage.shared_volume_mount_path` | Path inside the REANA components where the shared volume will be mounted | /var/reana | -| `shared_storage.hostpath.root_path` | Path to the REANA directory inside the underlying storage volume | /var/reana | -| `traefik.*` | Pass any value from [Traefik Helm chart values](https://github.com/helm/charts/tree/master/stable/traefik#configuration) here, e.g. `traefik.rbac.enabled=true` | - | -| `traefik.enabled` | Install Traefik in the cluster when installing REANA | true | -| `volume_paths.root_path` | Path to the REANA directory inside the underlying storage volume | /var/reana | -| `volume_paths.shared_volume_path` | Path inside the REANA components where the shared volume will be mounted | /var/reana | -| `quota.enabled` | Enable user workflow accounting capabilities. | true | -| `quota.periodic_update_policy` | Cronjob pattern representing how often the users Disk and CPU quota usage should be updated. Leave it empty to deactivate it | `"0 3 * * *"` | -| `quota.workflow_termination_update_policy` | Resources to calculate quotas on worflow termination. Possible values: "cpu" and "disk". Leave it empty to deactivate workflow termination accounting. | "" | -| `quota.default_disk_limit` | Default users disk quota limit in bytes. 
(0=unlimited) | 0 | -| `quota.default_cpu_limit` | Default users CPU quota limit in milliseconds. (0=unlimited) | 0 | -| `workspaces.retention_rules.maximum_period` | Set a default period in days for workspace retention rules. Users will not be able to specify a longer period to retain the workspace files. After this period the workspace will be cleared. To disable the period and allow files to be kept forever, use value "forever". | forever | -| `workspaces.retention_rules.cronjob_schedule` | Cron format string describing how often pending retention rules should be applied. | `"0 2 * * *"` | -| `workspaces.paths` | List of additional workspace paths as strings. Each mount string is composed by a key `hostPath`(path to the directory to be mounted from the Kubernetes nodes) and a cluster_pod_mountpath (path inside the cluster containers where the `mountPath` will be mounted) e.g. `hostPath:mountPath`. The first value listed will be the default workspace root path. Any POSIX filesystem mounted on cluster nodes is supported | None | -| `interactive_sessions.cronjob_schedule` | Cron format string describing how often interactive session cleanup should be performed. | `"0 3 * * *"` | -| `interactive_sessions.environments.jupyter.recommended` | List of recommended environments (container images) for Jupyter notebooks. Each environment is composed of a `name` and an `image`. The first environment in the list is the default one. | `[{"image": "docker.io/jupyter/scipy-notebook:notebook-6.4.5", "name": "Jupyter SciPy Notebook 6.4.5"}]` | -| `interactive_sessions.environments.jupyter.allow_custom` | Allow users to specify custom docker images for Jupyter notebooks. | false | -| `interactive_sessions.maximum_inactivity_period` | Set a limit in days for the maximum inactivity period of interactive sessions. After this period interactive sessions will be automatically closed. To disable autoclosure and allow interactive sessions to run forever, use value "forever". 
