values.yaml

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.storageClass Global StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  storageClass: ""
  postgresql:
    ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
    ##
    service:
      ports:
        postgresql: ""

## @section K8S Env parameters
##

## @param k8sSetup.platform The platform on which you install the chart. Possible values: AWSEKS/AzureAKS/GoogleGKE/PlainK8s
## @param k8sSetup.validateValues Enable validation of the values
##
k8sSetup:
  platform: PlainK8s
  validateValues: true

## @section Deploy servers common parameters
##

## @param license Sets your XL License by passing a base64 string license, which will then be added to the license file.
## Convert xl-deploy.lic files content to base64 ( cat xl-deploy.lic | base64 -w 0 ) and put the output here
##
license:
## @param licenseAcceptEula Accept EULA, in case of missing license, it will generate temporary license.
##
licenseAcceptEula: false
## @param generateXlConfig Generate configuration from environment parameters passed, and volumes mounted with custom changes. If set to false, a default config will be used and all environment variables and volumes added will be ignored.
##
generateXlConfig: true
## @param externalCentralConfig Flag to disable the embedded config server and use external config server. If "true", the embedded config server will be used and the external config server denoted by the "CENTRAL_CONFIG_URL" variable will be used
##
externalCentralConfig: true
## @param xldInProcess Used to control whether the internal in-process worker should be used or not. If you need to use external workers then this needs to be set to false.
xldInProcess: false
## @param usaCache Flag to disable/enable the use of application cache
usaCache: false
## @param appContextRoot Deploy context root.
##
appContextRoot: /

## @param clusterMode This is to specify if the HA setup is needed and to specify the HA mode. Possible values: "default", "hot-standby", "full"
##
clusterMode: full

## @section Deploy external resources

external:
  db:
    ## @param external.db.enabled Enable external database
    enabled: false
    main:
      ## @param external.db.main.url Main database URL for Deploy
      url: ""
      ## @param external.db.main.username Main database username for Deploy
      username: 
      ## @param external.db.main.password Main database password for Deploy
      password: 
      ## @param external.db.main.maxPoolSize Main database max pool size for Deploy
      maxPoolSize: ""
    report:
      ## @param external.db.report.url Report database URL for Deploy
      url: ""
      ## @param external.db.report.username Report database username for Deploy
      username:
      ## @param external.db.report.password Report database password for Deploy
      password: 
      ## @param external.db.report.maxPoolSize Report database max pool size for Deploy
      maxPoolSize: ""

  mq:
    ## @param external.mq.enabled Enable external message queue
    enabled: false
    ## @param external.mq.url External message queue broker URL for Deploy
    url: ""
    ## @param external.mq.queueName External message queue name for Deploy
    queueName: ""
    ## @param external.mq.username External message queue broker username for Deploy
    username: 
    ## @param external.mq.password External message queue broker password for Deploy
    password: 
    ## @param external.mq.driverClassName External message queue driver class name for Deploy
    driverClassName: ""
    ## @param external.mq.queueType Valid only for External rabbitmq message queue. Possible values: "quorum", "classic"
    queueType: "classic"

## @section Deploy keystore and truststore parameters

keystore:
  ## @param keystore.passphrase Set passphrase for the keystore
  passphrase:
  ## @param keystore.keystore Use repository-keystore.jceks files content ecoded with base64
  # https://docs.xebialabs.com/v.9.8/deploy/how-to/update-the-xl-deploy-digital-certificate/#view-the-certificate
  # Convert repository-keystore.jceks files content to base64
  # ( cat repository-keystore.jceks | base64 -w 0 ) and put the output here
  # if empty during initial run, the default keystore will be generated with provided "passphrase"
  keystore:

truststore:
  ## @param truststore.type Type of truststore, possible value jks or jceks or pkcs12
  type: "pkcs12"
  ## @param truststore.password Truststore password
  password: 
  ## @param truststore.truststore Truststore file base64 encoded
  truststore: {}
  ## @param truststore.params Truststore params in the command line
  params: "{{- if .Values.truststore.truststore }} -Djavax.net.ssl.trustStore=$(TRUSTSTORE) -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD) -Djavax.net.ssl.trustStoreType=$(TRUSTSTORE_TYPE){{- end }}"


## @section Deploy hooks
##

hooks:
  ## @param busyBox.image.registry busyBox container image registry
  ## @param busyBox.image.repository busyBox container image repository
  ## @param busyBox.image.tag busyBox container image tag
  ## @param busyBox.image.pullPolicy busyBox container image pull policy
  ## @param busyBox.image.pullSecrets Specify docker-registry secret names as an array
  ##
  getLicense:
    ## @param hooks.getLicense.enabled set to true to support license auto generation by using helm hook, it is working together with enabled licenseAcceptEula
    enabled: true
    ## @param hooks.getLicense.name Name of the resources that will be used during hook execution
    name: '{{ include "common.names.fullname" . }}-license'
    ## @param hooks.getLicense.deletePolicy Helm hook delete policy
    deletePolicy: "before-hook-creation,hook-succeeded"
    ## @param hooks.getLicense.getCommand The command for getting temporary license, see hooks.getLicense.configuration.bin_get-license
    getCommand:
      - /opt/xebialabs/xl-deploy-server/bin/get-license.sh
    ## @param hooks.getLicense.installCommand The command for creating the secret with the license, see hooks.getLicense.configuration.bin_install-license
    installCommand:
      - /opt/xebialabs/xl-deploy-server/bin/install-license.sh

    ## @param hooks.getLicense.image.registry getLicense hook container image registry
    ## @param hooks.getLicense.image.repository getLicense hook container image repository
    ## @param hooks.getLicense.image.tag getLicense hook container image tag
    ## @param hooks.getLicense.image.pullPolicy getLicense hook container image pull policy
    ## @param hooks.getLicense.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: docker.io
      repository: bitnami/kubectl
      tag: 1.30.6-debian-12-r0
      ## Specify a imagePullPolicy
      ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
      ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## @param hooks.getLicense.containerSecurityContext.enabled Enabled get licence containers' Security Context
    ## @param hooks.getLicense.containerSecurityContext.runAsNonRoot Set get licence container's Security Context runAsNonRoot
    ## @param hooks.getLicense.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only
    ## @param hooks.getLicense.containerSecurityContext.allowPrivilegeEscalation Set get licence container's Security Context allowPrivilegeEscalation
    ## @extra hooks.getLicense.containerSecurityContext.capabilities Set get licence container's Security Context capabilities
    ## @skip hooks.getLicense.containerSecurityContext.capabilities
    ## @extra hooks.getLicense.containerSecurityContext.seccompProfile Set get licence container's Security Context seccompProfile
    ## @skip hooks.getLicense.containerSecurityContext.seccompProfile
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## Example:
    ##   containerSecurityContext:
    ##     capabilities:
    ##       drop: ["NET_RAW"]
    ##     readOnlyRootFilesystem: true
    ##
    containerSecurityContext:
      enabled: true
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault
    ## @extra hooks.getLicense.configuration Deploy Configuration file content
    ## Do not override unless you know what you are doing.
    ##
    configuration:
      ## @extra hooks.getLicense.configuration.bin_get-license The configuration of the script for getting the license
      ## @param hooks.getLicense.configuration.bin_get-license.path The path to the script for getting the license
      ## @param hooks.getLicense.configuration.bin_get-license.mode The access mode of the script for getting the license
      ## @param hooks.getLicense.configuration.bin_get-license.content Content of the script for getting the license
      bin_get-license:
        path: "bin/get-license.sh"
        mode: 0755
        content: |
          #!/bin/bash

          echo "Requesting unregistered license"
          SERVER_PATH_PART=https://download.xebialabs.com
          echo -e $(curl -X POST "${SERVER_PATH_PART}/api/unregistered/xl-deploy" | jq --raw-output .license) > ${APP_HOME}/conf/deployit-license.lic
          file_size=$(stat -c%s "${APP_HOME}/conf/deployit-license.lic")
          if [ "$file_size" -lt 10 ]; then
            echo "License file is NOT valid"
            exit 1
          fi

      ## @extra hooks.getLicense.configuration.bin_install-license The configuration of the script for setting up license secret
      ## @param hooks.getLicense.configuration.bin_install-license.path The path to the script for setting up license secret
      ## @param hooks.getLicense.configuration.bin_install-license.mode The access mode of the script for setting up license secret
      ## @param hooks.getLicense.configuration.bin_install-license.content Content of the script for setting up license secret
      bin_install-license:
        path: "bin/install-license.sh"
        mode: 0755
        content: |
          #!/bin/bash

          SECRET_NAME="{{ include "common.tplvalues.render" ( dict "value" $.Values.hooks.getLicense.name "context" $ ) }}"
          FILE_PATH="/opt/xebialabs/xl-deploy-server/conf/deployit-license.lic"
          
          if kubectl get secret "$SECRET_NAME" > /dev/null 2>&1; then
            echo "Secret '$SECRET_NAME' exists skipping creation."
          else
            kubectl create secret generic $SECRET_NAME \
              --from-file=$FILE_PATH \
              --dry-run=client \
              -o yaml | kubectl apply -f -
          fi

  genSelfSigned:
    ## @param hooks.genSelfSigned.enabled set to true to support self-signed ket auto generation by using helm hook
    enabled: false
    ## @param hooks.genSelfSigned.name Name of the resources that will be used during hook execution
    name: '{{ include "common.names.fullname" . }}-self-signed'
    ## @param hooks.genSelfSigned.deletePolicy Helm hook delete policy
    deletePolicy: "before-hook-creation,hook-succeeded"
    ## @param hooks.genSelfSigned.genCommand The command for getting self-signed key, see hooks.genSelfSigned.configuration.bin_gen-self-signed
    genCommand:
      - /opt/xebialabs/xl-deploy-server/bin/gen-self-signed.sh
    ## @param hooks.genSelfSigned.installCommand The command for creating the secret with the self-signed key, see hooks.genSelfSigned.configuration.bin_install-self-signed
    installCommand:
      - /opt/xebialabs/xl-deploy-server/bin/install-self-signed.sh

    ## @param hooks.genSelfSigned.image.registry genSelfSigned hook container image registry
    ## @param hooks.genSelfSigned.image.repository genSelfSigned hook container image repository
    ## @param hooks.genSelfSigned.image.tag genSelfSigned hook container image tag
    ## @param hooks.genSelfSigned.image.pullPolicy genSelfSigned hook container image pull policy
    ## @param hooks.genSelfSigned.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: docker.io
      repository: bitnami/kubectl
      tag: 1.30.6-debian-12-r0
      ## Specify a imagePullPolicy
      ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
      ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## @param hooks.genSelfSigned.containerSecurityContext.enabled Enabled generate self-signed containers' Security Context
    ## @param hooks.genSelfSigned.containerSecurityContext.runAsNonRoot Set generate self-signed container's Security Context runAsNonRoot
    ## @param hooks.genSelfSigned.containerSecurityContext.allowPrivilegeEscalation Set generate self-signed container's Security Context allowPrivilegeEscalation
    ## @param hooks.genSelfSigned.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only
    ## @extra hooks.genSelfSigned.containerSecurityContext.capabilities Set generate self-signed container's Security Context capabilities
    ## @skip hooks.genSelfSigned.containerSecurityContext.capabilities
    ## @extra hooks.genSelfSigned.containerSecurityContext.seccompProfile Set generate self-signed container's Security Context seccompProfile
    ## @skip hooks.genSelfSigned.containerSecurityContext.seccompProfile
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## Example:
    ##   containerSecurityContext:
    ##     capabilities:
    ##       drop: ["NET_RAW"]
    ##     readOnlyRootFilesystem: true
    ##
    containerSecurityContext:
      enabled: true
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault
    ## @extra hooks.genSelfSigned.configuration Deploy Configuration file content
    ## Do not override unless you know what you are doing.
    ##
    configuration:
      ## @extra hooks.genSelfSigned.configuration.bin_gen-self-signed The configuration of the script for creating self signed key
      ## @param hooks.genSelfSigned.configuration.bin_gen-self-signed.path The path to the script forcreating self signed key
      ## @param hooks.genSelfSigned.configuration.bin_gen-self-signed.mode The access mode of the script for creating self signed key
      ## @param hooks.genSelfSigned.configuration.bin_gen-self-signed.content Content of the script for creating self signed key
      bin_gen-self-signed:
        path: "bin/gen-self-signed.sh"
        mode: 0755
        content: |
          #!/bin/bash

          echo "Generating deploy self-signed cert"
          HOSTNAME="{{- include "deploy.hostname" . -}}"
          STOREPASS="{{- .Values.ssl.keystorePassword -}}"
          KEYPASS="{{- .Values.ssl.keystoreKeypassword -}}"
          KEYTYPE="{{- .Values.ssl.keystoreType -}}"
          keytool -genkey -keyalg RSA -alias dai-deploy -keystore conf/keystore.$KEYTYPE -validity 365 -keysize 2048 -storepass "$STOREPASS" -storetype "$KEYTYPE" -keypass "$KEYPASS" \
            -dname "CN=$HOSTNAME,OU=,O=Digital.ai Deploy,L=,ST=,C=" \
            -ext "SAN=DNS:{{- include "common.names.fullname" . -}}.local"
          keytool -export -alias dai-deploy -keystore conf/keystore.$KEYTYPE -rfc -file conf/public.cert -storepass "$STOREPASS" -storetype "$KEYTYPE" -keypass "$KEYPASS"

      ## @extra hooks.genSelfSigned.configuration.bin_install-self-signed The configuration of the script for setting up self-signed key secret
      ## @param hooks.genSelfSigned.configuration.bin_install-self-signed.path The path to the script for setting up self-signed key secret
      ## @param hooks.genSelfSigned.configuration.bin_install-self-signed.mode The access mode of the script for setting up self-signed key secret
      ## @param hooks.genSelfSigned.configuration.bin_install-self-signed.content Content of the script for setting up self-signed key secret
      bin_install-self-signed:
        path: "bin/install-self-signed.sh"
        mode: 0755
        content: |
          #!/bin/bash

          SECRET_NAME="{{ include "common.tplvalues.render" ( dict "value" $.Values.hooks.genSelfSigned.name "context" $ ) }}"
          KEYSTORE_FILE_PATH="/opt/xebialabs/xl-deploy-server/conf/keystore.{{- .Values.ssl.keystoreType -}}"
          CERT_FILE_PATH="/opt/xebialabs/xl-deploy-server/conf/public.cert"
          
          if kubectl get secret "$SECRET_NAME" > /dev/null 2>&1; then
            echo "Secret '$SECRET_NAME' exists skipping creation."
          else
            kubectl create secret generic $SECRET_NAME \
              --from-file=$KEYSTORE_FILE_PATH \
              --from-file=$CERT_FILE_PATH \
              --dry-run=client \
              -o yaml | kubectl apply -f -
          fi

## @section Deploy satellite parameters
##

satellite:
  ## @param satellite.enabled Enable support to work with Deploy Satellites
  enabled: false

## @section Deploy security parameters
##

## Deploy Authentication parameters
##
auth:
  ## @param auth.adminPassword Admin password for Deploy. If user does not provide password, random 10 character alphanumeric string will be generated.
  adminPassword:

ssl:
  ## @param ssl.enabled Enable SSL to be used on Deploy
  enabled: false
  ## @param ssl.keystorePassword Keystore password with SSL key.
  keystorePassword: changeme
  ## @param ssl.keystoreKeypassword Keystore key password with SSL key.
  keystoreKeypassword: changeme
  ## @param ssl.keystoreType Keystore type, options pkcs12 or jks.
  keystoreType: pkcs12
  ## @extra ssl.keystore Keystore content in base64 format or it can reference the existing secret.
  ## @param ssl.keystore.valueFrom.secretKeyRef.name Name of the secret where the keystore was stored.
  ## @param ssl.keystore.valueFrom.secretKeyRef.key Name of the key in the secret where the keystore was stored.
  keystore:
    valueFrom:
      secretKeyRef:
        name: '{{ include "common.tplvalues.render" ( dict "value" .Values.hooks.genSelfSigned.name "context" $ ) }}'
        key: keystore.{{ .Values.ssl.keystoreType }}

