values.yaml

# Default values for Camunda Helm chart.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# The values file follows helm best practices https://helm.sh/docs/chart_best_practices/values/
#
# This means:
#   * Variable names should begin with a lowercase letter, and words should be separated with camelcase.
#   * Every defined property in values.yaml should be documented. The documentation string should begin with the name of the property that it describes, and then give at least a one-sentence description
#
# Furthermore, we try to apply the following pattern: # [VarName] [conjunction] [definition]
#
# VarName:
#
#  * In the documentation the variable name is started with a big letter, similar to kubernetes resource documentation.
#  * If the variable is part of a subsection/object we use a json path expression (to make it more clear where the variable belongs to).
#    The root (chart name) is omitted (e.g. zeebe). This is useful for using --set in helm.
#
# Conjunction:
#   * [defines] for mandatory configuration
#   * [can be used] for optional configuration
#   * [if true] for toggles
#   * [configuration] for section/group of variables


##########################################
 #####
#     # #       ####  #####    ##   #
#       #      #    # #    #  #  #  #
#  #### #      #    # #####  #    # #
#     # #      #    # #    # ###### #
#     # #      #    # #    # #    # #
 #####  ######  ####  #####  #    # ######
##########################################

# Global configuration for variables which can be accessed by all sub charts
## @section Global parameters
## @extra global
global:
  # number of regions that this Camunda Platform instance is stretched across
  regions: 1
  # unique id of the region. Should start at 0 for easy computation. With 2 regions, you would have region 0 and 1.
  regionId: 0
  # mode of installation for multi-region disaster recovery: normal, failOver, failBack
  installationType: normal
  ## Multitenancy configuration.
  ## @extra global.multitenancy
  multitenancy:
    ## @param global.multitenancy.enabled if true, then enable multitenancy in all applicable components.
    enabled: false
  ## @param global.annotations Annotations can be used to define common annotations, which should be applied to all deployments
  annotations: {}
  labels:
  ## @param global.labels.app Name of the application
    app: camunda-platform
  # Image configuration to be used in each sub chart
  # https://hub.docker.com/u/camunda
  image:
    ## @param global.image.registry Can be used to set container image registry.
    registry: ""
    ## @param global.image.tag defines the tag / version which should be used in the most of the apps.
    # renovate: datasource=github-releases depName=camunda/camunda-platform
    tag: 8.3.1
    ## @param global.image.pullPolicy defines the image pull policy which should be used https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
    pullPolicy: IfNotPresent
    ## @param global.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []
  ## Ingress configuration to configure the ingress resource
  ## @extra global.ingress
  ingress:
    ## @param global.ingress.enabled if true, an ingress resource is deployed. Only useful if an ingress controller is available, like Ingress-NGINX.
    enabled: false
    ## @param global.ingress.className Ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param global.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    # Ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## @param global.ingress.host If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: ""
    ## @extra global.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param global.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param global.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform

  # Elasticsearch configuration which is shared between the sub charts
  ## @extra global.elasticsearch
  elasticsearch:
    ## @param global.elasticsearch.disableExporter if true, disables the elastic exporter in zeebe
    disableExporter: false
    ## @param global.elasticsearch.url can be used to configure the URL to access elasticsearch, if not set services fallback to host and port configuration
    url:
    ## @param global.elasticsearch.protocol defines the elasticsearch access protocol, by default HTTP.
    protocol: http
    ## @param global.elasticsearch.host Elasticsearch.host defines the elasticsearch host, ideally the service name inside the namespace
    host: "{{ .Release.Name }}-elasticsearch"
    ## @param global.elasticsearch.port Elasticsearch.port defines the elasticsearch port, under which elasticsearch can be accessed
    port: 9200
    ## @param global.elasticsearch.clusterName Elasticsearch.clusterName defines the cluster name which is used by Elasticsearch
    clusterName: "elasticsearch"
    ## @param global.elasticsearch.prefix Elasticsearch.prefix defines the prefix which is used by the Zeebe Elasticsearch Exporter to create Elasticsearch indexes
    prefix: zeebe-record
  ## @param global.zeebeClusterName ZeebeClusterName defines the cluster name for the Zeebe cluster. All Zeebe pods get this prefix in their name and the brokers uses that as cluster name.
  zeebeClusterName: "{{ .Release.Name }}-zeebe"
  ## @param global.zeebePort defines the port which is used for the Zeebe Gateway. This port accepts the GRPC Client messages and forwards them to the Zeebe Brokers.
  zeebePort: 26500

  # Identity configuration to configure identity specifics on global level, which can be accessed by other sub-charts
  identity:
    keycloak:
      # Identity.keycloak.internal if true, it will configure an extra service with type "ExternalName".
      ## @param global.identity.keycloak.internal It's useful for using existing Keycloak in another namespace with and access it with the combined Ingress.
      internal: false
      ## @param global.identity.keycloak.url can be used incorporate with "identity.keycloak.enabled: false" to use your own Keycloak instead of the one comes with Camunda Helm chart.
      url: {}
        # Example to produce the following URL "https://keycloak.prod.svc.cluster.local:8443":
        # url:
        #   protocol: "https"
        #   host: "keycloak.prod.svc.cluster.local"
        #   port: "8443"
      #  defines the endpoint of Keycloak which varies between Keycloak versions.
      ## @param global.identity.keycloak.contextPath In Keycloak v16.x.x it's hard-coded as '/auth', but in v19.x.x it's '/'.
      contextPath: "/auth"
      ## @param global.identity.keycloak.realm defines Keycloak realm path used for Camunda.
      realm: "/realms/camunda-platform"
      ## @param global.identity.keycloak.auth same as "identity.keycloak.auth" but it's used for existing Keycloak.
      auth: {}
        # identity.keycloak.auth.adminUser can be used to configure admin user to access existing Keycloak.
        # adminUser: ""
        # identity.keycloak.auth.existingSecret can be used to configure existing Secret object which has admin password
        # to access existing Keycloak.
        # existingSecret: ""
        # identity.keycloak.auth.existingSecretKey can be used to configure the key inside existing Secret object
        # which has admin password to access existing Keycloak.
        # existingSecretKey: "admin-password"

    ## @extra global.identity.auth configuration, to configure identity authentication setup
    auth:
      ## @param global.identity.auth.enabled if true, enables the identity authentication otherwise basic-auth will be used on all services.
      enabled: true

      #  defines the token issuer (Keycloak) URL, where the services can request JWT tokens.
      # Should be publicly accessible, per default we assume a port-forward to Keycloak (18080) is created before login.
      ## @param global.identity.auth.publicIssuerUrl Can be overwritten if ingress is in use and an external IP is available.
      publicIssuerUrl: "http://localhost:18080/auth/realms/camunda-platform"

      ## @extra global.identity.auth.connectors configuration to configure Connectors authentication specifics on global level, which can be accessed by other sub-charts
      connectors:
        ## @param global.identity.auth.connectors.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # The existing secret should contain an `connectors-secret` field, which will be used as secret for the identity-Connectors communication.
        existingSecret: ""

      ## @extra global.identity.auth.operate configuration to configure Operate authentication specifics on global level, which can be accessed by other sub-charts
      operate:
        ## @param global.identity.auth.operate.existingSecret can be used to reference an existing secret. If not set, a random secret is generated.
        # The existing secret should contain an `operate-secret` field, which will be used as secret for the identity-Operate communication.
        existingSecret:
        ## @param global.identity.auth.operate.redirectUrl defines the redirect URL, which is used by Keycloak to access Operate.
        # Should be publicly accessible, the default value works if a port-forward to Operate is created to 8081.
        # Can be overwritten if ingress is in use and an external IP is available.
        redirectUrl: "http://localhost:8081"

      ## @extra global.identity.auth.tasklist configuration to configure Tasklist authentication specifics on global level, which can be accessed by other sub-charts
      tasklist:
        ## @param global.identity.auth.tasklist.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # The existing secret should contain an `tasklist-secret` field, which will be used as secret for the identity-Tasklist communication.
        existingSecret:
        ## @param global.identity.auth.tasklist.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Tasklist.
        # Should be publicly accessible, the default value works if a port-forward to Tasklist is created to 8082.
        # Can be overwritten if ingress is in use and an external IP is available.
        redirectUrl: "http://localhost:8082"

      ## @extra global.identity.auth.optimize configuration to configure Optimize authentication specifics on global level, which can be accessed by other sub-charts
      optimize:
        ## @param global.identity.auth.optimize.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # The existing secret should contain an `optimize-secret` field, which will be used as secret for the identity-Optimize communication.
        existingSecret:
        ## @param global.identity.auth.optimize.redirectUrl defines the root (or redirect) URL, which is used by Keycloak to access Optimize.
        # Should be publicly accessible, the default value works if a port-forward to Optimize is created to 8083.
        # Can be overwritten if ingress is in use and an external IP is available.
        redirectUrl: "http://localhost:8083"

      ## @extra global.identity.auth.webModeler configuration to configure Web Modeler authentication specifics on global level, which can be accessed by other sub-charts
      webModeler:
        ## @param global.identity.auth.webModeler.redirectUrl defines the root URL which is used by Keycloak to access Web Modeler.
        # Should be publicly accessible, the default value works if a port-forward to Web Modeler is created to 8084.
        # Can be overwritten if ingress is in use and an external IP is available.
        redirectUrl: "http://localhost:8084"

      ## @extra global.identity.auth.console configuration to configure Console authentication specifics on global level, which can be accessed by other sub-charts
      console:
        ## @param global.identity.auth.console.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # The existing secret should contain an `console-secret` field, which will be used as secret for the identity-console communication.
        existingSecret:
        ## @param global.identity.auth.console.redirectUrl defines the root URL which is used by Keycloak to access Web Modeler.
        # Should be publicly accessible, the default value works if a port-forward to Web Modeler is created to 8080.
        # Can be overwritten if ingress is in use and an external IP is available.
        redirectUrl: "http://localhost:8080"

      ## @extra global.identity.auth.zeebe configuration to configure Zeebe authentication specifics on global level, which can be accessed by other sub-charts
      zeebe:
        ## @param global.identity.auth.zeebe.existingSecret can be used to use an own existing secret. If not set a random secret is generated.
        # The existing secret should contain an `zeebe-secret` field, which will be used as secret for the Identity-Zeebe communication.
        existingSecret: ""


###################################
#######
     #  ###### ###### #####  ######
    #   #      #      #    # #
   #    #####  #####  #####  #####
  #     #      #      #    # #
 #      #      #      #    # #
####### ###### ###### #####  ######
###################################
## @section Zeebe Parameters
## @extra zeebe configuration for the Zeebe sub chart. Contains configuration for the Zeebe broker and related resources.
zeebe:
  ## @param zeebe.enabled if true, all zeebe related resources are deployed via the helm release
  enabled: true

  ## @param zeebe.debug if true, extra info is printed.
  debug: false

  ## @extra zeebe.image configuration to configure the zeebe image specifics
  image:
     ## @param zeebe.image.registry can be used to set container image registry.
    registry: ""
     ## @param zeebe.image.repository defines which image repository to use
    repository: camunda/zeebe
     ## @param zeebe.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
     ## @param zeebe.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  ## @param zeebe.sidecars can be used to attach extra containers to the zeebe deployment
  sidecars: []

  ## @param zeebe.clusterSize defines the amount of brokers (=replicas), which are deployed via helm
  clusterSize: "3"
  ## @param zeebe.partitionCount defines how many zeebe partitions are set up in the cluster
  partitionCount: "3"
  ## @param zeebe.replicationFactor defines how each partition is replicated, the value defines the number of nodes
  replicationFactor: "3"
  ## @extra zeebe.env can be used to set extra environment variables in each zeebe broker container
  env:
    ## @param zeebe.env[0].name
    ## @param zeebe.env[0].value
    ## @param zeebe.env[1].name
    ## @param zeebe.env[1].value
    ## @param zeebe.env[2].name
    ## @param zeebe.env[2].value
    - name: ZEEBE_BROKER_DATA_SNAPSHOTPERIOD
      value: "5m"
    - name: ZEEBE_BROKER_DATA_DISK_FREESPACE_REPLICATION
      value: "2GB"
    - name: ZEEBE_BROKER_DATA_DISK_FREESPACE_PROCESSING
      value: "3GB"
  ## @extra zeebe.configMap configuration which will be applied to the mounted config map.
  configMap:
     ## @param zeebe.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. see https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    defaultMode: 0754
  ## @param zeebe.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []

  ## @param zeebe.logLevel defines the log level which is used by the zeebe brokers
  logLevel: info
  ## @param zeebe.log4j2 can be used to overwrite the log4j2 configuration of the zeebe brokers
  log4j2: ''
  ## @param zeebe.javaOpts can be used to set java options for the zeebe brokers
  javaOpts: >-
    -XX:+HeapDumpOnOutOfMemoryError
    -XX:HeapDumpPath=/usr/local/zeebe/data
    -XX:ErrorFile=/usr/local/zeebe/data/zeebe_error%p.log
    -XX:+ExitOnOutOfMemoryError

  ## @extra zeebe.service configuration for the broker service
  service:
     ## @param zeebe.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
     ## @param zeebe.service.httpPort defines the port of the http endpoint, where for example metrics are provided
    httpPort: 9600
     ## @param zeebe.service.httpName defines the name of the http endpoint, where for example metrics are provided
    httpName: "http"
     ## @param zeebe.service.commandPort defines the port of the command api endpoint, where the broker commands are sent to
    commandPort: 26501
     ## @param zeebe.service.commandName defines the name of the command api endpoint, where the broker commands are sent to
    commandName: "command"
     ## @param zeebe.service.internalPort defines the port of the internal api endpoint, which is used for internal communication
    internalPort: 26502
     ## @param zeebe.service.internalName defines the name of the internal api endpoint, which is used for internal communication
    internalName: "internal"
     ## @param zeebe.service.extraPorts can be used to expose any other ports which are required. Can be useful for exporters
    extraPorts: []
      # - name: hazelcast
      #   protocol: TCP
      #   port: 5701
      #   targetPort: 5701