| forever | -| `components.reana_ui.launcher_examples` | Array of demo examples to show in the launch page in the UI. Each demo repository is composed of `name`, `url`, `image_url`; you can also optionally specify a `description` and the `specification` filename. | [] | +| Parameter | Description | Default value | +| --------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------- | +| `components.reana_db.enabled` | Instantiate a PostgreSQL database inside the cluster | true | +| `components.reana_db.image` | [PostgreSQL image](https://hub.docker.com/_/postgres) to use | `docker.io/library/postgres:12.13` | +| `components.reana_job_controller.environment` | [REANA-Job-Controller](https://github.com/reanahub/reana-job-controller) environment variables | `{}` | +| `components.reana_job_controller.image` | [REANA-Job-Controller image](https://hub.docker.com/r/reanahub/reana-job-controller) to use | `docker.io/reanahub/reana-job-controller:` | +| `components.reana_message_broker.image` | [REANA-Message-Broker image](https://hub.docker.com/r/reanahub/reana-message-broker) to use | `docker.io/reanahub/reana-message-broker:` | +| `components.reana_message_broker.imagePullPolicy` | REANA-Message-Broker image pull policy | IfNotPresent | +| `components.reana_server.environment` | REANA-Server environment variables | | +| `components.reana_server.environment.REANA_MAX_CONCURRENT_BATCH_WORKFLOWS` | Upper limit on 
concurrent REANA batch workflows running in the cluster. | 30 |
+| `components.reana_server.environment.REANA_USER_EMAIL_CONFIRMATION` | Enable user to confirm their email address. | true |
+| `components.reana_server.environment.REANA_SCHEDULER_REQUEUE_SLEEP` | Seconds to wait between consuming workflows. | 15 |
+| `components.reana_server.environment.REANA_SCHEDULER_REQUEUE_COUNT` | The number of times to requeue workflow before failing it. "infinity" value could be used to deactivate workflow failing. | 200 |
+| `components.reana_server.environment.REANA_WORKFLOW_SCHEDULING_POLICY` | Define workflow scheduling strategy. Options are "fifo" for first-in-first-out strategy regardless of users and "balanced" for multi-user-aware scheduling strategy. | "fifo" |
+| `components.reana_server.environment.REANA_WORKFLOW_SCHEDULING_READINESS_CHECK_LEVEL` | Define checks that are performed to assess whether the cluster is ready to start new workflows. Values are: 0 = no readiness check; schedule new workflow as soon as they arrive; 1 = check for maximum number of concurrently running workflows; schedule new workflows if not exceeded; 2 = check for available cluster memory size; schedule new workflow only if it fits; 9 = perform all checks; satisfy all previous criteria. | 9 |
+| `components.reana_server.environment.REANA_RATELIMIT_GUEST_USER` | Set API limiter config for guest users. Users using reana-client will be treated as guests. | "40 per second" |
+| `components.reana_server.environment.REANA_RATELIMIT_AUTHENTICATED_USER` | Set API limiter config for authenticated web UI users. | "40 per second" |
+| `components.reana_server.environment.REANA_RATELIMIT_SLOW` | Set API limiter config for slow endpoints that need to be protected e.g. launch endpoint.
| "1/5 second" |
+| `components.reana_server.image` | [REANA-Server image](https://hub.docker.com/r/reanahub/reana-server) to use | `docker.io/reanahub/reana-server:` |
+| `components.reana_server.imagePullPolicy` | REANA-Server image pull policy | IfNotPresent |
+| `components.reana_server.uwsgi.processes` | Number of uWSGI processes | 6 |
+| `components.reana_server.uwsgi.threads` | Number of uWSGI threads | 4 |
+| `components.reana_server.uwsgi.log_all` | Log all HTTP requests | true |
+| `components.reana_server.uwsgi.log_4xx` | Log only error HTTP requests with status code 4xx. To make this configuration effective `components.reana_server.uwsgi.log_all` must be false. | true |
+| `components.reana_server.uwsgi.log_5xx` | Log only error HTTP requests with status code 5xx. To make this configuration effective `components.reana_server.uwsgi.log_all` must be false. | true |
+| `components.reana_ui.announcement` | Announcement message displayed in site top banner | None |
+| `components.reana_ui.enabled` | Instantiate the [REANA-UI](https://github.com/reanahub/reana-ui) | true |
+| `components.reana_ui.file_preview_size_limit` | Maximum file size (in bytes) that can be previewed in the web interface. Default value: 5242880 bytes = 5 MiB | 5242880 |
+| `components.reana_ui.image` | [REANA-UI image](https://hub.docker.com/r/reanahub/reana-ui) to use | `docker.io/reanahub/reana-ui:` |
+| `components.reana_ui.imagePullPolicy` | REANA-UI image pull policy | IfNotPresent |
+| `components.reana_ui.polling_secs` | Frequency of workflow list page reload in seconds | 15 |
+| `components.reana_ui.client_pyvenv` | REANA-Client python environment to source in the welcome example.
