values.yaml

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: ""
  postgresql:
    ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
    ##
    service:
      ports:
        postgresql: ""

## @section K8S env parameters
##

## @param k8sSetup.platform The platform on which you install the chart. Possible values: AWSEKS/AzureAKS/GoogleGKE/PlainK8s
## @param k8sSetup.validateValues Enable validation of the values
##
k8sSetup:
  platform: PlainK8s
  validateValues: true

## @section Release server parameters
##

## @param license Sets your XL License by passing a base64 string license, which will then be added to the license file.
## Convert xl-release.lic files content to base64 ( cat xl-release.lic | base64 -w 0 ) and put the output here
##
license:
## @param licenseAcceptEula Accept EULA, in case of missing license, it will generate temporary license.
##
licenseAcceptEula: false
## @param generateXlConfig Generate configuration from environment parameters passed, and volumes mounted with custom changes. If set to false, a default config will be used and all environment variables and volumes added will be ignored.
##
generateXlConfig: true
## @param useIpAsHostname Set IP address of the container as the hostname for the instance.
## If set to true then IP will be used instead of the container ID. This is useful
## when deploying Release as active-active cluster using docker compose as Pekko cannot resolve aliases within the docker network.
##
useIpAsHostname: false
## @param forceRemoveMissingTypes Force removal of the missing types.
##
forceRemoveMissingTypes: false
## @param clusterMode This is to specify if the HA setup is needed and to specify the HA mode. Possible values: "default", "hot-standby", "full"
##
clusterMode: full
## @param forceUpgrade It can be used to perform an upgrade in non-interactive mode by passing flag -force-upgrades while starting a service.
##
forceUpgrade: true
## @param enableEmbeddedQueue Flag to expose external messaging queue. If set to true, a default embedded-queue will be used and all environment variables will be ignored.
##
enableEmbeddedQueue: false
## @param appProtocol Release protocol (the protocol http or https that will be used by enduser to access Release). It is not used if ingress or route are enabled.
##
appProtocol: http
## @param appHostname Release hostname (the hostname that will be used by enduser to access Release). It is not used if ingress or route are enabled.
##
appHostname: ""
## @param appContextRoot Release context root.
##
appContextRoot: /
## @param logback.globalLoggingLevel Global logging level. Possible values: "trace", "debug", "info", "warn", "error"
## @param logback.scanEnabled Enables scanning of logback.xml.
## @param logback.scanPeriod Interval for checking logback.xml configuration.
##
logback:
  globalLoggingLevel: "info"
  scanEnabled: true
  scanPeriod: "30 seconds"

## @section Release hooks
##

hooks:
  getLicense:
    ## @param hooks.getLicense.enabled set to true to support license auto generation by using helm hook, it is working together with enabled licenseAcceptEula
    enabled: true
    ## @param hooks.getLicense.name Name of the resources that will be used during hook execution
    name: '{{ include "release.name" . }}-license'
    ## @param hooks.getLicense.deletePolicy Helm hook delete policy
    deletePolicy: "before-hook-creation,hook-succeeded"
    ## @param hooks.getLicense.getCommand The command for getting temporary license, see hooks.getLicense.configuration.bin_get-license
    getCommand:
      - /opt/xebialabs/xl-release-server/bin/get-license.sh
    ## @param hooks.getLicense.installCommand The command for creating the secret with the license, see hooks.getLicense.configuration.bin_install-license
    installCommand:
      - /opt/xebialabs/xl-release-server/bin/install-license.sh

    ## @param hooks.getLicense.image.registry getLicense hook container image registry
    ## @param hooks.getLicense.image.repository getLicense hook container image repository
    ## @param hooks.getLicense.image.tag getLicense hook container image tag
    ## @param hooks.getLicense.image.pullPolicy getLicense hook container image pull policy
    ## @param hooks.getLicense.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: docker.io
      repository: bitnami/kubectl
      tag: 1.28.7-debian-12-r3
      ## Specify a imagePullPolicy
      ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
      ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## @param hooks.getLicense.containerSecurityContext.enabled Enabled get licence containers' Security Context
    ## @param hooks.getLicense.containerSecurityContext.runAsNonRoot Set get licence container's Security Context runAsNonRoot
    ## @param hooks.getLicense.containerSecurityContext.allowPrivilegeEscalation Set get licence container's Security Context allowPrivilegeEscalation
    ## @extra hooks.getLicense.containerSecurityContext.capabilities Set get licence container's Security Context capabilities
    ## @skip hooks.getLicense.containerSecurityContext.capabilities
    ## @extra hooks.getLicense.containerSecurityContext.seccompProfile Set get licence container's Security Context seccompProfile
    ## @skip hooks.getLicense.containerSecurityContext.seccompProfile
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## Example:
    ##   containerSecurityContext:
    ##     capabilities:
    ##       drop: ["NET_RAW"]
    ##     readOnlyRootFilesystem: true
    ##
    containerSecurityContext:
      enabled: true
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault
    ## @extra hooks.getLicense.configuration Release Configuration file content
    ## Do not override unless you know what you are doing.
    ##
    configuration:
      ## @extra hooks.getLicense.configuration.bin_get-license The configuration of the script for getting the license
      ## @param hooks.getLicense.configuration.bin_get-license.path The path to the script for getting the license
      ## @param hooks.getLicense.configuration.bin_get-license.mode The access mode of the script for getting the license
      ## @param hooks.getLicense.configuration.bin_get-license.content Content of the script for getting the license
      bin_get-license:
        path: "bin/get-license.sh"
        mode: 0755
        content: |
          #!/bin/bash

          echo "Requesting unregistered license"
          SERVER_PATH_PART=https://download.xebialabs.com
          echo -e $(curl -X POST "${SERVER_PATH_PART}/api/unregistered/xl-release" | jq --raw-output .license) > ${APP_HOME}/conf/xl-release-license.lic
          file_size=$(stat -c%s "${APP_HOME}/conf/xl-release-license.lic")
          if [ "$file_size" -lt 10 ]; then
            echo "License file is NOT valid"
            exit 1
          fi

      ## @extra hooks.getLicense.configuration.bin_install-license The configuration of the script for setting up license secret
      ## @param hooks.getLicense.configuration.bin_install-license.path The path to the script for setting up license secret
      ## @param hooks.getLicense.configuration.bin_install-license.mode The access mode of the script for setting up license secret
      ## @param hooks.getLicense.configuration.bin_install-license.content Content of the script for setting up license secret
      bin_install-license:
        path: "bin/install-license.sh"
        mode: 0755
        content: |
          #!/bin/bash

          FILE_PATH="/opt/xebialabs/xl-release-server/conf/xl-release-license.lic"
          kubectl create secret generic {{ include "common.tplvalues.render" ( dict "value" $.Values.hooks.getLicense.name "context" $ ) }} --from-file=$FILE_PATH

  genSelfSigned:
    ## @param hooks.genSelfSigned.enabled set to true to support self-signed ket auto generation by using helm hook
    enabled: false
    ## @param hooks.genSelfSigned.name Name of the resources that will be used during hook execution
    name: '{{ include "release.name" . }}-self-signed'
    ## @param hooks.genSelfSigned.deletePolicy Helm hook delete policy
    deletePolicy: "before-hook-creation,hook-succeeded"
    ## @param hooks.genSelfSigned.genCommand The command for getting self-signed key, see hooks.genSelfSigned.configuration.bin_gen-self-signed
    genCommand:
      - /opt/xebialabs/xl-release-server/bin/gen-self-signed.sh
    ## @param hooks.genSelfSigned.installCommand The command for creating the secret with the self-signed key, see hooks.genSelfSigned.configuration.bin_install-self-signed
    installCommand:
      - /opt/xebialabs/xl-release-server/bin/install-self-signed.sh