  ## @extra global.zeebe.ServiceAccount configuration for the service account where the broker pods are assigned to
  serviceAccount:
     ## @param zeebe.serviceAccount.enabled if true, enables the broker service account
    enabled: true
     ## @param zeebe.serviceAccount.name can be used to set the name of the broker service account
    name: ""
     ## @param zeebe.serviceAccount.annotations can be used to set the annotations of the broker service account
    annotations: {}

  ## @param zeebe.cpuThreadCount defines how many threads can be used for the processing on each broker pod
  cpuThreadCount: "3"
  ## @param zeebe.ioThreadCount defines how many threads can be used for the exporting on each broker pod
  ioThreadCount: "3"
  ## @extra zeebe.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @extra zeebe.resources.requests
  ## @param zeebe.resources.requests.cpu
  ## @param zeebe.resources.requests.memory
  ## @param zeebe.resources.limits.cpu
  ## @param zeebe.resources.limits.memory
  resources:
    requests:
      cpu: 800m
      memory: 1200Mi
    limits:
      cpu: 960m
      memory: 1920Mi

  ## @param zeebe.persistenceType defines the type of persistence which is used by Zeebe. Possible values are: disk, local and memory.
  #   disk  - means a persistence volume claim is configured and used
  #   local - means the data is stored into the container, no volumeMount nor volume nor claim is configured
  #   memory   - means zeebe uses a tmpfs for the data persistence, be aware that this takes the limits into account
  persistenceType: disk
  ## @param zeebe.pvcSize defines the persistent volume claim size, which is used by each broker pod https://kubernetes.io/docs/concepts/storage/persistent-volumes/#persistentvolumeclaims
  pvcSize: "32Gi"
  ## @param zeebe.pvcAccessModes can be used to configure the persistent volume claim access mode https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes
  pvcAccessModes: ["ReadWriteOnce"]
  ## @param zeebe.pvcStorageClassName can be used to set the storage class name which should be used by the persistent volume claim. It is recommended to use a storage class, which is backed with a SSD.
  pvcStorageClassName: ''

  ## @param zeebe.extraVolumes can be used to define extra volumes for the broker pods, useful for additional exporters
  extraVolumes: []
  ## @param zeebe.extraVolumeMounts can be used to mount extra volumes for the broker pods, useful for additional exporters
  extraVolumeMounts: []
  ## @param zeebe.extraInitContainers (Deprecated - use `initContainers` instead) ExtraInitContainers can be used to set up extra init containers for the broker pods, useful for additional exporters
  extraInitContainers: []
  ## @param zeebe.initContainers can be used to set up extra init containers for the broker pods, useful for additional exporters
  initContainers: []

  ## @param zeebe.podAnnotations can be used to define extra broker pod annotations
  podAnnotations: {}
  ## @param zeebe.podLabels can be used to define extra broker pod labels
  podLabels: {}
  ## @extra zeebe.podDisruptionBudget configuration to configure a pod disruption budget for the broker pods https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  podDisruptionBudget:
     ## @param zeebe.podDisruptionBudget.enabled if true a pod disruption budget is defined for the brokers
    enabled: false
     ## @param zeebe.podDisruptionBudget.minAvailable can be used to set how many pods should be available. Be aware that if minAvailable is set, maxUnavailable will not be set (they are mutually exclusive).
    minAvailable:
     ## @param zeebe.podDisruptionBudget.maxUnavailable can be used to set how many pods should be at max. unavailable
    maxUnavailable: 1

  ## @extra zeebe.podSecurityContext defines the security options the Zeebe broker pod should be run with
  podSecurityContext:
    ## @param zeebe.podSecurityContext.runAsNonRoot run as non root
    runAsNonRoot: true
    ## @param zeebe.podSecurityContext.fsGroup
    fsGroup: 1000

  # ContainerSecurityContext defines the security options the Zeebe broker container should be run with
  containerSecurityContext:
    ## @param zeebe.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param zeebe.containerSecurityContext.privileged
    privileged: false
    ## @param zeebe.containerSecurityContext.readOnlyRootFilesystem
    readOnlyRootFilesystem: true
    ## @param zeebe.containerSecurityContext.runAsUser
    runAsUser: 1000

  ## @extra zeebe.startupProbe configuration
  startupProbe:
     ## @param zeebe.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
     ## @param zeebe.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
     ## @param zeebe.startupProbe.probePath defines the startup probe route used on the app
    probePath: /ready
     ## @param zeebe.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
     ## @param zeebe.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
     ## @param zeebe.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
     ## @param zeebe.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
     ## @param zeebe.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra zeebe.readinessProbe configuration
  readinessProbe:
     ## @param zeebe.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
     ## @param zeebe.readinessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
     ## @param zeebe.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /ready
     ## @param zeebe.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
     ## @param zeebe.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
     ## @param zeebe.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
     ## @param zeebe.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
     ## @param zeebe.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra zeebe.livenessProbe configuration
  livenessProbe:
     ## @param zeebe.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
     ## @param zeebe.livenessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
     ## @param zeebe.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /health
     ## @param zeebe.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
     ## @param zeebe.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
     ## @param zeebe.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
     ## @param zeebe.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
     ## @param zeebe.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @param zeebe.nodeSelector can be used to define on which nodes the broker pods should run
  nodeSelector: {}
  ## @param zeebe.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @extra global.zeebe.Affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  # The default defined PodAntiAffinity allows constraining on which nodes the Zeebe pods are scheduled on https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  # It uses a hard requirement for scheduling and works based on the Zeebe pod labels
  ## @skip zeebe.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key
  ## @skip zeebe.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator
  ## @skip zeebe.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values
  ## @skip zeebe.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: "app.kubernetes.io/component"
                operator: In
                values:
                  - zeebe-broker
          topologyKey: "kubernetes.io/hostname"

  ## @param zeebe.priorityClassName can be used to define the broker pods priority https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
  priorityClassName: ""

  retention:
    ## @param zeebe.retention.enabled if true, the ILM Policy is created and applied to the index templates.
    enabled: false
    ## @param zeebe.retention.minimumAge defines how old the data must be, before the data is deleted as a duration.
    minimumAge: 30d
    ## @param zeebe.retention.policyName defines the name of the created and applied ILM policy.
    policyName: zeebe-record-retention-policy

# Zeebe.
 ####    ##   ##### ###### #    #   ##   #   #
#    #  #  #    #   #      #    #  #  #   # #
#      #    #   #   #####  #    # #    #   #
#  ### ######   #   #      # ## # ######   #
#    # #    #   #   #      ##  ## #    #   #
 ####  #    #   #   ###### #    # #    #   #
## @section Zeebe Gateway Parameters
## @extra Gateway configuration to define properties related to the standalone gateway
zeebe-gateway:
  ## @param zeebe-gateway.replicas defines how many standalone gateways are deployed
  replicas: 2
  ## @extra zeebe-gateway.image configuration to configure the zeebe-gateway image specifics
  image:
    ## @param zeebe-gateway.image.registry can be used to set container image registry.
    registry: ""
    ## @param zeebe-gateway.image.repository defines which image repository to use
    repository: camunda/zeebe
    ## @param zeebe-gateway.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    ## @param zeebe-gateway.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  ## @param zeebe-gateway.sidecars can be used to attach extra containers to the zeebe gateway deployment
  sidecars: []

  ## @param zeebe-gateway.podAnnotations can be used to define extra gateway pod annotations
  podAnnotations: {}
  ## @param zeebe-gateway.podLabels can be used to define extra gateway pod labels
  podLabels: {}

  ## @param zeebe-gateway.logLevel defines the log level which is used by the gateway
  logLevel: info
  ## @param zeebe-gateway.log4j2 can be used to overwrite the log4j2 configuration of the gateway
  log4j2: ''
  ## @param zeebe-gateway.javaOpts can be used to set java options for the zeebe gateways
  javaOpts: >-
    -XX:+ExitOnOutOfMemoryError

  ## @param zeebe-gateway.env can be used to set extra environment variables in each gateway container
  env: []
  ## @extra zeebe-gateway.configMap configuration which will be applied to the mounted config map.
  configMap:
    ## @param zeebe-gateway.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    defaultMode: 0744
  ## @param zeebe-gateway.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []

  ## @extra zeebe-gateway.podDisruptionBudget configuration to configure a pod disruption budget for the gateway pods https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  podDisruptionBudget:
    ## @param zeebe-gateway.podDisruptionBudget.enabled if true a pod disruption budget is defined for the gateways
    enabled: false
    ## @param zeebe-gateway.podDisruptionBudget.minAvailable can be used to set how many pods should be available. Be aware that if minAvailable is set, maxUnavailable will not be set (they are mutually exclusive).
    minAvailable: 1
    ## @param zeebe-gateway.podDisruptionBudget.maxUnavailable can be used to set how many pods should be at max. unavailable
    maxUnavailable:

  ## @extra zeebe-gateway.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param zeebe-gateway.resources.requests.cpu
  ## @param zeebe-gateway.resources.requests.memory
  ## @param zeebe-gateway.resources.limits.cpu
  ## @param zeebe-gateway.resources.limits.memory
  resources:
    requests:
      cpu: 400m
      memory: 450Mi
    limits:
      cpu: 400m
      memory: 450Mi

  ## @param zeebe-gateway.priorityClassName can be used to define the gateway pods priority https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass
  priorityClassName: ""

  ## @extra zeebe-gateway.podSecurityContext defines the security options the gateway pod should be run wit
  podSecurityContext:
  ## @param zeebe-gateway.podSecurityContext.runAsNonRoot
    runAsNonRoot: true
  ## @param zeebe-gateway.podSecurityContext.fsGroup
    fsGroup: 1000

  ## @extra zeebe-gateway.containerSecurityContext defines the security options the gateway container should be run with
  containerSecurityContext:
    ## @param zeebe-gateway.containerSecurityContext.privileged
    privileged: false
    ## @param zeebe-gateway.containerSecurityContext.readOnlyRootFilesystem
    readOnlyRootFilesystem: true
    ## @param zeebe-gateway.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param zeebe-gateway.containerSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param zeebe-gateway.containerSecurityContext.runAsUser
    runAsUser: 1000

  ## @extra zeebe-gateway.startupProbe configuration
  startupProbe:
    ## @param zeebe-gateway.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param zeebe-gateway.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param zeebe-gateway.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/startup
    ## @param zeebe-gateway.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param zeebe-gateway.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebe-gateway.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param zeebe-gateway.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param zeebe-gateway.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra zeebe-gateway.readinessProbe configuration
  readinessProbe:
    ## @param zeebe-gateway.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param zeebe-gateway.readinessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param zeebe-gateway.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param zeebe-gateway.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    ## @extra zeebe-gateway.the probe is initiated.
    initialDelaySeconds: 30
    ## @param zeebe-gateway.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebe-gateway.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param zeebe-gateway.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param zeebe-gateway.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra zeebe-gateway.livenessProbe configuration
  livenessProbe:
    ## @param zeebe-gateway.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param zeebe-gateway.livenessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param zeebe-gateway.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param zeebe-gateway.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    initialDelaySeconds: 30
    ## @param zeebe-gateway.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param zeebe-gateway.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param zeebe-gateway.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param zeebe-gateway.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @param zeebe-gateway.nodeSelector can be used to define on which nodes the gateway pods should run
  nodeSelector: {}
  ## @param zeebe-gateway.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @extra zeebe-gateway.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  # The default defined PodAntiAffinity allows constraining on which nodes the Zeebe gateway pods are scheduled on https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  # It uses a hard requirement for scheduling and works based on the Zeebe gateway pod labels
  ## @skip zeebe-gateway.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].key
  ## @skip zeebe-gateway.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].operator
  ## @skip zeebe-gateway.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].labelSelector.matchExpressions[0].values
  ## @skip zeebe-gateway.affinity.podAntiAffinity.requiredDuringSchedulingIgnoredDuringExecution[0].topologyKey
  affinity:
    podAntiAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        - labelSelector:
            matchExpressions:
              - key: "app.kubernetes.io/component"
                operator: In
                values:
                  - zeebe-gateway
          topologyKey: "kubernetes.io/hostname"

  ## @param zeebe-gateway.extraVolumeMounts can be used to mount extra volumes for the gateway pods, useful for enabling tls between gateway and broker
  extraVolumeMounts: []
  ## @param zeebe-gateway.extraVolumes can be used to define extra volumes for the gateway pods, useful for enabling tls between gateway and broker
  extraVolumes: []
  ## @param zeebe-gateway.extraInitContainers (Deprecated - use `initContainers` instead) can be used to set up extra init containers for the gateway pods, useful for adding interceptors
  extraInitContainers: []
  ## @param zeebe-gateway.initContainers can be used to set up extra init containers for the gateway pods, useful for adding interceptors
  initContainers: []

  ## @extra zeebe-gateway.service configuration for the gateway service
  service:
    ## @param zeebe-gateway.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param zeebe-gateway.service.loadBalancerIP defines public ip of the load balancer if the type is LoadBalancer
    loadBalancerIP: ""
    ## @param zeebe-gateway.service.loadBalancerSourceRanges defines list of allowed source ip address ranges if the type is LoadBalancer
    loadBalancerSourceRanges: []
    ## @param zeebe-gateway.service.httpPort defines the port of the http endpoint, where for example metrics are provided
    httpPort: 9600
    ## @param zeebe-gateway.service.httpName defines the name of the http endpoint, where for example metrics are provided
    httpName: "http"
    ## @param zeebe-gateway.service.gatewayPort defines the port of the gateway endpoint, where client commands (grpc) are sent to
    gatewayPort: 26500
    ## @param zeebe-gateway.service.gatewayName defines the name of the gateway endpoint, where client commands (grpc) are sent to
    gatewayName: "gateway"
    ## @param zeebe-gateway.service.internalPort defines the port of the internal api endpoint, which is used for internal communication
    internalPort: 26502
    ## @param zeebe-gateway.service.internalName defines the name of the internal api endpoint, which is used for internal communication
    internalName: "internal"
    ## @param zeebe-gateway.service.annotations can be used to define annotations, which will be applied to the zeebe-gateway service
    annotations: {}