| None |
+| `components.reana_ui.docs_url` | URL of documentation site (footer icon) | |
+| `components.reana_ui.forum_url` | URL of forum site (footer icon) | |
+| `components.reana_ui.chat_url` | URL of chat channel (footer icon) | None |
+| `components.reana_ui.privacy_notice_url` | URL of the privacy notice (footer icon) | None |
+| `components.reana_ui.cern_sso` | Enable CERN SSO sign in | false |
+| `components.reana_ui.local_users` | Enable local users sign in/up | true |
+| `components.reana_ui.hide_signup` | Hide users sign up form | false |
+| `components.reana_workflow_controller.environment` | REANA-Workflow-Controller environment variables | `{SHARED_VOLUME_PATH: /var/reana}` |
+| `components.reana_workflow_controller.image` | [REANA-Workflow-Controller image](https://hub.docker.com/r/reanahub/reana-workflow-controller) to use | `docker.io/reanahub/reana-workflow-controller:` |
+| `components.reana_workflow_controller.imagePullPolicy` | REANA-Workflow-Controller image pull policy | IfNotPresent |
+| `components.reana_workflow_controller.environment.REANA_JOB_HOSTPATH_MOUNTS` | JSON list of optional hostPath mounts, for all user jobs. Each mount object has a key `name` (name of the mount), `hostPath` (path to the directory to be mounted from the Kubernetes nodes) and `mountPath` (path inside the job containers where the `hostPath` will be mounted) | None |
+| `components.reana_workflow_controller.environment.REANA_RUNTIME_KUBERNETES_KEEP_ALIVE_JOBS_WITH_STATUSES` | Keep alive Kubernetes user runtime jobs depending on status (`finished` and/or `failed`). | None |
+| `components.reana_workflow_controller.environment.REANA_JOB_STATUS_CONSUMER_PREFETCH_COUNT` | Define max number of unacknowledged deliveries that are permitted on `jobs-status` queue consumer. | 10 |
+| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_ENABLED` | Enable workflow and job log retrieval from OpenSearch.
| false |
+| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_HOST` | OpenSearch host. | None |
+| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_PORT` | OpenSearch port. | None |
+| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_URL_PREFIX` | OpenSearch URL prefix. | None |
+| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_USE_SSL` | Use SSL when connecting to OpenSearch instance. | true |
+| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_CA_CERTS` | Path to a file with OpenSearch root CA certificates. | "/code/certs/ca.crt" |
+| `components.reana_workflow_controller.environment.REANA_OPENSEARCH_USER` | OpenSearch user name for Basic Authentication. | reana |
+| `components.reana_workflow_engine_cwl.environment` | [REANA-Workflow-Engine-CWL](https://github.com/reanahub/reana-workflow-engine-cwl) environment variables | `{}` |
+| `components.reana_workflow_engine_cwl.image` | [REANA-Workflow-Engine-CWL image](https://hub.docker.com/r/reanahub/reana-workflow-engine-cwl) to use | `docker.io/reanahub/reana-workflow-engine-cwl:` |
+| `components.reana_workflow_engine_serial.environment` | [REANA-Workflow-Engine-Serial](https://github.com/reanahub/reana-workflow-engine-serial) environment variables | `{}` |
+| `components.reana_workflow_engine_serial.image` | [REANA-Workflow-Engine-Serial image](https://hub.docker.com/r/reanahub/reana-workflow-engine-serial) to use | `docker.io/reanahub/reana-workflow-engine-serial:` |
+| `components.reana_workflow_engine_yadage.environment` | [REANA-Workflow-Engine-yadage](https://github.com/reanahub/reana-workflow-engine-yadage) environment variables | `{}` |
+| `components.reana_workflow_engine_yadage.image` | [REANA-Workflow-Engine-Yadage image](https://hub.docker.com/r/reanahub/reana-workflow-engine-yadage) to use | `docker.io/reanahub/reana-workflow-engine-yadage:` |
+| `components.reana_workflow_engine_snakemake.environment` |
[REANA-Workflow-Engine-Snakemake](https://github.com/reanahub/reana-workflow-engine-snakemake) environment variables | `{}` |
+| `components.reana_workflow_engine_snakemake.image` | [REANA-Workflow-Engine-Snakemake image](https://hub.docker.com/r/reanahub/reana-workflow-engine-snakemake) to use | `docker.io/reanahub/reana-workflow-engine-snakemake:` |
+| `compute_backends` | List of supported compute backends (kubernetes, htcondorcern, slurmcern) | "kubernetes" |
+| `dask.enabled` | Enable support for running Dask workflows | false |
+| `dask.autoscaler_enabled` | Enable Dask autoscaler | true |