## @section Deploy Central Configuration parameters
##

centralConfiguration:
  ## @param centralConfiguration.overrideName If set the template will override the STS name.
  ##
  overrideName: ""
  ## @param centralConfiguration.useIpAsHostname Set IP address of the container as the hostname for the instance.
  ## If set to true then IP will be used instead of the container ID. This is useful
  ## when deploying XL Deploy as active-active cluster using docker compose as Pekko cannot resolve aliases within the docker network.
  ##
  useIpAsHostname: false
  ## @param centralConfiguration.terminationGracePeriodSeconds Default duration in seconds k8s waits for container to exit before sending kill signal.
  ## Any time in excess of 10 seconds will be spent waiting for any synchronization necessary for cluster not to lose data.
  ##
  terminationGracePeriodSeconds: 10
  ## @param centralConfiguration.encryptKey spring cloud config encryption key
  encryptKey:
  ## @param centralConfiguration.migrateFromEmbedded Migrate to central configuration seprate server based setup
  migrateFromEmbedded: false

  ## @param centralConfiguration.replicaCount Number of deploy replicas to deploy
  ##
  replicaCount: 1

  ## @section deploy Central Configuration Image parameters
  ## deploy image version
  ## ref: https://hub.docker.com/r/xebialabs/xl-deploy/tags/
  ## @param centralConfiguration.image.registry deploy image registry
  ## @param centralConfiguration.image.repository deploy image repository
  ## @param centralConfiguration.image.tag deploy image tag (immutable tags are recommended)
  ## @param centralConfiguration.image.pullPolicy deploy image pull policy
  ## @param centralConfiguration.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: docker.io
    repository: xebialabsunsupported/central-configuration
    tag: "{{ .Chart.AppVersion }}"
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []

  ## @section Central Configuration debug parameters
  ##

  ## Enable diagnostic mode in the deployment
  ##
  diagnosticMode:
    ## @param centralConfiguration.diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
    ##
    enabled: false
    ## @param centralConfiguration.diagnosticMode.command Command to override all containers in the deployment
    ##
    command:
      - /opt/xebialabs/tini
    ## @param centralConfiguration.diagnosticMode.args Args to override all containers in the deployment
    ##
    args:
      - --
      - sleep
      - infinity
  ## Enable debug mode in the deployment
  ##
  debugMode:
    ## @param centralConfiguration.debugMode.enabled Enable debug mode (it starts all process with debug agent)
    ##
    enabled: false
    ## @param centralConfiguration.debugMode.remoteJvmParams Agent lib configuration line with port. Do port forwarding to the port you would like to use.
    ##
    remoteJvmParams: "{{- if .Values.centralConfiguration.debugMode.enabled }} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8001{{- end }}"      

  ## @section Central configuration DNS parameters
  ##

  ## @param centralConfiguration.hostAliases Deployment pod host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: [ ]
  ## @param centralConfiguration.dnsPolicy DNS Policy for pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
  ## E.g.
  ## dnsPolicy: ClusterFirst
  dnsPolicy: ""
  ## @param centralConfiguration.dnsConfig DNS Configuration pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
  ## E.g.
  ## dnsConfig:
  ##   options:
  ##   - name: ndots
  ##     value: "4"
  dnsConfig: { }

  ## @section Central configuration resource parameters
  ##

  ## Deploy central configuration containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param centralConfiguration.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
  ##
  resourcesPreset: "micro"
  ## @param centralConfiguration.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources: 
  ##   limits:
  ##     cpu: 1000m
  ##     memory: 2Gi
  ##   requests:
  ##     cpu: 1000m
  ##     memory: 2Gi
  ##
  resources: {}

  ## @section Central configuration Statefulset parameters
  ##

  ## Configure containers' extra options for liveness and readiness probe for the Deploy central configuration
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param centralConfiguration.health.enabled Enable probes
  ## @param centralConfiguration.health.periodScans Period seconds for probe
  ## @param centralConfiguration.health.probeFailureThreshold Failure threshold for probe
  ## @param centralConfiguration.health.probesLivenessTimeout Initial delay seconds for livenessProbe
  ## @param centralConfiguration.health.probesReadinessTimeout Initial delay seconds for readinessProbe
  ##
  health:
    enabled: true
    periodScans: 10
    probeFailureThreshold: 12
    probesLivenessTimeout: 20
    probesReadinessTimeout: 20


  ## @param centralConfiguration.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## deploy should be initialized one by one when building cluster.
  ## Therefore, the default value of podManagementPolicy is 'OrderedReady'
  ## @param centralConfiguration.podManagementPolicy Pod management policy
  ##
  podManagementPolicy: OrderedReady
  ## @extra centralConfiguration.podLabels deploy Pod labels. Evaluated as a template
  ## @param centralConfiguration.podLabels.app.kubernetes.io/component Label with component name
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels:
    "app.kubernetes.io/component": centralConfiguration
  ## @param centralConfiguration.podAnnotations deploy Pod annotations. Evaluated as a template
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param centralConfiguration.updateStrategy.type Update strategy type for deploy statefulset
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType - for Deploy master is set OnDelete update strategy because Deploy master needs to start in incremental pod sequence
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @extra centralConfiguration.statefulsetLabels deploy statefulset labels. Evaluated as a template
  ## @param centralConfiguration.statefulsetLabels.app.kubernetes.io/component Label with component name
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  statefulsetLabels:
    "app.kubernetes.io/component": centralConfiguration
  ## @param centralConfiguration.statefulsetAnnotations Deploy central configuration statefulset annotations. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  statefulsetAnnotations: {}
  ## @param centralConfiguration.priorityClassName Name of the priority class to be used by deploy pods, priority class needs to be created beforehand
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param centralConfiguration.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param centralConfiguration.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param centralConfiguration.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param centralConfiguration.nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param centralConfiguration.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []

  ## @param centralConfiguration.affinity Affinity for pod assignment. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and  nodeAffinityPreset will be ignored when it's set
  ##
  affinity: { }
  ## @param centralConfiguration.nodeSelector Node labels for pod assignment. Evaluated as a template
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  ##
  nodeSelector: { }
  ## @param centralConfiguration.tolerations Tolerations for pod assignment. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: [ ]
  ## @param centralConfiguration.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: [ ]

  ## deploy pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param centralConfiguration.podSecurityContext.enabled Enable deploy pods' Security Context
  ## @param centralConfiguration.podSecurityContext.runAsUser Set Deploy pod's Security Context runAsUser
  ## @param centralConfiguration.podSecurityContext.fsGroup Set deploy pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    runAsUser: 10001
    fsGroup: 10001

  ## @param centralConfiguration.containerSecurityContext.enabled Enabled deploy containers' Security Context
  ## @param centralConfiguration.containerSecurityContext.runAsNonRoot Set deploy container's Security Context runAsNonRoot
  ## @param centralConfiguration.containerSecurityContext.allowPrivilegeEscalation Set deploy container's Security Context allowPrivilegeEscalation
  ## @param centralConfiguration.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only
  ## @extra centralConfiguration.containerSecurityContext.capabilities Set deploy container's Security Context capabilities
  ## @skip centralConfiguration.containerSecurityContext.capabilities
  ## @extra centralConfiguration.containerSecurityContext.seccompProfile Set deploy container's Security Context seccompProfile
  ## @skip centralConfiguration.containerSecurityContext.seccompProfile
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## Example:
  ##   containerSecurityContext:
  ##     capabilities:
  ##       drop: ["NET_RAW"]
  ##     readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
      - ALL
    seccompProfile:
      type: RuntimeDefault

  ## @param centralConfiguration.initContainers Add init containers to the deploy pod
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##     resources: {}
  ##
  initContainers: []
  ## @param centralConfiguration.sidecars Add sidecar containers to the deploy pod
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##     resources: {}
  ##
  sidecars: []

  ## @section Central Configuration Init Container parameters
  ##

  ## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
  ## values from the securityContext section of the component
  ##
  volumePermissions:
    ## @param centralConfiguration.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
    ##
    enabled: false
    ## @param centralConfiguration.volumePermissions.image.registry Init container volume-permissions image registry
    ## @param centralConfiguration.volumePermissions.image.repository Init container volume-permissions image repository
    ## @param centralConfiguration.volumePermissions.image.tag Init container volume-permissions image tag
    ## @param centralConfiguration.volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param centralConfiguration.volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
    ## @param centralConfiguration.volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: docker.io
      repository: bitnami/os-shell
      tag: 12-debian-12-r31
      digest: ""
      ## Specify a imagePullPolicy
      ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
      ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## @param centralConfiguration.volumePermissions.script Script for changing the owner and group of the persistent volume(s). Paths are declared in the 'paths' variable.
    script: |
      #!/bin/bash
      
      declare -a paths=( {{ range $path := .Values.centralConfiguration.persistence.paths }} "{{ $path }}"{{ end }} )
      for path in "${paths[@]}"; do
        echo "Changing ownership to {{ .Values.centralConfiguration.containerSecurityContext.runAsUser }}:{{ .Values.centralConfiguration.podSecurityContext.fsGroup }} for ${path}"
        chown "{{ .Values.centralConfiguration.containerSecurityContext.runAsUser }}:{{ .Values.centralConfiguration.podSecurityContext.fsGroup }}" "${path}"
        find "${path}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
          xargs -r chown -R "{{ .Values.centralConfiguration.containerSecurityContext.runAsUser }}:{{ .Values.centralConfiguration.podSecurityContext.fsGroup }}"
      done
    ## Init Container resource requests and limits
    ## @extra centralConfiguration.volumePermissions.resources.limits Init container volume-permissions resource limits
    ## @skip centralConfiguration.volumePermissions.resources.limits
    ## @skextraip centralConfiguration.volumePermissions.resources.requests Init container volume-permissions resource requests
    ## @skip centralConfiguration.volumePermissions.resources.requests
    ##
    resources:
      limits:
        cpu: "150m"
        memory: "192Mi"
        ephemeral-storage: "2Gi"
      requests:
        cpu: "100m"
        memory: "128Mi"
        ephemeral-storage: "50Mi"
    ## Init container' Security Context
    ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
    ## and not the below volumePermissions.containerSecurityContext.runAsUser
    ## @param centralConfiguration.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process
    ## @param centralConfiguration.volumePermissions.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only
    ## @param centralConfiguration.volumePermissions.containerSecurityContext.runAsUser User ID for the init container
    ## @param centralConfiguration.volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
    ## @param centralConfiguration.volumePermissions.containerSecurityContext.runAsNonRoot Set volume permissions init container's Security Context runAsNonRoot
    ## @extra centralConfiguration.volumePermissions.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
    ## @skip centralConfiguration.volumePermissions.containerSecurityContext.seccompProfile
    ##
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsUser: 0
      runAsGroup: 0
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault

  ## @section Central Configuration Pod Disruption Budget configuration
  ##

  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ##
  pdb:
    ## @param centralConfiguration.pdb.create Enable/disable a Pod Disruption Budget creation
    ##
    create: false
    ## @param centralConfiguration.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
    ##
    minAvailable: 1
    ## @param centralConfiguration.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
    ##
    maxUnavailable: ""

  ## @section Central Configuration Persistence parameters
  ##

  persistence:
    ## @param centralConfiguration.persistence.enabled Enable deploy data persistence using PVC
    ##
    enabled: false
    ## @param centralConfiguration.persistence.single Enable deploy data to use single PVC
    ##
    single: false
    ## @param centralConfiguration.persistence.storageClass PVC Storage Class for deploy data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param centralConfiguration.persistence.selector Selector to match an existing Persistent Volume
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: { }
    ## @param centralConfiguration.persistence.accessModes PVC Access Modes for deploy data volume
    ##
    accessModes:
      - ReadWriteOnce
    ## @param centralConfiguration.persistence.existingClaim Provide an existing PersistentVolumeClaims
    ## The value is evaluated as a template
    ## So, for example, the name can depend on .Release or .Chart
    ##
    existingClaim: ""
    ## @param centralConfiguration.persistence.size PVC Storage Request for deploy data volume
    ##
    size: 1Gi
    ## @extra centralConfiguration.persistence.annotations Persistence annotations. Evaluated as a template
    ## @param centralConfiguration.persistence.annotations.helm.sh/resource-policy Persistence annotation for keeping created PVCs
    ## Example:
    ## annotations:
    ##   example.io/disk-volume-type: SSD
    ##
    annotations:
      helm.sh/resource-policy: "keep"
    ## @param centralConfiguration.persistence.paths mounted paths for the Deploy master
    paths: []
    ## @param centralConfiguration.persistence.emptyDirPaths mounted empty-dir mounts to have wrtieable paths
    emptyDirPaths:
      - /tmp
      - /opt/xebialabs/central-configuration-server/centralConfiguration
      - /opt/xebialabs/central-configuration-server/conf
      - /opt/xebialabs/central-configuration-server/log

  ## @section Central Configuration Deploy runtime parameters
  ##

  ## @param centralConfiguration.jvmArgs Deploy centralConfiguration JVM arguments
  ##
  jvmArgs: ""

  ## @param centralConfiguration.command Override default container command (useful when using custom images)
  ##
  command:
    - /opt/xebialabs/tini
  ## @param centralConfiguration.args Override default container args (useful when using custom images)
  ##
  args:
    - --
    - /opt/xebialabs/central-configuration-server/bin/run-in-operator.sh
  ## @param centralConfiguration.lifecycleHooks Overwrite livecycle for the deploy container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: { }
  ## @extra centralConfiguration.ssl This section exists as placeholder, but the CC HTTPS is not yet supported.
  ssl:
    ## @param centralConfiguration.ssl.enabled Enable SSL to be used on Deploy
    enabled: false
    ## @param centralConfiguration.ssl.keystorePassword Keystore password with SSL key.
    keystorePassword: changeme
    ## @param centralConfiguration.ssl.keystoreKeypassword Keystore key password with SSL key.
    keystoreKeypassword: changeme
    ## @param centralConfiguration.ssl.keystoreType Keystore type, options pkcs12 or jks.
    keystoreType: pkcs12
    ## @extra centralConfiguration.ssl.keystore Keystore content in base64 format or it can reference the existing secret.
    ## @param centralConfiguration.ssl.keystore.valueFrom.secretKeyRef.name Name of the secret where the keystore was stored.
    ## @param centralConfiguration.ssl.keystore.valueFrom.secretKeyRef.key Name of the key in the secret where the keystore was stored.
    keystore:
      valueFrom:
        secretKeyRef:
          name: '{{ include "common.tplvalues.render" ( dict "value" .Values.hooks.genSelfSigned.name "context" $ ) }}'
          key: keystore.{{ .Values.ssl.keystoreType }}
  ## @param centralConfiguration.logback.globalLoggingLevel Global logging level. Possible values: "trace", "debug", "info", "warn", "error".
  ## @param centralConfiguration.logback.scanEnabled Enables scanning of logback.xml.
  ## @param centralConfiguration.logback.scanPeriod Interval for checking logback.xml configuration.
  ##
  logback:
    globalLoggingLevel: "info"
    scanEnabled: true
    scanPeriod: "30 seconds"
  ## @param centralConfiguration.extraEnvVars Extra environment variables to add to deploy pods
  ## E.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: BAR
  ##
  extraEnvVars: [ ]
  ## @param centralConfiguration.extraEnvVarsCM Name of existing ConfigMap containing extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param centralConfiguration.extraEnvVarsSecret Name of existing Secret containing extra environment variables (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""