  ## @extra zeebe-gateway.serviceAccount configuration for the service account where the gateway pods are assigned to
  serviceAccount:
    ## @param zeebe-gateway.serviceAccount.enabled if true, enables the gateway service account
    enabled: true
    ## @param zeebe-gateway.serviceAccount.name can be used to set the name of the gateway service account
    name: ""
    ## @param zeebe-gateway.serviceAccount.annotations can be used to set the annotations of the gateway service account
    annotations: {}

  ingress:
    ## @param zeebe-gateway.ingress.enabled if true, an ingress resource is deployed with the Zeebe gateway deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @param zeebe-gateway.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param zeebe-gateway.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip zeebe-gateway.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip zeebe-gateway.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip zeebe-gateway.ingress.annotations.nginx.ingress.kubernetes.io/backend-protocol
    ## @skip zeebe-gateway.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @param zeebe-gateway.ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param zeebe-gateway.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: ""
    ## @extra zeebe-gateway.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param zeebe-gateway.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param zeebe-gateway.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-zeebe-gateway


################################################
 #####
#     # #####  ###### #####    ##   ##### ######
#     # #    # #      #    #  #  #    #   #
#     # #    # #####  #    # #    #   #   #####
#     # #####  #      #####  ######   #   #
#     # #      #      #   #  #    #   #   #
 #####  #      ###### #    # #    #   #   ######
################################################
## @section Operate Parameters
## @extra.operate configuration for the Operate sub chart.
operate:
  ## @param operate.enabled if true, the Operate deployment and its related resources are deployed via a helm release
  enabled: true

  ## @extra operate.image configuration to configure the Operate image specifics
  image:
    ## @param operate.image.registry can be used to set container image registry.
    registry: ""
    ## @param operate.image.repository defines which image repository to use
    repository: camunda/operate
    ## @param operate.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    ## @param operate.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  ## @param operate.sidecars can be used to attach extra containers to the operate deployment
  sidecars: []
  ## @param operate.initContainers can be used to set up extra init containers for the operate pods, useful for additional exporters
  initContainers: []
  # ContextPath can be used to make Operate web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  # contextPath: "/operate"

  ## @param operate.podAnnotations can be used to define extra Operate pod annotations
  podAnnotations: {}
  ## @param operate.podLabels can be used to define extra Operate pod labels
  podLabels: {}

  ## @extra operate.logging configuration for the Operate logging. This template will be directly included in the Operate configuration yaml file
  ## @param operate.logging.level.ROOT
  ## @param operate.logging.level.io.camunda.operate
  logging:
    level:
      ROOT: INFO
      io.camunda.operate: DEBUG

  ## @extra operate.service configuration to configure the Operate service.
  service:
    ## @param operate.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param operate.service.port defines the port of the service, where the Operate web application will be available
    port: 80
    ## @param operate.service.annotations can be used to define annotations, which will be applied to the Operate service
    annotations: {}

  ## @extra operate.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param operate.resources.requests.cpu
  ## @param operate.resources.requests.memory
  ## @param operate.resources.limits.cpu
  ## @param operate.resources.limits.memory
  resources:
    requests:
      cpu: 600m
      memory: 400Mi
    limits:
      cpu: 2000m
      memory: 2Gi

  ## @param operate.env can be used to set extra environment variables in each Operate container
  env: []
  ## @extra operate.configMap configuration which will be applied to the mounted config map.
  configMap:
    ## @param operate.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    defaultMode: 0744
  ## @param operate.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param operate.extraVolumes can be used to define extra volumes for the Operate pods, useful for tls and self-signed certificates
  extraVolumes: []
  ## @param operate.extraVolumeMounts can be used to mount extra volumes for the Operate pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  ## @extra operate.serviceAccount configuration for the service account where the Operate pods are assigned to
  serviceAccount:
    ## @param operate.serviceAccount.enabled if true, enables the Operate service account
    enabled: true
    ## @param operate.serviceAccount.name can be used to set the name of the Operate service account
    name: ""
    ## @param operate.serviceAccount.annotations can be used to set the annotations of the Operate service account
    annotations: {}

  ingress:
    ## @param operate.ingress.enabled if true, an ingress resource is deployed with the Operate deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @param operate.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param operate.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip operate.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip operate.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip operate.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @param operate.ingress.path defines the path which is associated with the Operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param operate.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: ""
    ## @extra Ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param operate.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param operate.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-operate

  ## @extra operate.podSecurityContext defines the security options the Operate pod should be run with
  podSecurityContext:
  ## @param operate.podSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param operate.podSecurityContext.fsGroup
    fsGroup: 1000

  ## @extra operate.containerSecurityContext defines the security options the Operate container should be run with
  containerSecurityContext:
  ## @param operate.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param operate.containerSecurityContext.privileged
    privileged: false
    ## @param operate.containerSecurityContext.readOnlyRootFilesystem
    readOnlyRootFilesystem: true
    ## @param operate.containerSecurityContext.runAsUser
    runAsUser: 1004

  ## @extra operate.startupProbe configuration
  startupProbe:
    ## @param operate.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param operate.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param operate.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/readiness
    ## @param operate.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param operate.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param operate.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param operate.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param operate.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra operate.readinessProbe configuration
  readinessProbe:
    ## @param operate.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param operate.readinessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param operate.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param operate.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param operate.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param operate.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param operate.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param operate.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra operate.livenessProbe configuration
  livenessProbe:
    ## @param operate.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param operate.livenessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param operate.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param operate.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param operate.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param operate.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param operate.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param operate.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @param operate.nodeSelector can be used to define on which nodes the Operate pods should run
  nodeSelector: {}
  ## @param operate.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param operate.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  # Retention can be used to define the data in Elasticsearch (ILM).
  retention:
    ## @param operate.retention.enabled if true, the ILM Policy is created and applied to the index templates.
    enabled: false
    ## @param operate.retention.minimumAge defines how old the data must be, before the data is deleted as a duration.
    minimumAge: 30d


##################################################
#######
   #      ##    ####  #    # #      #  ####  #####
   #     #  #  #      #   #  #      # #        #
   #    #    #  ####  ####   #      #  ####    #
   #    ######      # #  #   #      #      #   #
   #    #    # #    # #   #  #      # #    #   #
   #    #    #  ####  #    # ###### #  ####    #
##################################################
## @section Tasklist Parameters
# Tasklist configuration for the tasklist sub chart.
tasklist:
  ## @param tasklist.enabled if true, the tasklist deployment and its related resources are deployed via a helm release
  enabled: true

  ## @extra tasklist.image configuration to configure the tasklist image specifics
  image:
    ## @param tasklist.image.registry can be used to set container image registry.
    registry: ""
    ## @param tasklist.image.repository defines which image repository to use
    repository: camunda/tasklist
    ## @param tasklist.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    ## @param tasklist.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  ## @param tasklist.sidecars can be used to attach extra containers to the tasklist deployment
  sidecars: []
  ## @param tasklist.initContainers can be used to set up extra init containers for the taskList pods, useful for additional exporters
  initContainers: []
  # tasklist.contextPath can be used to make Tasklist web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  # contextPath: "/tasklist"

  ## @param tasklist.env can be used to set extra environment variables on each Tasklist container
  env: []

  ## @param tasklist.podAnnotations can be used to define extra Tasklist pod annotations
  podAnnotations: {}
  ## @param tasklist.podLabels can be used to define extra tasklist pod labels
  podLabels: {}

  ## @extra tasklist.configMap configuration which will be applied to the mounted config map.
  configMap:
    ## @param tasklist.configMap.defaultMode can be used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511.
    # See https://github.com/kubernetes/api/blob/master/core/v1/types.go#L1615-L1623
    defaultMode: 0744
  ## @param tasklist.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @extra tasklist.service configuration to configure the tasklist service.
  service:
    ## @param tasklist.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param tasklist.service.port defines the port of the service, where the tasklist web application will be available
    port: 80

  ## @param tasklist.graphqlPlaygroundEnabled if true, enables the graphql playground
  graphqlPlaygroundEnabled: ""
  ## @param tasklist.graphqlPlaygroundRequestCredentials can be set to include the credentials in each request, should be set to "include" if graphql playground is enabled
  graphqlPlaygroundRequestCredentials: ""

  ## @param tasklist.extraVolumes can be used to define extra volumes for the Tasklist pods, useful for tls and self-signed certificates
  extraVolumes: []
  ## @param tasklist.extraVolumeMounts can be used to mount extra volumes for the Tasklist pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  ## @extra tasklist.serviceAccount configuration for the service account where the Tasklist pods are assigned to
  serviceAccount:
    ## @param tasklist.serviceAccount.enabled if true, enables the Tasklist service account
    enabled: true
    ## @param tasklist.serviceAccount.name can be used to set the name of the Tasklist service account
    name: ""
    ## @param tasklist.serviceAccount.annotations can be used to set the annotations of the Tasklist service account
    annotations: {}

  ## @extra tasklist.podSecurityContext defines the security options the Tasklist pod should be run with
  podSecurityContext:
  ## @param tasklist.podSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param tasklist.podSecurityContext.fsGroup
    fsGroup: 1002

  ## @extra tasklist.containerSecurityContext defines the security options the Tasklist container should be run with
  containerSecurityContext:
  ## @param tasklist.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param tasklist.containerSecurityContext.privileged
    privileged: false
    ## @param tasklist.containerSecurityContext.readOnlyRootFilesystem
    readOnlyRootFilesystem: true
    ## @param tasklist.containerSecurityContext.runAsUser
    runAsUser: 1002

  ## @extra tasklist.startupProbe configuration
  startupProbe:
    ## @param tasklist.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param tasklist.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param tasklist.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/readiness
    ## @param tasklist.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param tasklist.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param tasklist.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param tasklist.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param tasklist.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra tasklist.readinessProbe configuration
  readinessProbe:
    ## @param tasklist.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param tasklist.readinessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param tasklist.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param tasklist.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param tasklist.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param tasklist.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param tasklist.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param tasklist.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra tasklist.livenessProbe configuration
  livenessProbe:
    ## @param tasklist.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param tasklist.livenessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param tasklist.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param tasklist.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param tasklist.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param tasklist.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param tasklist.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param tasklist.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @param tasklist.nodeSelector can be used to define on which nodes the Tasklist pods should run
  nodeSelector: {}
  ## @param tasklist.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param tasklist.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  ## @extra tasklist.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param tasklist.resources.requests.cpu
  ## @param tasklist.resources.requests.memory
  ## @param tasklist.resources.limits.cpu
  ## @param tasklist.resources.limits.memory
  resources:
    requests:
      cpu: 400m
      memory: 1Gi
    limits:
      cpu: 1000m
      memory: 2Gi

  ingress:
    ## @param tasklist.ingress.enabled if true, an ingress resource is deployed with the tasklist deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @param tasklist.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param tasklist.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip tasklist.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip tasklist.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip tasklist.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size

    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @param tasklist.ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param tasklist.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: ""
    tls:
      ## @param tasklist.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param tasklist.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-tasklist

  # Retention can be used to define the data in Elasticsearch (ILM).
  retention:
    ## @param tasklist.retention.enabled if true, the ILM Policy is created and applied to the index templates.
    enabled: false
    ## @param tasklist.retention.minimumAge defines how old the data must be, before the data is deleted as a duration.
    minimumAge: 30d

#############################################
 #####
#     # #####  ##### # #    # # ###### ######
#     # #    #   #   # ##  ## #     #  #
#     # #    #   #   # # ## # #    #   #####
#     # #####    #   # #    # #   #    #
#     # #        #   # #    # #  #     #
 #####  #        #   # #    # # ###### ######
#############################################
## @section Optimize Parameters
# Optimize configuration for the Optimize sub chart.
optimize:
  ## @param optimize.enabled if true, the Optimize deployment and its related resources are deployed via a helm release
  enabled: true

  ## @extra optimize.image configuration to configure the Optimize image specifics
  # https://hub.docker.com/r/camunda/optimize/tags
  image:
    ## @param optimize.image.registry can be used to set container image registry
    registry: ""
    ## @param optimize.image.repository defines which image repository to use
    repository: camunda/optimize
    ## @param optimize.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag: 3.11.1
    ## @param optimize.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  ## @extra optimize.migration configuration for Optimize migration
  migration:
    ## @param optimize.migration.enabled if true, run Optimize migration script as an init container
    enabled: true
    ## @param optimize.migration.env can be used to set environment variables for Optimize migration init container
    env: []

  ## @param optimize.sidecars can be used to attach extra containers to the optimize deployment
  sidecars: []

  ## optimize.contextPath can be used to make Optimize web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  # contextPath: "/optimize"

  ## @param optimize.podAnnotations can be used to define extra Optimize pod annotations
  podAnnotations: {}
  ## @param optimize.podLabels can be used to define extra Optimize pod labels
  podLabels: {}

  ## @param optimize.partitionCount defines how many Zeebe partitions are set up in the cluster and which should be imported by Optimize
  partitionCount: "3"
  ## @param optimize.env can be used to set extra environment variables in each Optimize container
  env: []
  ## @param optimize.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param optimize.extraVolumes can be used to define extra volumes for the Optimize pods, useful for tls and self-signed certificates
  extraVolumes: []
  ## @param optimize.extraVolumeMounts can be used to mount extra volumes for the Optimize pods, useful for tls and self-signed certificates
  extraVolumeMounts: []
  ## @param optimize.initContainers can be used to set up extra init containers for the optimize pods, useful for additional exporters
  initContainers: []
  ## @extra optimize.serviceAccount configuration for the service account where the Optimize pods are assigned to
  serviceAccount:
    ## @param optimize.serviceAccount.enabled if true, enables the Optimize service account
    enabled: true
    ## @param optimize.serviceAccount.name can be used to set the name of the Optimize service account
    name: ""
    ## @param optimize.serviceAccount.annotations can be used to set the annotations of the Optimize service account
    annotations: {}

  ## @extra optimize.service configuration to configure the Optimize service.
  service:
    ## @param optimize.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param optimize.service.port defines the port of the service, where the Optimize web application will be available
    port: 80
    ## @param optimize.service.annotations can be used to define annotations, which will be applied to the Optimize service
    annotations: {}
    ## @param optimize.service.managementPort defines the port where actuator will be available. Also required to reach backup API
    managementPort: 8092

  ## @extra optimize.podSecurityContext defines the security options the Optimize pod should be run with
  podSecurityContext:
  ## @param optimize.podSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param optimize.podSecurityContext.fsGroup
    fsGroup: 100