+| `dask.cluster_max_memory_limit` | The maximum memory limit for Dask clusters created by users | "16Gi" |
+| `dask.cluster_default_number_of_workers` | The number of Dask workers created by default | 2 |
+| `dask.cluster_max_number_of_workers` | The maximum number of Dask workers that users can ask for | 20 |
+| `dask.cluster_default_single_worker_memory` | The amount of memory used by default by a single Dask worker | "2Gi" |
+| `dask.cluster_max_single_worker_memory` | The maximum amount of memory that users can ask for the single Dask worker | "8Gi" |
+| `db_env_config.REANA_DB_HOST` | Environment variable to connect to external databases | `-db` |
+| `db_env_config.REANA_DB_NAME` | Environment variable to connect to external databases | reana |
+| `db_env_config.REANA_DB_PORT` | Environment variable to connect to external databases | "5432" |
+| `debug.enabled` | Instantiate a [wdb](https://github.com/Kozea/wdb) remote debugger inside the cluster, accessible in port `31984` | false |
+| `eos.enabled` | **[CERN only]** Enable EOS support inside the cluster | false |
+| `fluent-bit.enabled` | Enable FluentBit | false |
+| `fluent-bit.inputConfig.*` | Pass certain `tail` input [configuration parameters](https://docs.fluentbit.io/manual/pipeline/inputs/tail#config) | |
+| `fluent-bit.inputConfig.refreshInterval` | `tail` input configuration parameter `Refresh_Interval` |
2 |
+| `fluent-bit.inputConfig.rotateWait` | `tail` input configuration parameter `Rotate_Wait` | 5 |
+| `fluent-bit.inputConfig.skipLongLines` | `tail` input configuration parameter `Skip_Long_Lines` | On |
+| `fluent-bit.inputConfig.skipEmptyLines` | `tail` input configuration parameter `Skip_Empty_Lines` | On |
+| `fluent-bit.filterConfig.*` | Pass certain `kubernetes` filter [configuration parameters](https://docs.fluentbit.io/manual/pipeline/filters/kubernetes#configuration-parameters) | |
+| `fluent-bit.filterConfig.bufferSize` | `kubernetes` filter configuration parameter `Buffer_Size` | 512k |
+| `fluent-bit.filterConfig.kubeUrl` | `kubernetes` filter configuration parameter `Kube_URL` | |
+| `fluent-bit.filterConfig.kubeCaFile` | `kubernetes` filter configuration parameter `Kube_CA_File` | /var/run/secrets/kubernetes.io/serviceaccount/ca.crt |
+| `fluent-bit.filterConfig.kubeTokenFile` | `kubernetes` filter configuration parameter `Kube_Token_File` | /var/run/secrets/kubernetes.io/serviceaccount/token |
+| `fluent-bit.outputConfig.*` | Pass certain `opensearch` output [configuration parameters](https://docs.fluentbit.io/manual/pipeline/outputs/opensearch#configuration-parameters) | |
+| `fluent-bit.outputConfig.host` | `opensearch` output configuration parameter `Host` | reana-opensearch-master |
+| `fluent-bit.outputConfig.httpUser` | `opensearch` output configuration parameter `HTTP_User` | fluentbit |
+| `fluent-bit.outputConfig.httpPasswd` | `opensearch` output configuration parameter `HTTP_Passwd` | None |
+| `fluent-bit.outputConfig.tls` | `opensearch` output configuration parameter `tls` | "On" |
+| `fluent-bit.outputConfig.tlsVerify` | `opensearch` output configuration parameter `tls.verify` | "On" |
+| `fluent-bit.outputConfig.tlsVerifyHostname` | `opensearch` output configuration parameter `tls.verify_hostname` | "Off" |
+| `fluent-bit.outputConfig.tlsCaFile` | `opensearch` output configuration parameter `tls.ca_file` |
/fluent-bit/etc/certs/ca.crt |
+| `fluent-bit.outputConfig.tlsCrtFile` | `opensearch` output configuration parameter `tls.crt_file` | "" |
+| `fluent-bit.outputConfig.tlsKeyFile` | `opensearch` output configuration parameter `tls.key_file` | "" |
+| `fluent-bit.outputConfig.tlsKeyPassword` | `opensearch` output configuration parameter `tls.key_passwd` | "" |
+| `fluent-bit.priority` | Priority class value for FluentBit pods | 1000000 |
+| `fullnameOverride` | Name to override the `reana.prefix` | None |
+| `infrastructure_storage` | Optional volume used by REANA's infrastructure (i.e. database and message broker). It has the same settings as `shared_storage` | {} |
+| `ingress.annotations.traefik.ingress.kubernetes.io/router.entrypoints` | Entrypoints allowed by the ingress controller | "web,websecure" |
+| `ingress.enabled` | Create an ingress resource to access the REANA instance from outside the cluster | true |
+| `ingress.extra` | An array of extra ingress resources. They can be configured in the same way as the default ingress, with the addition of `ingress.extra[].name`. | [] |