  ## Container Ports
  ## @param centralConfiguration.containerPorts.ccHttp Deploy central configuration HTTP port value exposed on the central configuration container
  ## @param centralConfiguration.containerPorts.ccHttps Deploy central configuration HTTPS port value exposed on the central configuration container
  ##
  containerPorts:
    ccHttp: 8888
    ccHttps: 8843

  ## @param centralConfiguration.extraContainerPorts Extra ports to be included in container spec, primarily informational
  ## E.g:
  ## extraContainerPorts:
  ## - name: new_port_name
  ##   containerPort: 1234
  ##
  extraContainerPorts: [ ]

  ## @extra centralConfiguration.configuration deploy Configuration file content: required cluster configuration
  ## Do not override unless you know what you are doing.
  ## To add more configuration, use `extraConfiguration` of `advancedConfiguration` instead
  ##
  configuration:
    ## @extra centralConfiguration.configuration.bin_run-in-operator-sh The script for starting the central configuration with K8S configuration
    ## @param centralConfiguration.configuration.bin_run-in-operator-sh.path The path for the script for starting the central configuration with K8S configuration
    ## @param centralConfiguration.configuration.bin_run-in-operator-sh.mode The access mode for the script for starting the central configuration with K8S configuration
    ## @param centralConfiguration.configuration.bin_run-in-operator-sh.content Content of the script for starting the central configuration with K8S configuration
    "bin_run-in-operator-sh":
      path: "bin/run-in-operator.sh"
      mode: 0755
      content: |
        #!/bin/bash
        
        echo "Delete empty files to replace them with latest configuration"
        find /opt/xebialabs/central-configuration-server/centralConfiguration -maxdepth 1 -type f -empty -print -delete
        {{- if .Values.oidc.enabled }}
        if [[ ${GENERATE_XL_CONFIG,,} != "true" ]]; then
          echo "Not generating deploy-oidc.yaml as GENERATE_XL_CONFIG != 'true'"
        elif [[ -e ${APP_HOME}/central-conf/deploy-oidc.yaml.template && ! -f "${APP_HOME}/centralConfiguration/deploy-oidc.yaml" ]]; then
          echo "Generate configuration file deploy-oidc.yaml from environment parameters"
          sed -e "s#\${XL_DB_DRIVER}#${XL_DB_DRIVER}#g" \
          -e "s#\${HOSTNAME_SUFFIX}#${HOSTNAME_SUFFIX}#g" \
          -e "s#\${DNS_RESOLVER}#${DNS_RESOLVER}#g" \
          -e "s#\${HOSTNAME}#${HOSTNAME}#g" \
          -e "s#\${XLD_TASK_QUEUE_DRIVER_CLASS_NAME}#${JMS_DRIVER_CLASS_NAME}#g" \
          -e "s#\${XL_CLUSTER_MODE}#${XL_CLUSTER_MODE}#g" \
          -e "s#\${XL_DB_URL}#${XL_DB_URL}#g" \
          -e "s#\${XL_DB_USERNAME}#${XL_DB_USERNAME}#g" \
          -e "s#\${XL_DB_PASSWORD}#${XL_DB_PASSWORD}#g" \
          -e "s#\${XL_DB_MAX_POOL_SIZE}#${XL_DB_MAX_POOL_SIZE}#g" \
          -e "s#\${XL_REPORT_DB_URL}#${XL_REPORT_DB_URL}#g" \
          -e "s#\${XL_REPORT_DB_USERNAME}#${XL_REPORT_DB_USERNAME}#g" \
          -e "s#\${XL_REPORT_DB_PASSWORD}#${XL_REPORT_DB_PASSWORD}#g" \
          -e "s#\${XL_REPORT_DB_MAX_POOL_SIZE}#${XL_REPORT_DB_MAX_POOL_SIZE}#g" \
          -e "s#\${XL_METRICS_ENABLED}#${XL_METRICS_ENABLED}#g" \
          -e "s#\${XLD_IN_PROCESS}#${XLD_IN_PROCESS}#g" \
          -e "s#\${XLD_TASK_QUEUE_NAME}#${XLD_TASK_QUEUE_NAME}#g" \
          -e "s#\${XLD_TASK_QUEUE_IN_PROCESS_MAX_DISK_USAGE}#${XLD_TASK_QUEUE_IN_PROCESS_MAX_DISK_USAGE}#g" \
          -e "s#\${XLD_TASK_QUEUE_IN_PROCESS_SHUTDOWN_TIMEOUT}#${XLD_TASK_QUEUE_IN_PROCESS_SHUTDOWN_TIMEOUT}#g" \
          -e "s#\${XLD_TASK_QUEUE_DRIVER_CLASS_NAME}#${XLD_TASK_QUEUE_DRIVER_CLASS_NAME}#g" \
          -e "s#\${XLD_TASK_QUEUE_URL}#${XLD_TASK_QUEUE_URL}#g" \
          -e "s#\${XLD_TASK_QUEUE_USERNAME}#${XLD_TASK_QUEUE_USERNAME}#g" \
          -e "s#\${XLD_TASK_QUEUE_PASSWORD}#${XLD_TASK_QUEUE_PASSWORD}#g" \
          -e "s#\${HOSTNAME_SUFFIX}#${HOSTNAME_SUFFIX}#g" \
          -e "s#\${XL_LICENSE_KIND}#${XL_LICENSE_KIND}#g" \
          -e "s#\${GENERATE_XL_CONFIG}#${GENERATE_XL_CONFIG}#g" \
          -e "s#\${USE_IP_AS_HOSTNAME}#${USE_IP_AS_HOSTNAME}#g" \
          -e "s#\${ENABLE_SATELLITE}#${ENABLE_SATELLITE}#g" \
          -e "s#\${CENTRAL_CONFIG_ENCRYPT_KEY}#${CENTRAL_CONFIG_ENCRYPT_KEY}#g" \
          -e "s#\${USE_CACHE}#${USE_CACHE}#g" \
          -e "s#\${OIDC_CLIENT_ID}#${OIDC_CLIENT_ID}#g" \
          -e "s#\${OIDC_CLIENT_SECRET}#${OIDC_CLIENT_SECRET}#g" \
          -e "s#\${OIDC_CLIENT_AUTH_JWT_KEYSTORE_PASSWORD}#${OIDC_CLIENT_AUTH_JWT_KEYSTORE_PASSWORD}#g" \
          -e "s#\${OIDC_CLIENT_AUTH_JWT_KEY_PASSWORD}#${OIDC_CLIENT_AUTH_JWT_KEY_PASSWORD}#g" \
          -e "s#\${OIDC_ACCESS_TOKEN_SECRET_KEY}#${OIDC_ACCESS_TOKEN_SECRET_KEY}#g" \
          ${APP_HOME}/central-conf/deploy-oidc.yaml.template > ${APP_HOME}/centralConfiguration/deploy-oidc.yaml
        fi
        {{- end }}

        # copy central-conf files
        cd ${APP_HOME}/central-conf
        echo "... Copying default centralConfiguration from ${APP_HOME}/central-conf"
        for f in *; do
          if [[ $f == *.template ]]; then
            continue
          fi
          if [ -f ${APP_HOME}/centralConfiguration/$f ]; then
            echo "... Not copying $f because it already exists in the centralConfiguration directory"
          else
            echo "... Copying $f to the centralConfiguration directory"
            cp -R $f ${APP_HOME}/centralConfiguration/
          fi
        done
        cd ${APP_HOME}

        exec /opt/xebialabs/central-configuration-server/bin/run-in-container.sh $@
    ## @extra centralConfiguration.configuration.central-conf_deploy-server-yaml-template The configuration file deploy-server.yaml.template
    ## @param centralConfiguration.configuration.central-conf_deploy-server-yaml-template.path The path to the configuration file deploy-server.yaml.template
    ## @param centralConfiguration.configuration.central-conf_deploy-server-yaml-template.mode The access mode for the configuration file deploy-server.yaml.template
    ## @param centralConfiguration.configuration.central-conf_deploy-server-yaml-template.content Content of the configuration file deploy-server.yaml.template
    "central-conf_deploy-server-yaml-template":
      path: "central-conf/deploy-server.yaml.template"
      mode: 0660
      content: |
        deploy.server:
          bind-hostname: 0.0.0.0
          bind-port: {{ .Values.master.containerPorts.deployPekko }}
          license:
            daysBeforeWarning: 10
          {{- if .Values.oidc.enabled }}    
          security:
            auth:
              provider: "oidc"
          {{- end }}
        pekko:
          io:
            dns:
              resolver: "${DNS_RESOLVER}"
          # loggers:
          #  - "org.apache.pekko.event.slf4j.Slf4jLogger"
          loglevel: "INFO"
    ## @extra centralConfiguration.configuration.central-conf_deploy-oidc-yaml-template The configuration file deploy-oidc.yaml.template
    ## @param centralConfiguration.configuration.central-conf_deploy-oidc-yaml-template.path The path to the configuration file deploy-oidc.yaml.template
    ## @param centralConfiguration.configuration.central-conf_deploy-oidc-yaml-template.mode The access mode for the configuration file deploy-oidc.yaml.template
    ## @param centralConfiguration.configuration.central-conf_deploy-oidc-yaml-template.content Content of the configuration file deploy-oidc.yaml.template
    "central-conf_deploy-oidc-yaml-template":
      path: "central-conf/deploy-oidc.yaml.template"
      mode: 0660
      content: |
        deploy.security:
          {{- if .Values.oidc.enabled }}
          auth:
            providers:
              oidc:
                clientId: "${OIDC_CLIENT_ID}"
                clientSecret: "${OIDC_CLIENT_SECRET}"
                {{- if .Values.oidc.clientAuthMethod }}
                clientAuthMethod: {{ .Values.oidc.clientAuthMethod | quote }}
                {{- end }}
                {{- if .Values.oidc.clientAuthJwt.enable }}
                clientAuthJwt:
                  jwsAlg: {{ .Values.oidc.clientAuthJwt.jwsAlg | quote }}
                  tokenKeyId: {{ .Values.oidc.clientAuthJwt.tokenKeyId | quote }}
                  {{- if .Values.oidc.clientAuthJwt.keyStore.enable }}
                  keyStore:
                    path: {{ .Values.oidc.clientAuthJwt.keyStore.path | quote }}
                    password: "${OIDC_CLIENT_AUTH_JWT_KEYSTORE_PASSWORD}"
                    type: {{ .Values.oidc.clientAuthJwt.keyStore.type | quote }}
                  {{- end }}
                  {{- if .Values.oidc.clientAuthJwt.key.enable }}
                  key:
                    alias: {{ .Values.oidc.clientAuthJwt.key.alias | quote }}
                    password: "${OIDC_CLIENT_AUTH_JWT_KEY_PASSWORD}"
                  {{- end }}
                {{- end }}
                issuer: {{ .Values.oidc.issuer | quote }}
                keyRetrievalUri: {{ .Values.oidc.keyRetrievalUri | quote }}
                accessTokenUri: {{ .Values.oidc.accessTokenUri | quote }}
                userAuthorizationUri: {{ .Values.oidc.userAuthorizationUri | quote }}
                logoutUri: {{ .Values.oidc.logoutUri | quote }}
                redirectUri: {{ .Values.oidc.redirectUri | quote }}
                postLogoutRedirectUri: {{ .Values.oidc.postLogoutRedirectUri | quote }}
                rolesClaimName: {{ .Values.oidc.rolesClaimName | quote }}
                userNameClaimName: {{ .Values.oidc.userNameClaimName | quote }}
                {{- if .Values.oidc.scopes }}
                scopes: {{ .Values.oidc.scopes }}
                {{- end }}
                {{- if .Values.oidc.idTokenJWSAlg }}
                idTokenJWSAlg: {{ .Values.oidc.idTokenJWSAlg | quote }}
                {{- end }}
                {{- if .Values.oidc.accessToken.enable }}
                access-token:
                  {{- if .Values.oidc.accessToken.issuer }}
                  issuer: {{ .Values.oidc.accessToken.issuer | quote }}
                  {{- end }}
                  {{- if .Values.oidc.accessToken.audience }}
                  audience: {{ .Values.oidc.accessToken.audience | quote }}
                  {{- end }}
                  {{- if .Values.oidc.accessToken.keyRetrievalUri }}
                  keyRetrievalUri: {{ .Values.oidc.accessToken.keyRetrievalUri | quote }}
                  {{- end }}
                  {{- if .Values.oidc.accessToken.jwsAlg }}
                  jwsAlg: {{ .Values.oidc.accessToken.jwsAlg | quote }}
                  {{- end }}
                  {{- if .Values.oidc.accessToken.secretKey }}
                  secretKey: "${OIDC_ACCESS_TOKEN_SECRET_KEY}"
                  {{- end }}
                {{- end }}
                loginMethodDescription: {{ default "External login (OpenID Connect)" .Values.oidc.loginMethodDescription | quote }}
                {{- if .Values.oidc.proxyHost }}
                proxyHost: {{ .Values.oidc.proxyHost | quote }}
                {{- end }}
                {{- if .Values.oidc.proxyPort }}
                proxyPort: {{ .Values.oidc.proxyPort | quote }}
                {{- end }}
          {{- end }}

  ## @param centralConfiguration.extraConfiguration Configuration file content: extra configuration to be appended to deploy configuration
  ## Use this instead of `configuration` to add more configuration
  ##
  extraConfiguration: {}

  ## @param centralConfiguration.extraVolumeMounts Optionally specify extra list of additional volumeMounts
  ## Examples:
  ## extraVolumeMounts:
  ##   - name: extras
  ##     mountPath: /usr/share/extras
  ##     readOnly: true
  ##
  extraVolumeMounts: [ ]
  ## @param centralConfiguration.extraVolumes Optionally specify extra list of additional volumes .
  ## Example:
  ## extraVolumes:
  ##   - name: extras
  ##     emptyDir: {}
  ##
  extraVolumes: [ ]
  ## @param centralConfiguration.extraSecrets Optionally specify extra secrets to be created by the chart.
  ## This can be useful when combined with load_definitions to automatically create the secret containing the definitions to be loaded.
  ## Example:
  ## extraSecrets:
  ##   load-definition:
  ##     load_definition.json: |
  ##       {
  ##         ...
  ##       }
  ##
  extraSecrets: { }
  ## @param centralConfiguration.extraSecretsPrependReleaseName Set this flag to true if extraSecrets should be created with <release-name> prepended.
  ##
  extraSecretsPrependReleaseName: false

  ## @section Central Configuration Exposure parameters
  ##

  ## Kubernetes service type
  ##
  service:
    ## @param centralConfiguration.service.type Kubernetes Service type
    ##
    type: ClusterIP

    ## @param centralConfiguration.service.portEnabled deploy port. Cannot be disabled when `auth.tls.enabled` is `false`. Listener can be disabled with `listeners.tcp = none`.
    ##
    portEnabled: true
    ## Service ports
    ## @param centralConfiguration.service.ports.ccHttp Deploy central configuration service HTTP port value
    ## @param centralConfiguration.service.ports.ccHttps Deploy central configuration service HTTPS port value
    ##
    ports:
      ccHttp: 8888
      ccHttps: 8843
    ## Service ports name
    ## @param centralConfiguration.service.portNames.ccHttp Deploy central configuration HTTP port name
    ## @param centralConfiguration.service.portNames.ccHttps Deploy central configuration HTTPS port name
    ##
    portNames:
      ccHttp: "deploy-http-cc"
      ccHttps: "deploy-https-cc"