 ## @extra optimize.containerSecurityContext defines the security options the Optimize container should be run with
  containerSecurityContext:
  ## @param optimize.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param optimize.containerSecurityContext.privileged
    privileged: false
     ## @param optimize.containerSecurityContext.readOnlyRootFilesystem
    readOnlyRootFilesystem: true
    ## @param optimize.containerSecurityContext.runAsUser
    runAsUser: 100

  ## @extra optimize.startupProbe configuration
  startupProbe:
    ## @param optimize.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param optimize.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param optimize.startupProbe.probePath defines the startup probe route used on the app
    probePath: /api/readyz
    ## @param optimize.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param optimize.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param optimize.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra optimize.readinessProbe configuration
  readinessProbe:
    ## @param optimize.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param optimize.readinessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param optimize.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /api/readyz
    ## @param optimize.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param optimize.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param optimize.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra optimize.livenessProbe configuration
  livenessProbe:
    ## @param optimize.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param optimize.livenessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param optimize.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /api/readyz
    ## @param optimize.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param optimize.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param optimize.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param optimize.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param optimize.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @param optimize.nodeSelector can be used to define on which nodes the Optimize pods should run
  nodeSelector: {}
  ## @param optimize.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param optimize.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  ## @extra optimize.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param optimize.resources.requests.cpu
  ## @param optimize.resources.requests.memory
  ## @param optimize.resources.limits.cpu
  ## @param optimize.resources.limits.memory
  resources:
    requests:
      cpu: 600m
      memory: 1Gi
    limits:
      cpu: 2000m
      memory: 2Gi

  ingress:
    ## @param optimize.ingress.enabled if true, an ingress resource is deployed with the Optimize deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @param optimize.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param optimize.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip optimize.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip optimize.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip optimize.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @param optimize.ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param optimize.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: ""
    ## @extra optimize.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param optimize.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param optimize.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-optimize


############################################
###
 #  #####  ###### #    # ##### # ##### #   #
 #  #    # #      ##   #   #   #   #    # #
 #  #    # #####  # #  #   #   #   #     #
 #  #    # #      #  # #   #   #   #     #
 #  #    # #      #   ##   #   #   #     #
### #####  ###### #    #   #   #   #     #
############################################
## @section Identity Parameters
# Identity configuration for the identity sub chart.
identity:
  ## @param identity.enabled if true, the identity deployment and its related resources are deployed via a helm release
  #
  # Note: Identity is required by Optimize and Web Modeler. If Identity is disabled, both Optimize and Web Modeler will be unusable.
  #       If you need neither Optimize nor Web Modeler, make sure to disable both the Identity authentication and the applications by setting:
  #         global.identity.auth.enabled=false
  #         optimize.enabled=false
  #         webModeler.enabled=false
  enabled: true

  ## @param identity.fullnameOverride can be used to override the full name of the Identity resources
  fullnameOverride: ""
  ## @param identity.nameOverride can be used to partly override the name of the Identity resources (names will still be prefixed with the release name)
  nameOverride: ""

  ## @extra identity.firstUser configuration to configure properties of the first Identity user, which can be used to access all
  # web applications
  firstUser:
    ## @param identity.firstUser.enabled if true, Identity will seed the first user in Keycloak.
    enabled: true
    ## @param identity.firstUser.username defines the username of the first user, needed to log in into the web applications
    username: demo
    ## @param identity.firstUser.password defines the password of the first user, needed to log in into the web applications
    password: demo
    ## @param identity.firstUser.email defines the email address of the first user; a valid email address is required to use Web Modeler
    email: demo@example.org
    ## @param identity.firstUser.firstName defines the first name of the first user; a name is required to use Web Modeler
    firstName: Demo
    ## @param identity.firstUser.lastName defines the last name of the first user; a name is required to use Web Modeler
    lastName: User
    ## @param identity.firstUser.existingSecret can be used to use an own existing secret for Identity first user.
    # Currently, only password field is supported via "identity-firstuser-password" key in the secret resource.
    existingSecret: ""

  ## @extra identity.image configuration to configure the identity image specifics
  image:
    ## @param identity.image.registry can be used to set container image registry.
    registry: ""
    ## @param identity.image.repository defines which image repository to use
    repository: camunda/identity
    ## @param identity.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag:
    ## @param identity.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  ## @param identity.sidecars can be used to attach extra containers to the identity deployment
  sidecars: []
  ## @param identity.initContainers can be used to set up extra init containers for the identity pods, useful for additional exporters
  initContainers: []
  # FullURL can be used when Ingress is configured (for both multi and single domain setup).
  # Note: If the `ContextPath` is configured, then value of `ContextPath` should be included in the URL too.
  # fullURL: "https://camunda.example.com/identity"

  # ContextPath can be used to make Identity web application works on a custom sub-path. This is mainly used
  # to run Camunda web applications under a single domain.
  # Note: Identity cannot be accessed over HTTP if a "contextPath" is configured.
  #       Which means that Identity cannot be configured in combined Ingress without HTTPS.
  #       To use Identity over HTTP, setup a separated Ingress using "identity.ingress" and don't set "contextPath".
  # contextPath: "/identity"

  ## @param identity.podAnnotations can be used to define extra Identity pod annotations
  podAnnotations: {}
  ## @param identity.podLabels can be used to define extra Identity pod labels
  podLabels: {}

  ## @extra identity.service configuration to configure the identity service.
  service:
    ## @param identity.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param identity.service.annotations can be used to define annotations, which will be applied to the identity service
    annotations: {}
    ## @param identity.service.port defines the port of the service on which the identity application will be available
    port: 80
    ## @param identity.service.metricsPort defines the port of the service on which the identity metrics will be available
    metricsPort: 82
    ## @param identity.service.metricsName defines the name of the service on which the identity metrics will be available
    metricsName: metrics

 ## @extra identity.podSecurityContext defines the security options the Identity pod should be run with
  podSecurityContext:
  ## @param identity.podSecurityContext.fsGroup
    fsGroup: 1005

  ## @extra identity.containerSecurityContext defines the security options the Identity container should be run with
  containerSecurityContext:
  ## @param identity.containerSecurityContext.privileged
    privileged: false
    ## @param identity.containerSecurityContext.readOnlyRootFilesystem
    readOnlyRootFilesystem: true
    ## @param identity.containerSecurityContext.allowPrivilegeEscalation
    allowPrivilegeEscalation: false
    ## @param identity.containerSecurityContext.runAsNonRoot
    runAsNonRoot: true
    ## @param identity.containerSecurityContext.runAsUser
    runAsUser: 1005

  ## @extra identity.startupProbe configuration
  startupProbe:
    ## @param identity.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param identity.startupProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param identity.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health
    ## @param identity.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param identity.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param identity.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param identity.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param identity.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra identity.readinessProbe configuration
  readinessProbe:
    ## @param identity.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param identity.readinessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param identity.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health
    ## @param identity.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param identity.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param identity.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param identity.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param identity.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra identity.livenessProbe configuration
  livenessProbe:
    ## @param identity.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param identity.livenessProbe.scheme defines the startup probe schema used on calling the probePath
    scheme: HTTP
    ## @param identity.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health
    ## @param identity.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param identity.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param identity.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param identity.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param identity.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @param identity.nodeSelector can be used to define on which nodes the Identity pods should run
  nodeSelector: {}
  ## @param identity.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param identity.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

  ## @extra identity.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param identity.resources.requests.memory
  ## @param identity.resources.limits.cpu
  ## @param identity.resources.requests.cpu
  ## @param identity.resources.limits.memory
  resources:
    requests:
      cpu: 600m
      memory: 400Mi
    limits:
      cpu: 2000m
      memory: 2Gi

  ## @param identity.env can be used to set extra environment variables in each identity container. See the documentation https://docs.camunda.io/docs/self-managed/identity/deployment/configuration-variables/ for more details.
  env: []
  ## @param identity.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param identity.extraVolumes can be used to define extra volumes for the identity pods, useful for tls and self-signed certificates
  extraVolumes: []
  ## @param identity.extraVolumeMounts can be used to mount extra volumes for the identity pods, useful for tls and self-signed certificates
  extraVolumeMounts: []

  ## @extra identity.serviceAccount configuration for the service account where the identity pods are assigned to
  serviceAccount:
    ## @param identity.serviceAccount.enabled if true, enables the identity service account
    enabled: true
    ## @param identity.serviceAccount.name can be used to set the name of the identity service account
    name: ""
    ## @param identity.serviceAccount.annotations can be used to set the annotations of the identity service account
    annotations: {}

  ingress:
    ## @param identity.ingress.enabled if true, an ingress resource is deployed with the identity deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @param identity.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param identity.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip identity.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip identity.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip identity.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @param identity.ingress.path defines the path which is associated with the operate service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param identity.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: ""
    ## @extra identity.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param identity.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param identity.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-identity

  ## PostgreSQL chart configuration
  postgresql:
    ## @param identity.postgresql.enabled Enable PostgreSQL Helm chart. Required for Multi-Tenancy.
    ##
    enabled: false
    # https://hub.docker.com/r/bitnami/postgresql/tags
    ## @param identity.postgresql.image.repository PostgreSQL repo
    ## @param identity.postgresql.image.tag PostgreSQL image tag
    ##
    image:
      repository: bitnami/postgresql
      tag: 15.4.0
    ## @param identity.postgresql.nameOverride the name used for Identity PostgreSQL.
    ##
    nameOverride: identity-postgresql
    auth:
      ## @param identity.postgresql.auth.username Non-root username
      ##
      username: identity
      ## @param identity.postgresql.auth.database The database name
      ##
      database: identity
      ## @param identity.postgresql.auth.password Password for the non-root username
      ##
      password:
      ## @param identity.postgresql.auth.existingSecret Name of an existing secret resource containing the database credentials
      ##
      existingSecret:

  ## External PostgreSQL configuration
  ## All of these values are only used when postgresql.enabled is set to false
  ## @param identity.externalDatabase.enabled
  ## @param identity.externalDatabase.host Database host
  ## @param identity.externalDatabase.port Database port number
  ## @param identity.externalDatabase.username Non-root username
  ## @param identity.externalDatabase.password Password for the non-root username
  ## @param identity.externalDatabase.database The database name
  ## @param identity.externalDatabase.existingSecret Name of an existing secret resource containing the database credentials
  ## @param identity.externalDatabase.existingSecretPasswordKey Name of an existing secret key containing the database credentials
  ##
  externalDatabase:
    enabled: false
    host:
    port:
    username:
    database:
    password:
    existingSecret:
    existingSecretPasswordKey:

  # Identity.
  #    # ###### #   #  ####  #       ####    ##   #    #
  #   #  #       # #  #    # #      #    #  #  #  #   #
  ####   #####    #   #      #      #    # #    # ####
  #  #   #        #   #      #      #    # ###### #  #
  #   #  #        #   #    # #      #    # #    # #   #
  #    # ######   #    ####  ######  ####  #    # #    #
  ## @section Identity - Keycloak Parameters
  # Identity.keycloak
  ## @extra identity.keycloak configuration, for the keycloak dependency chart which is used by identity.
  # For more details: https://github.com/bitnami/charts/tree/master/bitnami/keycloak#parameters
  keycloak:
    ## @extra identity.keycloak.postgresql configuration.
    postgresql:
      # https://hub.docker.com/r/bitnami/postgresql/tags
      image:
        ## @param identity.keycloak.postgresql.image.repository image repo
        repository: bitnami/postgresql
        ## @param identity.keycloak.postgresql.image.tag image tag
        tag: 15.4.0
      primary:
        ## @skip identity.keycloak.postgresql.primary.extraVolumes[0].name
        ## @skip identity.keycloak.postgresql.primary.extraVolumes[0].emptyDir
        ## @skip identity.keycloak.postgresql.primary.extraVolumes[1].name
        ## @skip identity.keycloak.postgresql.primary.extraVolumes[1].emptyDir
        ## @skip identity.keycloak.postgresql.primary.extraVolumes[2].name
        ## @skip identity.keycloak.postgresql.primary.extraVolumes[2].emptyDir
        extraVolumes:
        - name: tmp
          emptyDir: {}
        - name: config
          emptyDir: {}
        - name: postgresql-tmp
          emptyDir: {}
        ## identity.keycloak.postgresql.primary.extraVolumeMounts can be used to mount extra volumes for the identity pods, useful for tls and self-signed certificates
        ## @skip identity.keycloak.postgresql.primary.extraVolumeMounts[0].mountPath
        ## @skip identity.keycloak.postgresql.primary.extraVolumeMounts[0].name
        ## @skip identity.keycloak.postgresql.primary.extraVolumeMounts[1].mountPath
        ## @skip identity.keycloak.postgresql.primary.extraVolumeMounts[1].name
        ## @skip identity.keycloak.postgresql.primary.extraVolumeMounts[2].mountPath
        ## @skip identity.keycloak.postgresql.primary.extraVolumeMounts[2].name
        extraVolumeMounts:
        - mountPath: /tmp
          name: tmp
        - mountPath: /opt/bitnami/postgresql/conf
          name: config
        - mountPath: /opt/bitnami/postgresql/tmp
          name: postgresql-tmp
        ## @param identity.keycloak.postgresql.primary.containerSecurityContext.enabled
        ## @param identity.keycloak.postgresql.primary.containerSecurityContext.privileged
        ## @param identity.keycloak.postgresql.primary.containerSecurityContext.readOnlyRootFilesystem
        ## @param identity.keycloak.postgresql.primary.containerSecurityContext.allowPrivilegeEscalation
        ## @param identity.keycloak.postgresql.primary.containerSecurityContext.runAsNonRoot
        ## @param identity.keycloak.postgresql.primary.containerSecurityContext.runAsUser
        ## @param identity.keycloak.postgresql.primary.containerSecurityContext.capabilities.drop
        ## @param identity.keycloak.postgresql.primary.containerSecurityContext.seccompProfile.type
        containerSecurityContext:
          enabled: true
          privileged: false
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1001
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
        ## @param identity.keycloak.postgresql.primary.podSecurityContext.enabled
        ## @param identity.keycloak.postgresql.primary.podSecurityContext.runAsNonRoot
        ## @param identity.keycloak.postgresql.primary.podSecurityContext.fsGroup
        podSecurityContext:
          enabled: true
          runAsNonRoot: true
          fsGroup: 1001