+| `ingress.ingress_class_name` | Name of the Ingress class to use. Default value (`null`) will use the cluster's default Ingress class. | null |
+| `ingress.tls.hosts` | List of hosts included in the TLS certificate, needed by cert-manager | [] |
+| `ingress.tls.secret_name` | Name of the Kubernetes secret containing the TLS certificate to be used | None |
+| `ingress.tls.self_signed_cert` | Enable the generation of a self-signed TLS certificate | true |
+| `kubernetes_jobs_memory_limit` | Maximum default memory limit for user job containers. Exceeding this limit will terminate the container. Please see the following URL for possible values . | 4Gi |
+| `kubernetes_jobs_max_user_memory_limit` | Maximum custom memory limit that users can assign to their job containers via `kubernetes_memory_limit` hint in `reana.yaml`. Exceeding this limit will terminate the container.
Please see the following URL for possible values . | None |
+| `kubernetes_jobs_timeout_limit` | Default timeout for user's jobs in _seconds_. Exceeding this time will terminate the job. Please see the following URL for more details . Default value: 604800 seconds = 7 days. | 604800 |
+| `kubernetes_jobs_max_user_timeout_limit` | Maximum custom timeout in _seconds_ that users can assign to their jobs. Please see the following URL for more details . Default value: 1209600 seconds = 14 days. | 1209600 |
+| `login` | Enable and configure SSO authentication via a third-party Keycloak identity provider ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `[]` |
+| `node_label_infrastructure` | Define the label which identifies the nodes where the infrastructure pods should run, e.g. `reana.io/system=infrastructure`. If you are setting this configuration variable, please also set `.traefik.nodeSelector.reana.io/system=infrastructure` so the ingress controller is also deployed on the infrastructure node. By default infrastructure pods can be scheduled to any available node in the cluster. | None |
+| `node_label_infrastructuremq` | Define the label which identifies the node where message broker pod should run, e.g. `reana.io/system=infrastructuremq`. By default message broker pod can be scheduled to any available node in the cluster. | None |
+| `node_label_infrastructuredb` | Define the label which identifies the node where database pod should run, e.g. `reana.io/system=infrastructuredb`. By default the database pod can be scheduled to any available node in the cluster. | None |
+| `node_label_runtimebatch` | Define the label which identifies the nodes where the runtime workflow pods should run, e.g. `reana.io/system=runtimebatch`. By default runtime workflow pods can be scheduled to any available node in the cluster.
| None |
+| `node_label_runtimejobs` | Define the label which identifies the nodes where the runtime job pods should run, e.g. `reana.io/system=runtimejobs`. By default runtime job pods can be scheduled to any available node in the cluster. | None |
+| `node_label_runtimesessions` | Define the label which identifies the nodes where the runtime session pods should run, e.g. `reana.io/system=runtimesessions`. By default runtime session pods can be scheduled to any available node in the cluster. | None |
+| `notifications.email_config.login` | Login for the sender email address | None |
+| `notifications.email_config.password` | Password for the sender email address | None |
+| `notifications.email_config.receiver` | Email address which will be receiving the notifications | None |
+| `notifications.email_config.sender` | Email address which will be sending the notifications | None |
+| `notifications.email_config.smtp_server` | SMTP email server host | None |
+| `notifications.email_config.smtp_ssl` | Use SSL to connect to SMTP server | false |
+| `notifications.email_config.smtp_starttls` | Use STARTTLS command of SMTP to upgrade to an encrypted connection | true |
+| `notifications.email_config.smtp_port` | SMTP email server port | None |
+| `notifications.enabled` | Enable REANA system events notifications. For more information, visit the [documentation page](https://docs.reana.io/administration/configuration/configuring-access/) on user sign up. | false |
+| `notifications.system_status` | Cronjob pattern representing how often the system status notification should be sent. Leave it empty to deactivate it | `"0 0 * * *"` |
+| `reana_hostname` | REANA hostname (e.g. reana.example.org) | None |
+| `namespace_runtime` | Namespace in which the REANA runtime pods (workflow engines, jobs etc...)