    ## Node ports to expose
    ## @param centralConfiguration.service.nodePorts.ccHttp Deploy central configuration HTTP port value exposed on the node (in case of NodePort service)
    ## @param centralConfiguration.service.nodePorts.ccHttps Deploy central configuration HTTPS port value exposed on the node (in case of NodePort service)
    ##
    nodePorts:
      ccHttp: ""
      ccHttps: ""
    ## @param centralConfiguration.service.extraPorts Extra ports to expose in the service
    ## E.g.:
    ## extraPorts:
    ## - name: new_svc_name
    ##   port: 1234
    ##   targetPort: 1234
    ##
    extraPorts: [ ]
    ## @param centralConfiguration.service.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer`
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ## - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: [ ]
    ## @param centralConfiguration.service.externalIPs Set the ExternalIPs
    ##
    externalIPs: [ ]
    ## @param centralConfiguration.service.externalTrafficPolicy Enable client source IP preservation
    ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param centralConfiguration.service.loadBalancerIP Set the LoadBalancerIP
    ##
    loadBalancerIP: ""
    ## @param centralConfiguration.service.clusterIP Kubernetes service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @extra centralConfiguration.service.labels Service labels. Evaluated as a template
    ## @param centralConfiguration.service.labels.app.kubernetes.io/component Label with component name
    ##
    labels:
      "app.kubernetes.io/component": centralConfiguration
    ## @param centralConfiguration.service.annotations Service annotations. Evaluated as a template
    ## Example:
    ## annotations:
    ##   service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
    ##
    annotations: { }
    ## @param centralConfiguration.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param centralConfiguration.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: { }

## @section Deploy master parameters
##

master:
  ## @param master.overrideName If set the template will override the STS name.
  ##
  overrideName: ""
  ## @param master.useIpAsHostname Set IP address of the container as the hostname for the instance.
  ## If set to true then IP will be used instead of the container ID. This is useful
  ## when deploying XL Deploy as active-active cluster using docker compose as Pekko cannot resolve aliases within the docker network.
  ##
  useIpAsHostname: false
  ## @param master.clusterNodeHostnameSuffix If set the template will override the hostname.
  ##
  clusterNodeHostnameSuffix: '.{{ include "deploy.names.master" $ }}.{{ include "common.names.namespace" . }}.svc.cluster.local'
  ## @param master.terminationGracePeriodSeconds Default duration in seconds k8s waits for container to exit before sending kill signal.
  ## Any time in excess of 10 seconds will be spent waiting for any synchronization necessary for cluster not to lose data.
  ##
  terminationGracePeriodSeconds: 90
  ## @param master.forceUpgrade It can be used to perform an upgrade in non-interactive mode by passing flag -force-upgrades while starting a service.
  ##
  forceUpgrade: true

  ## @param master.replicaCount Number of deploy master replicas to deploy
  ##
  replicaCount: 3

  ## @section Deploy Master Image parameters
  ## deploy image version
  ## ref: https://hub.docker.com/r/xebialabs/xl-deploy/tags/
  ## @param master.image.registry deploy master image registry
  ## @param master.image.repository deploy master image repository
  ## @param master.image.tag deploy master image tag (immutable tags are recommended)
  ## @param master.image.pullPolicy deploy master image pull policy
  ## @param master.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: docker.io
    repository: xebialabsunsupported/xl-deploy
    tag: "{{ .Chart.AppVersion }}"
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []

  ## @section Master debug parameters
  ##

  ## Enable diagnostic mode in the deployment
  ##
  diagnosticMode:
    ## @param master.diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
    ##
    enabled: false
    ## @param master.diagnosticMode.command Command to override all containers in the deployment
    ##
    command:
      - /opt/xebialabs/tini
    ## @param master.diagnosticMode.args Args to override all containers in the deployment
    ##
    args:
      - --
      - sleep
      - infinity
  ## Enable debug mode in the deployment
  ##
  debugMode:
    ## @param master.debugMode.enabled Enable debug mode (it starts all process with debug agent)
    ##
    enabled: false
    ## @param master.debugMode.remoteJvmParams Agent lib configuration line with port. Do port forwarding to the port you would like to use.
    ##
    remoteJvmParams: "{{- if .Values.master.debugMode.enabled }} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8001{{- end }}"  

  ## @section Master DNS parameters
  ##

  ## @param master.hostAliases Deployment pod host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: [ ]
  ## @param master.dnsPolicy DNS Policy for pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
  ## E.g.
  ## dnsPolicy: ClusterFirst
  dnsPolicy: ""
  ## @param master.dnsConfig DNS Configuration pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
  ## E.g.
  ## dnsConfig:
  ##   options:
  ##   - name: ndots
  ##     value: "4"
  dnsConfig: { }

  ## @section Master resource parameters
  ##

  ## Deploy master containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
  ##
  resourcesPreset: "micro"
  ## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources: 
  ##   limits:
  ##     cpu: 1000m
  ##     memory: 2Gi
  ##   requests:
  ##     cpu: 1000m
  ##     memory: 2Gi
  ##
  resources: {}

  ## @section Master Statefulset parameters
  ##

  ## Configure containers' extra options for liveness and readiness probe for the Deploy master
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param master.health.enabled Enable probes
  ## @param master.health.periodScans Period seconds for probe
  ## @param master.health.probeFailureThreshold Failure threshold for probe
  ## @param master.health.probesLivenessTimeout Initial delay seconds for livenessProbe
  ## @param master.health.probesReadinessTimeout Initial delay seconds for readinessProbe
  ##
  health:
    enabled: true
    periodScans: 10
    probeFailureThreshold: 12
    probesLivenessTimeout: 60
    probesReadinessTimeout: 60

  ## @param master.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## deploy should be initialized one by one when building cluster.
  ## Therefore, the default value of podManagementPolicy is 'OrderedReady'
  ## @param master.podManagementPolicy Pod management policy
  ##
  podManagementPolicy: OrderedReady
  ## @extra master.podLabels deploy Pod labels. Evaluated as a template
  ## @param master.podLabels.app.kubernetes.io/component Label with component name
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels:
    "app.kubernetes.io/component": master
  ## @param master.podAnnotations deploy Pod annotations. Evaluated as a template
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param master.updateStrategy.type Update strategy type for deploy statefulset
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: OnDelete
  ## @extra master.statefulsetLabels deploy statefulset labels. Evaluated as a template
  ## @param master.statefulsetLabels.app.kubernetes.io/component Label with component name
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  statefulsetLabels:
    "app.kubernetes.io/component": master
  ## @param master.statefulsetAnnotations Deploy cmaster statefulset annotations. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  statefulsetAnnotations: {}
  ## @param master.priorityClassName Name of the priority class to be used by deploy pods, priority class needs to be created beforehand
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param master.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param master.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param master.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param master.nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param master.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []

  ## @param master.affinity Affinity for pod assignment. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and  nodeAffinityPreset will be ignored when it's set
  ##
  affinity: { }
  ## @param master.nodeSelector Node labels for pod assignment. Evaluated as a template
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  ##
  nodeSelector: { }
  ## @param master.tolerations Tolerations for pod assignment. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: [ ]
  ## @param master.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: [ ]

  ## deploy pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param master.podSecurityContext.enabled Enable deploy pods' Security Context
  ## @param master.podSecurityContext.runAsUser Set Deploy pod's Security Context runAsUser
  ## @param master.podSecurityContext.fsGroup Set deploy pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    runAsUser: 10001
    fsGroup: 10001

  ## @param master.containerSecurityContext.enabled Enabled deploy containers' Security Context
  ## @param master.containerSecurityContext.runAsNonRoot Set deploy container's Security Context runAsNonRoot
  ## @param master.containerSecurityContext.allowPrivilegeEscalation Set deploy container's Security Context allowPrivilegeEscalation
  ## @param master.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only
  ## @extra master.containerSecurityContext.capabilities Set deploy container's Security Context capabilities
  ## @skip master.containerSecurityContext.capabilities
  ## @extra master.containerSecurityContext.seccompProfile Set deploy container's Security Context seccompProfile
  ## @skip master.containerSecurityContext.seccompProfile
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## Example:
  ##   containerSecurityContext:
  ##     capabilities:
  ##       drop: ["NET_RAW"]
  ##     readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
      - ALL
    seccompProfile:
      type: RuntimeDefault

  ## Default init containers for the Deploy pod
  defaultInitContainers:
    ## @extra master.defaultInitContainers.resources Set default init container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## @skip master.defaultInitContainers.resources.limits
    ## @skip master.defaultInitContainers.resources.requests
    ##
    resources:
      limits:
        cpu: "150m"
        memory: "192Mi"
        ephemeral-storage: "2Gi"
      requests:
        cpu: "100m"
        memory: "128Mi"
        ephemeral-storage: "50Mi"
  ## @param master.initContainers Add init containers to the deploy master pod
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##     resources: {}
  ##
  initContainers: []
  ## @param master.sidecars Add sidecar containers to the deploy master pod
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##     resources: {}
  ##
  sidecars: []

  ## @section Master Init Container parameters
  ##

  ## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
  ## values from the securityContext section of the component
  ##
  volumePermissions:
    ## @param master.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
    ##
    enabled: false
    ## @param master.volumePermissions.image.registry Init container volume-permissions image registry
    ## @param master.volumePermissions.image.repository Init container volume-permissions image repository
    ## @param master.volumePermissions.image.tag Init container volume-permissions image tag
    ## @param master.volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param master.volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
    ## @param master.volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: docker.io
      repository: bitnami/os-shell
      tag: 12-debian-12-r31
      digest: ""
      ## Specify a imagePullPolicy
      ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
      ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## @param master.volumePermissions.script Script for changing the owner and group of the persistent volume(s). Paths are declared in the 'paths' variable.
    script: |
      #!/bin/bash
      
      declare -a paths=( {{ range $path := .Values.master.persistence.paths }} "{{ $path }}"{{ end }} )
      for path in "${paths[@]}"; do
        echo "Changing ownership to {{ .Values.master.containerSecurityContext.runAsUser }}:{{ .Values.master.podSecurityContext.fsGroup }} for ${path}"
        chown "{{ .Values.master.containerSecurityContext.runAsUser }}:{{ .Values.master.podSecurityContext.fsGroup }}" "${path}"
        find "${path}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
          xargs -r chown -R "{{ .Values.master.containerSecurityContext.runAsUser }}:{{ .Values.master.podSecurityContext.fsGroup }}"
      done
    ## Init Container resource requests and limits
    ## @param master.volumePermissions.resources.limits Init container volume-permissions resource limits
    ## @skip master.volumePermissions.resources.limits
    ## @param master.volumePermissions.resources.requests Init container volume-permissions resource requests
    ## @skip master.volumePermissions.resources.requests
    ##
    resources:
      limits:
        cpu: "150m"
        memory: "192Mi"
        ephemeral-storage: "2Gi"
      requests:
        cpu: "100m"
        memory: "128Mi"
        ephemeral-storage: "50Mi"
    ## Init container' Security Context
    ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
    ## and not the below volumePermissions.containerSecurityContext.runAsUser
    ## @param master.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process
    ## @param master.volumePermissions.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only    
    ## @param master.volumePermissions.containerSecurityContext.runAsUser User ID for the init container
    ## @param master.volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
    ## @param master.volumePermissions.containerSecurityContext.runAsNonRoot Set volume permissions init container's Security Context runAsNonRoot
    ## @extra master.volumePermissions.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
    ## @skip master.volumePermissions.containerSecurityContext.seccompProfile
    ##
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsUser: 0
      runAsGroup: 0
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault

  ## @section Master Pod Disruption Budget configuration
  ##

  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ##
  pdb:
    ## @param master.pdb.create Enable/disable a Pod Disruption Budget creation
    ##
    create: false
    ## @param master.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
    ##
    minAvailable: 1
    ## @param master.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
    ##
    maxUnavailable: ""

  ## @section Master Persistence parameters
  ##

  persistence:
    ## @param master.persistence.enabled Enable deploy data persistence using PVC
    ##
    enabled: true
    ## @param master.persistence.single Enable deploy data to use single PVC
    ##
    single: false
    ## @param master.persistence.storageClass PVC Storage Class for deploy data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param master.persistence.selector Selector to match an existing Persistent Volume
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: { }
    ## @param master.persistence.accessModes PVC Access Modes for deploy data volume
    ##
    accessModes:
      - ReadWriteOnce
    ## @param master.persistence.existingClaim Provide an existing PersistentVolumeClaims
    ## The value is evaluated as a template
    ## So, for example, the name can depend on .Release or .Chart
    ##
    existingClaim: ""
    ## @param master.persistence.size PVC Storage Request for deploy data volume
    ##
    size: 8Gi
    ## @extra master.persistence.annotations Persistence annotations. Evaluated as a template
    ## @param master.persistence.annotations.helm.sh/resource-policy Persistence annotation for keeping created PVCs
    ## Example:
    ## annotations:
    ##   example.io/disk-volume-type: SSD
    ##
    annotations:
      helm.sh/resource-policy: "keep"
    ## @param master.persistence.paths mounted paths for the Deploy master
    paths:
      - /opt/xebialabs/xl-deploy-server/work
    ## @param master.persistence.emptyDirPaths mounted empty-dir mounts to have wrtieable paths
    emptyDirPaths:
      - /opt/xebialabs/xl-deploy-server/artifacts
      - /opt/xebialabs/xl-deploy-server/cache
      - /opt/xebialabs/xl-deploy-server/centralConfiguration
      - /opt/xebialabs/xl-deploy-server/conf
      - /opt/xebialabs/xl-deploy-server/driver/jdbc
      - /opt/xebialabs/xl-deploy-server/driver/mq
      - /opt/xebialabs/xl-deploy-server/export
      - /opt/xebialabs/xl-deploy-server/log
      - /opt/xebialabs/xl-deploy-server/node-conf
      - /opt/xebialabs/xl-deploy-server/plugins
      - /tmp

  ## @section Master runtime parameters
  ##

  ## @param master.jvmArgs Deploy master JVM arguments
  ##
  jvmArgs: ""

  ## @param master.command Override default container command (useful when using custom images)
  ##
  command:
    - /opt/xebialabs/tini
  ## @param master.args Override default container args (useful when using custom images)
  ##
  args:
    - --
    - /opt/xebialabs/xl-deploy-server/bin/run-in-operator.sh
  ## @param master.lifecycleHooks Overwrite livecycle for the deploy container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: { }
  ## @param master.logback.globalLoggingLevel Global logging level. Possible values: "trace", "debug", "info", "warn", "error".
  ## @param master.logback.scanEnabled Enables scanning of logback.xml.
  ## @param master.logback.scanPeriod Interval for checking logback.xml configuration.
  ##
  logback:
    globalLoggingLevel: "info"
    scanEnabled: true
    scanPeriod: "30 seconds"
  ## @param master.extraEnvVars Extra environment variables to add to deploy pods
  ## E.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: BAR
  ##
  extraEnvVars: [ ]
  ## @param master.extraEnvVarsCM Name of existing ConfigMap containing extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param master.extraEnvVarsSecret Name of existing Secret containing extra environment variables (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""

  ## Container Ports
  ## @param master.containerPorts.deployHttp Deploy HTTP port value exposed on the master container
  ## @param master.containerPorts.deployHttps Deploy HTTPS port value exposed on the master container
  ## @param master.containerPorts.deployPekko Deploy Pekko port value exposed on the master container
  ## @param master.containerPorts.deployClusterPekko Deploy Pekko cluster port value exposed on the master container
  ## @param master.containerPorts.deployJmxExporter Deploy JMX exporter port value exposed on the master container
  ##
  containerPorts:
    deployHttp: 4516
    deployHttps: 4517
    deployPekko: 8180
    deployClusterPekko: 25520
    deployJmxExporter: 9100

  ## @param master.extraContainerPorts Extra ports to be included in container spec, primarily informational
  ## E.g:
  ## extraContainerPorts:
  ## - name: new_port_name
  ##   containerPort: 1234
  ##
  extraContainerPorts: [ ]