    ## @param identity.keycloak.enabled is used incorporate with "global.identity.keycloak" to use your own Keycloak instead of the one comes with Camunda Helm chart
    enabled: true

    ## @extra identity.keycloak.image configuration.
    # https://hub.docker.com/r/bitnami/keycloak/tags
    image:
      ## @param identity.keycloak.image.repository image repo
      repository: bitnami/keycloak
      ## @param identity.keycloak.image.tag image tag
      tag: 22.0.5

    # Keycloak.proxy defines the proxy mode depends on the TLS termination in your environment.
    # Docs: https://www.keycloak.org/server/reverseproxy
    ## @param identity.keycloak.proxy keycloak proxy
    proxy: edge

    ## @extra identity.keycloak.tls can be used to enable TLS encryption. Required for HTTPs traffic.
    tls:
    ## @param identity.keycloak.tls.enabled enabling tls
      enabled: false

    # NOTE: Since Helm v3 (latest checked 3.10.x) doesn't merge lists with custom values files, then you will need to
    # add this to your own values file if you override any of "extraVolumes", "initContainers", or "extraVolumeMounts".
    ## @skip identity.keycloak.extraVolumes [object] Extra volumes for keycloak
    ## @skip identity.keycloak.extraVolumes[0].name
    ## @skip identity.keycloak.extraVolumes[0].emptyDir
    ## @skip identity.keycloak.extraVolumes[1].name
    ## @skip identity.keycloak.extraVolumes[1].emptyDir
    ## @skip identity.keycloak.extraVolumes[2].name
    ## @skip identity.keycloak.extraVolumes[2].emptyDir
    ## @skip identity.keycloak.extraVolumes[3].name
    ## @skip identity.keycloak.extraVolumes[3].emptyDir.sizeLimit
    extraVolumes:
    - name: config
      emptyDir: {}
    - name: quarkus
      emptyDir: {}
    - name: tmp
      emptyDir: {}
    - name: camunda-theme
      emptyDir:
        sizeLimit: 10Mi

    initContainers:
    ## @param identity.keycloak.initContainers[0].name
    ## @param identity.keycloak.initContainers[0].image
    ## @param identity.keycloak.initContainers[0].imagePullPolicy
    ## @param identity.keycloak.initContainers[0].command
    ## @param identity.keycloak.initContainers[0].securityContext.privileged
    ## @param identity.keycloak.initContainers[0].securityContext.readOnlyRootFilesystem
    ## @param identity.keycloak.initContainers[0].securityContext.allowPrivilegeEscalation
    ## @param identity.keycloak.initContainers[0].securityContext.runAsNonRoot
    ## @param identity.keycloak.initContainers[0].securityContext.runAsUser
    ## @param identity.keycloak.initContainers[0].securityContext.capabilities.drop
    ## @param identity.keycloak.initContainers[0].securityContext.seccompProfile.type
    ## @param identity.keycloak.initContainers[0].volumeMounts[0].name
    ## @param identity.keycloak.initContainers[0].volumeMounts[0].mountPath
    - name: copy-camunda-theme
      image: >-
        {{- $identityImageParams := (dict "base" .Values.global "overlay" .Values.global.identity) -}}
        {{- include "camundaPlatform.imageByParams" $identityImageParams }}
      imagePullPolicy: "{{ .Values.global.image.pullPolicy }}"
      command: ["sh", "-c", "cp -a /app/keycloak-theme/* /mnt"]
      securityContext:
        privileged: false
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        # TODO: Remove the runAsUser when the numeric ID is used in the Identity Docker image.
        runAsUser: 1005
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
      volumeMounts:
      - name: camunda-theme
        mountPath: /mnt
    ## @param identity.keycloak.initContainers[1].name
    ## @param identity.keycloak.initContainers[1].image
    ## @param identity.keycloak.initContainers[1].imagePullPolicy
    ## @param identity.keycloak.initContainers[1].command
    ## @param identity.keycloak.initContainers[1].securityContext.privileged
    ## @param identity.keycloak.initContainers[1].securityContext.readOnlyRootFilesystem
    ## @param identity.keycloak.initContainers[1].securityContext.allowPrivilegeEscalation
    ## @param identity.keycloak.initContainers[1].securityContext.runAsNonRoot
    ## @param identity.keycloak.initContainers[1].securityContext.capabilities.drop
    ## @param identity.keycloak.initContainers[1].securityContext.seccompProfile.type
    ## @param identity.keycloak.initContainers[1].volumeMounts[0].name
    ## @param identity.keycloak.initContainers[1].volumeMounts[0].mountPath
    ## @param identity.keycloak.initContainers[1].volumeMounts[1].name
    ## @param identity.keycloak.initContainers[1].volumeMounts[1].mountPath
    - name: copy-configs
      image: bitnami/keycloak:{{ .Values.image.tag }}
      imagePullPolicy: "Always"
      command: ["sh", "-c", "cp -ar /opt/bitnami/keycloak/conf/* /config && cp -a /opt/bitnami/keycloak/lib/quarkus/* /quarkus"]
      securityContext:
        privileged: false
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        capabilities:
          drop: ["ALL"]
        seccompProfile:
          type: RuntimeDefault
      volumeMounts:
      - name: config
        mountPath: /config
      - name: quarkus
        mountPath: /quarkus
    ## @param identity.keycloak.extraVolumeMounts[0].name
    ## @param identity.keycloak.extraVolumeMounts[0].mountPath
    ## @param identity.keycloak.extraVolumeMounts[1].mountPath
    ## @param identity.keycloak.extraVolumeMounts[1].name
    ## @param identity.keycloak.extraVolumeMounts[2].name
    ## @param identity.keycloak.extraVolumeMounts[2].mountPath
    ## @param identity.keycloak.extraVolumeMounts[3].mountPath
    ## @param identity.keycloak.extraVolumeMounts[3].name
    extraVolumeMounts:
    - mountPath: /opt/bitnami/keycloak/conf/
      name: config
    - mountPath: /opt/bitnami/keycloak/lib/quarkus
      name: quarkus
    - name: camunda-theme
      mountPath: /opt/bitnami/keycloak/themes/identity
    - mountPath: /tmp
      name: tmp

    ## @param identity.keycloak.containerSecurityContext.privileged
    ## @param identity.keycloak.containerSecurityContext.readOnlyRootFilesystem
    ## @param identity.keycloak.containerSecurityContext.allowPrivilegeEscalation
    ## @param identity.keycloak.containerSecurityContext.runAsNonRoot
    ## @param identity.keycloak.containerSecurityContext.runAsUser
    ## @param identity.keycloak.containerSecurityContext.capabilities.drop
    ## @param identity.keycloak.containerSecurityContext.seccompProfile.type
    containerSecurityContext:
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 1001
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
    ## @param identity.keycloak.podSecurityContext.fsGroup
    podSecurityContext:
      fsGroup: 1001
    ## @param identity.keycloak.httpRelativePath defines the context for Keycloak. This config is valid for Keycloak v19.x.x only
    # where in Keycloak v16.x.x it's hard-coded as '/auth', but in v19.x.x it's configurable.
    # NOTE: This should be the same as ".Values.global.identity.keycloak.contextPath" plus a trailing slash,
    # but it cannot be referenced directly because of a bug in Helm (tested with Helm v3.9.3).
    httpRelativePath: /auth/
    ## @extra identity.extraEnvVars
    ## @param identity.keycloak.extraEnvVars[0].name
    ## @param identity.keycloak.extraEnvVars[0].value
    extraEnvVars:
    # KEYCLOAK_PROXY_ADDRESS_FORWARDING can be used with Ingress that has SSL Termination. It will be "true" if the TLS
    # in global Ingress is enabled, but it could be overwritten with separate Ingress setup.
    - name: KEYCLOAK_PROXY_ADDRESS_FORWARDING
      value: "{{ .Values.global.ingress.tls.enabled }}"

    # under "global.ingress" is enabled. However, it's possible to setup Keycloak on a separate Ingress if needed.
    # For more details: https://github.com/bitnami/charts/tree/main/bitnami/keycloak#configure-ingress
    ingress:
      ## @param identity.keycloak.ingress.enabled can be used enable ingress record generation for Keycloak.
      enabled: false
      ## @param identity.keycloak.ingress.tls can be used to enable TLS configuration for the host defined at ingress.hostname parameter.
      tls: false
      ## @param identity.keycloak.ingress.extraTls configuration for additional hostnames to be covered with this ingress record.
      extraTls: []
      ## @param identity.keycloak.ingress.annotations [object] configures annotations to be applied to the ingress record.
      annotations:
      ## @skip identity.keycloak.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
        nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"

    ## @extra identity.keycloak.service configuration, to configure the service which is deployed along with keycloak
    service:
      ## @param identity.keycloak.service.type can be set to change the service type.
      # We use clusterIP for keycloak service, since per default LoadBalancer is used, which is not supported on all cloud providers.
      # This might prevent scheduling of the service.
      type: ClusterIP
    ## Keycloak authentication parameters
    ## ref: https://github.com/bitnami/bitnami-docker-keycloak#admin-credentials
    ##
    ## @extra identity.keycloak.auth uses the secrets generated by keycloak, to access keycloak.
    auth:
      ## @param identity.keycloak.auth.adminUser defines the keycloak administrator user
      adminUser: admin
      ## @param identity.keycloak.auth.existingSecret can be used to reuse an existing secret containing authentication information.
      # See https://docs.bitnami.com/kubernetes/apps/keycloak/configuration/manage-passwords/ for more details.
      existingSecret: ""


#######################################################################
#     #               #     #
#  #  # ###### #####  ##   ##  ####  #####  ###### #      ###### #####
#  #  # #      #    # # # # # #    # #    # #      #      #      #    #
#  #  # #####  #####  #  #  # #    # #    # #####  #      #####  #    #
#  #  # #      #    # #     # #    # #    # #      #      #      #####
#  #  # #      #    # #     # #    # #    # #      #      #      #   #
 ## ##  ###### #####  #     #  ####  #####  ###### ###### ###### #    #
#######################################################################
## @section WebModeler Parameters
# WebModeler configuration of the Web Modeler deployment
webModeler:
  ## @param webModeler.enabled if true, the Web Modeler deployment and its related resources are deployed via a helm release
  enabled: false

  ## @param webModeler.fullnameOverride can be used to override the full name of the Web Modeler resources
  fullnameOverride: ""
  ## @param webModeler.nameOverride can be used to partly override the name of the Web Modeler resources (names will still be prefixed with the release name)
  nameOverride: ""

  ## @extra webModeler.image configuration of the Web Modeler Docker images
  # Camunda Enterprise repository.
  # registry.camunda.cloud/web-modeler-ee
  image:
    ## @param webModeler.image.registry can be used to set the Docker registry for the Web Modeler images (overwrites global.image.registry)
    # Note: The images are not publicly available on Docker Hub, but only from Camunda's private registry.
    registry: registry.camunda.cloud
    ## @param webModeler.image.tag can be used to set the Docker image tag for the Web Modeler images (overwrites global.image.tag)
    # renovate: datasource=docker depName=camunda/web-modeler lookupName=registry.camunda.cloud/web-modeler-ee/modeler-restapi
    tag: 8.3.0
    ## @param webModeler.image.pullSecrets can be used to configure image pull secrets, see https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    # Note: A secret will be required, if the Web Modeler images are pulled directly from Camunda's private registry.
    #
    # Example:
    #
    # pullSecrets:
    #   - name: registry-secret
    pullSecrets: []

  # ContextPath can be used to make Web Modeler available on a custom sub-path. This is mainly used to run the Camunda web applications under a single domain.
  # Note: The WebSocket application will be exposed on the configured path suffixed with "-ws", e.g. "/modeler-ws"
  # contextPath: "/modeler"

  # WebModeler.
  ######                         #    ######  ###
  #     # ######  ####  #####   # #   #     #  #
  #     # #      #        #    #   #  #     #  #
  ######  #####   ####    #   #     # ######   #
  #   #   #           #   #   ####### #        #
  #    #  #      #    #   #   #     # #        #
  #     # ######  ####    #   #     # #       ###
  ## @section WebModeler - RestAPI Parameters
  ## @extra webModeler.restapi configuration of the Web Modeler restapi component
  restapi:
    ## @extra webModeler.restapi.image configuration of the restapi Docker image
    image:
      ## @param webModeler.restapi.image.repository defines which image repository to use for the restapi Docker image
      repository: web-modeler-ee/modeler-restapi

    ## @param webModeler.restapi.sidecars can be used to attach extra containers to the restapi deployment
    sidecars: []
    ## @param webModeler.restapi.initContainers can be used to set up extra init containers to the restapi deployment
    initContainers: []

    ## @extra webModeler.restapi.externalDatabase can be used to configure a connection to an external database. This will only be applied
    # if the postgresql dependency chart is disabled (by setting postgresql.enabled to false).
    # Note: Currently, the only supported database system is PostgreSQL.
    externalDatabase:
     ## @param webModeler.restapi.externalDatabase.url defines the JDBC url of the database instance
      url: ""
     ## @param webModeler.restapi.externalDatabase.user
      user: ""
      ## @param webModeler.restapi.externalDatabase.password defines the database user's password
      password: ""

    ## @extra webModeler.restapi.mail configuration for emails sent by Web Modeler
    mail:
      ## @param webModeler.restapi.mail.smtpHost defines the host name of the SMTP server to be used by Web Modeler
      smtpHost: ""
      ## @param webModeler.restapi.mail.smtpPort defines the port number of the SMTP server
      smtpPort: 587
      ## @param webModeler.restapi.mail.smtpUser can be used to provide a user for the SMTP server
      smtpUser: ""
      ## @param webModeler.restapi.mail.smtpPassword can be used to provide a password for the SMTP server
      smtpPassword: ""
      ## @param webModeler.restapi.mail.smtpTlsEnabled if true, enforces TLS encryption for SMTP connections (using STARTTLS)
      smtpTlsEnabled: true
      ## @param webModeler.restapi.mail.fromAddress defines the email address that will be displayed as the sender of emails sent by Web Modeler
      # NOTE: This value is mandatory.
      fromAddress: ""
      ## @param webModeler.restapi.mail.fromName defines the name that will be displayed as the sender of emails sent by Web Modeler
      fromName: "Camunda 8"