will run | `.Release.Namespace` |
+| `naming_scheme` | REANA component naming scheme | None |
+| `opensearch.*` | Pass any value from [OpenSearch Helm chart values](https://github.com/opensearch-project/helm-charts/tree/main/charts/opensearch#configuration) here | - |
+| `opensearch.enabled` | Enable OpenSearch | false |
+| `opensearch.tls.generate` | Enable the generation of a self-signed TLS certificates for OpenSearch | true |
+| `opensearch.tls.ca.cn` | OpenSearch root CA certificate common name (CN) | reana.io |
+| `opensearch.tls.ca.ttl` | OpenSearch root CA certificate TTL in days | 365 |
+| `opensearch.tls.cert.cn` | OpenSearch node certificate common name (CN) | reana-opensearch-master |
+| `opensearch.tls.cert.ttl` | OpenSearch node certificate TTL in days | 180 |
+| `opensearch.tls.admin.cn` | OpenSearch admin certificate common name (CN) | opensearch-admin.reana.io |
+| `opensearch.tls.admin.ttl` | OpenSearch admin certificate TTL in days | 180 |
+| `opensearch.customSecurityConfig.internalUsers` | Provide YAML users configuration for `internal_users.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#internal_usersyml) | None |
+| `opensearch.customSecurityConfig.roles` | Provide YAML roles configuration for `roles.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#rolesyml) | None |
+| `opensearch.customSecurityConfig.rolesMapping` | Provide YAML roles mapping configuration for `roles_mapping.yaml` file; see [documentation](https://opensearch.org/docs/latest/security/configuration/yaml/#roles_mappingyml) | None |
+| `pgbouncer.enabled` | Instantiate PgBouncer inside the cluster to pool database connections | false |
+| `pgbouncer.image` | [PgBouncer image](https://hub.docker.com/r/bitnami/pgbouncer/) to use | `bitnami/pgbouncer:1.23.1` |
+| `pgbouncer.pool_mode` | Pool mode to use (session, transaction, statement) | transaction |
+| `pgbouncer.max_client_conn` |
Maximum number of client connections allowed | 1000 |
+| `pgbouncer.max_db_connections` | Maximum number of server connections allowed | 100 |
+| `pgbouncer.environment` | Additional PgBouncer environment variables | `{}` |
+| `secrets.cern.sso.CERN_CONSUMER_KEY` | CERN SSO consumer key | None |
+| `secrets.cern.sso.CERN_CONSUMER_SECRET` | **[Do not use in production, use secrets instead]** CERN SSO consumer secret | None |
+| `secrets.database.password` | **[Do not use in production, use secrets instead]** PostgreSQL database password | None |
+| `secrets.database.user` | PostgreSQL database username | None |
+| `secrets.gitlab.REANA_GITLAB_HOST` | Hostname of the GitLab instance | None |
+| `secrets.gitlab.REANA_GITLAB_OAUTH_APP_ID` | GitLab OAuth application id | None |
+| `secrets.gitlab.REANA_GITLAB_OAUTH_APP_SECRET` | **[Do not use in production, use secrets instead]** GitLab OAuth application secret | None |
+| `secrets.login` | **[Do not use in production, use secrets instead]** Third-party Keycloak identity provider consumer key and secret ([configuration details](https://docs.reana.io/administration/configuration/configuring-access/#keycloak-single-sign-on-configuration)) | `{}` |
+| `secrets.opensearch.password` | **[Do not use in production, use secrets instead]** OpenSearch password for Basic Authentication | None |
+| `secrets.reana.REANA_SECRET_KEY` | **[Do not use in production, use secrets instead]** REANA encryption secret key | None |
+| `serviceAccount.create` | Create a service account for the REANA system user | true |
+| `serviceAccount.name` | Service account name | reana |
+| `shared_storage.access_modes` | Shared volume access mode | ReadWriteMany |
+| `shared_storage.backend` | Shared volume storage backend | hostpath |
+| `shared_storage.cephfs.availability_zone` | **[CERN only]** OpenStack Availability zone | nova |
+| `shared_storage.cephfs.cephfs_os_share_access_id` | **[CERN only]** CephFS share access ID | None |
+|