  ## @extra master.configuration Deploy Configuration file content: required cluster configuration
  ## Do not override unless you know what you are doing.
  ## To add more configuration, use `extraConfiguration` of `advancedConfiguration` instead
  ##
  configuration:
    ## @extra master.configuration.bin_run-in-operator-sh The script for starting the master with K8S configuration
    ## @param master.configuration.bin_run-in-operator-sh.path The path for the script for starting the master with K8S configuration
    ## @param master.configuration.bin_run-in-operator-sh.mode The access mode for the script for starting the master with K8S configuration
    ## @param master.configuration.bin_run-in-operator-sh.content Content of the script for starting the master with K8S configuration
    "bin_run-in-operator-sh":
      path: "bin/run-in-operator.sh"
      mode: 0755
      content: |
        #!/bin/bash
        
        {{- if .Values.master.podServiceTemplate.enabled }}
        POD_NUMBER=$(echo $POD_NAME | grep -Eo "[0-9]+$")
        {{- if contains .Values.master.podServiceTemplate.serviceMode "SingleHostname;MultiService" }}
        export SERVER_PORT=$(echo $SERVER_PORT+$POD_NUMBER | bc)
        {{- end }}
        {{- if or .Values.master.podServiceTemplate.overrideHostname .Values.master.podServiceTemplate.overrideHostnames }}
        allMasters=(
        {{- range $podNumber := untilStep 0 (int .Values.master.replicaCount) 1 }}
        {{- $newValues := merge (dict "podNumber" $podNumber) $ }}
        {{- $masterHostname := include "deploy.masterHostname" $newValues }}
        "{{ $masterHostname }}"
        {{- end }}
        )
        export OVERRIDE_HOSTNAME=$(echo ${allMasters[$POD_NUMBER]})
        echo "Using master hostname: $OVERRIDE_HOSTNAME"
        {{- end }}
        {{- end }}
        echo "Using master port: $SERVER_PORT"
        exec /opt/xebialabs/xl-deploy-server/bin/run-in-container.sh $@

  ## @param master.extraConfiguration Configuration file content: extra configuration to be appended to deploy configuration
  ## Use this instead of `configuration` to add more configuration
  ##
  extraConfiguration: {}

  ## @param master.extraVolumeMounts Optionally specify extra list of additional volumeMounts
  ## Examples:
  ## extraVolumeMounts:
  ##   - name: extras
  ##     mountPath: /usr/share/extras
  ##     readOnly: true
  ##
  extraVolumeMounts: [ ]
  ## @param master.extraVolumes Optionally specify extra list of additional volumes .
  ## Example:
  ## extraVolumes:
  ##   - name: extras
  ##     emptyDir: {}
  ##
  extraVolumes: [ ]
  ## @param master.extraSecrets Optionally specify extra secrets to be created by the chart.
  ## This can be useful when combined with load_definitions to automatically create the secret containing the definitions to be loaded.
  ## Example:
  ## extraSecrets:
  ##   load-definition:
  ##     load_definition.json: |
  ##       {
  ##         ...
  ##       }
  ##
  extraSecrets: { }
  ## @param master.extraSecretsPrependReleaseName Set this flag to true if extraSecrets should be created with <release-name> prepended.
  ##
  extraSecretsPrependReleaseName: false

  ## @section Master Exposure parameters
  ##

  ## Kubernetes service types
  ##
  services:
    lb:
      ## @param master.services.lb.type Kubernetes Service type for the HTTP service
      ##
      type: ClusterIP

      ## @param master.services.lb.portEnabled deploy port. Cannot be disabled when `auth.tls.enabled` is `false`. Listener can be disabled with `listeners.tcp = none`.
      ##
      portEnabled: true
      ## Service ports
      ## @param master.services.lb.ports.deployHttp Deploy master HTTP port value exposed on the service
      ## @param master.services.lb.ports.deployHttps Deploy master HTTPS port value exposed on the service
      ##
      ports:
        deployHttp: 80
        deployHttps: 443
      ## Service ports name
      ## @param master.services.lb.portNames.deployHttp Deploy master HTTP port name
      ## @param master.services.lb.portNames.deployHttps Deploy master HTTPS port name
      ##
      portNames:
        deployHttp: "deploy-http"
        deployHttps: "deploy-https"

      ## Node ports to expose
      ## @param master.services.lb.nodePorts.deployHttp Deploy master HTTP port value exposed on the node (in case of NodePort service)
      ## @param master.services.lb.nodePorts.deployHttps Deploy master HTTPS port value exposed on the node (in case of NodePort service)
      ##
      nodePorts:
        deployHttp: ""
        deployHttps: ""
      ## @param master.services.lb.extraPorts Extra ports to expose in the service
      ## E.g.:
      ## extraPorts:
      ## - name: new_svc_name
      ##   port: 1234
      ##   targetPort: 1234
      ##
      extraPorts: [ ]
      ## @param master.services.lb.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer`
      ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ## - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: [ ]
      ## @param master.services.lb.externalIPs Set the ExternalIPs
      ##
      externalIPs: [ ]
      ## @param master.services.lb.externalTrafficPolicy Enable client source IP preservation
      ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param master.services.lb.loadBalancerIP Set the LoadBalancerIP
      ##
      loadBalancerIP: ""
      ## @param master.services.lb.clusterIP Kubernetes service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: ""
      ## @extra master.services.lb.labels Service labels. Evaluated as a template
      ## @param master.services.lb.labels.app.kubernetes.io/component Label with component name
      ##
      labels:
        "app.kubernetes.io/component": master
      ## @param master.services.lb.annotations Service annotations. Evaluated as a template
      ## Example:
      ## annotations:
      ##   service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      ##
      annotations: { }
      ## @param master.services.lb.publishNotReadyAddresses Enable publishing of the DNS records when Pod is still not ready.
      ##
      publishNotReadyAddresses: true
      ## @param master.services.lb.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
      ## If "ClientIP", consecutive client requests will be directed to the same Pod
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
      ##
      sessionAffinity: None
      ## @param master.services.lb.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: { }
    pekko:
      ## @param master.services.pekko.type Kubernetes Service type
      ##
      type: ClusterIP

      ## @param master.services.pekko.portEnabled deploy port.
      ## Cannot be disabled when `auth.tls.enabled` is `false`.
      ## Listener can be disabled with `listeners.tcp = none`.
      ##
      portEnabled: true
      ## Service ports
      ## @param master.services.pekko.ports.deployPekko Deploy master Pekko port value exposed on the service
      ## @param master.services.pekko.ports.deployClusterPekko Deploy master Pekko cluster port value exposed on the service
      ##
      ports:
        deployPekko: 8180
        deployClusterPekko: 25520
      ## Service ports name
      ## @param master.services.pekko.portNames.deployPekko Deploy master Pekko port name
      ## @param master.services.pekko.portNames.deployJmxExporter Deploy master JMX exporter port name
      ## @param master.services.pekko.portNames.deployClusterPekko Deploy master Pekko cluster port name
      ##
      portNames:
        deployPekko: "deploy-pekko"
        deployJmxExporter: "deploy-jmx"
        deployClusterPekko: "cluster-pekko"

      ## Node ports to expose
      ## @param master.services.pekko.nodePorts.deployPekko Deploy master Pekko port value exposed on the node (in case of NodePort service)
      ## @param master.services.pekko.nodePorts.deployClusterPekko Deploy master Pekko cluster port value exposed on the node (in case of NodePort service)
      ##
      nodePorts:
        deployPekko: ""
        deployClusterPekko: ""
      ## @param master.services.pekko.extraPorts Extra ports to expose in the service
      ## E.g.:
      ## extraPorts:
      ## - name: new_svc_name
      ##   port: 1234
      ##   targetPort: 1234
      ##
      extraPorts: [ ]
      ## @param master.services.pekko.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer`
      ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ## - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: [ ]
      ## @param master.services.pekko.externalIPs Set the ExternalIPs
      ##
      externalIPs: [ ]
      ## @param master.services.pekko.externalTrafficPolicy Enable client source IP preservation
      ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param master.services.pekko.loadBalancerIP Set the LoadBalancerIP
      ##
      loadBalancerIP: ""
      ## @param master.services.pekko.clusterIP Kubernetes service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: None
      ## @extra master.services.pekko.labels Service labels. Evaluated as a template
      ## @param master.services.pekko.labels.app.kubernetes.io/component Label with component name
      ##
      labels:
        "app.kubernetes.io/component": master
      ## @param master.services.pekko.annotations Service annotations. Evaluated as a template
      ## Example:
      ## annotations:
      ##   service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      ##
      annotations: { }
      ## @param master.services.pekko.publishNotReadyAddresses Enable publishing of the DNS records when Pod is still not ready.
      ##
      publishNotReadyAddresses: true
      ## @param master.services.pekko.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
      ## If "ClientIP", consecutive client requests will be directed to the same Pod
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
      ##
      sessionAffinity: None
      ## @param master.services.pekko.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: { }

  ## Kubernetes service type that is created for each master Pod in StatefulSet
  ##
  podServiceTemplate:
    ## @param master.podServiceTemplate.enabled Enable Pod service template, if enabled generates for each pod dedicated service.
    ##
    enabled: false
    ## @param master.podServiceTemplate.type Kubernetes Service type
    ##
    type: NodePort
    ## @param master.podServiceTemplate.name Service name template, by default with dedicated pod number sufix.
    ##
    name: '{{ printf "%s-%d" (include "deploy.names.master" $) .podNumber }}'
    ## @param master.podServiceTemplate.serviceMode Possible values are: SingleHostname (IncrementPort, MultiService), SinglePort (IncrementHostname, MultiService), MultiService (IncrementHostname, IncrementPort), SingleService (IncrementHostname, SinglePort)
    ## it defines the number of hostnames, ports and services
    serviceMode: MultiService
    ## @param master.podServiceTemplate.overrideHostnameSuffix together with overrideHostname composes full hostname of the exposed master pod
    overrideHostnameSuffix: '.{{ include "common.names.namespace" . }}.svc.cluster.local'
    ## @param master.podServiceTemplate.overrideHostname Together with overrideHostnameSuffix composes full hostname of the exposed master pod
    overrideHostname: '{{ include "deploy.names.master" . }}-{{ .podNumber }}'
    ## @param master.podServiceTemplate.overrideHostnames Together with overrideHostnameSuffix composes full hostname of the exposed worker pod
    ##
    overrideHostnames: []
    ## @param master.podServiceTemplate.portEnabled deploy port. Cannot be disabled when `auth.tls.enabled` is `false`. Listener can be disabled with `listeners.tcp = none`.
    ##
    portEnabled: true
    ## Service ports
    ## @param master.podServiceTemplate.ports.deployPekko Deploy master Pekko port value exposed on the service
    ##
    ports:
      deployPekko: 32180
    ## Service ports name
    ## @param master.podServiceTemplate.portNames.deployPekko Deploy master Pekko port name
    ##
    portNames:
      deployPekko: "deploy-pekko"

    ## Node ports to expose
    ## @param master.podServiceTemplate.nodePorts.deployPekko Deploy master Pekko port value exposed on the node (in case of NodePort service)
    ##
    nodePorts:
      deployPekko: 32180
    ## @param master.podServiceTemplate.extraPorts Extra ports to expose in the service
    ## E.g.:
    ## extraPorts:
    ## - name: new_svc_name
    ##   port: 1234
    ##   targetPort: 1234
    ##
    extraPorts: [ ]
    ## @param master.podServiceTemplate.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer`
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ## - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: [ ]
    ## @param master.podServiceTemplate.externalIPs Set the ExternalIPs
    ##
    externalIPs: [ ]
    ## @param master.podServiceTemplate.externalTrafficPolicy Enable client source IP preservation
    ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Local
    ## @param master.podServiceTemplate.loadBalancerIP Set the LoadBalancerIP
    ##
    loadBalancerIP: ""
    ## @param master.podServiceTemplate.clusterIPs Kubernetes service Cluster IPs
    ## e.g.:
    ## clusterIPs: [ None ]
    ##
    clusterIPs: [ ]
    ## @extra master.podServiceTemplate.labels Service labels. Evaluated as a template
    ## @param master.podServiceTemplate.labels.app.kubernetes.io/component Label with component name
    ##
    labels:
      "app.kubernetes.io/component": master
    ## @param master.podServiceTemplate.annotations Service annotations. Evaluated as a template
    ## Example:
    ## annotations:
    ##   service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
    ##
    annotations: { }
    ## @param master.podServiceTemplate.publishNotReadyAddresses Enable publishing of the DNS records when Pod is still not ready.
    ##
    publishNotReadyAddresses: true
    ## @param master.podServiceTemplate.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param master.podServiceTemplate.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: { }
    ## @extra master.podServiceTemplate.podLabels Deploy master Pod labels. Evaluated as a template
    ## @param master.podServiceTemplate.podLabels.statefulset.kubernetes.io/pod-name The name of pod put in the service label
    ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
    ##
    podLabels:
      statefulset.kubernetes.io/pod-name: '{{ printf "%s-%d" (include "deploy.names.master" $) .podNumber }}'

## @section Deploy worker parameters
##

worker:
  ## @param worker.overrideName If set the template will override the STS name.
  ##
  overrideName: ""
  ## @param worker.useIpAsHostname Set IP address of the container as the hostname for the instance.
  ## If set to true then IP will be used instead of the container ID. This is useful
  ## when deploying XL Deploy as active-active cluster using docker compose as Pekko cannot resolve aliases within the docker network.
  ##
  useIpAsHostname: false
  ## @param worker.terminationGracePeriodSeconds Default duration in seconds k8s waits for container to exit before sending kill signal.
  ## Any time in excess of 10 seconds will be spent waiting for any synchronization necessary for cluster not to lose data.
  ##
  terminationGracePeriodSeconds: 90

  ## @param worker.replicaCount Number of Deploy worker replicas to deploy
  ##
  replicaCount: 3

  ## @section Deploy Worker Image parameters
  ## deploy image version
  ## ref: https://hub.docker.com/r/xebialabs/xl-deploy/tags/
  ## @param worker.image.registry deploy worker image registry
  ## @param worker.image.repository deploy worker image repository
  ## @param worker.image.tag deploy worker image tag (immutable tags are recommended)
  ## @param worker.image.pullPolicy deploy worker image pull policy
  ## @param worker.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: docker.io
    repository: xebialabsunsupported/deploy-task-engine
    tag: "{{ .Chart.AppVersion }}"
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []

  ## @section Worker debug parameters
  ##

  ## Enable diagnostic mode in the deployment
  ##
  diagnosticMode:
    ## @param worker.diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
    ##
    enabled: false
    ## @param worker.diagnosticMode.command Command to override all containers in the deployment
    ##
    command:
      - /opt/xebialabs/tini
    ## @param worker.diagnosticMode.args Args to override all containers in the deployment
    ##
    args:
      - --
      - sleep
      - infinity
  ## Enable debug mode in the deployment
  ##
  debugMode:
    ## @param worker.debugMode.enabled Enable debug mode (it starts all process with debug agent)
    ##
    enabled: false
    ## @param worker.debugMode.remoteJvmParams Agent lib configuration line with port. Do port forwarding to the port you would like to use.
    ##
    remoteJvmParams: "{{- if .Values.worker.debugMode.enabled }} -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:8001{{- end }}" 

  ## @section Worker DNS parameters
  ##

  ## @param worker.hostAliases Deployment pod host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: [ ]
  ## @param worker.dnsPolicy DNS Policy for pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
  ## E.g.
  ## dnsPolicy: ClusterFirst
  dnsPolicy: ""
  ## @param worker.dnsConfig DNS Configuration pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/
  ## E.g.
  ## dnsConfig:
  ##   options:
  ##   - name: ndots
  ##     value: "4"
  dnsConfig: { }