    ## @param webModeler.restapi.podAnnotations can be used to define extra restapi pod annotations
    podAnnotations: {}
    ## @param webModeler.restapi.podLabels can be used to define extra restapi pod labels
    podLabels: {}

    ## @param webModeler.restapi.env can be used to set extra environment variables in each restapi container
    env: []
    ## @param webModeler.restapi.command can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
    command: []
    ## @param webModeler.restapi.extraVolumes can be used to define extra volumes for the restapi pods, useful for TLS and self-signed certificates
    extraVolumes: []
    ## @param webModeler.restapi.extraVolumeMounts can be used to mount extra volumes for the restapi pods, useful for TLS and self-signed certificates
    extraVolumeMounts: []

    ## @extra webModeler.restapi.podSecurityContext can be used to define the security options the restapi pod should be run with
    podSecurityContext:
      ## @param webModeler.restapi.podSecurityContext.runAsNonRoot
      ## @param webModeler.restapi.podSecurityContext.fsGroup
      runAsNonRoot: true
      fsGroup: 1000
    ## @extra webModeler.restapi.containerSecurityContext can be used to define the security options the restapi container should be run with
    ## @param webModeler.restapi.containerSecurityContext.privileged
    ## @param webModeler.restapi.containerSecurityContext.readOnlyRootFilesystem
    ## @param webModeler.restapi.containerSecurityContext.allowPrivilegeEscalation
    ## @param webModeler.restapi.containerSecurityContext.runAsNonRoot
    ## @param webModeler.restapi.containerSecurityContext.runAsUser
    containerSecurityContext:
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 1000

    ## @extra webModeler.restapi.startupProbe configuration of the restapi startup probe
    startupProbe:
      ## @param webModeler.restapi.startupProbe.enabled if true, the startup probe will be enabled for the restapi container
      enabled: false
      ## @param webModeler.restapi.startupProbe.scheme defines the startup probe schema used on calling the probePath
      scheme: HTTP
      ## @param webModeler.restapi.startupProbe.probePath defines the HTTP endpoint used for the startup probe
      probePath: /health/liveness
      ## @param webModeler.restapi.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 30
      ## @param webModeler.restapi.startupProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.restapi.startupProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.restapi.startupProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.restapi.startupProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.restapi.readinessProbe configuration of the restapi readiness probe
    readinessProbe:
      ## @param webModeler.restapi.readinessProbe.enabled if true, the readiness probe will be enabled for the restapi container
      enabled: true
      ## @param webModeler.restapi.readinessProbe.scheme defines the startup probe schema used on calling the probePath
      scheme: HTTP
      ## @param webModeler.restapi.readinessProbe.probePath defines the HTTP endpoint used for the readiness probe
      probePath: /health/readiness
      ## @param webModeler.restapi.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 30
      ## @param webModeler.restapi.readinessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.restapi.readinessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.restapi.readinessProbe.failureThreshold defines when the probe is considered failed so the Pod will be marked unready
      failureThreshold: 5
      ## @param webModeler.restapi.readinessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.restapi.livenessProbe configuration of the restapi liveness probe
    livenessProbe:
      ## @param webModeler.restapi.livenessProbe.enabled if true, the liveness probe will be enabled for the restapi container
      enabled: false
      ## @param webModeler.restapi.livenessProbe.scheme defines the startup probe schema used on calling the probePath
      scheme: HTTP
      ## @param webModeler.restapi.livenessProbe.probePath defines the HTTP endpoint used for the liveness probe
      probePath: /health/liveness
      ## @param webModeler.restapi.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 30
      ## @param webModeler.restapi.livenessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.restapi.livenessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.restapi.livenessProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.restapi.livenessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @param webModeler.restapi.nodeSelector can be used to select the nodes the restapi pods should run on
    nodeSelector: {}
    ## @param webModeler.restapi.tolerations can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    tolerations: []
    ## @param webModeler.restapi.affinity can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
    affinity: {}

    ## @extra webModeler.restapi.resources configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
    ## @param webModeler.restapi.resources.requests.cpu
    ## @param webModeler.restapi.resources.requests.memory
    ## @param webModeler.restapi.resources.limits.cpu
    ## @param webModeler.restapi.resources.limits.memory
    resources:
      requests:
        cpu: 500m
        memory: 1Gi
      limits:
        cpu: 1000m
        memory: 2Gi

    ## @extra webModeler.restapi.service configuration of the Web Modeler restapi service
    service:
      ## @param webModeler.restapi.service.type defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
      type: ClusterIP
      ## @param webModeler.restapi.service.port defines the default port of the service
      port: 80
      ## @param webModeler.restapi.service.managementPort defines the management port of the service
      managementPort: 8091
      ## @param webModeler.restapi.service.annotations can be used to define annotations which will be applied to the service
      annotations: {}

  # WebModeler.
  #    # ###### #####    ##   #####  #####
  #    # #      #    #  #  #  #    # #    #
  #    # #####  #####  #    # #    # #    #
  # ## # #      #    # ###### #####  #####
  ##  ## #      #    # #    # #      #
  #    # ###### #####  #    # #      #
  ## @section WebModeler - WebApp Parameters
  ## @extra webModeler.webapp. configuration of the Web Modeler webapp component
  webapp:
    ## @extra webModeler.webapp.image configuration of the webapp Docker image
    image:
      ## @param webModeler.webapp.image.repository defines which image repository to use for the webapp Docker image
      repository: web-modeler-ee/modeler-webapp

    ## @param webModeler.webapp.sidecars can be used to attach extra containers to the modeler webapp deployment
    sidecars: []
    ## @param webModeler.webapp.initContainers can be used to set up extra init containers to the modeler webapp deployment
    initContainers: []

    ## @param webModeler.webapp.podAnnotations can be used to define extra webapp pod annotations
    podAnnotations: {}
    ## @param webModeler.webapp.podLabels can be used to define extra webapp pod labels
    podLabels: {}

    ## @param webModeler.webapp.env can be used to set extra environment variables in each webapp container
    env: []
    ## @param webModeler.webapp.command can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
    command: []
    ## @param webModeler.webapp.extraVolumes can be used to define extra volumes for the webapp pods, useful for TLS and self-signed certificates
    extraVolumes: []
    ## @param webModeler.webapp.extraVolumeMounts can be used to mount extra volumes for the webapp pods, useful for TLS and self-signed certificates
    extraVolumeMounts: []

    ## @extra webModeler.webapp.podSecurityContext can be used to define the security options the webapp pod should be run with
    ## @param webModeler.webapp.podSecurityContext.runAsNonRoot
    ## @param webModeler.webapp.podSecurityContext.fsGroup
    podSecurityContext:
      runAsNonRoot: true
      fsGroup: 1000
    ## @extra webModeler.webapp.containerSecurityContext can be used to define the security options the webapp container should be run with
    ## @param webModeler.webapp.containerSecurityContext.privileged
    ## @param webModeler.webapp.containerSecurityContext.readOnlyRootFilesystem
    ## @param webModeler.webapp.containerSecurityContext.allowPrivilegeEscalation
    ## @param webModeler.webapp.containerSecurityContext.runAsNonRoot
    ## @param webModeler.webapp.containerSecurityContext.runAsUser
    containerSecurityContext:
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 1000

    ## @extra webModeler.webapp.startupProbe configuration of the webapp startup probe
    startupProbe:
      ## @param webModeler.webapp.startupProbe.enabled if true, the startup probe will be enabled for the webapp container
      enabled: false
      ## @param webModeler.webapp.startupProbe.scheme defines the startup probe schema used on calling the probePath
      scheme: HTTP
      ## @param webModeler.webapp.startupProbe.probePath defines the HTTP endpoint used for the startup probe
      probePath: /health/liveness
      ## @param webModeler.webapp.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 15
      ## @param webModeler.webapp.startupProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.webapp.startupProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.webapp.startupProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.webapp.startupProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.webapp.readinessProbe configuration of the webapp readiness probe
    readinessProbe:
      ## @param webModeler.webapp.readinessProbe.enabled if true, the readiness probe will be enabled for the webapp container
      enabled: true
      ## @param webModeler.webapp.readinessProbe.scheme defines the startup probe schema used on calling the probePath
      scheme: HTTP
      ## @param webModeler.webapp.readinessProbe.probePath defines the HTTP endpoint used for the readiness probe
      probePath: /health/readiness
      ## @param webModeler.webapp.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 15
      ## @param webModeler.webapp.readinessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.webapp.readinessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.webapp.readinessProbe.failureThreshold defines when the probe is considered failed so the Pod will be marked unready
      failureThreshold: 5
      ## @param webModeler.webapp.readinessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.webapp.livenessProbe configuration of the webapp liveness probe
    livenessProbe:
      ## @param webModeler.webapp.livenessProbe.enabled if true, the liveness probe will be enabled for the webapp container
      enabled: false
      ## @param webModeler.webapp.livenessProbe.scheme defines the startup probe schema used on calling the probePath
      scheme: HTTP
      ## @param webModeler.webapp.livenessProbe.probePath defines the HTTP endpoint used for the liveness probe
      probePath: /health/liveness
      ## @param webModeler.webapp.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 15
      ## @param webModeler.webapp.livenessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.webapp.livenessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.webapp.livenessProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.webapp.livenessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @param webModeler.webapp.nodeSelector can be used to select the nodes the webapp pods should run on
    nodeSelector: {}
    ## @param webModeler.webapp.tolerations can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    tolerations: []
    ## @param webModeler.webapp.affinity can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
    affinity: {}

    ## @extra webModeler.webapp.resources configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
    ## @param webModeler.webapp.resources.requests.cpu
    ## @param webModeler.webapp.resources.requests.memory
    ## @param webModeler.webapp.resources.limits.cpu
    ## @param webModeler.webapp.resources.limits.memory
    resources:
      requests:
        cpu: 400m
        memory: 256Mi
      limits:
        cpu: 800m
        memory: 512Mi

    ## @extra webModeler.webapp.service configuration of the Web Modeler webapp service
    service:
      ## @param webModeler.webapp.service.type defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
      type: ClusterIP
      ## @param webModeler.webapp.service.port defines the port of the service
      port: 80
      ## @param webModeler.webapp.service.managementPort defines the management port of the service
      managementPort: 8071
      ## @param webModeler.webapp.service.annotations can be used to define annotations which will be applied to the service
      annotations: {}

  # WebModeler.
  #    # ###### #####   ####   ####   ####  #    # ###### #####  ####
  #    # #      #    # #      #    # #    # #   #  #        #   #
  #    # #####  #####   ####  #    # #      ####   #####    #    ####
  # ## # #      #    #      # #    # #      #  #   #        #        #
  ##  ## #      #    # #    # #    # #    # #   #  #        #   #    #
  #    # ###### #####   ####   ####   ####  #    # ######   #    ####
  ## @section WebModeler - WebSockets Parameters
  ## @extra webModeler.websockets configuration of the Web Modeler websockets component
  websockets:
    ## @extra webModeler.websockets.image configuration of the websockets Docker image
    image:
      ## @param webModeler.websockets.image.repository defines which image repository to use for the websockets Docker image
      repository: web-modeler-ee/modeler-websockets

    ## @param webModeler.websockets.sidecars can be used to attach extra containers to the modeler websockets deployment
    sidecars: []
    ## @param webModeler.websockets.initContainers can be used to set up extra init containers to the modeler websockets deployment
    initContainers: []

    ## @param webModeler.websockets.publicHost can be used to define the host on which the WebSockets server can be reached from the Web Modeler client in the browser.
    # The default value assumes that a port-forwarding to the websockets service has been created.
    # Note: The host will only be used if the Ingress resource for Web Modeler is disabled.
    publicHost: localhost
    ## @param webModeler.websockets.publicPort can be used to define the port number on which the WebSockets server can be reached from the Web Modeler client in the browser.
    # The default value assumes that a port-forwarding to the websockets service on port 8085 has been created.
    # Note: The port will only be used if the Ingress resource for Web Modeler is disabled.
    publicPort: 8085

    ## @param webModeler.websockets.podAnnotations can be used to define extra websockets pod annotations
    podAnnotations: {}
    ## @param webModeler.websockets.podLabels can be used to define extra websockets pod labels
    podLabels: {}

    ## @param webModeler.websockets.env can be used to set extra environment variables in each websockets container
    env: []
    ## @param webModeler.websockets.command can be used to override the default command provided by the container image, see https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
    command: []
    ## @param webModeler.websockets.extraVolumes can be used to define extra volumes for the websockets pod; useful for logging to a file
    extraVolumes: []
    ## @param webModeler.websockets.extraVolumeMounts can be used to mount extra volumes for the websockets pod; useful for logging to a file
    extraVolumeMounts: []

    ## @extra webModeler.websockets.podSecurityContext can be used to define the security options the websockets pod should be run with
    ## @param webModeler.websockets.podSecurityContext.runAsNonRoot
    ## @param webModeler.websockets.podSecurityContext.fsGroup
    podSecurityContext:
      runAsNonRoot: true
      fsGroup: 1000
    ## @extra webModeler.websockets.containerSecurityContext can be used to define the security options the websockets container should be run with
    ## @param webModeler.websockets.containerSecurityContext.privileged
    ## @param webModeler.websockets.containerSecurityContext.readOnlyRootFilesystem
    ## @param webModeler.websockets.containerSecurityContext.allowPrivilegeEscalation
    ## @param webModeler.websockets.containerSecurityContext.runAsNonRoot
    ## @param webModeler.websockets.containerSecurityContext.runAsUser
    containerSecurityContext:
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 1000