    ## @param hooks.genSelfSigned.image.registry genSelfSigned hook container image registry
    ## @param hooks.genSelfSigned.image.repository genSelfSigned hook container image repository
    ## @param hooks.genSelfSigned.image.tag genSelfSigned hook container image tag
    ## @param hooks.genSelfSigned.image.pullPolicy genSelfSigned hook container image pull policy
    ## @param hooks.genSelfSigned.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: docker.io
      repository: bitnami/kubectl
      tag: 1.28.7-debian-12-r3
      ## Specify a imagePullPolicy
      ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
      ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## @param hooks.genSelfSigned.containerSecurityContext.enabled Enabled generate self-signed containers' Security Context
    ## @param hooks.genSelfSigned.containerSecurityContext.runAsNonRoot Set generate self-signed container's Security Context runAsNonRoot
    ## @param hooks.genSelfSigned.containerSecurityContext.allowPrivilegeEscalation Set generate self-signed container's Security Context allowPrivilegeEscalation
    ## @extra hooks.genSelfSigned.containerSecurityContext.capabilities Set generate self-signed container's Security Context capabilities
    ## @skip hooks.genSelfSigned.containerSecurityContext.capabilities
    ## @extra hooks.genSelfSigned.containerSecurityContext.seccompProfile Set generate self-signed container's Security Context seccompProfile
    ## @skip hooks.genSelfSigned.containerSecurityContext.seccompProfile
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## Example:
    ##   containerSecurityContext:
    ##     capabilities:
    ##       drop: ["NET_RAW"]
    ##     readOnlyRootFilesystem: true
    ##
    containerSecurityContext:
      enabled: true
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault
    ## @extra hooks.genSelfSigned.configuration Release Configuration file content
    ## Do not override unless you know what you are doing.
    ##
    configuration:
      ## @extra hooks.genSelfSigned.configuration.bin_gen-self-signed The configuration of the script for creating self signed key
      ## @param hooks.genSelfSigned.configuration.bin_gen-self-signed.path The path to the script forcreating self signed key
      ## @param hooks.genSelfSigned.configuration.bin_gen-self-signed.mode The access mode of the script for creating self signed key
      ## @param hooks.genSelfSigned.configuration.bin_gen-self-signed.content Content of the script for creating self signed key
      bin_gen-self-signed:
        path: "bin/gen-self-signed.sh"
        mode: 0755
        content: |
          #!/bin/bash

          echo "Generating release self-signed cert"
          HOSTNAME="{{- include "release.hostname" . -}}"
          STOREPASS="{{- .Values.ssl.keystorePassword -}}"
          KEYPASS="{{- .Values.ssl.keystoreKeypassword -}}"
          KEYTYPE="{{- .Values.ssl.keystoreType -}}"
          keytool -genkey -keyalg RSA -alias dai-release -keystore conf/keystore.$KEYTYPE -validity 365 -keysize 2048 -storepass "$STOREPASS" -storetype "$KEYTYPE" -keypass "$KEYPASS" \
            -dname "CN=$HOSTNAME,OU=,O=Digital.ai Release,L=,ST=,C=" \
            -ext "SAN=DNS:{{- include "common.names.fullname" . -}}.local"
          keytool -export -alias dai-release -keystore conf/keystore.$KEYTYPE -rfc -file conf/public.cert -storepass "$STOREPASS" -storetype "$KEYTYPE" -keypass "$KEYPASS"

      ## @extra hooks.genSelfSigned.configuration.bin_install-self-signed The configuration of the script for setting up self-signed key secret
      ## @param hooks.genSelfSigned.configuration.bin_install-self-signed.path The path to the script for setting up self-signed key secret
      ## @param hooks.genSelfSigned.configuration.bin_install-self-signed.mode The access mode of the script for setting up self-signed key secret
      ## @param hooks.genSelfSigned.configuration.bin_install-self-signed.content Content of the script for setting up self-signed key secret
      bin_install-self-signed:
        path: "bin/install-self-signed.sh"
        mode: 0755
        content: |
          #!/bin/bash

          KEYSTORE_FILE_PATH="/opt/xebialabs/xl-release-server/conf/keystore.{{- .Values.ssl.keystoreType -}}"
          CERT_FILE_PATH="/opt/xebialabs/xl-release-server/conf/public.cert"
          kubectl create secret generic {{ include "common.tplvalues.render" ( dict "value" $.Values.hooks.genSelfSigned.name "context" $ ) }} \
            --from-file=$KEYSTORE_FILE_PATH \
            --from-file=$CERT_FILE_PATH \
            --from-literal=host={{- include "release.hostname" . -}}

  installReleaseRunner:
    ## @param hooks.installReleaseRunner.enabled set to true to support installation of the Remote Runner after Release installation
    enabled: false
    ## @param hooks.installReleaseRunner.name Name of the resources that will be used during hook execution
    name: '{{ include "release.name" . }}-install-runner'
    ## @param hooks.installReleaseRunner.deletePolicy Helm hook delete policy
    deletePolicy: "before-hook-creation,hook-succeeded"
    ## @param hooks.installReleaseRunner.releaseName The release name for Release Runner installation
    releaseName: ""
    ## @param hooks.installReleaseRunner.answersSecret The secret that will be used during Release Runner installation
    answersSecret: ""
    ## @param hooks.installReleaseRunner.installCommand The command for Release Runner installation
    installCommand:
      - /opt/xebialabs/xl-client/xl
      - kube
      - upgrade
      - --skip-context-check
      - --local-repo
      - /opt/xebialabs/xl-op-blueprints
      - --answers
      - /opt/xebialabs/xl-client/generated_answers.yaml

    ## @param hooks.installReleaseRunner.image.registry getLicense hook container image registry
    ## @param hooks.installReleaseRunner.image.repository getLicense hook container image repository
    ## @param hooks.installReleaseRunner.image.tag getLicense hook container image tag
    ## @param hooks.installReleaseRunner.image.pullPolicy getLicense hook container image pull policy
    ## @param hooks.installReleaseRunner.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: docker.io
      repository: xebialabsunsupported/xl-client
      tag: "{{ .Chart.AppVersion }}"
      ## Specify a imagePullPolicy
      ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
      ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## @param hooks.installReleaseRunner.containerSecurityContext.enabled Enabled install RR containers' Security Context
    ## @param hooks.installReleaseRunner.containerSecurityContext.runAsNonRoot Set install RR container's Security Context runAsNonRoot
    ## @param hooks.installReleaseRunner.containerSecurityContext.allowPrivilegeEscalation Set install RR container's Security Context allowPrivilegeEscalation
    ## @extra hooks.installReleaseRunner.containerSecurityContext.capabilities Set install RR container's Security Context capabilities
    ## @skip hooks.installReleaseRunner.containerSecurityContext.capabilities
    ## @extra hooks.installReleaseRunner.containerSecurityContext.seccompProfile Set install RR container's Security Context seccompProfile
    ## @skip hooks.installReleaseRunner.containerSecurityContext.seccompProfile
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## Example:
    ##   containerSecurityContext:
    ##     capabilities:
    ##       drop: ["NET_RAW"]
    ##     readOnlyRootFilesystem: true
    ##
    containerSecurityContext:
      enabled: true
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault

## @section Release security parameters

## Release Authentication parameters
##
auth:
  ## @param auth.adminPassword Admin password for Release. If user does not provide password, random 10 character alphanumeric string will be generated.
  adminPassword:
  ## @param auth.sessionStorage When enabled it will store session in the DB (it could degrade DB performance).
  sessionStorage: false

ssl:
  ## @param ssl.enabled Enable SSL to be used on Release
  enabled: false
  ## @param ssl.keystorePassword Keystore password with SSL key.
  keystorePassword:
  ## @param ssl.keystoreKeypassword Keystore key password with SSL key.
  keystoreKeypassword:
  ## @param ssl.keystoreType Keystore type, options pkcs12 or jks.
  keystoreType: pkcs12
  ## @extra ssl.keystore Keystore content in base64 format or it can reference the existing secret.
  ## @param ssl.keystore.valueFrom.secretKeyRef.name Name of the secret where the keystore was stored.
  ## @param ssl.keystore.valueFrom.secretKeyRef.key Name of the key in the secret where the keystore was stored.
  keystore:
    valueFrom:
      secretKeyRef:
        name: '{{ include "common.tplvalues.render" ( dict "value" .Values.hooks.genSelfSigned.name "context" $ ) }}'
        key: keystore.{{ .Values.ssl.keystoreType }}

## @section Release external resources

external:
  db:
    ## @param external.db.enabled Enable external database
    enabled: false
    main:
      ## @param external.db.main.url Main database URL for Release
      url: ""
      ## @param external.db.main.username Main database username for Release
      username:
      ## @param external.db.main.password Main database password for Release
      password:
      ## @param external.db.main.maxPoolSize Main database max pool size for Release
      maxPoolSize: ""
    report:
      ## @param external.db.report.url Report database URL for Release
      url: ""
      ## @param external.db.report.username Report database username for Release
      username:
      ## @param external.db.report.password Report database password for Release
      password:
      ## @param external.db.report.maxPoolSize Report database max pool size for Release
      maxPoolSize: ""

  mq:
    ## @param external.mq.enabled Enable external message queue
    enabled: false
    ## @param external.mq.url External message queue broker URL for Release
    url: ""
    ## @param external.mq.queueName External message queue name for Release
    queueName: ""
    ## @param external.mq.username External message queue broker username for Release
    username:
    ## @param external.mq.password External message queue broker password for Release
    password:
    ## @param external.mq.queueType Applies only for external rabbitmq message broker. Can be either classic(default) or quorum
    queueType: ""
    ## @param external.mq.connector Connector type depending on external message queue broker. Can be either rabbitmq-jms(default) or activemq-jms
    connector: ""

## @section Release keystore and truststore parameters

keystore:
  ## @param keystore.passphrase Set passphrase for the keystore
  passphrase:
  ## @param keystore.keystore Use repository-keystore.jceks files content ecoded with base64
  # https://docs.xebialabs.com/v.9.8/release/how-to/update-the-xl-release-digital-certificate/#view-the-certificate
  # Convert repository-keystore.jceks files content to base64
  # ( cat repository-keystore.jceks | base64 -w 0 ) and put the output here
  # if empty during initial run, the default keystore will be generated with provided "passphrase"
  keystore:

truststore:
  ## @param truststore.type Type of truststore, possible value jks or jceks or pkcs12
  type: "pkcs12"
  ## @param truststore.password Truststore password
  password:
  ## @param truststore.truststore Truststore file base64 encoded
  truststore: {}
  ## @param truststore.params Truststore params in the command line
  params: "{{- if .Values.truststore.truststore }} -Djavax.net.ssl.trustStore=$(TRUSTSTORE) -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD) -Djavax.net.ssl.trustStoreType=$(TRUSTSTORE_TYPE){{- end }}"

## @section Release Network Policy configuration
##

## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
  ##
  enabled: false
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## client label will have network access to the port Release is listening
  ## on. When true, Release will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.additionalRules Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed.
  ## e.g:
  ## additionalRules:
  ##  - matchLabels:
  ##    - role: frontend
  ##  - matchExpressions:
  ##    - key: role
  ##      operator: In
  ##      values:
  ##        - frontend
  ##
  additionalRules: []

## @section Metrics Parameters
##

## Metrics
##
metrics:
  ## @param metrics.enabled Enable exposing Release metrics to be gathered.
  ## Flag to expose internal and system metrics over Java Management Extensions (JMX).
  ## This is to enable the use of monitoring systems that can read JMX data, with XL Products.
  ##
  enabled: false

## @section OIDC parameters
##

oidc:
  accessToken:
    ## @param oidc.accessToken.audience Expected audience 'aud' claim value
    audience:
    ## @param oidc.accessToken.enable Enable access token
    enable: false
    ## @param oidc.accessToken.issuer Expected issuer 'iss' claim value
    issuer:
    ## @param oidc.accessToken.jwsAlg Expected JSON Web Algorithm
    jwsAlg:
    ## @param oidc.accessToken.keyRetrievalUri The jwks_uri to retrieve keys for the token
    keyRetrievalUri:
    ## @param oidc.accessToken.secretKey The secret key if MAC based algorithms is used for the token
    secretKey:
  ## @param oidc.accessTokenUri The redirect URI to use for returning the access token
  accessTokenUri:
  clientAuthJwt:
    ## @param oidc.clientAuthJwt.enable Enable Client Authentication Using private_key_jwt
    enable: false
    ## @param oidc.clientAuthJwt.jwsAlg Expected JSON Web Algorithm
    jwsAlg:
    keyStore:
      ## @param oidc.clientAuthJwt.keyStore.enable Enable keystore
      enable: false
      ## @param oidc.clientAuthJwt.keyStore.path The key store file path
      path:
      ## @param oidc.clientAuthJwt.keyStore.password The key store password
      password:
      ## @param oidc.clientAuthJwt.keyStore.type The type of keystore
      type:
    key:
      ## @param oidc.clientAuthJwt.key.alias Private key alias inside the key store
      alias:
      ## @param oidc.clientAuthJwt.key.enable Enable private key
      enable: false
      ## @param oidc.clientAuthJwt.key.password Private key password
      password:
    ## @param oidc.clientAuthJwt.tokenKeyId Token key identifier 'kid' header - set it if your OpenID Connect provider requires it
    tokenKeyId:
  ## @param oidc.clientAuthMethod Client authentication method
  clientAuthMethod:
  ## @param oidc.clientId Client ID
  clientId:
  ## @param oidc.clientSecret Client secret
  clientSecret:
  ## @param oidc.emailClaim Email claim
  emailClaim:
  ## @param oidc.enabled Enable the OIDC configuration
  enabled: false
  ## @param oidc.external Enable the OIDC configuration
  external: false
  ## @param oidc.externalIdClaim A unique external ID such as the user's employee ID or GitHub ID. This is an optional claim.
  externalIdClaim:
  ## @param oidc.fullNameClaim FullName claim
  fullNameClaim:
  ## @param oidc.idTokenJWSAlg The ID token signature verification algorithm
  idTokenJWSAlg:
  ## @param oidc.issuer OpenID Provider Issuer here
  issuer:
  ## @param oidc.keyRetrievalUri The jwks_uri to retrieve keys
  keyRetrievalUri:
  ## @param oidc.logoutUri The logout endpoint to revoke token via the browser
  logoutUri:
  ## @param oidc.postLogoutRedirectUri If you need to redirect to the login page after logout, you can use your redirectUri as the postLogoutRedirectUri
  postLogoutRedirectUri:
  ## @param oidc.proxyHost Proxy host
  proxyHost:
  ## @param oidc.proxyPort Proxy port
  proxyPort:
  ## @param oidc.redirectUri The redirectUri endpoint must always point to the /oidc-login Release endpoint.
  ## The redirectUri is an endpoint where authentication responses can be sent and received by Release.
  ## It must exactly match one of the redirect_uris you registered in OKTA and Azure AD portal and it must be URL encoded.
  ## For Keycloak you can register a pattern for redirect_uri from the Keycloak Admin Panel
  ## (For example, you can provide a mask such as: http://example.com/mask** that matches http://example.com/mask/ or http://example.com/mask).
  redirectUri:
  ## @param oidc.rolesClaim Roles claim
  rolesClaim:
  ## @param oidc.scopes Fields described here must be present in the scope.
  scopes: [ "openid" ]
  ## @param oidc.userAuthorizationUri The authorize endpoint to request tokens or authorization codes via the browser
  userAuthorizationUri:
  ## @param oidc.userNameClaim A unique username for both internal and external users.
  ## You cannot sign in with a user if a local account with the same username exists.
  userNameClaim:

## @section Common resources parameters
##

## @param nameOverride String to partially override release.fullname template (will maintain the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override release.fullname template
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the Release
##
extraDeploy: [ ]
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: { }
## @param commonLabels Labels to add to all deployed objects
## Eg. app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
##
commonLabels: { }

## @section Release debug parameters
##

## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - /opt/xebialabs/tini
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - --
    - sleep
    - infinity
## Enable debug mode in the deployment
##
debugMode:
  ## @param debugMode.enabled Enable debug mode (it starts all process with debug agent)
  ##
  enabled: false
  ## @param debugMode.remoteJvmParams Agent lib configuration line with port. Do port forwarding to the port you would like to use.
  ##
  remoteJvmParams: "{{- if .Values.debugMode.enabled }} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=localhost:8001{{- end }}"

## @section Release DNS parameters
##

## @param hostAliases Deployment pod host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param dnsPolicy DNS Policy for pod
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## E.g.
## dnsPolicy: ClusterFirst
dnsPolicy: ""
## @param dnsConfig DNS Configuration pod
## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
## E.g.
## dnsConfig:
##   options:
##   - name: ndots
##     value: "4"
dnsConfig: {}

## @section Release runtime parameters
##

## @param jvmArgs Release JVM arguments
##
jvmArgs: ""

## @param command Override default container command (useful when using custom images)
##
command:
  - /opt/xebialabs/tini
## @param args Override default container args (useful when using custom images)
##
args:
  - --
  - /opt/xebialabs/xl-release-server/bin/run-in-container.sh
## @param lifecycleHooks Overwrite livecycle for the Release container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param terminationGracePeriodSeconds Default duration in seconds k8s waits for container to exit before sending kill signal.
## Any time in excess of 10 seconds will be spent waiting for any synchronization necessary for cluster not to lose data.
##
terminationGracePeriodSeconds: 200
## @param extraEnvVars Extra environment variables to add to Release pods
## E.g:
## extraEnvVars:
##   - name: FOO
##     value: BAR
##
extraEnvVars: [ ]
## @param extraEnvVarsCM Name of existing ConfigMap containing extra environment variables
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Name of existing Secret containing extra environment variables (in case of sensitive data)
##
extraEnvVarsSecret: ""

## Container Ports
## @param containerPorts.releaseHttp Release HTTP port value exposed on the container
## @param containerPorts.releaseHttps Release HTTPS port value exposed on the container
##
containerPorts:
  releaseHttp: 5516
  releaseHttps: 5543

## @param extraContainerPorts Extra ports to be included in container spec, primarily informational
## E.g:
## extraContainerPorts:
## - name: new_port_name
##   containerPort: 1234
##
extraContainerPorts: []

## @extra configuration Release Configuration file content: required cluster configuration
## Do not override unless you know what you are doing.
## To add more configuration, use `extraConfiguration` of `advancedConfiguration` instead
##
configuration:
  ## @extra configuration.default-conf_xl-release-conf-template The configuration for the xl-release.conf.template file
  ## @param configuration.default-conf_xl-release-conf-template.path The path for the xl-release.conf.template file
  ## @param configuration.default-conf_xl-release-conf-template.mode The access mode for the xl-release.conf.template file
  ## @param configuration.default-conf_xl-release-conf-template.content Content of the xl-release.conf.template file
  default-conf_xl-release-conf-template:
    path: "default-conf/xl-release.conf.template"
    mode: 0660
    content: |
      xl {
        cluster {
          # mode: "default", "hot-standby", "full"
          mode = ${XL_CLUSTER_MODE}
          name = "xl-release_cluster"
          pekko {
            loglevel = "INFO"
            actor.debug.receive = off
            remote {
                log-received-messages = off
                log-sent-messages = off
            }
          }
        }
      
        server {
            http2 {
                enabled = ${XLR_HTTP2_ENABLED}
            }
            session {
                storage {
                    enabled = {{ include "common.tplvalues.render" ( dict "value" .Values.auth.sessionStorage "context" $ ) }}
                }
            }
        }
    
        license {
          kind = ${XL_LICENSE_KIND}
          product = "xl-release"
        }
    
        database {
          db-driver-classname="${XL_DB_DRIVER}"
          db-password="""${XL_DB_PASSWORD}"""
          db-url="${XL_DB_URL}"
          db-username=${XL_DB_USERNAME}
          max-pool-size=${XL_DB_MAX_POOL_SIZE}
        }
    
        # TODO Release does not support (H2) running in one schema.
        reporting {
          db-driver-classname="${XL_DB_DRIVER}"
          db-password="""${XL_REPORT_DB_PASSWORD}"""
          db-url="${XL_REPORT_DB_URL}"
          db-username=${XL_REPORT_DB_USERNAME}
          max-pool-size=${XL_REPORT_DB_MAX_POOL_SIZE}
        }
    
        # Task queue
        queue {
          embedded=${ENABLE_EMBEDDED_QUEUE}
          connector="${XLR_TASK_QUEUE_CONNECTOR_TYPE}"
          password="""${XLR_TASK_QUEUE_PASSWORD}"""
          queueName="${XLR_TASK_QUEUE_NAME}"
          url="${XLR_TASK_QUEUE_URL}"
          username="${XLR_TASK_QUEUE_USERNAME}"
          queueType="${XLR_TASK_QUEUE_TYPE}"
        }
    