`shared_storage.cephfs.cephfs_os_share_id` | **[CERN only]** CephFS share id | None |
+| `shared_storage.cephfs.os_secret_name` | **[CERN only]** Name of the Secret object containing OpenStack credentials | os-trustee |
+| `shared_storage.cephfs.os_secret_namespace` | **[CERN only]** Namespace of the OpenStack credentials Secret object | kube-system |
+| `shared_storage.cephfs.provisioner` | **[CERN only]** CephFS provisioner | manila-provisioner |
+| `shared_storage.cephfs.type` | **[CERN only]** CephFS availability zone | "Geneva CephFS Testing" |
+| `shared_storage.volume_size`               | Shared volume size | 200 |
+| `shared_storage.shared_volume_mount_path` | Path inside the REANA components where the shared volume will be mounted | /var/reana |
+| `shared_storage.hostpath.root_path` | Path to the REANA directory inside the underlying storage volume | /var/reana |
+| `traefik.*` | Pass any value from [Traefik Helm chart values](https://github.com/helm/charts/tree/master/stable/traefik#configuration) here, e.g. `traefik.rbac.enabled=true` | - |
+| `traefik.enabled` | Install Traefik in the cluster when installing REANA | true |
+| `volume_paths.root_path` | Path to the REANA directory inside the underlying storage volume | /var/reana |
+| `volume_paths.shared_volume_path` | Path inside the REANA components where the shared volume will be mounted | /var/reana |
+| `quota.enabled` | Enable user workflow accounting capabilities. | true |
+| `quota.periodic_update_policy` | Cronjob pattern representing how often the users Disk and CPU quota usage should be updated. Leave it empty to deactivate it | `"0 3 * * *"` |
+| `quota.workflow_termination_update_policy` | Resources to calculate quotas on worflow termination. Possible values: "cpu" and "disk". Leave it empty to deactivate workflow termination accounting. | "" |
+| `quota.default_disk_limit` | Default users disk quota limit in bytes.
(0=unlimited) | 0 |
+| `quota.default_cpu_limit` | Default users CPU quota limit in milliseconds. (0=unlimited) | 0 |
+| `workspaces.retention_rules.maximum_period` | Set a default period in days for workspace retention rules. Users will not be able to specify a longer period to retain the workspace files. After this period the workspace will be cleared. To disable the period and allow files to be kept forever, use value "forever". | forever |
+| `workspaces.retention_rules.cronjob_schedule` | Cron format string describing how often pending retention rules should be applied. | `"0 2 * * *"` |
+| `workspaces.paths` | List of additional workspace paths as strings. Each mount string is composed by a key `hostPath`(path to the directory to be mounted from the Kubernetes nodes) and a cluster_pod_mountpath (path inside the cluster containers where the `mountPath` will be mounted) e.g. `hostPath:mountPath`. The first value listed will be the default workspace root path. Any POSIX filesystem mounted on cluster nodes is supported | None |
+| `interactive_sessions.cronjob_schedule` | Cron format string describing how often interactive session cleanup should be performed. | `"0 3 * * *"` |
+| `interactive_sessions.environments.jupyter.recommended` | List of recommended environments (container images) for Jupyter notebooks. Each environment is composed of a `name` and an `image`. The first environment in the list is the default one. | `[{"image": "docker.io/jupyter/scipy-notebook:notebook-6.4.5", "name": "Jupyter SciPy Notebook 6.4.5"}]` |
+| `interactive_sessions.environments.jupyter.allow_custom` | Allow users to specify custom docker images for Jupyter notebooks. | false |
+| `interactive_sessions.maximum_inactivity_period` | Set a limit in days for the maximum inactivity period of interactive sessions. After this period interactive sessions will be automatically closed. To disable autoclosure and allow interactive sessions to run forever, use value "forever".