  ## @section Worker resource parameters
  ##

  ## Deploy worker containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  ## We usually recommend not to specify default resources and to leave this as a conscious
  ## choice for the user. This also increases chances charts run on environments with little
  ## resources, such as Minikube. If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ## @param worker.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
  ##
  resourcesPreset: "micro"
  ## @param worker.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources: 
  ##   limits:
  ##     cpu: 1000m
  ##     memory: 2Gi
  ##   requests:
  ##     cpu: 1000m
  ##     memory: 2Gi
  ##
  resources: {}

  ## @section Worker Statefulset parameters
  ##

  ## Configure containers' extra options for liveness and readiness probe for the Deploy worker
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param worker.health.enabled Enable probes
  ## @param worker.health.periodScans Period seconds for probe
  ## @param worker.health.probeFailureThreshold Failure threshold for probe
  ## @param worker.health.probesLivenessTimeout Initial delay seconds for livenessProbe
  ## @param worker.health.probesReadinessTimeout Initial delay seconds for readinessProbe
  ##
  health:
    enabled: true
    periodScans: 10
    probeFailureThreshold: 12
    probesLivenessTimeout: 60
    probesReadinessTimeout: 60

  ## @param worker.schedulerName Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## deploy should be initialized one by one when building cluster.
  ## Therefore, the default value of podManagementPolicy is 'OrderedReady'
  ## @param worker.podManagementPolicy Pod management policy
  ##
  podManagementPolicy: OrderedReady
  ## @extra worker.podLabels deploy Pod labels. Evaluated as a template
  ## @param worker.podLabels.app.kubernetes.io/component Label with component name
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels:
    "app.kubernetes.io/component": worker
  ## @param worker.podAnnotations deploy Pod annotations. Evaluated as a template
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param worker.updateStrategy.type Update strategy type for deploy statefulset
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType - for Deploy worker is set OnDelete update strategy because Deploy worker needs to start after master was restarted
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: OnDelete
  ## @extra worker.statefulsetLabels deploy statefulset labels. Evaluated as a template
  ## @param worker.statefulsetLabels.app.kubernetes.io/component Label with component name
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  statefulsetLabels:
    "app.kubernetes.io/component": worker
  ## @param worker.statefulsetAnnotations Deploy worker statefulset annotations. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  statefulsetAnnotations: {}
  ## @param worker.priorityClassName Name of the priority class to be used by deploy pods, priority class needs to be created beforehand
  ## Ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
  ##
  priorityClassName: ""
  ## @param worker.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param worker.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param worker.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param worker.nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param worker.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []

  ## @param worker.affinity Affinity for pod assignment. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: podAffinityPreset, podAntiAffinityPreset, and  nodeAffinityPreset will be ignored when it's set
  ##
  affinity: { }
  ## @param worker.nodeSelector Node labels for pod assignment. Evaluated as a template
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  ##
  nodeSelector: { }
  ## @param worker.tolerations Tolerations for pod assignment. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: [ ]
  ## @param worker.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: [ ]

  ## deploy pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param worker.podSecurityContext.enabled Enable deploy pods' Security Context
  ## @param worker.podSecurityContext.runAsUser Set Deploy pod's Security Context runAsUser
  ## @param worker.podSecurityContext.fsGroup Set deploy pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    runAsUser: 10001
    fsGroup: 10001

  ## @param worker.containerSecurityContext.enabled Enabled deploy containers' Security Context
  ## @param worker.containerSecurityContext.runAsNonRoot Set deploy container's Security Context runAsNonRoot
  ## @param worker.containerSecurityContext.allowPrivilegeEscalation Set deploy container's Security Context allowPrivilegeEscalation
  ## @param worker.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only    
  ## @extra worker.containerSecurityContext.capabilities Set deploy container's Security Context capabilities
  ## @skip worker.containerSecurityContext.capabilities
  ## @extra worker.containerSecurityContext.seccompProfile Set deploy container's Security Context seccompProfile
  ## @skip worker.containerSecurityContext.seccompProfile
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## Example:
  ##   containerSecurityContext:
  ##     capabilities:
  ##       drop: ["NET_RAW"]
  ##     readOnlyRootFilesystem: true
  ##
  containerSecurityContext:
    enabled: true
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
      - ALL
    seccompProfile:
      type: RuntimeDefault

  ## Default init containers for the worker pod
  defaultInitContainers:
    ## @extra worker.defaultInitContainers.resources Set default init container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## @skip worker.defaultInitContainers.resources.limits
    ## @skip worker.defaultInitContainers.resources.requests
    ##
    resources:
      limits:
        cpu: "150m"
        memory: "192Mi"
        ephemeral-storage: "2Gi"
      requests:
        cpu: "100m"
        memory: "128Mi"
        ephemeral-storage: "50Mi"
  ## @param worker.initContainers Add init containers to the Deploy worker pod
  ## Example:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##     resources: {}
  ##
  initContainers: []
  ## @param worker.sidecars Add sidecar containers to the Deploy worker pod
  ## Example:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##     resources: {}
  ##
  sidecars: []

  ## @section Master Init Container parameters
  ##

  ## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
  ## values from the securityContext section of the component
  ##
  volumePermissions:
    ## @param worker.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
    ##
    enabled: false
    ## @param worker.volumePermissions.image.registry Init container volume-permissions image registry
    ## @param worker.volumePermissions.image.repository Init container volume-permissions image repository
    ## @param worker.volumePermissions.image.tag Init container volume-permissions image tag
    ## @param worker.volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param worker.volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
    ## @param worker.volumePermissions.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: docker.io
      repository: bitnami/os-shell
      tag: 12-debian-12-r31
      digest: ""
      ## Specify a imagePullPolicy
      ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
      ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## @param worker.volumePermissions.script Script for changing the owner and group of the persistent volume(s). Paths are declared in the 'paths' variable.
    script: |
      #!/bin/bash

      declare -a paths=( {{ range $path := .Values.worker.persistence.paths }} "{{ $path }}"{{ end }} )
      for path in "${paths[@]}"; do
        echo "Changing ownership to {{ .Values.worker.containerSecurityContext.runAsUser }}:{{ .Values.worker.podSecurityContext.fsGroup }} for ${path}"
        chown "{{ .Values.worker.containerSecurityContext.runAsUser }}:{{ .Values.worker.podSecurityContext.fsGroup }}" "${path}"
        find "${path}" -mindepth 1 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \
          xargs -r chown -R "{{ .Values.worker.containerSecurityContext.runAsUser }}:{{ .Values.worker.podSecurityContext.fsGroup }}"
      done
    ## Init Container resource requests and limits
    ## @extra worker.volumePermissions.resources.limits Init container volume-permissions resource limits
    ## @skip worker.volumePermissions.resources.limits 
    ## @extra worker.volumePermissions.resources.requests Init container volume-permissions resource requests
    ## @skip worker.volumePermissions.resources.requests 
    ##
    resources:
      limits:
        cpu: "150m"
        memory: "192Mi"
        ephemeral-storage: "2Gi"
      requests:
        cpu: "100m"
        memory: "128Mi"
        ephemeral-storage: "50Mi"
    ## Init container' Security Context
    ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
    ## and not the below volumePermissions.containerSecurityContext.runAsUser
    ## @param worker.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process
    ## @param worker.volumePermissions.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only    
    ## @param worker.volumePermissions.containerSecurityContext.runAsUser User ID for the init container
    ## @param worker.volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
    ## @param worker.volumePermissions.containerSecurityContext.runAsNonRoot Set volume permissions init container's Security Context runAsNonRoot
    ## @extra worker.volumePermissions.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
    ## @skip worker.volumePermissions.containerSecurityContext.seccompProfile
    ##
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsUser: 0
      runAsGroup: 0
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault

  ## @section Worker Pod Disruption Budget configuration
  ##

  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
  ##
  pdb:
    ## @param worker.pdb.create Enable/disable a Pod Disruption Budget creation
    ##
    create: false
    ## @param worker.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
    ##
    minAvailable: 1
    ## @param worker.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
    ##
    maxUnavailable: ""

  ## @section Worker Persistence parameters
  ##

  persistence:
    ## @param worker.persistence.enabled Enable deploy data persistence using PVC
    ##
    enabled: true
    ## @param worker.persistence.single Enable deploy data to use single PVC
    ##
    single: false
    ## @param worker.persistence.storageClass PVC Storage Class for deploy data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param worker.persistence.selector Selector to match an existing Persistent Volume
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: { }
    ## @param worker.persistence.accessModes PVC Access Modes for deploy data volume
    ##
    accessModes:
      - ReadWriteOnce
    ## @param worker.persistence.existingClaim Provide an existing PersistentVolumeClaims
    ## The value is evaluated as a template
    ## So, for example, the name can depend on .Release or .Chart
    ##
    existingClaim: ""
    ## @param worker.persistence.size PVC Storage Request for deploy data volume
    ##
    size: 8Gi
    ## @extra worker.persistence.annotations Persistence annotations. Evaluated as a template
    ## @param worker.persistence.annotations.helm.sh/resource-policy Persistence annotation for keeping created PVCs
    ## Example:
    ## annotations:
    ##   example.io/disk-volume-type: SSD
    ##
    annotations:
      helm.sh/resource-policy: "keep"
    ## @param worker.persistence.paths mounted paths for the Deploy worker
    paths:
      - /opt/xebialabs/deploy-task-engine/work
    ## @param worker.persistence.emptyDirPaths mounted empty-dir mounts to have wrtieable paths
    emptyDirPaths:
      - /opt/xebialabs/deploy-task-engine/cache
      - /opt/xebialabs/deploy-task-engine/conf
      - /opt/xebialabs/deploy-task-engine/driver/jdbc
      - /opt/xebialabs/deploy-task-engine/driver/mq
      - /opt/xebialabs/deploy-task-engine/export
      - /opt/xebialabs/deploy-task-engine/log
      - /opt/xebialabs/deploy-task-engine/node-conf
      - /opt/xebialabs/deploy-task-engine/plugins
      - /tmp

  ## @section Worker runtime parameters
  ##

  ## @param worker.jvmArgs Deploy worker JVM arguments
  ##
  jvmArgs: ""

  ## @param worker.command Override default container command (useful when using custom images)
  ##
  command:
    - /opt/xebialabs/tini
  ## @param worker.args Override default container args (useful when using custom images)
  ##
  args: |-
    - --
    - /opt/xebialabs/deploy-task-engine/bin/run-in-operator.sh

  ## @param worker.lifecycleHooks Overwrite livecycle for the deploy container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: { }
  ## @param worker.logback.globalLoggingLevel Global logging level. Possible values: "trace", "debug", "info", "warn", "error".
  ## @param worker.logback.scanEnabled Enables scanning of logback.xml.
  ## @param worker.logback.scanPeriod Interval for checking logback.xml configuration.
  ##
  logback:
    globalLoggingLevel: "info"
    scanEnabled: true
    scanPeriod: "30 seconds"
  ## @param worker.extraEnvVars Extra environment variables to add to deploy pods
  ## E.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: BAR
  ##
  extraEnvVars: [ ]
  ## @param worker.extraEnvVarsCM Name of existing ConfigMap containing extra environment variables
  ##
  extraEnvVarsCM: ""
  ## @param worker.extraEnvVarsSecret Name of existing Secret containing extra environment variables (in case of sensitive data)
  ##
  extraEnvVarsSecret: ""

  ## Container Ports
  ## @param worker.containerPorts.deployPekko Deploy Pekko port value exposed on the worker container
  ## @param worker.containerPorts.deployJmxExporter Deploy JMX exportet port value exposed on the worker container
  ##
  containerPorts:
    deployPekko: 8180
    deployJmxExporter: 9100

  ## @param worker.extraContainerPorts Extra ports to be included in container spec, primarily informational
  ## E.g:
  ## extraContainerPorts:
  ## - name: new_port_name
  ##   containerPort: 1234
  ##
  extraContainerPorts: [ ]

  ## @extra worker.configuration Deploy configuration file content: required cluster configuration
  ## Do not override unless you know what you are doing.
  ## To add more configuration, use `extraConfiguration` of `advancedConfiguration` instead
  ##
  configuration:
    ## @extra worker.configuration.bin_run-in-operator-sh The script for starting the worker with K8S configuration
    ## @param worker.configuration.bin_run-in-operator-sh.path The path for the script for starting the worker with K8S configuration
    ## @param worker.configuration.bin_run-in-operator-sh.mode The access mode for the script for starting the worker with K8S configuration
    ## @param worker.configuration.bin_run-in-operator-sh.content Content of the script for starting the worker with K8S configuration
    "bin_run-in-operator-sh":
      path: "bin/run-in-operator.sh"
      mode: 0755
      content: |
        #!/bin/bash
        
        {{- if .Values.worker.podServiceTemplate.enabled }}
        POD_NUMBER=$(echo $POD_NAME | grep -Eo "[0-9]+$")
        {{- if contains .Values.worker.podServiceTemplate.serviceMode "SingleHostname;MultiService" }}
        export SERVER_PORT=$(echo $SERVER_PORT+$POD_NUMBER | bc)
        {{- end }}
        {{- if or .Values.worker.podServiceTemplate.overrideHostname .Values.worker.podServiceTemplate.overrideHostnames }}
        allWorkers=(
        {{- range $podNumber := untilStep 0 (int .Values.worker.replicaCount) 1 }}
        {{- $newValues := merge (dict "podNumber" $podNumber) $ }}
        {{- $workerHostname := include "deploy.workerHostname" $newValues }}
        "{{ $workerHostname }}"
        {{- end }}
        )
        export OVERRIDE_HOSTNAME=$(echo ${allWorkers[$POD_NUMBER]})
        echo "Using worker hostname: $OVERRIDE_HOSTNAME"
        {{- end }}
        {{- end }}
        echo "Using worker port: $SERVER_PORT"
        exec /opt/xebialabs/deploy-task-engine/bin/run-in-container.sh \
          -name "$POD_NAME" \
          {{- if .Values.worker.podServiceTemplate.enabled }}
          {{- if or .Values.worker.podServiceTemplate.overrideHostname .Values.worker.podServiceTemplate.overrideHostnames }}
          -hostname "$OVERRIDE_HOSTNAME$HOSTNAME_SUFFIX" \
          {{- else }}
          -hostname "$POD_NAME$HOSTNAME_SUFFIX" \
          {{- end }}
          {{- end }}
          {{- include "deploy.workerMasters" $ }}
          -api "{{ include "deploy.masterLbUrl" . }}" \
          $@

  ## @param worker.extraConfiguration Configuration file content: extra configuration to be appended to deploy configuration
  ## Use this instead of `configuration` to add more configuration
  ##
  extraConfiguration: {}

  ## @param worker.extraVolumeMounts Optionally specify extra list of additional volumeMounts
  ## Examples:
  ## extraVolumeMounts:
  ##   - name: extras
  ##     mountPath: /usr/share/extras
  ##     readOnly: true
  ##
  extraVolumeMounts: [ ]
  ## @param worker.extraVolumes Optionally specify extra list of additional volumes .
  ## Example:
  ## extraVolumes:
  ##   - name: extras
  ##     emptyDir: {}
  ##
  extraVolumes: [ ]
  ## @param worker.extraSecrets Optionally specify extra secrets to be created by the chart.
  ## This can be useful when combined with load_definitions to automatically create the secret containing the definitions to be loaded.
  ## Example:
  ## extraSecrets:
  ##   load-definition:
  ##     load_definition.json: |
  ##       {
  ##         ...
  ##       }
  ##
  extraSecrets: { }
  ## @param worker.extraSecretsPrependReleaseName Set this flag to true if extraSecrets should be created with <release-name> prepended.
  ##
  extraSecretsPrependReleaseName: false

  ## @section Worker Exposure parameters
  ##

  ## Kubernetes service type for the Deploy worker
  ##
  services:
    pekko:
      ## @param worker.services.pekko.type Kubernetes Service type for the Deploy worker
      ##
      type: ClusterIP