    ## @extra webModeler.websockets.startupProbe configuration of the websockets startup probe
    startupProbe:
      ## @param webModeler.websockets.startupProbe.enabled if true, the startup probe will be enabled for the websockets container
      enabled: false
      ## @param webModeler.websockets.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 10
      ## @param webModeler.websockets.startupProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.websockets.startupProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.websockets.startupProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.websockets.startupProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.websockets.readinessProbe configuration of the websockets readiness probe
    readinessProbe:
      ## @param webModeler.websockets.readinessProbe.enabled if true, the readiness probe will be enabled for the websockets container
      enabled: true
      ## @param webModeler.websockets.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 10
      ## @param webModeler.websockets.readinessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.websockets.readinessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.websockets.readinessProbe.failureThreshold defines when the probe is considered failed so the Pod will be marked unready
      failureThreshold: 5
      ## @param webModeler.websockets.readinessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @extra webModeler.websockets.livenessProbe configuration of the websockets liveness probe
    livenessProbe:
      ## @param webModeler.websockets.livenessProbe.enabled if true, the liveness probe will be enabled for the websockets container
      enabled: false
      ## @param webModeler.websockets.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated
      initialDelaySeconds: 10
      ## @param webModeler.websockets.livenessProbe.periodSeconds defines how often the probe is executed
      periodSeconds: 30
      ## @param webModeler.websockets.livenessProbe.successThreshold defines how often the probe needs to succeed to be considered successful after having failed
      successThreshold: 1
      ## @param webModeler.websockets.livenessProbe.failureThreshold defines when the probe is considered failed so the container will be restarted
      failureThreshold: 5
      ## @param webModeler.websockets.livenessProbe.timeoutSeconds defines the number of seconds after which the probe times out
      timeoutSeconds: 1

    ## @param webModeler.websockets.nodeSelector can be used to select the nodes the websockets pods should run on
    nodeSelector: {}
    ## @param webModeler.websockets.tolerations can be used to define pod tolerations, see https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
    tolerations: []
    ## @param webModeler.websockets.affinity can be used to define pod affinity or anti-affinity, see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
    affinity: {}

    ## @extra webModeler.websockets.resources configuration of resource requests and limits for the container, see https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
    ## @param webModeler.websockets.resources.requests.cpu
    ## @param webModeler.websockets.resources.requests.memory
    ## @param webModeler.websockets.resources.limits.cpu
    ## @param webModeler.websockets.resources.limits.memory
    resources:
      requests:
        cpu: 100m
        memory: 64Mi
      limits:
        cpu: 200m
        memory: 128Mi

    ## @extra webModeler.websockets.service configuration of the Web Modeler websockets service
    service:
      ## @param webModeler.websockets.service.type defines the type of the service, see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
      type: ClusterIP
      ## @param webModeler.websockets.service.port defines the port of the service
      port: 80
      ## @param webModeler.websockets.service.annotations can be used to define annotations which will be applied to the service
      annotations: {}

  ## @extra webModeler.serviceAccount configuration for the service account the Web Modeler pods are assigned to
  serviceAccount:
    ## @param webModeler.serviceAccount.enabled if true, enables the Web Modeler service account
    enabled: true
    ## @param webModeler.serviceAccount.name can be used to set the name of the Web Modeler service account
    name: ""
    ## @param webModeler.serviceAccount.annotations can be used to set the annotations of the Web Modeler service account
    annotations: {}

  ingress:
    ## @param webModeler.ingress.enabled if true, an Ingress resource will be deployed with the Web Modeler deployment. Only useful if an Ingress controller like NGINX is available.
    enabled: false
    ## @param webModeler.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param webModeler.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip webModeler.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip webModeler.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip webModeler.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @extra webModeler.ingress.webapp configuration of the webapp ingress
    webapp:
      ## @param webModeler.ingress.webapp.host defines the host of the ingress rule, see https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules; this is the host name on which the Web Modeler web application will be available
      # webModeler.note: the value must be different from ingress.websockets.host
      host: ""
      ## @extra webModeler.ingress.webapp.tls configuration for TLS on the ingress resource, see https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      tls:
        ## @param webModeler.ingress.webapp.tls.enabled if true, TLS will be configured on the ingress resource
        enabled: false
        ## @param webModeler.ingress.webapp.tls.secretName defines the secret name which contains the TLS private key and certificate
        secretName: camunda-platform-webmodeler-webapp
    ## @extra webModeler.ingress.websockets configuration of the websockets ingress
    websockets:
      ## @param webModeler.ingress.websockets.host defines the host of the ingress rule, see https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules; this is the host name the Web Modeler client in the browser will use to connect to the WebSockets server
      # Note: the value must be different from ingress.webapp.host
      host: ""
      ## @extra webModeler.ingress.websockets.tls configuration for TLS on the ingress resource, see https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      tls:
        ## @param webModeler.ingress.websockets.tls.enabled if true, TLS will be configured on the ingress resource
        enabled: false
        ## @param webModeler.ingress.websockets.tls.secretName defines the secret name which contains the TLS private key and certificate
        secretName: camunda-platform-webmodeler-websockets

# WebModeler.
#####   ####   ####  #####  ####  #####  ######  ####   ####  #
#    # #    # #        #   #    # #    # #      #      #    # #
#    # #    #  ####    #   #      #    # #####   ####  #    # #
#####  #    #      #   #   #  ### #####  #           # #  # # #
#      #    # #    #   #   #    # #   #  #      #    # #   #  #
#       ####   ####    #    ####  #    # ######  ####   ### # ######
## @section WebModeler - PostgreSQL Parameters
## @extra postgresql configuration for the postgresql dependency chart used by Web Modeler. See the chart documentation https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters for more details.
postgresql:
  ## @param postgresql.enabled if true, a PostgreSQL database will be deployed as part of the Helm release by using the dependency chart
  # Note: if set to false, a connection to an external database must be configured instead (see WebModeler.restapi.externalDatabase)
  enabled: false
  ## @param postgresql.nameOverride defines the name of the Postgres resources (names will be prefixed with the release name), see https://github.com/bitnami/charts/tree/main/bitnami/postgresql#common-parameters
  # Note: Must be different from the default value "postgresql" which is already used for Keycloak's database
  nameOverride: postgresql-web-modeler
  ## @extra postgresql.auth configuration of the database authentication
  auth:
    ## @param postgresql.auth.username defines the name of the database user to be created for Web Modeler
    username: web-modeler
    ## @param postgresql.auth.password defines the database user's password; a random password will be generated if left empty
    password: ""
    ## @param postgresql.auth.database defines the name of the database to be created for Web Modeler
    database: web-modeler

  primary:
    ## @param postgresql.primary.extraVolumes[0].name
    ## @param postgresql.primary.extraVolumes[0].emptyDir
    ## @param postgresql.primary.extraVolumes[1].name
    ## @param postgresql.primary.extraVolumes[1].emptyDir
    ## @param postgresql.primary.extraVolumes[2].name
    ## @param postgresql.primary.extraVolumes[2].emptyDir
    extraVolumes:
    - name: tmp
      emptyDir: {}
    - name: config
      emptyDir: {}
    - name: postgresql-tmp
      emptyDir: {}
    ## @param postgresql.primary.extraVolumeMounts[0].mountPath
    ## @param postgresql.primary.extraVolumeMounts[0].name
    ## @param postgresql.primary.extraVolumeMounts[1].mountPath
    ## @param postgresql.primary.extraVolumeMounts[1].name
    ## @param postgresql.primary.extraVolumeMounts[2].mountPath
    ## @param postgresql.primary.extraVolumeMounts[2].name
    extraVolumeMounts:
    - mountPath: /tmp
      name: tmp
    - mountPath: /opt/bitnami/postgresql/conf
      name: config
    - mountPath: /opt/bitnami/postgresql/tmp
      name: postgresql-tmp
    ## @param postgresql.primary.containerSecurityContext.enabled
    ## @param postgresql.primary.containerSecurityContext.privileged
    ## @param postgresql.primary.containerSecurityContext.readOnlyRootFilesystem
    ## @param postgresql.primary.containerSecurityContext.allowPrivilegeEscalation
    ## @param postgresql.primary.containerSecurityContext.runAsNonRoot
    ## @param postgresql.primary.containerSecurityContext.runAsUser
    ## @param postgresql.primary.containerSecurityContext.capabilities.drop
    ## @param postgresql.primary.containerSecurityContext.seccompProfile.type
    containerSecurityContext:
      enabled: true
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 1001
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
    ## @param postgresql.primary.podSecurityContext.enabled
    ## @param postgresql.primary.podSecurityContext.runAsNonRoot
    ## @param postgresql.primary.podSecurityContext.fsGroup
    ## @param connectors.podSecurityContext.fsGroup
    podSecurityContext:
      enabled: true
      runAsNonRoot: true
      fsGroup: 1001

#####################################################################
 #####
#     #  ####  #    # #    # ######  ####  #####  ####  #####   ####
#       #    # ##   # ##   # #      #    #   #   #    # #    # #
#       #    # # #  # # #  # #####  #        #   #    # #    #  ####
#       #    # #  # # #  # # #      #        #   #    # #####       #
#     # #    # #   ## #   ## #      #    #   #   #    # #   #  #    #
 #####   ####  #    # #    # ######  ####    #    ####  #    #  ####
#####################################################################
## @section Connectors Parameters
## @extra connectors configuration for the Connectors.
connectors:
  ## @param connectors.enabled if true, the Connectors deployment and its related resources are deployed via a helm release
  enabled: true

  ## @extra connectors.inbound Switch for inbound mode (e.g., for webhook or polling)
  inbound:
    ## @param connectors.inbound.mode acceptable values: disabled, credentials, or oauth
    mode: oauth
    ## @extra connectors.inbound.auth configuration of the credentials authentication.
    auth:
      ## @param connectors.inbound.auth.existingSecret can be used to configure Secret name that contains connectors password
      existingSecret: ""

  ## @extra connectors.image configuration to configure the Connectors image specifics
  # https://hub.docker.com/r/camunda/connectors-bundle/tags
  image:
    ## @param connectors.image.registry can be used to set container image registry.
    registry: ""
    ## @param connectors.image.repository defines which image repository to use
    repository: camunda/connectors-bundle
    ## @param connectors.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag: 8.3.0
    ## @param connectors.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  ## @param connectors.sidecars can be used to attach extra containers to the connectors deployment
  sidecars: []
  ## @param connectors.initContainers can be used to set up extra init containers to the connectors deployment
  initContainers: []

  ## @param connectors.replicas number of Connectors replicas
  replicas: 1

  # contextPath can be used to make Connectors web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  # contextPath: "/connectors"

  ## @param connectors.podAnnotations can be used to define extra Connectors pod annotations
  podAnnotations: {}
  ## @param connectors.podLabels can be used to define extra Connectors pod labels
  podLabels: {}

  ## @extra connectors.logging configuration for the Connectors logging. This template will be directly included in the Operate configuration yaml file
  ## @param connectors.logging.level.io.camunda.connector
  logging:
    level:
      io.camunda.connector: ERROR

  ## @extra connectors.service configuration to configure the Connectors service.
  service:
    ## @param connectors.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param connectors.service.annotations can be used to define annotations, which will be applied to the Connectors service
    annotations: {}
    ## @param connectors.service.serverPort defines the port number where the Connector web application will be available
    serverPort: 8080
    ## @param connectors.service.serverName defines the port name where the Connector web application will be available
    serverName: http

  ## @extra connectors.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param connectors.resources.requests.cpu
  ## @param connectors.resources.requests.memory
  ## @param connectors.resources.limits.cpu
  ## @param connectors.resources.limits.memory
  resources:
    requests:
      cpu: 1
      memory: 1Gi
    limits:
      cpu: 2
      memory: 2Gi

  ## @param connectors.env can be used to set extra environment variables in each Connector container
  env: []
  ## @param connectors.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param connectors.extraVolumes can be used to define extra volumes for the Connectors pods, useful for TLS and self-signed certificates
  extraVolumes: []
  ## @param connectors.extraVolumeMounts can be used to mount extra volumes for the Connectors pods, useful for TLS and self-signed certificates
  extraVolumeMounts: []

  ## @extra connectors.startupProbe configuration
  startupProbe:
    ## @param connectors.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param connectors.startupProbe.scheme defines the startup probe scheme used on calling the probePath
    scheme: HTTP
    ## @param connectors.startupProbe.probePath defines the startup probe route used on the app
    probePath: /actuator/health/readiness
    ## @param connectors.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param connectors.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param connectors.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param connectors.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param connectors.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra connectors.readinessProbe configuration
  readinessProbe:
    ## @param connectors.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param connectors.readinessProbe.scheme defines the startup probe scheme used on calling the probePath
    scheme: HTTP
    ## @param connectors.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /actuator/health/readiness
    ## @param connectors.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before the probe is initiated.
    initialDelaySeconds: 30
    ## @param connectors.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param connectors.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param connectors.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param connectors.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra connectors.livenessProbe configuration
  livenessProbe:
    ## @param connectors.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param connectors.livenessProbe.scheme defines the startup probe scheme used on calling the probePath
    scheme: HTTP
    ## @param connectors.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param connectors.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    ## @param connectors.livenessProbe.initialDelaySeconds the probe is initiated.
    initialDelaySeconds: 30
    ## @param connectors.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param connectors.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param connectors.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param connectors.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra connectors.serviceAccount configuration for the service account where the Connectors pods are assigned to
  serviceAccount:
    ## @param connectors.serviceAccount.enabled if true, enables the Connectors service account
    enabled: false
    ## @param connectors.serviceAccount.name can be used to set the name of the Connectors service account
    name: ""
    ## @param connectors.serviceAccount.annotations can be used to set the annotations of the Operate service account
    annotations: {}

  ingress:
    ## @param connectors.ingress.enabled if true, an ingress resource is deployed with the Connectors deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @param connectors.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param connectors.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip connectors.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip connectors.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip connectors.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @param connectors.ingress.path defines the path which is associated with the Connectors service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param connectors.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all inbound http traffic, if specified the rule applies to that host.
    host: ""
    ## @extra connectors.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param connectors.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param connectors.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-connectors

  ## @extra connectors.podSecurityContext defines the security options the Connectors pod should be run with
  podSecurityContext:
    fsGroup: 1003