        metrics {
          enabled = ${XL_METRICS_ENABLED}
        }
      
        {{- if .Values.oidc.enabled }}
        security {
          auth {
            providers {
              oidc {
                clientId=""
                clientId=${?OIDC_CLIENT_ID}
                clientSecret=""
                clientSecret=${?OIDC_CLIENT_SECRET}
                {{- if .Values.oidc.clientAuthMethod }}
                clientAuthMethod={{ .Values.oidc.clientAuthMethod | quote }}
                {{- end }}
                {{- if .Values.oidc.clientAuthJwt.enable }}
                clientAuthJwt {
                    jwsAlg={{ default "" .Values.oidc.clientAuthJwt.jwsAlg | quote }}
                    tokenKeyId={{ default "" .Values.oidc.clientAuthJwt.tokenKeyId | quote }}
                    {{- if .Values.oidc.clientAuthJwt.keyStore.enable }}
                    keyStore {
                        path={{ default "" .Values.oidc.clientAuthJwt.keyStore.path | quote }}
                        password=""
                        password=${?OIDC_CLIENT_AUTH_JWT_KEYSTORE_PASSWORD}
                        type={{ default "" .Values.oidc.clientAuthJwt.keyStore.type | quote }}
                    }
                    {{- end }}
                    {{- if .Values.oidc.clientAuthJwt.key.enable }}
                    key {
                        alias={{ default "" .Values.oidc.clientAuthJwt.key.alias | quote }}
                        password=""
                        password=${?OIDC_CLIENT_AUTH_JWT_KEY_PASSWORD}
                    }
                    {{- end }}
                }
                {{- end }}
                issuer={{ .Values.oidc.issuer | quote }}
                keyRetrievalUri={{ default "" .Values.oidc.keyRetrievalUri | quote }}
                accessTokenUri={{ default "" .Values.oidc.accessTokenUri | quote }}
                userAuthorizationUri={{ default "" .Values.oidc.userAuthorizationUri | quote }}
                logoutUri={{ default "" .Values.oidc.logoutUri | quote }}
                redirectUri={{ .Values.oidc.redirectUri | quote }}
                postLogoutRedirectUri={{ .Values.oidc.postLogoutRedirectUri | quote }}
                userNameClaim={{ default "" .Values.oidc.userNameClaim | quote }}
                fullNameClaim={{ default "" .Values.oidc.fullNameClaim | quote }}
                emailClaim={{ default "" .Values.oidc.emailClaim | quote }}
                {{- if .Values.oidc.externalIdClaim }}
                externalIdClaim={{ .Values.oidc.externalIdClaim | quote }}
                {{- end }}
                rolesClaim={{ default "" .Values.oidc.rolesClaim | quote }}
                {{- if .Values.oidc.scopes }}
                scopes={{ .Values.oidc.scopes }}
                {{- else }}
                scopes=["openid"]
                {{- end }}
                {{- if .Values.oidc.idTokenJWSAlg }}
                idTokenJWSAlg={{ .Values.oidc.idTokenJWSAlg | quote }}
                {{- end }}
                {{- if .Values.oidc.accessToken.enable }}
                access-token {
                    issuer={{ default "" .Values.oidc.accessToken.issuer | quote }}
                    audience={{ default "" .Values.oidc.accessToken.audience | quote }}
                    keyRetrievalUri={{ default "" .Values.oidc.accessToken.keyRetrievalUri | quote }}
                    jwsAlg={{ default "" .Values.oidc.accessToken.jwsAlg | quote }}
                    secretKey=""
                    secretKey=${?OIDC_ACCESS_TOKEN_SECRET_KEY}
                    }
                {{- end }}
                {{- if .Values.oidc.proxyHost }}
                proxyHost={{ .Values.oidc.proxyHost | quote }}
                {{- end }}
                {{- if .Values.oidc.proxyPort }}
                proxyPort={{ .Values.oidc.proxyPort | quote }}
                {{- end }}
              }
            }
          }
        }
        {{- end }}
      }

## @param extraConfiguration Configuration file content: extra configuration to be appended to Release configuration
## Use this instead of `configuration` to add more configuration
##
extraConfiguration: {}

## @param extraVolumeMounts Optionally specify extra list of additional volumeMounts
## Examples:
## extraVolumeMounts:
##   - name: extras
##     mountPath: /usr/share/extras
##     readOnly: true
##
extraVolumeMounts: []
## @param extraVolumes Optionally specify extra list of additional volumes .
## Example:
## extraVolumes:
##   - name: extras
##     emptyDir: {}
##
extraVolumes: []
## @param extraSecrets Optionally specify extra secrets to be created by the chart.
## This can be useful when combined with load_definitions to automatically create the secret containing the definitions to be loaded.
## Example:
## extraSecrets:
##   load-definition:
##     load_definition.json: |
##       {
##         ...
##       }
##
extraSecrets: {}
## @param extraSecretsPrependReleaseName Set this flag to true if extraSecrets should be created with <release-name> prepended.
##
extraSecretsPrependReleaseName: false

## @section Release Image parameters
## Release image version
## ref: https://hub.docker.com/r/xebialabs/xl-release/tags/
## @param image.registry Release image registry
## @param image.repository Release image repository
## @param image.tag Release image tag (immutable tags are recommended)
## @param image.pullPolicy Release image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
##
image:
  registry: docker.io
  repository: xebialabsunsupported/xl-release
  tag: "{{ .Chart.AppVersion }}"
  ## Specify a imagePullPolicy
  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
  ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []

## @section Ingress parameters
##

## Configure the ingress resource that allows you to access the
## Release installation. Set up the URL
## ref: https://kubernetes.io/docs/user-guide/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress resource for Management console
  ##
  enabled: false

  ## @param ingress.path Path for the default host. You may need to set this to '/*' in order to use this with ALB ingress controllers.
  ##
  path: /

  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.hostname Default host for the ingress resource
  ##
  hostname: ""
  ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ##
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  ## - generic
  ## ingress.kubernetes.io/tls-acme: "true"
  ##
  ## - nginx
  ## kubernetes.io/ingress.class: "nginx-dair"
  ## nginx.ingress.kubernetes.io/ssl-redirect: "false"
  ## nginx.ingress.kubernetes.io/rewrite-target: /
  ## nginx.ingress.kubernetes.io/affinity: cookie
  ## nginx.ingress.kubernetes.io/session-cookie-name: ROUTE
  ## nginx.ingress.kubernetes.io/proxy-body-size: "0"
  ## nginx.ingress.kubernetes.io/proxy-connect-timeout: "120"
  ## nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
  ## nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
  ##
  ## - haproxy
  ## kubernetes.io/ingress.class: "haproxy-dair"
  ## haproxy-ingress.github.io/ssl-redirect: "false"
  ## haproxy-ingress.github.io/rewrite-target: /
  ## haproxy-ingress.github.io/affinity: cookie
  ## haproxy-ingress.github.io/session-cookie-name: JSESSIONID
  ## haproxy-ingress.github.io/session-cookie-strategy: prefix
  ## haproxy-ingress.github.io/timeout-client: "120s"
  ## haproxy-ingress.github.io/timeout-http-request: "120s"
  ##
  annotations:

  ## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-ingress-tls" .Values.ingress.hostname }}
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Relay on cert-manager to create it by setting the corresponding annotations
  ##   - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Set this to true in order to create a TLS secret for this ingress record
  ## using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## e.g:
  ## extraHosts:
  ##   - name: release.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
  ## e.g:
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraRules The list of additional rules to be added to this ingress record. Evaluated as a template
  ## Useful when looking for additional customization, such as using different backend
  ##
  extraRules: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## e.g:
  ## extraTls:
  ##   - hosts:
  ##       - release.local
  ##     secretName: release.local-ingress-tls
  ##
  extraTls: []
  ## @param ingress.secrets Custom TLS certificates as secrets
  ## NOTE: 'key' and 'certificate' are expected in PEM format
  ## NOTE: 'name' should line up with a 'secretName' set further up
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## secrets:
  ##   - name: release.local-ingress-tls
  ##     key: |-
  ##       -----BEGIN RSA PRIVATE KEY-----
  ##       ...
  ##       -----END RSA PRIVATE KEY-----
  ##     certificate: |-
  ##       -----BEGIN CERTIFICATE-----
  ##       ...
  ##       -----END CERTIFICATE-----
  ##
  secrets: []
  ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""