      ## @param worker.services.pekko.portEnabled Enable Deploy worker port.
      ## Cannot be disabled when `auth.tls.enabled` is `false`.
      ## Listener can be disabled with `listeners.tcp = none`.
      ##
      portEnabled: true
      ## Service ports
      ## @param worker.services.pekko.ports.deployPekko Deploy worker Pekko port value exposed on the service
      ##
      ports:
        deployPekko: 8180
      ## Service ports name
      ## @param worker.services.pekko.portNames.deployPekko Deploy worker Pekko port name
      ## @param worker.services.pekko.portNames.deployJmxExporter Deploy worker JMX exporter port name
      ##
      portNames:
        deployPekko: "deploy-pekko"
        deployJmxExporter: "deploy-jmx"

      ## Node ports to expose
      ## @param worker.services.pekko.nodePorts.deployPekko Deploy worker Pekko port value exposed on the node (in case of NodePort service)
      ##
      nodePorts:
        deployPekko: ""
      ## @param worker.services.pekko.extraPorts Extra ports to expose in the service
      ## E.g.:
      ## extraPorts:
      ## - name: new_svc_name
      ##   port: 1234
      ##   targetPort: 1234
      ##
      extraPorts: [ ]
      ## @param worker.services.pekko.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer`
      ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ## - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: [ ]
      ## @param worker.services.pekko.externalIPs Set the ExternalIPs
      ##
      externalIPs: [ ]
      ## @param worker.services.pekko.externalTrafficPolicy Enable client source IP preservation
      ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param worker.services.pekko.loadBalancerIP Set the LoadBalancerIP
      ##
      loadBalancerIP: ""
      ## @param worker.services.pekko.clusterIP Kubernetes service Cluster IP
      ## e.g.:
      ## clusterIP: None
      ##
      clusterIP: None
      ## @extra worker.services.pekko.labels Service labels. Evaluated as a template
      ## @param worker.services.pekko.labels.app.kubernetes.io/component Label with component name
      ##
      labels:
        "app.kubernetes.io/component": worker
      ## @param worker.services.pekko.annotations Service annotations. Evaluated as a template
      ## Example:
      ## annotations:
      ##   service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
      ##
      annotations: { }
      ## @param worker.services.pekko.publishNotReadyAddresses Enable publishing of the DNS records when Pod is still not ready.
      ##
      publishNotReadyAddresses: true
      ## @param worker.services.pekko.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
      ## If "ClientIP", consecutive client requests will be directed to the same Pod
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
      ##
      sessionAffinity: None
      ## @param worker.services.pekko.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: { }

  ## Kubernetes service type that is created for each worker Pod in StatefulSet
  ##
  podServiceTemplate:
    ## @param worker.podServiceTemplate.enabled Enable Pod service template, if enabled generates for each pod dedicated service.
    ##
    enabled: false
    ## @param worker.podServiceTemplate.type Kubernetes Service type
    ##
    type: NodePort
    ## @param worker.podServiceTemplate.name Service name template, by default with dedicated pod number sufix.
    ##
    name: '{{ printf "%s-%d" (include "deploy.names.worker" $) .podNumber }}'
    ## @param worker.podServiceTemplate.serviceMode Possible values are: SingleHostname (IncrementPort, MultiService),
    ## SinglePort (IncrementHostname, MultiService), MultiService (IncrementHostname, IncrementPort), SingleService (IncrementHostname, SinglePort)
    ## it defines the number of hostnames, ports and services
    ##
    serviceMode: MultiService
    ## @param worker.podServiceTemplate.overrideHostnameSuffix together with overrideHostname composes full hostname of the exposed worker pod
    ##
    overrideHostnameSuffix: '.{{ include "common.names.namespace" . }}.svc.cluster.local'
    ## @param worker.podServiceTemplate.overrideHostname  together with overrideHostnameSuffix composes full hostname of the exposed worker pod
    ##
    overrideHostname: '{{ include "deploy.names.worker" . }}-{{ .podNumber }}'
    ## @param worker.podServiceTemplate.overrideHostnames Together with overrideHostnameSuffix composes full hostname of the exposed worker pod
    ##
    overrideHostnames: []
    ## @param worker.podServiceTemplate.portEnabled deploy port.
    ## Cannot be disabled when `auth.tls.enabled` is `false`.
    ## Listener can be disabled with `listeners.tcp = none`.
    ##
    portEnabled: true
    ## Service ports
    ## @param worker.podServiceTemplate.ports.deployPekko Deploy worker Pekko port value exposed on the service
    ##
    ports:
      deployPekko: 32185
    ## Service ports name
    ## @param worker.podServiceTemplate.portNames.deployPekko Deploy worker Pekko port name
    ##
    portNames:
      deployPekko: "deploy-pekko"

    ## Node ports to expose
    ## @param worker.podServiceTemplate.nodePorts.deployPekko Deploy worker Pekko port value exposed on the node (in case of NodePort service)
    ##
    nodePorts:
      deployPekko: 32185
    ## @param worker.podServiceTemplate.extraPorts Extra ports to expose in the service
    ## E.g.:
    ## extraPorts:
    ## - name: new_svc_name
    ##   port: 1234
    ##   targetPort: 1234
    ##
    extraPorts: [ ]
    ## @param worker.podServiceTemplate.loadBalancerSourceRanges Address(es) that are allowed when service is `LoadBalancer`
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ## - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: [ ]
    ## @param worker.podServiceTemplate.externalIPs Set the ExternalIPs
    ##
    externalIPs: [ ]
    ## @param worker.podServiceTemplate.externalTrafficPolicy Enable client source IP preservation
    ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Local
    ## @param worker.podServiceTemplate.loadBalancerIP Set the LoadBalancerIP
    ##
    loadBalancerIP: ""
    ## @param worker.podServiceTemplate.clusterIPs Kubernetes service Cluster IPs
    ## e.g.:
    ## clusterIPs: [ None ]
    ##
    clusterIPs: [ ]
    ## @extra worker.podServiceTemplate.labels Service labels. Evaluated as a template
    ## @param worker.podServiceTemplate.labels.app.kubernetes.io/component Label with component name
    ##
    labels:
      "app.kubernetes.io/component": worker
    ## @param worker.podServiceTemplate.annotations Service annotations. Evaluated as a template
    ## Example:
    ## annotations:
    ##   service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
    ##
    annotations: { }
    ## @param worker.podServiceTemplate.publishNotReadyAddresses Enable publishing of the DNS records when Pod is still not ready.
    ##
    publishNotReadyAddresses: true
    ## @param worker.podServiceTemplate.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param worker.podServiceTemplate.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: { }
    ## @extra worker.podServiceTemplate.podLabels Deploy worker Pod labels. Evaluated as a template
    ## @param worker.podServiceTemplate.podLabels.statefulset.kubernetes.io/pod-name The name of pod put in the service label
    ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
    ##
    podLabels:
      statefulset.kubernetes.io/pod-name: '{{ printf "%s-%d" (include "deploy.names.worker" $) .podNumber }}'

## @section Deploy Network Policy configuration
##

## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
  ##
  enabled: false
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## client label will have network access to the port deploy is listening
  ## on. When true, deploy will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.additionalRules Additional NetworkPolicy Ingress "from" rules to set. Note that all rules are OR-ed.
  ## e.g:
  ## additionalRules:
  ##  - matchLabels:
  ##    - role: frontend
  ##  - matchExpressions:
  ##    - key: role
  ##      operator: In
  ##      values:
  ##        - frontend
  ##
  additionalRules: []

## @section Deploy Metrics Parameters
##

## Metrics
##
metrics:
  ## @param metrics.enabled Enable exposing Deploy metrics to be gathered.
  ## Flag to expose internal and system metrics over Java Management Extensions (JMX).
  ## This is to enable the use of monitoring systems that can read JMX data, with XL Products.
  ##
  enabled: false

## @section Deploy OIDC parameters
##

oidc:
  ## @param oidc.enabled Enable the OIDC configuration
  enabled: false
  ## @param oidc.clientId Client ID
  clientId:
  ## @param oidc.clientSecret Client secret
  clientSecret:
  ## @param oidc.clientAuthMethod Client authentication method
  clientAuthMethod:
  clientAuthJwt:
    ## @param oidc.clientAuthJwt.enable Enable Client Authentication Using private_key_jwt
    enable: false
    ## @param oidc.clientAuthJwt.jwsAlg Expected JSON Web Algorithm
    jwsAlg:
    ## @param oidc.clientAuthJwt.tokenKeyId Token key identifier 'kid' header - set it if your OpenID Connect provider requires it
    tokenKeyId:
    keyStore:
      ## @param oidc.clientAuthJwt.keyStore.enable Enable keystore
      enable: false
      ## @param oidc.clientAuthJwt.keyStore.path The key store file path
      path:
      ## @param oidc.clientAuthJwt.keyStore.password The key store password
      password:
      ## @param oidc.clientAuthJwt.keyStore.type The type of keystore
      type:
    key:
      ## @param oidc.clientAuthJwt.key.enable Enable private key
      enable: false
      ## @param oidc.clientAuthJwt.key.alias Private key alias inside the key store
      alias:
      ## @param oidc.clientAuthJwt.key.password Private key password
      password:
  ## @param oidc.emailClaim Email claim
  emailClaim:
  ## @param oidc.issuer OpenID Provider Issuer here
  issuer:
  ## @param oidc.keyRetrievalUri The jwks_uri to retrieve keys
  keyRetrievalUri:
  ## @param oidc.accessTokenUri The redirect URI to use for returning the access token
  accessTokenUri:
  ## @param oidc.userAuthorizationUri The authorize endpoint to request tokens or authorization codes via the browser
  userAuthorizationUri:
  ## @param oidc.logoutUri The logout endpoint to revoke token via the browser
  logoutUri:
  ## @param oidc.redirectUri The redirectUri endpoint must always point to the /login/external-login Deploy endpoint.
  ## The redirectUri is an endpoint where authentication responses can be sent and received by Deploy.
  ## It must exactly match one of the redirect_uris you registered in the OKTA and Azure AD portal and it must be URL encoded.
  ## For Keycloak you can register a pattern for redirect_uri from the Keycloak Admin Panel.
  ## For example, you can provide a mask such as: http://example.com/mask** that matches http://example.com/mask/ or http://example.com/mask.
  redirectUri:
  ## @param oidc.postLogoutRedirectUri If you need to redirect to the login page after logout, you can use your redirectUri as the postLogoutRedirectUri
  postLogoutRedirectUri:
  ## @param oidc.rolesClaimName Roles claim
  rolesClaimName:
  ## @param oidc.userNameClaimName A unique username for both internal and external users.
  ## You cannot sign in with a user if a local account with the same username exists.
  userNameClaimName:
  ## @param oidc.scopes Fields described here must be present in the scope.
  scopes:
  ## @param oidc.idTokenJWSAlg The ID token signature verification algorithm
  idTokenJWSAlg:
  accessToken:
    ## @param oidc.accessToken.enable Enable access token
    enable: false
    ## @param oidc.accessToken.issuer Expected issuer 'iss' claim value
    issuer:
    ## @param oidc.accessToken.audience Expected audience 'aud' claim value
    audience:
    ## @param oidc.accessToken.keyRetrievalUri The jwks_uri to retrieve keys for the token
    keyRetrievalUri:
    ## @param oidc.accessToken.jwsAlg Expected JSON Web Algorithm
    jwsAlg:
    ## @param oidc.accessToken.secretKey The secret key if MAC based algorithms is used for the token
    secretKey:
  ## @param oidc.loginMethodDescription Description of the method used
  loginMethodDescription:
  ## @param oidc.proxyHost Proxy host
  proxyHost:
  ## @param oidc.proxyPort Proxy port
  proxyPort:

## @section Deploy Common parameters
##

## @param nameOverride String to partially override deploy.fullname template (will maintain the deploy name)
##
nameOverride: ""
## @param fullnameOverride String to fully override deploy.fullname template
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param clusterDomain Kubernetes Cluster Domain
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the deploy
##
extraDeploy: [ ]
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: { }

## @param commonLabels Labels to add to all deployed objects
## Eg. app.kubernetes.io/version: "{{ .Chart.AppVersion }}"
##
commonLabels: { }

## @section Ingress parameters
##

## Configure the ingress resource that allows you to access the
## deploy installation. Set up the URL
## ref: https://kubernetes.io/docs/user-guide/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress resource for Management console
  ##
  enabled: false

  ## @param ingress.path Path for the default host. You may need to set this to '/*' in order to use this with ALB ingress controllers.
  ##
  path: /

  ## @param ingress.pathType Ingress path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.hostname Default host for the ingress resource
  ##
  hostname: ""
  ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ##
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  ## - generic
  ##  ingress.kubernetes.io/tls-acme: "true"
  ##
  ## nginx
  ## kubernetes.io/ingress.class: "nginx-daid"
  ## nginx.ingress.kubernetes.io/ssl-redirect: "false"
  ## nginx.ingress.kubernetes.io/rewrite-target: /
  ## nginx.ingress.kubernetes.io/affinity: cookie
  ## nginx.ingress.kubernetes.io/session-cookie-name: ROUTE
  ## nginx.ingress.kubernetes.io/proxy-body-size: "0"
  ## nginx.ingress.kubernetes.io/proxy-connect-timeout: "120"
  ## nginx.ingress.kubernetes.io/proxy-read-timeout: "120"
  ## nginx.ingress.kubernetes.io/proxy-send-timeout: "120"
  ##
  ## haproxy
  ## kubernetes.io/ingress.class: "haproxy-daid"
  ## haproxy-ingress.github.io/ssl-redirect: "false"
  ## haproxy-ingress.github.io/rewrite-target: /
  ## haproxy-ingress.github.io/affinity: cookie
  ## haproxy-ingress.github.io/session-cookie-name: SESSION_XLD
  ## haproxy-ingress.github.io/session-cookie-strategy: prefix
  ## haproxy-ingress.github.io/timeout-client: "120s"
  ## haproxy-ingress.github.io/timeout-http-request: "120s"
  ##
  annotations:

  ## @param ingress.tls Enable TLS configuration for the hostname defined at `ingress.hostname` parameter
  ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-ingress-tls" .Values.ingress.hostname }}
  ## You can:
  ##   - Use the `ingress.secrets` parameter to create this TLS secret
  ##   - Relay on cert-manager to create it by setting the corresponding annotations
  ##   - Relay on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Set this to true in order to create a TLS secret for this ingress record
  ## using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## e.g:
  ## extraHosts:
  ##   - name: release.local
  ##     path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
  ## e.g:
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraRules The list of additional rules to be added to this ingress record. Evaluated as a template
  ## Useful when looking for additional customization, such as using different backend
  ##
  extraRules: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## e.g:
  ## extraTls:
  ##   - hosts:
  ##       - release.local
  ##     secretName: release.local-ingress-tls
  ##
  extraTls: []
  ## @param ingress.secrets Custom TLS certificates as secrets
  ## NOTE: 'key' and 'certificate' are expected in PEM format
  ## NOTE: 'name' should line up with a 'secretName' set further up
  ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
  ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## secrets:
  ##   - name: release.local-ingress-tls
  ##     key: |-
  ##       -----BEGIN RSA PRIVATE KEY-----
  ##       ...
  ##       -----END RSA PRIVATE KEY-----
  ##     certificate: |-
  ##       -----BEGIN CERTIFICATE-----
  ##       ...
  ##       -----END CERTIFICATE-----
  ##
  secrets: []
  ## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster .
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""