| forever | +| `components.reana_ui.launcher_examples` | Array of demo examples to show in the launch page in the UI. Each demo repository is composed of `name`, `url`, `image_url`; you can also optionally specify a `description` and the `specification` filename. | [] | diff --git a/helm/reana/values.yaml b/helm/reana/values.yaml index 87e6aaca..e0dbbc6f 100644 --- a/helm/reana/values.yaml +++ b/helm/reana/values.yaml @@ -16,12 +16,12 @@ maintenance: workspaces: retention_rules: maximum_period: forever - cronjob_schedule: "0 2 * * *" # everyday at 2am + cronjob_schedule: "0 2 * * *" # everyday at 2am paths: - /var/reana:/var/reana interactive_sessions: - cronjob_schedule: "0 3 * * *" # everyday at 3am + cronjob_schedule: "0 3 * * *" # everyday at 3am environments: jupyter: recommended: @@ -34,7 +34,7 @@ compute_backends: - kubernetes shared_storage: - backend: hostpath # hostpath | cephfs | nfs + backend: hostpath # hostpath | cephfs | nfs volume_size: 200 access_modes: ReadWriteMany shared_volume_mount_path: "/var/reana" @@ -82,7 +82,7 @@ components: enabled: true docs_url: https://docs.reana.io forum_url: https://forum.reana.io - file_preview_size_limit: 5242880 # 5 * 1024**2 = 5 MiB + file_preview_size_limit: 5242880 # 5 * 1024**2 = 5 MiB imagePullPolicy: IfNotPresent image: docker.io/reanahub/reana-ui:0.9.4 reana_db: @@ -199,9 +199,10 @@ pgbouncer: quota: enabled: true periodic_update_policy: "{{ .Values.quota.disk_update }}" - workflow_termination_update_policy: "{{ .Values.quota.termination_update_policy }}" + workflow_termination_update_policy: + "{{ .Values.quota.termination_update_policy }}" # backward compatibility - disk_update: "0 3 * * *" # everyday at 3am + disk_update: "0 3 * * *" # everyday at 3am termination_update_policy: "" # OpenSearch chart values.yaml 
@@ -220,7 +221,7 @@ opensearch: admin: cn: "opensearch-admin.reana.io" ttl: 180 - singleNode: true # advanced storage configuration needed if set to false + singleNode: true # advanced storage configuration needed if set to false config: opensearch.yml: | cluster.name: reana-opensearch @@ -288,16 +289,16 @@ opensearch: - name: reana-opensearch-volume hostPath: path: /var/reana - # You can instead configure infrastructure volume: - # - name: reana-opensearch-volume - # persistentVolumeClaim: - # claimName: reana-infrastructure-persistent-volume - # readOnly: false - # Or shared volume: - # - name: reana-opensearch-volume - # persistentVolumeClaim: - # claimName: reana-shared-persistent-volume - # readOnly: false + # You can instead configure infrastructure volume: + # - name: reana-opensearch-volume + # persistentVolumeClaim: + # claimName: reana-infrastructure-persistent-volume + # readOnly: false + # Or shared volume: + # - name: reana-opensearch-volume + # persistentVolumeClaim: + # claimName: reana-shared-persistent-volume + # readOnly: false extraVolumeMounts: - mountPath: /usr/share/opensearch/data subPath: opensearch @@ -306,13 +307,13 @@ opensearch: customSecurityConfig: internalUsers: reana: - hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p ; supply in Helm command flags + hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p ; supply in Helm command flags reserved: false backend_roles: - readall description: REANA user fluentbit: - hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p ; supply in Helm command flags + hash: "" # Required. To generate hash, run plugins/opensearch-security/tools/hash.sh -p ; supply in Helm command flags reserved: false backend_roles: - fluentbit @@ -332,7 +333,7 @@ opensearch: - indices:data/write/bulk* index_permissions: - index_patterns: - - fluentbit-* + - fluentbit-* fls: [] masked_fields: [] allowed_actions: 
@@ -347,7 +348,7 @@ opensearch: reserved: false hidden: false backend_roles: - - fluentbit + - fluentbit and_backend_roles: [] own_index: hosts: [] @@ -549,8 +550,8 @@ fluent-bit: secret: secretName: reana-opensearch-tls-secrets items: - - key: ca.crt - path: ca.crt + - key: ca.crt + path: ca.crt extraVolumeMounts: - name: reana-opensearch-ca mountPath: /fluent-bit/etc/certs