## @section OpenShift Route parameters
##

route:
  ## @param route.enabled Enable route resource
  ##
  enabled: false
  ## @param route.path Path for the default host.
  ##
  path: /
  ## @param route.hostname Default host for the route resource
  ##
  hostname: ""
  ## @extra route.annotations Additional annotations for the route resource.
  ## @skip route.annotations
  annotations:
    haproxy.router.openshift.io/cookie_name: JSESSIONID
    haproxy.router.openshift.io/disable_cookies: "false"
    haproxy.router.openshift.io/rewrite-target: /
    haproxy.router.openshift.io/timeout: 120s
  ## @extra route.tls Tls configuration
  tls:
    ## @param route.tls.enabled Enable the route TLS configuration
    enabled: false
    ## @param route.tls.secretName Name of the secret to use with Route TLS setup
    secretName: ""
    ## @param route.tls.key key in PEM-encoded format
    key: ""
    ## @param route.tls.certificate certificate in PEM-encoded format
    certificate: ""
    ## @param route.tls.caCertificate CA certificate in a PEM-encoded format
    caCertificate: ""
    ## @param route.tls.destinationCACertificate destination CA certificate in a PEM-encoded format (the Release certificate)
    destinationCACertificate: ""
    ## @param route.tls.insecureEdgeTerminationPolicy Redirect HTTP to HTTPS. The only valid values are None, Redirect, or empty for disabled.
    insecureEdgeTerminationPolicy: ""
    ## @param route.tls.termination The accepted values are edge, passthrough and reencrypt.
    ## All other values are silently ignored.
    ## When the annotation value is unset, edge is the default route.
    ## The TLS certificate details must be defined in the template file to implement the default edge route.
    termination: edge
    ## @param route.tls.selfSigned if set to `true` the key and certificate will be auto generated and set in the route configuration
    selfSigned: false

## @section RBAC parameters
##

## Release pods ServiceAccount
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
  ## @param serviceAccount.create Enable creation of ServiceAccount for Release pods
  ##
  create: true
  ## @param serviceAccount.name Name of the created serviceAccount
  ## If not set and create is true, a name is generated using the release.fullname template
  ##
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
  ##
  automountServiceAccountToken: true
  ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  annotations: { }
## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
  ## @param rbac.create Whether RBAC rules should be created
  ## binding Release ServiceAccount to a role
  ## that allows Release pods querying the K8s API
  ##
  create: true

## @section Persistence parameters
##

persistence:
  ## @param persistence.enabled Enable Release data persistence using PVC
  ##
  enabled: true
  ## @param persistence.single Enable Release data to use single PVC
  ##
  single: true
  ## @param persistence.storageClass PVC Storage Class for Release data volume
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  storageClass: ""
  ## @param persistence.selector Selector to match an existing Persistent Volume
  ## selector:
  ##   matchLabels:
  ##     app: my-app
  ##
  selector: { }
  ## @param persistence.accessModes PVC Access Modes for Release data volume
  ##
  accessModes:
    - ReadWriteMany
  ## @param persistence.existingClaim Provide an existing PersistentVolumeClaims
  ## The value is evaluated as a template
  ## So, for example, the name can depend on .Release or .Chart
  ##
  existingClaim: ""
  ## @param persistence.size PVC Storage Request for Release data volume
  ##
  size: 8Gi
  ## @extra persistence.annotations Persistence annotations. Evaluated as a template
  ## @param persistence.annotations.helm.sh/resource-policy Persistence annotation for keeping created PVCs
  ## Example:
  ## annotations:
  ##   example.io/disk-volume-type: SSD
  ##
  annotations:
    helm.sh/resource-policy: "keep"
  ## @param persistence.paths mounted paths for the Release
  paths:
    - /opt/xebialabs/xl-release-server/reports

## @section Exposure parameters
##

## Kubernetes service type
##
service:
  ## @param service.type Kubernetes Service type
  ##
  type: ClusterIP

  ## @param service.portEnabled Release port. Cannot be disabled when `auth.tls.enabled` is `false`. Listener can be disabled with `listeners.tcp = none`.
  ##
  portEnabled: true
  ## Service ports
  ## @param service.ports.releaseHttp Release HTTP port value exposed on the service
  ## @param service.ports.releaseHttps Release HTTPS port value exposed on the service
  ##
  ports:
    releaseHttp: 80
    releaseHttps: 443
  ## Service ports name
  ## @param service.portNames.releaseHttp Release HTTP port name
  ## @param service.portNames.releaseHttps Release HTTPS port name
  ##
  portNames:
    releaseHttp: "release-http"
    releaseHttps: "release-https"

  ## Node ports to expose
  ## @param service.nodePorts.releaseHttp Release HTTP port value exposed on the node (in case of NodePort service)
  ## @param service.nodePorts.releaseHttps Release HTTPS port value exposed on the node (in case of NodePort service)
  ##
  nodePorts:
    releaseHttp: ""
    releaseHttps: ""
  ## @param service.extraPorts Extra ports to expose in the service
  ## E.g.:
  ## extraPorts:
  ## - name: new_svc_name
  ##   port: 1234
  ##   targetPort: 1234
  ##
  extraPorts: [ ]
  ## @param service.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer`
  ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ## - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: [ ]
  ## @param service.externalIPs Set the ExternalIPs
  ##
  externalIPs: [ ]
  ## @param service.externalTrafficPolicy Enable client source IP preservation
  ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.loadBalancerIP Set the LoadBalancerIP
  ##
  loadBalancerIP: ""
  ## @param service.clusterIP Kubernetes service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.labels Service labels. Evaluated as a template
  ##
  labels: { }
  ## @param service.annotations Service annotations. Evaluated as a template
  ## Example:
  ## annotations:
  ##   service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
  ##
  annotations: { }
  ## @param service.annotationsHeadless Headless Service annotations. Evaluated as a template
  ## Example:
  ## annotations:
  ##   external-dns.alpha.kubernetes.io/internal-hostname: release.example.com
  ##
  annotationsHeadless: { }
  ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
  ## If "ClientIP", consecutive client requests will be directed to the same Pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: { }

## @section Statefulset parameters
##

## @param replicaCount Number of Release replicas to deploy
##
replicaCount: 3
## @param schedulerName Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## Release should be initialized one by one when building cluster.
## Therefore, the default value of podManagementPolicy is 'OrderedReady'
## @param podManagementPolicy Pod management policy
##
podManagementPolicy: OrderedReady
## @param podLabels Release Pod labels. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
podLabels: {}
## @param podAnnotations Release Pod annotations. Evaluated as a template
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
podAnnotations: {}
## @param updateStrategy.type Update strategy type for Release statefulset
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
##
updateStrategy:
  ## StrategyType
  ## Can be set to RollingUpdate or OnDelete
  ##
  type: RollingUpdate
## @param statefulsetLabels Release statefulset labels. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
statefulsetLabels: {}
## @param statefulsetAnnotations Release statefulset annotations. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
statefulsetAnnotations: {}
## @param priorityClassName Name of the priority class to be used by Release pods, priority class needs to be created beforehand
## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAffinityPreset: ""
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
##
podAntiAffinityPreset: soft
## Node affinity preset
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
##
nodeAffinityPreset:
  ## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ##
  type: ""
  ## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
  ## E.g.
  ## key: "kubernetes.io/e2e-az-name"
  ##
  key: ""
  ## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
  ## E.g.
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  ##
  values: []

## @param affinity Affinity for pod assignment. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
## Note: podAffinityPreset, podAntiAffinityPreset, and  nodeAffinityPreset will be ignored when it's set
##
affinity: { }
## @param nodeSelector Node labels for pod assignment. Evaluated as a template
## ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: { }
## @param tolerations Tolerations for pod assignment. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: [ ]
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
##
topologySpreadConstraints: [ ]

## Release pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enable Release pod's Security Context
## @param podSecurityContext.runAsUser Set Release pod's Security Context runAsUser
## @param podSecurityContext.fsGroup Set Release pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  runAsUser: 10001
  fsGroup: 10001

