extraArgs: # - --storage-timestamp-tolerance 1s replicaCount: 1 strategy: type: RollingUpdate rollingUpdate: maxUnavailable: 0 image: repository: chartmuseum/chartmuseum tag: v0.12.0 pullPolicy: IfNotPresent secret: labels: {} env: open: # storage backend, can be one of: local, alibaba, amazon, google, microsoft, oracle STORAGE: local # oss bucket to store charts for alibaba storage backend STORAGE_ALIBABA_BUCKET: # prefix to store charts for alibaba storage backend STORAGE_ALIBABA_PREFIX: # oss endpoint to store charts for alibaba storage backend STORAGE_ALIBABA_ENDPOINT: # server side encryption algorithm for alibaba storage backend, can be one # of: AES256 or KMS STORAGE_ALIBABA_SSE: # s3 bucket to store charts for amazon storage backend STORAGE_AMAZON_BUCKET: # prefix to store charts for amazon storage backend STORAGE_AMAZON_PREFIX: # region of s3 bucket to store charts STORAGE_AMAZON_REGION: # alternative s3 endpoint STORAGE_AMAZON_ENDPOINT: # server side encryption algorithm STORAGE_AMAZON_SSE: # gcs bucket to store charts for google storage backend STORAGE_GOOGLE_BUCKET: # prefix to store charts for google storage backend STORAGE_GOOGLE_PREFIX: # container to store charts for microsoft storage backend STORAGE_MICROSOFT_CONTAINER: # prefix to store charts for microsoft storage backend STORAGE_MICROSOFT_PREFIX: # container to store charts for openstack storage backend STORAGE_OPENSTACK_CONTAINER: # prefix to store charts for openstack storage backend STORAGE_OPENSTACK_PREFIX: # region of openstack container STORAGE_OPENSTACK_REGION: # path to a CA cert bundle for your openstack endpoint STORAGE_OPENSTACK_CACERT: # compartment id for for oracle storage backend STORAGE_ORACLE_COMPARTMENTID: # oci bucket to store charts for oracle storage backend STORAGE_ORACLE_BUCKET: # prefix to store charts for oracle storage backend STORAGE_ORACLE_PREFIX: # form field which will be queried for the chart file content CHART_POST_FORM_FIELD_NAME: chart # form field which will be queried for the provenance file content PROV_POST_FORM_FIELD_NAME: prov # levels of nested repos for multitenancy. The default depth is 0 (singletenant server) DEPTH: 0 # show debug messages DEBUG: false # output structured logs as json LOG_JSON: true # disable use of index-cache.yaml DISABLE_STATEFILES: false # disable Prometheus metrics DISABLE_METRICS: true # disable all routes prefixed with /api DISABLE_API: true # allow chart versions to be re-uploaded ALLOW_OVERWRITE: false # absolute url for .tgzs in index.yaml CHART_URL: # allow anonymous GET operations when auth is used AUTH_ANONYMOUS_GET: false # sets the base context path CONTEXT_PATH: # parallel scan limit for the repo indexer INDEX_LIMIT: 0 # cache store, can be one of: redis (leave blank for inmemory cache) CACHE: # address of Redis service (host:port) CACHE_REDIS_ADDR: # Redis database to be selected after connect CACHE_REDIS_DB: 0 # enable bearer auth BEARER_AUTH: false # auth realm used for bearer auth AUTH_REALM: # auth service used for bearer auth AUTH_SERVICE: field: # POD_IP: status.podIP secret: # username for basic http authentication BASIC_AUTH_USER: # password for basic http authentication BASIC_AUTH_PASS: # GCP service account json file GOOGLE_CREDENTIALS_JSON: # Redis requirepass server configuration CACHE_REDIS_PASSWORD: # Name of an existing secret to get the secret values ftom existingSecret: # Stores Enviromnt Variable to secret key name mappings existingSecretMappings: # username for basic http authentication BASIC_AUTH_USER: # password for basic http authentication BASIC_AUTH_PASS: # GCP service account json file GOOGLE_CREDENTIALS_JSON: # Redis requirepass server configuration CACHE_REDIS_PASSWORD: deployment: # Define scheduler name. Use of 'default' if empty schedulerName: "" ## Chartmuseum Deployment annotations annotations: {} # name: value labels: {} # name: value matchlabels: {} # name: value replica: ## Chartmuseum Replicas annotations annotations: {} ## Read more about kube2iam to provide access to s3 https://github.com/jtblin/kube2iam # iam.amazonaws.com/role: role-arn service: servicename: type: ClusterIP externalTrafficPolicy: Local ## Limits which cidr blocks can connect to service's load balancer ## Only valid if service.type: LoadBalancer loadBalancerSourceRanges: [] # clusterIP: None externalPort: 8080 nodePort: annotations: {} labels: {} serviceMonitor: enabled: false # namespace: prometheus labels: {} metricsPath: "/metrics" # timeout: 60 # interval: 60 resources: {} # limits: # cpu: 100m # memory: 128Mi # requests: # cpu: 80m # memory: 64Mi probes: liveness: initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 readiness: initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 1 successThreshold: 1 failureThreshold: 3 serviceAccount: create: false # name: ## Annotations for the Service Account annotations: {} # UID/GID 1000 is the default user "chartmuseum" used in # the container image starting in v0.8.0 and above. This # is required for local persistent storage. If your cluster # does not allow this, try setting securityContext: {} securityContext: enabled: true fsGroup: 1000 ## Optionally, specify supplementalGroups and/or ## runAsNonRoot for security purposes # runAsNonRoot: true # supplementalGroups: [1000] containerSecurityContext: {} priorityClassName: "" nodeSelector: {} tolerations: [] affinity: {} persistence: enabled: false accessMode: ReadWriteOnce size: 8Gi labels: {} path: /storage # name: value ## A manually managed Persistent Volume and Claim ## Requires persistence.enabled: true ## If defined, PVC must be created manually before volume will be bound # existingClaim: ## Chartmuseum data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## # storageClass: "-" # volumeName: pv: enabled: false pvname: capacity: storage: 8Gi accessMode: ReadWriteOnce nfs: server: path: ## Init containers parameters: ## volumePermissions: Change the owner of the persistent volume mountpoint to RunAsUser:fsGroup ## volumePermissions: image: registry: docker.io repository: bitnami/minideb tag: buster pullPolicy: Always ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ ## # pullSecrets: # - myRegistryKeySecretName ## Ingress for load balancer ingress: enabled: false ## Chartmuseum Ingress labels ## # labels: # dns: "route53" ## Chartmuseum Ingress annotations ## # annotations: # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" ## Chartmuseum Ingress hostnames ## Must be provided if Ingress is enabled ## # hosts: # - name: chartmuseum.domain1.com # path: / # tls: false # - name: chartmuseum.domain2.com # path: / # # ## Set this to true in order to enable TLS on the ingress record # tls: true # # ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS # ## Secrets must be added manually to the namespace # tlsSecret: chartmuseum.domain2-tls # Adding secrets to tiller is not a great option, so If you want to use an existing # secret that contains the json file, you can use the following entries gcp: secret: enabled: false # Name of the secret that contains the encoded json name: # Secret key that holds the json value. key: credentials.json oracle: secret: enabled: false # Name of the secret that contains the encoded config and key name: # Secret key that holds the oci config config: config # Secret key that holds the oci private key key_file: key_file bearerAuth: secret: enabled: false publicKeySecret: chartmuseum-public-key