# Default values for StackStorm HA cluster
# This is a YAML-formatted file.
##
## Docker image settings, applied to all StackStorm pods
##
image:
  # Image pull policy for every st2 container that uses this section.
  # IfNotPresent reuses an image already cached on the node; use "Always" if you
  # redeploy mutable tags and want the node to re-check the registry.
  pullPolicy: IfNotPresent
  # st2 image repository. Set this to override the default ("stackstorm") or enterprise
  # docker image repository ("docker.stackstorm.com"). Applies to all st2 containers except
  # st2chatops and st2packs (which have their own override). This also does not impact
  # dependencies such as mongo or redis, which have their own helm chart settings.
  # Empty string means "use the default repository".
  repository: ""
  # Image pull secret.
  # May be required for public docker hub due to rate limiting or any private repository.
  # See: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  # The secret must already exist in the release namespace; the chart only references it by name.
  #pullSecret: "your-pull-secret"
##
## StackStorm Enterprise settings (Optional)
##
enterprise:
  # Enable/Disable StackStorm Enterprise. Enabling will download StackStorm Enterprise Docker images.
  enabled: false
  # Required StackStorm Enterprise license key.
  # Don't have one? Obtain 90-day free trial at https://stackstorm.com/#product
  # NOTE: the license key is a credential. Prefer supplying it from a values file that is
  # not committed to version control (or via --set) rather than editing this default.
  license: ""
  # StackStorm Role Based Access Control settings (https://docs.stackstorm.com/rbac.html)
  rbac:
    # Custom StackStorm RBAC roles, shipped in '/opt/stackstorm/rbac/roles/'
    # See https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
    # Each key is a file name, each value is the literal file content (block scalar).
    roles:
      sample.yaml: |
        # sample RBAC role file, see https://docs.stackstorm.com/rbac.html#defining-roles-and-permission-grants
        ---
        name: "sample"
        description: "Example Role which contains no permission grants and serves for demonstration purposes"
    # Custom StackStorm RBAC role assignments, shipped in '/opt/stackstorm/rbac/assignments/'
    # See: https://docs.stackstorm.com/rbac.html#defining-user-role-assignments
    # The two defaults grant 'system_admin' to st2admin and 'admin' to the 'stanley' system user;
    # review them before enabling RBAC in production.
    assignments:
      st2admin.yaml: |
        ---
        username: st2admin
        roles:
          - system_admin
      stanley.yaml: |
        ---
        username: stanley
        roles:
          - admin
    # StackStorm RBAC LDAP groups-to-roles mapping rules, shipped in '/opt/stackstorm/rbac/mappings/'
    # See RBAC Roles Based on LDAP Groups: https://docs.stackstorm.com/rbac.html#automatically-granting-roles-based-on-ldap-group-membership
    # Left empty (null) by default; the commented block below is an example of the expected shape.
    mappings:
      #stormers.yaml: |
      #  ---
      #  group: "CN=stormers,OU=groups,DC=stackstorm,DC=net"
      #  description: "Automatically grant admin role to all stormers group members."
      #  roles:
      #    - "admin"
##
## Service Account
##
serviceAccount:
  # Whether the Chart should create the service account or not
  create: true
  # Used to define service account annotations
  # (e.g. cloud IAM role bindings). Empty mapping means no annotations.
  serviceAccountAnnotations: {}
  # Used to override service account name
  # Empty (null) means no override.
  serviceAccountName:
##
## StackStorm shared variables
##
st2:
  # Custom StackStorm config (st2.user.conf) which will apply settings on top of default st2.conf
  # The block below is written verbatim as an INI file.
  # NOTE: allow_origin = '*' permits cross-origin browser requests to st2api from any origin.
  # Restrict it to the st2web origin(s) you actually serve when deploying outside a lab.
  config: |
    [api]
    allow_origin = '*'
  # Custom pack configs and image settings.
  #
  # By default, system packs are available. However, since 'st2 pack install' cannot be run in the k8s cluster,
  # you will need to bake additional packs into an 'st2packs' image. Please see github.com/stackstorm/stackstorm-ha/README.md
  # for details on how to build this image.
  packs:
    # Custom StackStorm pack configs. Each record creates a file in '/opt/stackstorm/configs/'
    # https://docs.stackstorm.com/reference/pack_configs.html#configuration-file
    # Key = file name, value = literal file content.
    configs:
      core.yaml: |
        ---
        # example core pack config yaml
    # Custom packs image settings. The repository, name, tag and pullPolicy for this image
    # are specified below.
    image:
      # Uncomment the following block to make the custom packs image available to the necessary pods
      #repository: your-remote-docker-registry.io
      name: st2packs
      # 'latest' is a mutable tag; pin to an immutable tag (or digest) for reproducible deployments.
      tag: latest
      pullPolicy: IfNotPresent
      # Optional name of the imagePullSecret if your custom packs image is hosted by a private Docker registry behind the auth
      #pullSecret: st2packs-auth
    # https://docs.stackstorm.com/reference/ha.html#st2sensorcontainer
    # It is possible to run st2sensorcontainer in HA mode by running one process on each compute instance.
    # Each sensor node needs to be provided with proper partition information to share work with other sensor
    # nodes so that the same sensor does not run on different nodes.
    sensors:
      # Specify default container that executes all sensors.
      # To partition sensors with one sensor per node, override st2.packs.sensors.
      # NOTE: Do not modify this file.
      # 'name' is intentionally empty for the default (unpartitioned) container.
      - name:
        livenessProbe: {}
        readinessProbe: {}
        annotations: {}
        # TODO: Find out recommended/default resources for this specific service (#5)
        resources: {}
        # Additional advanced settings to control pod/deployment placement
        affinity: {}
        nodeSelector: {}
        tolerations: []
        serviceAccount:
          # Whether to attach the chart-managed service account to this pod
          # (see the top-level serviceAccount section).
          attach: false
  # Import data into StackStorm's Key/Value datastore (https://docs.stackstorm.com/datastore.html)
  # Empty (null) by default; the commented entries show the expected list-item shape.
  # Items marked secret: true should be fed from a values file that is kept out of VCS.
  keyvalue:
    #- name: st2_version
    #  scope: st2kv.system
    #  secret: false
    #  encrypted: false
    #  value: "2.9"
    #- name: release_name
    #  scope: st2kv.system
    #  secret: false
    #  encrypted: false
    #  # Note that Helm templating is supported in this block!
    #  value: "{{ .Release.Name }}"
  # Import a list of ST2 API Keys (https://docs.stackstorm.com/authentication.html#api-key-migration)
  # Empty (null) by default. The commented example is a publicly known, insecure key;
  # never import it into a real deployment.
  apikeys:
    #- created_at: '2018-12-15T00:21:48.507388Z'
    #  enabled: true
    #  id: 5c14491c6cb8de1a9207e3a2
    #  key_hash: 56928c2d9637ce44338e9564d4b939df8b258410db23b5a80f8ad69d58e648b574f35f9293c3a76bde263738be9aa8379a81553cd55513ad672540b7b0ec0cac
    #  metadata: {"comment": "Example unsecure ST2 API key from K8s HA Helm values.yaml"}
    #  uid: api_key:56928c2d9637ce44338e9564d4b939df8b258410db23b5a80f8ad69d58e648b574f35f9293c3a76bde263738be9aa8379a81553cd55513ad672540b7b0ec0cac
    #  user: st2admin
##
## StackStorm HA Ingress
##
ingress:
  # As recommended, ingress is disabled by default.
  enabled: false
  # Annotations are used to configure the ingress controller
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  # Map hosts to paths
  hosts: []
    # - host: hostname.domain.tld
    #   # Map paths to services
    #   paths:
    #     - path: /
    #       serviceName: service
    #       servicePort: port
  # Secure the Ingress by specifying a secret that contains a TLS private key and certificate
  # Leaving this empty while 'enabled: true' exposes the Ingress over plain HTTP.
  tls: []
    # - secretName: chart-example-tls
    #   hosts:
    #     - chart-example.test
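##
## StackStorm HA Cluster Secrets.
## NB! It's highly recommended to change ALL defaults!
##
## Every value in this section is a credential. Keep overrides in a values file that is
## not committed to version control (or pass them with --set / --set-file).
##
# TODO: Move to `secrets.yaml` when it gets implemented in Helm (https://github.com/kubernetes/helm/issues/2196) ? (#14)
# TODO: Alternatively as part of reorganizing Helm values, consider moving values to existing `st2` and `st2web` sections ? (#14)
secrets:
  st2:
    # Username, used to login to StackStorm system
    username: st2admin
    # Password, used to login to StackStorm system
    # Quoted so that YAML always treats it as a plain string regardless of its characters.
    password: 'Ch@ngeMe'
    # SSH private key for the 'stanley' system user ('system_user.ssh_key_file' in st2.conf)
    # Warning! Replace with your own SSH key!
    # The default key is public knowledge (it ships with the chart); any cluster keeping it
    # is remotely accessible to anyone with the matching private key.
    # TODO: For prod/stable consider auto-generating if no key provided (#15)
    ssh_key: |-
      -----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
    # ST2 crypto key for the K/V datastore.
    # See https://docs.stackstorm.com/datastore.html#securing-secrets-admin-only for more info.
    # Warning! Replace with your own generated key!
    #datastore_crypto_key: {"hmacKey": {"hmacKeyString": "", "size": 256}, "size": 256, "aesKeyString": "", "mode": "CBC"}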
##
## StackStorm HA Cluster pod settings for each individual service/component.
##
# Many st2web instances, placed behind a load balancer that serve web app and proxify requests to st2auth, st2api, st2stream.
st2web:
  # Minimum 2 replicas are recommended to run st2web in HA mode
  replicas: 2
  # Tested resource consumption based on multiple requests to st2web within nginx
  # Please adjust based on your conscious choice
  resources:
    requests:
      memory: "25Mi"
      cpu: "50m"
    # Only a memory limit is set; no CPU limit is applied by default.
    limits:
      memory: "100Mi"
  # TODO: Add Ingress setting as a way to expose service to public (#6).
  # ingress:
  service:
    # type can be one of "ClusterIP", "NodePort", "LoadBalancer" or "ExternalName"
    # NodePort publishes st2web on a port of every node's IP; for a hardened setup prefer
    # "ClusterIP" behind an Ingress with TLS (see the 'ingress' section).
    type: "NodePort"
    # The hostname associated with st2web service (externalName, added to external DNS, etc.)
    hostname: ""
    # For more information regarding annotations, see
    # https://kubernetes.io/docs/concepts/services-networking/service/#ssl-support-on-aws
    annotations: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Whether to attach the chart-managed service account to this pod
    # (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2auth
# Multiple st2auth processes can be behind a load balancer in an active-active configuration.
st2auth:
  # Number of st2auth pods; 2 gives HA for the authentication endpoint.
  replicas: 2
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2api
# Multiple st2api process can be behind a load balancer in an active-active configuration.
st2api:
  # Number of st2api pods; 2 gives HA for the REST API.
  replicas: 2
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2stream
# Multiple st2stream process can be behind a load balancer in an active-active configuration.
st2stream:
  # Number of st2stream pods; 2 gives HA for the event stream endpoint.
  replicas: 2
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2rulesengine
# Multiple st2rulesengine processes can run in active-active with only connections to MongoDB and RabbitMQ. All these will share the TriggerInstance load and naturally pick up more work if one or more of the processes becomes unavailable.
st2rulesengine:
  # Number of st2rulesengine pods sharing the TriggerInstance load.
  replicas: 2
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2timersengine
# Only single replica is created via K8s Deployment as timersengine can't work in active-active mode at the moment and it relies on K8s failover/reschedule capabilities to address cases of process failure.
st2timersengine:
  # NOTE: there is intentionally no 'replicas' key here — see the note above.
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2workflowengine
# Multiple st2workflowengine processes can run in active-active mode and will share the load and pick up more work if one or more of the processes become available.
st2workflowengine:
  # Number of st2workflowengine pods sharing the workflow load.
  replicas: 2
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2scheduler
# TODO: Description TBD
st2scheduler:
  # Number of st2scheduler pods.
  replicas: 2
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2notifier
# st2notifier runs in active-active mode and requires for that coordination backend like Redis or Zookeeper
# (this chart provides the coordination backend via the 'etcd-operator' dependency below).
st2notifier:
  # Number of st2notifier pods.
  replicas: 2
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2actionrunner
# Multiple st2actionrunner processes can run in active-active with only connections to MongoDB and RabbitMQ. Work gets naturally
# distributed across runners via RabbitMQ. Adding more st2actionrunner processes increases the ability of StackStorm to execute actions.
st2actionrunner:
  # Number of st2actionrunner pods; higher than the other services because runners execute the actions.
  replicas: 5
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Extra pod annotations for the runner pods.
  annotations: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  # Allow the injection of hostAliases (https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/#adding-additional-entries-with-hostaliases)
  # records in the st2actionrunner containers to handle edge case in DNS accessibility/topology
  # Entries here bypass cluster DNS for the listed names, so keep them reviewed.
  hostAliases: []
    # - hostnames:
    #     - foo
    #   ip: 1.1.1.1
    # - hostnames:
    #     - bar
    #   ip: 8.8.8.8
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
# https://docs.stackstorm.com/reference/ha.html#st2garbagecollector
# Optional service that cleans up old executions and other operations data based on setup configurations.
# By default this process does nothing and needs to be setup in st2.conf to perform any work.
# (Add the relevant [garbagecollector] settings under st2.config to activate it.)
st2garbagecollector:
  # Having 1 st2garbagecollector unique replica is enough for periodic task like st2 history garbage collection
  replicas: 1
  # TODO: Find out recommended/default resources for this specific service (#5)
  resources: {}
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false
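##
## StackStorm ChatOps (https://docs.stackstorm.com/chatops/index.html)
## As hubot can't be HA scaled properly, we deploy only single replica of st2chatops
##
st2chatops:
  # Enable st2chatops (default: false)
  enabled: false
  # Custom hubot adapter ENV variables to pass through which will override st2chatops.env defaults.
  # See https://github.com/StackStorm/st2chatops/blob/master/st2chatops.env
  # for the full list of supported adapters and example ENV variables.
  # Values are quoted so they always reach the container as strings, whatever characters they contain.
  env:
    HUBOT_ADAPTER: "slack"
    # Chat-platform token: a credential. Override it from a values file kept out of VCS;
    # do not commit a real token here.
    HUBOT_SLACK_TOKEN: "xoxb-CHANGE-ME-PLEASE"
  # Set custom generated st2chatops Docker image source
  # Otherwise default https://hub.docker.com/r/stackstorm/st2chatops is used
  image: {}
    #repository: stackstorm
    #name: st2chatops
    ## Note that Helm templating is supported in this block!
    #tag: "{{ .Chart.AppVersion }}"
    #pullPolicy: IfNotPresent
  # Tested requested resource consumption for st2chatops & hubot in normal mode
  # Please adjust based on your conscious choice
  resources:
    requests:
      memory: "50Mi"
      cpu: "5m"
  # Additional advanced settings to control pod/deployment placement
  nodeSelector: {}
  tolerations: []
  affinity: {}
  serviceAccount:
    # Attach the chart-managed service account to this pod (see the top-level serviceAccount section).
    attach: false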
##
## MongoDB HA configuration (3rd party chart dependency)
##
## For values.yaml reference:
## https://github.com/helm/charts/tree/master/stable/mongodb-replicaset
##
# Specs for the MongoDB image
mongodb-ha:
  # Change to `false` to disable in-cluster mongodb deployment.
  # Specify your external [database] connection parameters under st2.config
  enabled: true
  image:
    # StackStorm currently supports maximum MongoDB v4.0
    # (quoted so the tag stays the string "4.0" and is not parsed as the float 4.0)
    tag: "4.0"
  auth:
    # Keep authentication on; disabling it exposes the database to anything reachable in-cluster.
    enabled: true
    # NB! It's highly recommended to change ALL defaults!
    # These defaults are published with the chart, so treat them as already-known credentials.
    adminUser: "admin"
    adminPassword: "XeL5Rxwj7F0Wt43tFZVTN7H8Sg5XDHmK"
    # Minimal key length is 6 symbols
    # (replica-set members authenticate to each other with this shared key)
    key: "82PItDpqroti5RngOA7UqbHH7c6bFUwy"
  resources: {}
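##
## RabbitMQ HA configuration (3rd party chart dependency)
##
## For values.yaml reference:
## https://github.com/helm/charts/tree/master/stable/rabbitmq-ha
##
rabbitmq-ha:
  # Change to `false` to disable in-cluster rabbitmq deployment.
  # Specify your external [messaging] connection parameters under st2.config
  enabled: true
  # On unclean cluster restarts forceBoot is required to cleanup Mnesia tables (see: https://github.com/helm/charts/issues/13485)
  # Use it only if you prefer availability over integrity.
  # NOTE: it defaults to true here; re-evaluate this trade-off for production.
  forceBoot: true
  rabbitmqUsername: admin
  # TODO: Use default random 24 character password, but need to fetch this string for use by downstream services
  # Quoted so the value is always a plain string; this default is published with the chart — override it.
  rabbitmqPassword: '9jS+w1u07NbHtZke1m+jW4Cj'
  # RabbitMQ Memory high watermark. See: http://www.rabbitmq.com/memory.html
  # Default values might not be enough for StackStorm deployment to work properly. We recommend to adjust these settings for you needs as well as enable Pod memory limits via "resources".
  #rabbitmqMemoryHighWatermark: 512MB
  #rabbitmqMemoryHighWatermarkType: absolute
  # Up to 255 character string, should be fixed so that re-deploying the chart does not fail (see: https://github.com/helm/charts/issues/12371)
  # NB! It's highly recommended to change the default insecure rabbitmqErlangCookie value!
  # The Erlang cookie is the cluster-membership secret: any node holding it can join the cluster.
  rabbitmqErlangCookie: '8MrqQdCQ6AQ8U3MacSubHE5RqkSfvNaRHzvxuFcG'
  persistentVolume:
    enabled: true
  # RabbitMQ application vhost, should match with 'ha' Queue Mirroring definition policy
  rabbitmqVhost: "/"
  definitions:
    # Enable Queue Mirroring between nodes
    # See https://www.rabbitmq.com/ha.html
    # The JSON below is passed through as a single string; its "vhost" must equal rabbitmqVhost above.
    policies: '{"vhost":"/","name":"ha","pattern":"", "definition":{"ha-mode":"all","ha-sync-mode":"automatic","ha-sync-batch-size":10}}'
  # We recommend to set the memory limit for RabbitMQ-HA Pods in production deployments.
  # Make sure to also change the rabbitmqMemoryHighWatermark following the formula:
  # rabbitmqMemoryHighWatermark = 0.4 * resources.limits.memory
  resources: {}
  # As RabbitMQ enabled prometheus operator monitoring by default, disable it for non-prometheus users
  prometheus:
    operator:
      enabled: false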
##
## Etcd HA configuration (3rd party chart dependency)
##
## For values.yaml reference:
## https://github.com/helm/charts/tree/master/stable/etcd-operator
##
etcd-operator:
  # we don't need backup & restore etcd for short-lived coordination operations
  # Change to `false` to disable in-cluster ectd deployment.
  # Specify your external [coordination] connection parameters under st2.config
  enabled: true
  # Only the core operator is deployed; backup/restore operators are left off (see note above).
  deployments:
    backupOperator: false
    restoreOperator: false
  customResources:
    # create default etcd cluster
    createEtcdClusterCRD: true
##
## External DNS configuration (3rd party chart dependency)
##
## Creates a deployment of external-dns within the cluster to update DNS with CNAME -> ELB
##
## For values.yaml reference:
## https://github.com/helm/charts/tree/master/stable/external-dns
##
## TODO: If eq st2web.service.type "LoadBalancer", set enabled to true. Any other cases?
external-dns:
  # Disabled by default; only useful when st2web is exposed through a cloud load balancer.
  enabled: false
  aws:
    # "public" or "private" hosted zones, per the external-dns chart.
    zoneType: "public"
  # Restrict external-dns to these DNS zones; an empty list lets it manage every zone it can see,
  # so narrow it down when enabling.
  domainFilters: []