## @param containerSecurityContext.enabled Enabled Release containers' Security Context
## @param containerSecurityContext.runAsNonRoot Set Release container's Security Context runAsNonRoot
## @param containerSecurityContext.allowPrivilegeEscalation Set Release container's Security Context allowPrivilegeEscalation
## @extra containerSecurityContext.capabilities Set Release container's Security Context capabilities
## @skip containerSecurityContext.capabilities
## @extra containerSecurityContext.seccompProfile Set Release container's Security Context seccompProfile
## @skip containerSecurityContext.seccompProfile
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
## Example:
##   containerSecurityContext:
##     capabilities:
##       drop: ["NET_RAW"]
##     readOnlyRootFilesystem: true
##
containerSecurityContext:
  enabled: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  seccompProfile:
    type: RuntimeDefault

## @param securityContextConstraints.enabled Enabled SecurityContextConstraints for Release (only on Openshift)
securityContextConstraints:
  enabled: true

## Release containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
##
resourcesPreset: "micro"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## @param resources.limits The resources limits for Release containers
## @param resources.requests The requested resources for Release containers
## Example:
## resources: 
##   limits:
##     cpu: 1000m
##     memory: 2Gi
##   requests:
##     cpu: 1000m
##     memory: 2Gi
##
resources: {}

## Configure containers' extra options for liveness and readiness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param health.enabled Enable probes
## @param health.periodScans Period seconds for probe
## @param health.probeFailureThreshold Failure threshold for probe
## @param health.probesLivenessTimeout Initial delay seconds for livenessProbe
## @param health.probesReadinessTimeout Initial delay seconds for readinessProbe
##
health:
  enabled: true
  periodScans: 10
  probeFailureThreshold: 12
  probesLivenessTimeout: 60
  probesReadinessTimeout: 60

## Default init containers for the Release pod
defaultInitContainers:
  ## @param defaultInitContainers.resources Set default init container requests and limits for different resources like CPU or memory (essential for production workloads)
  ##
  resources:
    limits:
      cpu: "150m"
      memory: "192Mi"
    requests:
      cpu: "100m"
      memory: "128Mi"
## @param initContainers Add init containers to the Release pod
## Example:
## initContainers:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##     resources: {}
##
initContainers: []
## @param sidecars Add sidecar containers to the Release pod
## Example:
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
##     resources: {}
##
sidecars: []


## @section Release init Container parameters
##

## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
## values from the securityContext section of the component
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
  ##
  enabled: false
  ## @param volumePermissions.image.registry Init container volume-permissions image registry
  ## @param volumePermissions.image.repository Init container volume-permissions image repository
  ## @param volumePermissions.image.tag Init container volume-permissions image tag
  ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
  ## @param volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: docker.io
    repository: bitnami/os-shell
    tag: 12-debian-12-r16
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param volumePermissions.script Script for changing the owner and group of the persistent volume(s). Paths are declared in the 'paths' variable.
  script: |
    #!/bin/bash
    
    declare -a paths=( {{ range $path := .Values.persistence.paths }} "{{ $path }}"{{ end }} )
    for path in "${paths[@]}"; do
      echo "Changing ownership to {{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} for ${path}"
      chown "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}" "${path}"
      find "${path}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
        xargs -r chown -R "{{ .Values.containerSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }}"
    done
  ## Init Container resource requests and limits
  ## @param volumePermissions.resources.limits Init container volume-permissions resource limits
  ## @param volumePermissions.resources.requests Init container volume-permissions resource requests
  ##
  resources:
    limits:
      cpu: "150m"
      memory: "192Mi"
    requests:
      cpu: "100m"
      memory: "128Mi"
  ## Init container' Security Context
  ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
  ## and not the below volumePermissions.containerSecurityContext.runAsUser
  ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container
  ## @param volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
  ## @param volumePermissions.containerSecurityContext.runAsNonRoot Set volume permissions init container's Security Context runAsNonRoot
  ## @extra volumePermissions.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
  ## @skip volumePermissions.containerSecurityContext.seccompProfile
  ##
  containerSecurityContext:
    runAsUser: 0
    runAsGroup: 0
    runAsNonRoot: false
    seccompProfile:
      type: RuntimeDefault

## @section Release Pod Disruption Budget parameters
##

## Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
##
pdb:
  ## @param pdb.create Enable/disable a Pod Disruption Budget creation
  ##
  create: false
  ## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ##
  minAvailable: 1
  ## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  maxUnavailable: ""

## @section Release Busy-box parameters
##

## @param busyBox.image.registry busyBox container image registry
## @param busyBox.image.repository busyBox container image repository
## @param busyBox.image.tag busyBox container image tag
## @param busyBox.image.pullPolicy busyBox container image pull policy
## @param busyBox.image.pullSecrets Specify docker-registry secret names as an array
##
busyBox:
  image:
    registry: docker.io
    repository: library/busybox
    tag: stable
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []

## @section Ingress HAProxy
##

## Install haproxy subchart. If you have haproxy already installed, set 'install' to 'false'.
## If you have any other ingress controller installed, you can set the 'install' to 'false'.
haproxy-ingress:
  ## @param haproxy-ingress.install Enable Haproxy Ingress helm subchart installation
  install: false
  controller:
    ## @param haproxy-ingress.controller.ingressClass Name of the ingress class to route through this controller
    ##
    ingressClass: haproxy-dair
    service:
      ## @param haproxy-ingress.controller.service.type Kubernetes Service type for Controller
      ##
      type: LoadBalancer

## @section Ingress Nginx
##

## Install nginx subchart. If you have nginx already installed, set 'install' to 'false'.
## If you have any other ingress controller installed, you can set the 'install' to 'false'.
## Ref: https://github.com/bitnami/charts/blob/master/bitnami/nginx-ingress-controller/README.md
nginx-ingress-controller:
  ## @param nginx-ingress-controller.install Enable NGINX Ingress Controller helm subchart installation
  install: false
  ## @param nginx-ingress-controller.image.tag NGINX Ingress Controller image tag (immutable tags are recommended)
  image:
    tag: 1.10.1-debian-12-r5
  ## Default 404 backend
  ##
  defaultBackend:
    ## @param nginx-ingress-controller.defaultBackend.image.tag Default backend image tag (immutable tags are recommended)
    image:
      tag: 1.26.0-debian-12-r1
  ## @extra nginx-ingress-controller.extraArgs Additional command line arguments to pass to nginx-ingress-controller
  ## E.g. to specify the default SSL certificate you can use
  ## extraArgs:
  ##   default-ssl-certificate: "<namespace>/<secret_name>"
  ##   ingress-class: nginx
  ##
  extraArgs:
    ## @param nginx-ingress-controller.extraArgs.ingress-class Name of the IngressClass resource
    ingress-class: "nginx-dair"
  ## Configuring this doesn't affect `kubernetes.io/ingress.class` annotation. See `extraArgs` below how to configure processing of custom annotation.
  ## @param nginx-ingress-controller.ingressClassResource.name Name of the IngressClass resource
  ## @param nginx-ingress-controller.ingressClassResource.controllerClass IngressClass identifier for the controller
  ##
  ingressClassResource:
    controllerClass: "k8s.io/ingress-nginx-dair"
    name: "nginx-dair"
  ## @param nginx-ingress-controller.replicaCount Desired number of Controller pods
  ##
  replicaCount: 1
  ## @section Traffic exposure parameters

  ## Service parameters
  ##
  service:
    ## @param nginx-ingress-controller.service.type Kubernetes Service type for Controller
    ##
    type: LoadBalancer