  ## @extra connectors.containerSecurityContext defines the security options the Connectors container should be run with
  ## @param connectors.containerSecurityContext.privileged
  ## @param connectors.containerSecurityContext.readOnlyRootFilesystem
  ## @param connectors.containerSecurityContext.allowPrivilegeEscalation
  ## @param connectors.containerSecurityContext.runAsNonRoot
  ## @param connectors.containerSecurityContext.runAsUser
  containerSecurityContext:
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    runAsNonRoot: true
    runAsUser: 1003

  ## @param connectors.nodeSelector can be used to define on which nodes the Connectors pods should run
  nodeSelector: {}
  ## @param connectors.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param connectors.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}


#################################################
 #####
#     #  ####  #    #  ####   ####  #      ######
#       #    # ##   # #      #    # #      #
#       #    # # #  #  ####  #    # #      #####
#       #    # #  # #      # #    # #      #
#     # #    # #   ## #    # #    # #      #
 #####   ####  #    #  ####   ####  ###### ######
#################################################
## @section Console Parameters
## @extra console configuration.
# NOTE: The values here are just placeholder and not all of them are active.
# TODO: Update Console template to match the values when the 1st dev iteration is done.
console:
  ## @param console.enabled if true, the Console deployment and its related resources are deployed via a helm release
  enabled: false

  ## @param console.createReleaseInfo Create config that will be used in console controller deployment.
  # NOTE: This should be under global but we keep it here till console is ready for alpha.
  createReleaseInfo: true

  ## @param console.managed Example for managed Camunda releases/deployments.
  managed: {}

  # Method 01: Plain
  # The full config is passed to Console as a ConfigMap.

  # managed:
  #   method: plain
  #   releases:
  #   - name: camunda-platform-dev
  #     namespace: camunda-dev
  #     version: 8.2.10
  #     components:
  #     - name: Console
  #       url: "https://example-dev.camunda.com/"
  #     - name: Optimize
  #       url: "https://example-dev.camunda.com/optimize"
  #     - name: Operate
  #       url: "https://example-dev.camunda.com/operate"
  #     - name: WebModeler WebApp
  #       url: "https://example-dev.camunda.com/modeler"
  #     - name: zeebeGateway
  #       url: "grpc://zeebe-example-dev.camunda.com/"
  #   - name: camunda-platform-stage
  #     namespace: camunda-stage
  #     version: 8.2.11
  #     components:
  #     - name: Console
  #       url: "https://example-stage.camunda.com/"
  #     - name: Optimize
  #       url: "https://example-stage.camunda.com/optimize"
  #     - name: Operate
  #       url: "https://example-stage.camunda.com/operate"
  #     - name: WebModeler WebApp
  #       url: "https://example-stage.camunda.com/modeler"
  #     - name: zeebeGateway
  #       url: "grpc://zeebe-example-stage.camunda.com/"

  # Method 02: Helm
  # With each Camunda there is a ConfigMap contains the release info.
  # Hence, only namespaces are passed as config to Console, then Console will retrieve
  # the Camunda deployment details from there.

  # managed:
  #   method: helm
  #   releases:
  #   - name: camunda-platform-dev
  #     namespace: camunda-dev
  #   - name: camunda-platform-dev
  #     namespace: camunda-stage

  ## @extra console.image configuration to configure the Console image specifics
  image:
    ## @param console.image.registry can be used to set container image registry.
    registry: registry.camunda.cloud
    ## @param console.image.repository defines which image repository to use
    repository: console/console-sm
    ## @param console.image.tag can be set to overwrite the global tag, which should be used in that chart
    tag: latest
    ## @param console.image.pullSecrets can be used to configure image pull secrets https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
    pullSecrets: []

  ## @param console.sidecars can be used to attach extra containers to the console deployment
  sidecars: []

  ## @param console.replicas Number of Console replicas
  replicas: 1

  ## @param console.contextPath can be used to make Console web application works on a custom sub-path. This is mainly used to run Camunda web applications under a single domain.
  contextPath: "/"

  ## @param console.podAnnotations can be used to define extra Console pod annotations
  podAnnotations: {}
  ## @param console.podLabels can be used to define extra Console pod labels
  podLabels: {}

  ## @param console.logging configuration for the Console logging. This template will be directly included in the Operate configuration yaml file
  logging: {}

  ## @extra console.service configuration to configure the Console service.
  service:
    ## @param console.service.type defines the type of the service https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
    type: ClusterIP
    ## @param console.service.annotations can be used to define annotations, which will be applied to the Console service
    annotations: {}
    ## @param console.service.port defines the port number where the web application will be available
    port: 8080
    ## @param console.service.serverName defines the port name where the web application will be available
    serverName: http

  ## @extra console.resources configuration to set request and limit configuration for the container https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits
  ## @param console.resources.requests.memory
  ## @param console.resources.limits.cpu
  ## @param console.resources.limits.memory
  ## @param console.resources.requests.cpu
  resources:
    requests:
      cpu: 1
      memory: 1Gi
    limits:
      cpu: 2
      memory: 2Gi

  ## @param console.env can be used to set extra environment variables in each app container
  env: []
  ## @param console.command can be used to override the default command provided by the container image. See https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/
  command: []
  ## @param console.extraVolumes can be used to define extra volumes for the Console pods, useful for TLS and self-signed certificates
  extraVolumes: []
  ## @param console.extraVolumeMounts can be used to mount extra volumes for the Console pods, useful for TLS and self-signed certificates
  extraVolumeMounts: []

  ## @extra console.startupProbe configuration
  startupProbe:
    ## @param console.startupProbe.enabled if true, the startup probe is enabled in app container
    enabled: false
    ## @param console.startupProbe.scheme defines the startup probe scheme used on calling the probePath
    scheme: HTTP
    ## @param console.startupProbe.probePath defines the startup probe route used on the app
    probePath: /health/readiness
    ## @param console.startupProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param console.startupProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param console.startupProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param console.startupProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param console.startupProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra console.readinessProbe configuration
  readinessProbe:
    ## @param console.readinessProbe.enabled if true, the readiness probe is enabled in app container
    enabled: true
    ## @param console.readinessProbe.scheme defines the startup probe scheme used on calling the probePath
    scheme: HTTP
    ## @param console.readinessProbe.probePath defines the readiness probe route used on the app
    probePath: /health/readiness
    ## @param console.readinessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param console.readinessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param console.readinessProbe.successThreshold defines how often it needs to be true to be marked as ready, after failure
    successThreshold: 1
    ## @param console.readinessProbe.failureThreshold defines when the probe is considered as failed so the Pod will be marked Unready
    failureThreshold: 5
    ## @param console.readinessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra console.livenessProbe configuration
  livenessProbe:
    ## @param console.livenessProbe.enabled if true, the liveness probe is enabled in app container
    enabled: false
    ## @param console.livenessProbe.scheme defines the startup probe scheme used on calling the probePath
    scheme: HTTP
    ## @param console.livenessProbe.probePath defines the liveness probe route used on the app
    probePath: /actuator/health/liveness
    ## @param console.livenessProbe.initialDelaySeconds defines the number of seconds after the container has started before
    # the probe is initiated.
    initialDelaySeconds: 30
    ## @param console.livenessProbe.periodSeconds defines how often the probe is executed
    periodSeconds: 30
    ## @param console.livenessProbe.successThreshold defines how often it needs to be true to be considered successful after having failed
    successThreshold: 1
    ## @param console.livenessProbe.failureThreshold defines when the probe is considered as failed so the container will be restarted
    failureThreshold: 5
    ## @param console.livenessProbe.timeoutSeconds defines the seconds after the probe times out
    timeoutSeconds: 1

  ## @extra console.serviceAccount configuration for the service account where the Console pods are assigned to
  serviceAccount:
    ## @param console.serviceAccount.enabled if true, enables the Console service account
    enabled: false
    ## @param console.serviceAccount.name can be used to set the name of the Console service account
    name: ""
    ## @param console.serviceAccount.annotations can be used to set the annotations of the Operate service account
    annotations: {}

  ingress:
    ## @param console.ingress.enabled if true, an ingress resource is deployed with the Console deployment. Only useful if an ingress controller is available, like nginx.
    enabled: false
    ## @param console.ingress.className defines the class or configuration of ingress which should be used by the controller
    className: nginx
    ## @param console.ingress.annotations [object] defines the ingress related annotations, consumed mostly by the ingress controller
    ## @skip console.ingress.annotations.ingress.kubernetes.io/rewrite-target
    ## @skip console.ingress.annotations.nginx.ingress.kubernetes.io/ssl-redirect
    ## @skip console.ingress.annotations.nginx.ingress.kubernetes.io/proxy-buffer-size
    annotations:
      ingress.kubernetes.io/rewrite-target: "/"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
      nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    ## @param console.ingress.path defines the path which is associated with the Console service and port https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    path: /
    ## @param console.ingress.host can be used to define the host of the ingress rule. https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    # If not specified the rules applies to all http traffic, if specified the rule applies to that host.
    host: ""
    ## @extra console.ingress.tls configuration for tls on the ingress resource https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    tls:
      ## @param console.ingress.tls.enabled if true, then tls is configured on the ingress resource. If enabled the Ingress.host need to be defined.
      enabled: false
      ## @param console.ingress.tls.secretName defines the secret name which contains the TLS private key and certificate
      secretName: camunda-platform-console

  ## @param console.podSecurityContext defines the security options the Console pod should be run with
  podSecurityContext: {}

  ## @param console.containerSecurityContext defines the security options the Console container should be run with
  containerSecurityContext: {}

  ## @param console.nodeSelector can be used to define on which nodes the Console pods should run
  nodeSelector: {}
  ## @param console.tolerations can be used to define pod toleration's https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
  tolerations: []
  ## @param console.affinity can be used to define pod affinity or anti-affinity https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}


#####################################################################################
#######
#       #        ##    ####  ##### #  ####   ####  ######   ##   #####   ####  #    #
#       #       #  #  #        #   # #    # #      #       #  #  #    # #    # #    #
#####   #      #    #  ####    #   # #       ####  #####  #    # #    # #      ######
#       #      ######      #   #   # #           # #      ###### #####  #      #    #
#       #      #    # #    #   #   # #    # #    # #      #    # #   #  #    # #    #
####### ###### #    #  ####    #   #  ####   ####  ###### #    # #    #  ####  #    #
#####################################################################################

## @section Elasticsearch Parameters

## @extra elasticsearch
elasticsearch:
  ## @param elasticsearch.enabled
  enabled: true
  # https://hub.docker.com/r/bitnami/elasticsearch/tags
  image:
    ## @param elasticsearch.image.repository
    repository: bitnami/elasticsearch
    ## @param elasticsearch.image.tag
    tag: 8.7.1
  ## @param elasticsearch.extraVolumes[0].name
  ## @param elasticsearch.extraVolumes[0].emptyDir
  ## @param elasticsearch.extraVolumes[1].name
  ## @param elasticsearch.extraVolumes[1].emptyDir
  ## @param elasticsearch.extraVolumes[2].name
  ## @param elasticsearch.extraVolumes[2].emptyDir
  extraVolumes:
  - name: tmp
    emptyDir: {}
  - name: logs
    emptyDir: {}
  - name: config
    emptyDir: {}
  ## @param elasticsearch.extraVolumeMounts[0].mountPath
  ## @param elasticsearch.extraVolumeMounts[0].name
  ## @param elasticsearch.extraVolumeMounts[1].mountPath
  ## @param elasticsearch.extraVolumeMounts[1].name
  ## @param elasticsearch.extraVolumeMounts[2].mountPath
  ## @param elasticsearch.extraVolumeMounts[2].name
  extraVolumeMounts:
  - mountPath: /tmp
    name: tmp
  - mountPath: /usr/share/elasticsearch/logs
    name: logs
  - mountPath: /usr/share/elasticsearch/config
    name: config
  master:
    ## @param elasticsearch.master.masterOnly
    masterOnly: false
    ## @param elasticsearch.master.heapSize
    heapSize: 1024m
    persistence:
      ## @param elasticsearch.master.persistence.size
      size: 64Gi
    resources:
      requests:
        ## @param elasticsearch.master.resources.requests.cpu cpu request
        cpu: 1
        ## @param elasticsearch.master.resources.requests.memory request
        memory: 2Gi
      limits:
        ## @param elasticsearch.master.resources.limits.cpu cpu limit
        cpu: 2
        ## @param elasticsearch.master.resources.limits.memory memory limit
        memory: 2Gi
    extraEnvVars:
    ## @param elasticsearch.master.extraEnvVars[0].name env
    - name: ELASTICSEARCH_ENABLE_REST_TLS
    ## @param elasticsearch.master.extraEnvVars[0].value env value
      value: "false"
  sysctlImage:
  ## @param elasticsearch.sysctlImage.enabled
    enabled: true
  data:
    ## @param elasticsearch.data.replicaCount
    replicaCount: 0
  coordinating:
    ## @param elasticsearch.coordinating.replicaCount
    replicaCount: 0
  ingest:
    ## @param elasticsearch.ingest.enabled
    enabled: false


#####################################################################
######
#     # #####   ####  #    # ###### ##### #    # ###### #    #  ####
#     # #    # #    # ##  ## #        #   #    # #      #    # #
######  #    # #    # # ## # #####    #   ###### #####  #    #  ####
#       #####  #    # #    # #        #   #    # #      #    #      #
#       #   #  #    # #    # #        #   #    # #      #    # #    #
#       #    #  ####  #    # ######   #   #    # ######  ####   ####
#####################################################################

## @section Prometheus Parameters

## @extra PrometheusServiceMonitor configuration to configure a prometheus service monitor
prometheusServiceMonitor:
  ## @param prometheusServiceMonitor.enabled if true then a service monitor will be deployed, which allows an installed prometheus controller to scrape metrics from the deployed pods
  enabled: false
  ## @extra promotheuServiceMonitor.labels can be set to configure extra labels, which will be added to the servicemonitor and can be used on the prometheus controller for selecting the servicemonitors
  labels:
  ## @param prometheusServiceMonitor.labels.release
    release: metrics
  ## @param prometheusServiceMonitor.scrapeInterval can be set to configure the interval at which metrics should be scraped
  # Should be *less* than 60s if the provided grafana dashboard is used, which can be found here https://github.com/camunda/zeebe/tree/main/monitor/grafana,
  # otherwise it isn't able to show any metrics which is aggregated over 1 min.
  scrapeInterval: 10s