## @section OpenShift Route parameters
##

route:
  ## @param route.enabled Enable route resource
  ##
  enabled: false
  ## @param route.path Path for the default host.
  ##
  path: /
  ## @param route.hostname Default host for the route resource
  ##
  hostname: ""
  ## @extra route.annotations Additional annotations for the route resource.
  ## @skip route.annotations
  annotations:
    haproxy.router.openshift.io/cookie_name: SESSION_XLD
    haproxy.router.openshift.io/disable_cookies: "false"
    haproxy.router.openshift.io/rewrite-target: /
  tls:
    ## @param route.tls.enabled Enable the route TLS configuration
    enabled: false
    ## @param route.tls.secretName Name of the secret to use with Route TLS setup
    secretName: ""
    ## @param route.tls.key key in PEM-encoded format
    key: ""
    ## @param route.tls.certificate certificate in PEM-encoded format
    certificate: ""
    ## @param route.tls.caCertificate CA certificate in a PEM-encoded format
    caCertificate: ""
    ## @param route.tls.destinationCACertificate destination CA certificate in a PEM-encoded format (the Deploy master certificate)
    destinationCACertificate: ""
    ## @param route.tls.insecureEdgeTerminationPolicy Redirect HTTP to HTTPS. The only valid values are None, Redirect, or empty for disabled.
    insecureEdgeTerminationPolicy: ""
    ## @param route.tls.termination The accepted values are edge, passthrough and reencrypt.
    ## All other values are silently ignored.
    ## When the annotation value is unset, edge is the default route.
    ## The TLS certificate details must be defined in the template file to implement the default edge route.
    termination: edge
    ## @param route.tls.selfSigned if set to `true` the key and certificate will be auto generated and set in the route configuration
    selfSigned: false

## @section Deploy RBAC parameters
##

## deploy pods ServiceAccount
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
##
serviceAccount:
  ## @param serviceAccount.create Enable creation of ServiceAccount for deploy pods
  ##
  create: true
  ## @param serviceAccount.name Name of the created serviceAccount
  ## If not set and create is true, a name is generated using the deploy.fullname template
  ##
  name: ""
  ## @param serviceAccount.automountServiceAccountToken Auto-mount the service account token in the pod
  ##
  automountServiceAccountToken: true
  ## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
  ##
  annotations: { }

## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
##
rbac:
  ## @param rbac.create Whether RBAC rules should be created
  ## binding deploy ServiceAccount to a role
  ## that allows deploy pods querying the K8s API
  ##
  create: true

## @section Deploy Busy-box parameters
##

## @param busyBox.image.registry busyBox container image registry
## @param busyBox.image.repository busyBox container image repository
## @param busyBox.image.tag busyBox container image tag
## @param busyBox.image.pullPolicy busyBox container image pull policy
## @param busyBox.image.pullSecrets Specify docker-registry secret names as an array
##
busyBox:
  image:
    registry: docker.io
    repository: library/busybox
    tag: stable
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets (secrets must be manually created in the namespace)
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []

## @section Ingress HAProxy
##

## Install haproxy subchart. If you have haproxy already installed, set 'install' to 'false'.
## If you have any other ingress controller installed, you can set the 'install' to 'false'.
haproxy-ingress:
  ## @param haproxy-ingress.install Enable Haproxy Ingress helm subchart installation
  install: false
  controller:
    ## @param haproxy-ingress.controller.ingressClass Name of the ingress class to route through this controller
    ##
    ingressClass: haproxy-daid
    service:
      ## @param haproxy-ingress.controller.service.type Kubernetes Service type for Controller
      ##
      type: LoadBalancer
    ## @param haproxy-ingress.controller.legacySecurityContext Use latest security context implementation
    legacySecurityContext: false
    ## @param haproxy-ingress.controller.securityContext.allowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process
    ## @param haproxy-ingress.controller.securityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only
    ## @extra haproxy-ingress.controller.securityContext.seccompProfile Set deploy container's Security Context seccompProfile
    ## @skip haproxy-ingress.controller.securityContext.seccompProfile
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault
    ## @extra haproxy-ingress.controller.extraVolumes set empty-dir volume
    ## @skip haproxy-ingress.controller.extraVolumes
    extraVolumes: 
    - name: empty-dir
      emptyDir: {}
    ## @extra haproxy-ingress.controller.extraVolumeMounts set empty-dir volume mounts to have wrtieable paths
    ## @skip haproxy-ingress.controller.extraVolumeMounts
    extraVolumeMounts: 
    - name: empty-dir
      mountPath: /etc/haproxy
      subPath: haproxy
    - name: empty-dir
      mountPath: /var/lib/haproxy
      subPath: haproxy
    - name: empty-dir
      mountPath: /var/run/haproxy
      subPath: haproxy

## @section Ingress Nginx
##

## Install nginx subchart. If you have nginx already installed, set 'install' to 'false'.
## If you have any other ingress controller installed, you can set the 'install' to 'false'.
## Ref: https://github.com/bitnami/charts/blob/master/bitnami/nginx-ingress-controller/README.md
nginx-ingress-controller:
  ## @param nginx-ingress-controller.install Enable NGINX Ingress Controller helm subchart installation
  install: false
  ## @param nginx-ingress-controller.image.tag NGINX Ingress Controller image tag (immutable tags are recommended)
  image:
    tag: 1.11.3-debian-12-r1
  ## Default 404 backend
  ##
  defaultBackend:
    ## @param nginx-ingress-controller.defaultBackend.image.tag Default backend image tag (immutable tags are recommended)
    image:
      tag: 1.27.2-debian-12-r1
  ## @extra nginx-ingress-controller.extraArgs Additional command line arguments to pass to nginx-ingress-controller
  ## E.g. to specify the default SSL certificate you can use
  ## extraArgs:
  ##   default-ssl-certificate: "<namespace>/<secret_name>"
  ##   ingress-class: nginx
  ##
  extraArgs:
    ## @param nginx-ingress-controller.extraArgs.ingress-class Name of the IngressClass resource
    ingress-class: "nginx-daid"
  ## Configuring this doesn't affect `kubernetes.io/ingress.class` annotation. See `extraArgs` below how to configure processing of custom annotation.
  ## @param nginx-ingress-controller.ingressClassResource.name Name of the IngressClass resource
  ## @param nginx-ingress-controller.ingressClassResource.controllerClass IngressClass identifier for the controller
  ##
  ingressClassResource:
    controllerClass: "k8s.io/ingress-nginx-daid"
    name: "nginx-daid"
  ## @param nginx-ingress-controller.replicaCount Desired number of Controller pods
  ##
  replicaCount: 1
  ## @section Traffic exposure parameters

  ## Service parameters
  ##
  service:
    ## @param nginx-ingress-controller.service.type Kubernetes Service type for Controller
    ##
    type: LoadBalancer

## @section Postgresql
##

## Ref: https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md
## Install postgresql chart. If you have an existing database deployment, set 'install' to 'false'.
postgresql:
  ## @param postgresql.install Enable PostgreSQL helm subchart installation
  install: true
  ## @param postgresql.image.tag PostgreSQL image tag (immutable tags are recommended)
  image:
    tag: 16.3.0-debian-12-r23
  ## @param postgresql.hasReport Indicating that reporting database is enabled
  ##
  hasReport: true

  ## @section PostgreSQL Primary parameters
  ##

  primary:
    ## Initdb configuration
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments
    ##
    initdb:
      ## @param postgresql.primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information)
      ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap`
      ##
      scriptsSecret: '{{ include "postgresql.v1.primary.fullname" . }}-deploy'
    ## @param postgresql.primary.configuration Extended PostgreSQL Primary configuration (appended to main or default configuration)
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf
    ##
    configuration: |-
      port = '5432'
      wal_level = 'replica'
      max_wal_size = '400MB'
      max_wal_senders = '16'
      wal_keep_size = '128MB'
      hot_standby = 'on'
      fsync = 'on'
      shared_preload_libraries = 'pgaudit'
      pgaudit.log_catalog = 'off'
      log_connections = 'false'
      log_disconnections = 'false'
      log_hostname = 'false'
      client_min_messages = 'error'
      listen_addresses = '*'
      max_connections = 300
      shared_buffers = 80MB

    ## PostgreSQL Primary resource requests and limits
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## @param postgresql.primary.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if primary.resources is set (primary.resources is recommended for production).
    ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
    ##
    resourcesPreset: "medium"
    ## PostgreSQL Primary persistence configuration
    ##
    persistence:
      ## @param postgresql.primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC
      ##
      enabled: true
      ## @param postgresql.primary.persistence.accessModes PVC Access Mode for PostgreSQL volume
      ##
      accessModes:
        - ReadWriteOnce
      ## @param postgresql.primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume
      ## If defined, storageClassName: <storageClass>
      ## If set to "-", storageClassName: "", which disables dynamic provisioning
      ## If undefined (the default) or set to null, no storageClassName spec is
      ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
      ##   GKE, AWS & OpenStack)
      ##
      storageClass: ""
      ## @param postgresql.primary.persistence.size PVC Storage Request for PostgreSQL volume
      ##
      size: 8Gi
      ## @param postgresql.primary.persistence.existingClaim Name of an existing PVC to use
      ##
      existingClaim: ""

    ## PostgreSQL Primary service configuration
    ##
    service:
      ## @param postgresql.primary.service.ports.postgresql PostgreSQL service port
      ##
      ports:
        postgresql: 5432
      ## @param postgresql.primary.service.type Kubernetes Service type
      ##
      type: ClusterIP

  ## @section Postgresql Authentication parameters
  ##

  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run
  ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run
  ##
  auth:
    ## @param postgresql.auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user
    ##
    enablePostgresUser: true
    ## @param postgresql.auth.username Name for a custom user to create
    ##
    username: postgres
    ## @param postgresql.auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` is provided
    ##
    postgresPassword: postgres
  ## Service account for PostgreSQL to use.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param postgresql.serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod
    ##
    create: true

  ## @section Postgresql Volume Permissions parameters
  ##

  ## Init containers parameters:
  ## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node
  ##
  volumePermissions:
    ## @param postgresql.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume
    ##
    enabled: true
    ## @param postgresql.volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
    image:
      tag: 12-debian-12-r31

    ## @param postgresql.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Controls whether a process can gain more privileges than its parent process
    ## @param postgresql.volumePermissions.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only    
    ## @param postgresql.volumePermissions.containerSecurityContext.runAsUser User ID for the init container
    ## @param postgresql.volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
    ## @param postgresql.volumePermissions.containerSecurityContext.runAsNonRoot Set volume permissions init container's Security Context runAsNonRoot
    ## @extra postgresql.volumePermissions.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
    ## @skip postgresql.volumePermissions.containerSecurityContext.seccompProfile
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsUser: 0
      runAsGroup: 0
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault

## @section RabbitMQ
##

## Install rabbitmq chart. If you have an existing message queue deployment, set 'install' to 'false'.
## ref: https://github.com/bitnami/charts/blob/master/bitnami/rabbitmq/README.md
rabbitmq:
  ## @param rabbitmq.install Enable Rabbitmq helm subchart installation
  install: true
  ## @param rabbitmq.image.tag RabbitMQ image tag (immutable tags are recommended)
  image:
    tag: 3.13.7-debian-12-r5
  ## Clustering settings
  ##
  clustering:
    ## @param rabbitmq.clustering.forceBoot Force boot of an unexpectedly shut down cluster (in an unexpected order).
    ## forceBoot executes 'rabbitmqctl force_boot' to force boot cluster shut down unexpectedly in an unknown order
    ## ref: https://www.rabbitmq.com/rabbitmqctl.8.html#force_boot
    ##
    forceBoot: true
  ## @param rabbitmq.replicaCount Number of RabbitMQ replicas to deploy
  ##
  replicaCount: 3
  ## RabbitMQ Authentication parameters
  ##
  auth:
    ## @param rabbitmq.auth.username RabbitMQ application username
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
    ##
    username: guest
    ## @param rabbitmq.auth.password RabbitMQ application password
    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
    ##
    password: guest
    ## @param rabbitmq.auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key)
    ## e.g:
    ## existingErlangSecret: name-of-existing-secret
    ##
    existingErlangSecret: '{{ include "common.names.fullname" . }}-deploy'
  ## @param rabbitmq.extraPlugins Extra plugins to enable (single string containing a space-separated list)
  ## Use this instead of `plugins` to add new plugins
  ##
  extraPlugins: 'rabbitmq_jms_topic_exchange'
  ## Loading a RabbitMQ definitions file to configure RabbitMQ
  ##
  loadDefinition:
    ## @param rabbitmq.loadDefinition.enabled Enable loading a RabbitMQ definitions file to configure RabbitMQ
    ##
    enabled: true
    ## @param rabbitmq.loadDefinition.file Name of the definitions file
    ##
    file: /app/deploy_load_definition.json
    ## @param rabbitmq.loadDefinition.existingSecret Existing secret with the load definitions file
    ## Can be templated if needed, e.g:
    ## existingSecret: "{{ .Release.Name }}-load-definition"
    ##
    existingSecret: '{{ include "common.names.fullname" . }}-deploy'
  ## @param rabbitmq.extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration
  ## Use this instead of `configuration` to add more configuration
  ## Do not use simultaneously with `extraConfigurationExistingSecret`
  ##
  extraConfiguration: |
    raft.wal_max_size_bytes = 1048576

  ## @section RabbitMQ persistence parameters
  ##
  persistence:
    ## @param rabbitmq.persistence.enabled Enable RabbitMQ data persistence using PVC
    ##
    enabled: true
    ## @param rabbitmq.persistence.accessModes PVC Access Modes for RabbitMQ data volume
    ##
    accessModes:
      - ReadWriteOnce
    ## @param rabbitmq.persistence.storageClass PVC Storage Class for RabbitMQ data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param rabbitmq.persistence.size PVC Storage Request for RabbitMQ data volume
    ## If you change this value, you might have to adjust `rabbitmq.diskFreeLimit` as well
    ##
    size: 8Gi

  ## @param rabbitmq.containerSecurityContext.allowPrivilegeEscalation Set volume permissions init container's Security Context allowPrivilegeEscalation
  ## @param rabbitmq.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only
  ## @extra rabbitmq.containerSecurityContext.capabilities Set volume permissions init container's Security Context capabilities
  ## @skip rabbitmq.containerSecurityContext.capabilities
  ## @extra rabbitmq.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
  ## @skip rabbitmq.containerSecurityContext.seccompProfile
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
      - ALL
    seccompProfile:
      type: RuntimeDefault

  ## @section RabbitMQ Exposure parameters
  ##

  ## Kubernetes service type
  ##
  service:
    ## @param rabbitmq.service.type Kubernetes Service type
    ##
    type: ClusterIP

  ## @section RabbitMQ Init Container Parameters
  ##

  ## Init Container parameters
  ## Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each component
  ## values from the securityContext section of the component
  ##
  volumePermissions:
    ## @param rabbitmq.volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume(s) mountpoint to `runAsUser:fsGroup`
    ##
    enabled: true
    ## @param rabbitmq.volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended)
    image:
      tag: 12-debian-12-r31

    ## Init container' Security Context
    ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser
    ## and not the below volumePermissions.containerSecurityContext.runAsUser
    ## @param rabbitmq.volumePermissions.containerSecurityContext.allowPrivilegeEscalation Set volume permissions init container's Security Context allowPrivilegeEscalation
    ## @param rabbitmq.volumePermissions.containerSecurityContext.readOnlyRootFilesystem Mounts the container's root filesystem as read-only
    ## @param rabbitmq.volumePermissions.containerSecurityContext.runAsUser User ID for the init container
    ## @param rabbitmq.volumePermissions.containerSecurityContext.runAsGroup Group ID for the init container
    ## @param rabbitmq.volumePermissions.containerSecurityContext.runAsNonRoot Set volume permissions init container's Security Context runAsNonRoot
    ## @extra rabbitmq.volumePermissions.containerSecurityContext.seccompProfile Set volume permissions init container's Security Context seccompProfile
    ## @skip rabbitmq.volumePermissions.containerSecurityContext.seccompProfile
    containerSecurityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      runAsUser: 0
      runAsGroup: 0
      runAsNonRoot: false
      seccompProfile:
        type: RuntimeDefault