## @section Postgresql
##

## Ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
## Install postgresql chart. If you have an existing database deployment, set 'install' to 'false'.
postgresql:
  ## @param postgresql.install Enable PostgreSQL helm subchart installation
  install: true
  ## @param postgresql.image.tag PostgreSQL image tag (immutable tags are recommended)
  image:
    tag: 16.1.0-debian-11-r27
  ## @section PostgreSQL Primary parameters
  ##

  primary:
    ## Initdb configuration
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments
    ##
    initdb:
      ## @param postgresql.primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information)
      ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap`
      ##
      scriptsSecret: '{{ include "postgresql.v1.primary.fullname" . }}-release'
    ## @param postgresql.primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration)
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
    ##
    extendedConfiguration: |
      max_connections = 150
    ## PostgreSQL Primary persistence configuration
    ##
    persistence:
      ## @param postgresql.primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC
      ##
      enabled: true
      ## @param postgresql.primary.persistence.accessModes PVC Access Mode for PostgreSQL volume
      ##
      accessModes:
        - ReadWriteOnce
      ## @param postgresql.primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume
      ## If defined, storageClassName: <storageClass>
      ## If set to "-", storageClassName: "", which disables dynamic provisioning
      ## If undefined (the default) or set to null, no storageClassName spec is
      ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
      ##   GKE, AWS & OpenStack)
      ##
      storageClass: ""
      ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
      ##
      size: 8Gi
      ## @param postgresql.primary.persistence.existingClaim Name of an existing PVC to use
      ##
      existingClaim: ""

    ## PostgreSQL Primary service configuration
    ##
    service:
      ## @param postgresql.primary.service.ports.postgresql PostgreSQL service port
      ##
      ports:
        postgresql: 5432
      ## @param postgresql.primary.service.type Kubernetes Service type
      ##
      type: ClusterIP

    ## @param postgresql.primary.securityContextConstraints.enabled Enabled SecurityContextConstraints for Postgresql (only on Openshift)
    securityContextConstraints:
      enabled: true

  ## @section Postgresql Authentication parameters
  ##

  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run
  ##
  auth:
    ## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
    ##
    enablePostgresUser: true
    ## @param postgresql.auth.username Name for a custom user to create
    ##
    username: postgres
    ## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided
    ##
    postgresPassword: postgres
  ## Service account for PostgreSQL to use.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param postgresql.serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod
    ##
    create: true

  ## @section Postgresql Volume Permissions parameters
  ##

  ## Init containers parameters:
  ## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
  ##
  volumePermissions:
    ## @param postgresql.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
    ##
    enabled: true
    ## @param postgresql.volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
    image:
      tag: 12-debian-12-r21

## @section RabbitMQ
##

## Install rabbitmq chart. If you have an existing message queue deployment, set 'install' to 'false'.
## ref: https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/README.md
rabbitmq:
  ## @param rabbitmq.install Enable Rabbitmq helm subchart installation
  install: true
  ## @param rabbitmq.image.tag RabbitMQ image tag (immutable tags are recommended)
  image:
    tag: 3.13.2-debian-12-r4
  ## Clustering settings
  ##
  clustering:
    ## @param rabbitmq.clustering.forceBoot Force boot of an unexpectedly shut down cluster (in an unexpected order).
    ## forceBoot executes 'rabbitmqctl force_boot' to force boot cluster shut down unexpectedly in an unknown order
    ## ref: https://www.rabbitmq.com/rabbitmqctl.8.html#force_boot
    ##
    forceBoot: true
  ## @param rabbitmq.replicaCount Number of RabbitMQ replicas to deploy
  ##
  replicaCount: 3
  ## RabbitMQ Authentication parameters
  ##
  auth:
    ## @param rabbitmq.auth.username RabbitMQ application username
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
    ##
    username: guest
    ## @param rabbitmq.auth.password RabbitMQ application password
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
    ##
    password: guest
    ## @param rabbitmq.auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key)
    ## e.g:
    ## existingErlangSecret: name-of-existing-secret
    ##
    existingErlangSecret: '{{ include "common.names.fullname" . }}-release'
  ## @param rabbitmq.extraPlugins Extra plugins to enable (single string containing a space-separated list)
  ## Use this instead of `plugins` to add new plugins
  ##
  extraPlugins: "rabbitmq_amqp1_0, rabbitmq_jms_topic_exchange"
  ## Loading a RabbitMQ definitions file to configure RabbitMQ
  ##
  loadDefinition:
    ## @param rabbitmq.loadDefinition.enabled Enable loading a RabbitMQ definitions file to configure RabbitMQ
    ##
    enabled: true
    ## @param rabbitmq.loadDefinition.file Name of the definitions file
    ##
    file: /app/release_load_definition.json
    ## @param rabbitmq.loadDefinition.existingSecret Existing secret with the load definitions file
    ## Can be templated if needed, e.g:
    ## existingSecret: "{{ .Release.Name }}-load-definition"
    ##
    existingSecret: '{{ include "common.names.fullname" . }}-release'
  ## @param rabbitmq.extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration
  ## Use this instead of `configuration` to add more configuration
  ## Do not use simultaneously with `extraConfigurationExistingSecret`
  ##
  extraConfiguration: |
    raft.wal_max_size_bytes = 1048576

  ## @section RabbitMQ persistence parameters
  ##
  persistence:
    ## @param rabbitmq.persistence.enabled Enable RabbitMQ data persistence using PVC
    ##
    enabled: true
    ## @param rabbitmq.persistence.accessModes PVC Access Modes for RabbitMQ data volume
    ##
    accessModes:
      - ReadWriteOnce
    ## @param rabbitmq.persistence.storageClass PVC Storage Class for RabbitMQ data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param rabbitmq.persistence.size PVC Storage Request for RabbitMQ data volume
    ## If you change this value, you might have to adjust `rabbitmq.diskFreeLimit` as well
    ##
    size: 8Gi

  ## @param rabbitmq.containerSecurityContext.allowPrivilegeEscalation Set volume permissions init container's Security Context allowPrivilegeEscalation
  ## @extra rabbitmq.containerSecurityContext.capabilities Set volume permissions init container's Security Context capabilities
  ## @skip rabbitmq.containerSecurityContext.capabilities
  ## @extra rabbitmq.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
  ## @skip rabbitmq.containerSecurityContext.seccompProfile
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    seccompProfile:
      type: RuntimeDefault

  ## @param rabbitmq.securityContextConstraints.enabled Enabled SecurityContextConstraints for Rabbitmq (only on Openshift)
  securityContextConstraints:
    enabled: true

  ## @section RabbitMQ Exposure parameters
  ##

  ## Kubernetes service type
  ##
  service:
    ## @param rabbitmq.service.type Kubernetes Service type
    ##
    type: ClusterIP

  ## @section RabbitMQ Init Container Parameters
  ##

  ## Init Container parameters
  ## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
  ## values from the securityContext section of the component
  ##
  volumePermissions:
    ## @param rabbitmq.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
    ##
    enabled: true
    ## @param rabbitmq.volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
    image:
      tag: 12-debian-12-r21

    ## Init container' Security Context
    ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
    ## and not the below volumePermissions.containerSecurityContext.runAsUser
    ## @param rabbitmq.volumePermissions.containerSecurityContext.runAsUser User ID for the init container
    ## @param rabbitmq.volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
    ## @param rabbitmq.volumePermissions.containerSecurityContext.runAsNonRoot Set volume permissions init container's Security Context runAsNonRoot
    ## @extra rabbitmq.volumePermissions.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
    ## @skip rabbitmq.volumePermissions.containerSecurityContext.seccompProfile
    containerSecurityContext:
      runAsUser: 0
      runAsGroup: 0
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault