This repository is intended to store a helm chart to create a cluster of Sonatype IQ Server nodes.
- A copy of the helm chart
- A Sonatype IQ Server license that supports the High Availability (HA) feature
- kubectl (1.23+) to run commands against a Kubernetes cluster
- helm (3.9.3+) to install or upgrade the helm chart
- A PostgreSQL (10.7 or newer) database or a PostgreSQL-compatible service
- A Kubernetes cluster to run the helm chart on
- A shared file system to share files between all Sonatype IQ Server pods in the cluster
- A load balancer to distribute requests between the Sonatype IQ Server pods
- A storage class for dynamic provisioning
- Start your Kubernetes cluster if needed
- Open a console/terminal
- Switch to the correct context to use your cluster if needed (e.g. kubectl config use-context my-context)
- Add the helm chart repository via helm repo add sonatype https://sonatype.github.io/helm3-charts/
- Install the helm chart via helm install --namespace <namespace> <name> --dependency-update <overrides> sonatype/nexus-iq-server-ha --version <version> where
  - <namespace> can be an existing namespace for the helm chart (created prior via kubectl create namespace <namespace>), or to create it automatically include the flag --create-namespace
  - <name> can be any name for the helm chart
  - <overrides> is a set of overrides for values in the helm chart (see below)
  - <version> is the version of the helm chart to use
- Expose the ingress if needed, which uses port 80 for http and port 443 for https by default
A Sonatype IQ Server license that supports the HA feature must be installed either before the cluster starts or as it is starting to allow multiple pods to start successfully.
The license file can either be passed directly via
--set-file iq_server.license=<license file>
where <license file> is the path to your Sonatype IQ Server product license file, or via an existing secret
--set iq_server.licenseSecret=<license secret>
An existing database can be configured as follows
--set iq_server.database.hostname=<database hostname>
--set iq_server.database.port=<database port>
--set iq_server.database.name=<database name>
--set iq_server.database.username=<database username>
The database password can either be passed directly
--set iq_server.database.password=<database password>
or via an existing secret
--set iq_server.database.passwordSecret=<database password secret>
By default, the helm chart will create both a Persistent Volume (PV) using the configured storage and a corresponding Persistent Volume Claim (PVC).
However, there are various configuration options.
- If a PV is created, then it will match the configuration.
- If a PVC is created, then it will only bind to a PV that satisfies the configuration.
The capacity or size can be set via
--set iq_server.persistence.size=<storage size, default "1Gi">
The access mode(s) can be set via
--set iq_server.persistence.accessModes[0]=<access mode, default "ReadWriteMany">
Note that this should correspond to the type of PV being used.
If you have multiple nodes in your Kubernetes cluster, and a Sonatype IQ Server pod is running on 2 or more of them, then this must be set to ReadWriteMany and you must use a type of PV that supports it.
The storage class name can be set via
--set iq_server.persistence.storageClassName=<storage class name, default "">
The type can be configured as follows.
Note that a PV can only have one type, so if multiple are configured, then only one will be used. The types are listed below in priority order: a type listed earlier is chosen over a type listed later.
- csi
--set iq_server.persistence.csi.driver=<csi driver name> --set iq_server.persistence.csi.fsType=<filesystem type> --set iq_server.persistence.csi.volumeHandle=<volume handle> --set iq_server.persistence.csi.volumeAttributes=<volume attributes>
- nfs
--set iq_server.persistence.nfs.server=<nfs server hostname> --set iq_server.persistence.nfs.path=<nfs server path, default "/">
If you have an existing PV and PVC you wish to use, then you only need to set the PVC via
--set iq_server.persistence.existingPersistentVolumeClaimName=<existing persistent volume claim name>
If you have an existing PV you wish to use, then you can set the PV via
--set iq_server.persistence.existingPersistentVolumeName=<existing persistent volume name>
However, you may need to configure the PVC that will be created to allow it to bind to the PV using the previously mentioned configuration options.
An ingress can be enabled with a particular class name to use an existing load balancer as follows
--set ingress.enabled=<true|false, default false>
--set ingress.ingressClassName=<ingress class name, default "nginx">
--set ingress.pathType=<ingress path type, default "Prefix">
--set ingress.hostApplicationPath=<application path, default iq_server.config.server.applicationContextPath>
--set ingress.hostAdminPath=<admin path, default iq_server.config.server.adminContextPath>
--set ingress.hostApplication=<application hostname>
--set ingress.hostAdmin=<admin hostname>
--set ingress.annotations=<ingress annotations>
Note that if you want both the application and admin endpoints to be accessible, then they will need to be set to have either different hostnames via e.g.
--set iq_server.config.server.hostApplication="app.domain"
--set iq_server.config.server.hostAdmin="admin.domain"
or different paths via e.g.
--set iq_server.config.server.applicationContextPath="/"
--set iq_server.config.server.adminContextPath="/admin"
Note that if no hostnames are specified, then any web traffic to the IP address of your ingress controller can be matched without a name based virtual host being required.
If your ingress class supports specifying TLS options directly based on your ingress controller, then you can specify them as follows.
A TLS certificate and private key can either be passed directly
--set ingress.tls[0].certificate=<tls certificate file>
--set ingress.tls[0].key=<tls private key file>
where <tls certificate file> is the path to your TLS certificate file and <tls private key file> is the path to your TLS private key file, or via an existing secret
--set ingress.tls[0].secretName=<tls secret name>
The TLS secret must contain keys named tls.cert for the TLS certificate and tls.key for the TLS private key.
Additionally multiple hosts can be specified as follows
--set ingress.tls[0].hosts[0]=<tls hostname>
Alternatively some ingress classes may support specifying TLS options through annotations.
DNS records can be automatically managed using ExternalDNS based on an ingress. This is included in the chart and can be enabled via
--set externalDns.enabled=true
and configured via
--set externalDns.args=<array of arguments>
The number of pods can be specified as follows
--set iq_server.replicas=<number of pods, default 2>
The initial admin password can either be passed directly
--set iq_server.initialAdminPassword=<initial admin password>
or via an existing secret
--set iq_server.initialAdminPasswordSecret=<initial admin password secret>
If planning to use ssh for git operations, enable the following flag to generate a private/public key pair. You can retrieve the public key from the pod at /.ssh/id_rsa.pub.
--set iq_server.useGitSsh=<true/false>
A config.yml file is required to run. This is generated using the iq_server.config value. Care should be taken if updating this, as many values within it are fine-tuned to allow the helm chart to function.
Each Sonatype IQ Server pod has a container running Sonatype IQ Server, which by default outputs the following log files to /var/log/nexus-iq-server:
- clm-server.log
- request.log
- audit.log
- policy-violation.log
- stderr.log
A fluentd sidecar container in the same pod tails these log files and forwards the content to a fluentd daemonset aggregator.
For each log file, the aggregator combines its content from each pod into an aggregated log file in ndjson format, which is output with the current date to the shared file system PV, by default under /log, such that you end up with
- clm-server.<yyyyMMdd>.log
- request.<yyyyMMdd>.log
- audit.<yyyyMMdd>.log
- policy-violation.<yyyyMMdd>.log
- stderr.<yyyyMMdd>.log
where <yyyyMMdd> is the current date.
The aggregate log files may be required for a support request and by default will be included when generating a support zip, inside a top-level cluster_log directory.
By default, aggregate log files that have a last modified time older than 50 days are scheduled to be deleted every day at 1 am. This can be customized as follows
--set aggregateLogFileRetention.deleteCron=<Cron schedule expression, default "0 1 * * *">
--set aggregateLogFileRetention.maxLastModifiedDays=<max last modified time in days, default 50>
Note that setting aggregateLogFileRetention.maxLastModifiedDays to 0 disables deletion.
Note that the fluentd daemonset aggregator has separate settings for its PVC and should normally be configured to use the same PVC as the Sonatype IQ Server pods as follows
--set fluentd.aggregator.extraVolumes[0].name="iq-server-pod-volume"
--set fluentd.aggregator.extraVolumes[0].persistentVolumeClaim.claimName=<PVC name, default "iq-server-pvc">
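The retention rule above (aggregate files whose last-modified time is older than maxLastModifiedDays are deleted on the deleteCron schedule, and 0 disables deletion) is easy to misjudge for the audit and policy-violation logs that a support request or an investigation may later need. The following script is an added example, not a script shipped with the chart: it reproduces the rule against a directory laid out like the PV's /log so the effect of a new value can be checked before the nightly job applies it. The function names, the dry-run argument and the constructed sample file ages are this example's own; it assumes GNU find, touch and date.

```shell
#!/bin/sh
# Added example, not part of the chart. Simulates the aggregate log retention
# rule (delete <name>.<yyyyMMdd>.log files whose last-modified time is older
# than aggregateLogFileRetention.maxLastModifiedDays; 0 means never delete).
# Assumes GNU find/touch/date.

# List aggregate log files in $1 older than $2 days, one path per line, sorted.
# A max of 0 prints nothing, mirroring "0 disables deletion".
list_expired_logs() {
    dir="$1"
    max_days="$2"
    case "$max_days" in
        ''|*[!0-9]*) echo "max_days must be a non-negative integer" >&2; return 2 ;;
    esac
    if [ "$max_days" -eq 0 ]; then
        return 0
    fi
    # -mtime +N selects files last modified more than N whole days ago.
    find "$dir" -maxdepth 1 -type f -name '*.[0-9]*.log' -mtime +"$max_days" | sort
}

# Number of files the rule would delete for the given max_days.
count_expired() {
    list_expired_logs "$1" "$2" | wc -l | tr -d ' '
}

# Delete what list_expired_logs reports; pass "dry" as $3 to only print paths.
prune_expired_logs() {
    list_expired_logs "$1" "$2" | while IFS= read -r f; do
        if [ "${3:-}" = dry ]; then
            echo "would delete $f"
        else
            rm -f -- "$f"
        fi
    done
}

# Constructed sample: the five aggregate files for 0, 10 and 60 days ago,
# which exercises the chart default of 50 days.
make_sample_logs() {
    dir="$1"
    mkdir -p "$dir"
    for age in 0 10 60; do
        day=$(date -u -d "$age days ago" +%Y%m%d)
        for name in clm-server request audit policy-violation stderr; do
            : > "$dir/$name.$day.log"
            touch -d "$age days ago" "$dir/$name.$day.log"
        done
    done
}
```

Run `prune_expired_logs /path/to/log 50 dry` against a copy of the aggregate directory to see exactly which dated files a candidate value would remove; only the aggregate naming pattern is matched, so the per-pod live logs are never touched.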
By default, the latest publicly available Sonatype IQ Server docker image will be used.
The image registry, image, tag, and imagePullPolicy can be overridden using
--set iq_server.imageRegistry=<image registry, default nil meaning use the Docker public registry>
--set iq_server.image=<image, default "sonatype/nexus-iq-server">
--set iq_server.tag=<tag, default most recent version of Sonatype IQ Server>
--set iq_server.imagePullPolicy=<imagePullPolicy, default "IfNotPresent">
- Relational Database Service (RDS) for PostgreSQL for a PostgreSQL database
- Elastic Kubernetes Service (EKS) for a cluster
- Elastic File System (EFS) with mount targets for a shared file system
- Application Load Balancer (ALB) for a load balancer
- Virtual Private Cloud for the AWS resources to communicate with each other
- Amazon EFS CSI driver pre-installed and configured in the cluster
- EFS Storage Class pre-installed and configured in the cluster for dynamic provisioning
- AWS Load Balancer Controller add-on pre-installed and configured in the cluster to automatically provision an ALB based on an ingress
- ExternalDNS pre-installed/enabled and configured in the cluster to automatically provision DNS records for AWS Route 53 based on an ingress
- Kubernetes Secrets Store CSI Driver pre-installed and configured in the cluster to enable AWS Secrets Manager access, i.e. via
  ```shell
  helm repo add secrets-store-csi-driver https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
  helm repo update
  helm upgrade --install --namespace kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set grpcSupportedProviders="aws" --set syncSecret.enabled=true
  kubectl apply -f https://raw.githubusercontent.com/aws/secrets-store-csi-driver-provider-aws/main/deployment/aws-provider-installer.yaml
  ```
- AWS CloudWatch configuration for fluentd to send aggregated logs to
- aws-vault pre-installed and configured to ease authentication, in which case prefix the aws/kubectl/helm commands below with aws-vault exec <aws-profile> -- <command>
An existing EKS cluster is required to run the helm chart on.
To look up existing clusters, run
aws eks --region <aws_region> list-clusters
To import the context for a cluster into your kubeconfig file, run
aws eks --region <aws_region> update-kubeconfig --name <cluster_name>
An existing EFS drive with mount targets can be used for the PV.
The PV can be provisioned statically or dynamically.
In either case, a CSI volume should be configured with
--set iq_server.persistence.csi.driver="efs.csi.aws.com"
--set iq_server.persistence.csi.fsType=""
and the access modes should be set as follows
--set iq_server.persistence.accessModes[0]="ReadWriteMany"
To statically provision the PV use the following
--set iq_server.persistence.csi.volumeHandle=<EFS file system ID>[:<EFS file system path>]
where <EFS file system ID> is your EFS file system ID, which typically looks like e.g. "fs-0ac8d13f38bfc99df", and <EFS file system path> is an optional path into the file system, e.g. ":/".
To dynamically provision the PV via an EFS storage class use the following
--set iq_server.persistence.persistentVolumeName=""
--set iq_server.persistence.storageClassName=<EFS storage class name>
The AWS Secrets Manager can be used to store AWS secrets, which can be used to pass the following
- The product license file
--set secret.license.arn=<aws secret arn containing product license file binary content>
- The database settings
--set secret.rds.arn=<aws secret arn containing database host, port, name, username, and password keys>
- The initial admin password
--set secret.arn=<aws secret arn containing the initial admin password in an initial_admin_password key>
For an ALB load balancer to work you will need to change the Sonatype IQ Server service type from its default of ClusterIP to NodePort via the following
--set iq_server.serviceType=NodePort
To use an existing ALB and target groups via the AWS Load Balancer Controller add-on use the following
For the application endpoints
--set existingApplicationLoadBalancer.applicationTargetGroupARN=<application target group arn>
For the admin endpoints
--set existingApplicationLoadBalancer.adminTargetGroupARN=<admin target group arn>
Each command will create a target group binding, which will automatically synchronize targets to the given target group pointing to the application/admin Sonatype IQ Server service endpoints.
Note that with static provisioning, you do not need to enable an ingress.
To dynamically provision an ALB via the AWS Load Balancer Controller add-on use the following
--set ingress.enabled=true
--set ingress.ingressClassName=alb
and ensure that the appropriate annotations are set e.g.
--set ingress.annotations."alb\.ingress\.kubernetes\.io/scheme"="internet-facing"
--set ingress.annotations."alb\.ingress\.kubernetes\.io/target-type"="ip"
--set ingress.annotations."alb\.ingress\.kubernetes\.io/healthcheck-path"="/ping"
--set ingress.annotations."alb\.ingress\.kubernetes\.io/certificate-arn"="arn:aws:acm:<region>:<aws_account_id>:certificate/<certificate_id>"
--set ingress.annotations."alb\.ingress\.kubernetes\.io/ssl-policy"="ELBSecurityPolicy-FS-1-2-Res-2020-10"
--set ingress.annotations."alb\.ingress\.kubernetes\.io/listen-ports"='\[\{\"HTTP\":80\}\,\{\"HTTPS\":443\}\]'
--set ingress.annotations."alb\.ingress\.kubernetes\.io/actions\.ssl-redirect"='\{\"Type\": \"redirect\"\,\"RedirectConfig\":\{\"Protocol\":\"HTTPS\"\,\"Port\":\"443\"\,\"StatusCode\":\"HTTP_301\"\}\}'
--set ingress.annotations."alb\.ingress\.kubernetes\.io/actions\.response-404"='\{\"type\":\"fixed-response\"\,\"fixedResponseConfig\":\{\"contentType\":\"text/plain\"\,\"statusCode\":\"404\"\,\"messageBody\":\"404_Not_Found\"\}\}'
--set ingress.annotations."alb\.ingress\.kubernetes\.io/actions\.redirect-domain"='\{\"Type\":\"redirect\"\,\"RedirectConfig\":\{\"Host\":\"domain\"\,\"Path\":\"/#\{path\}\"\,\"Port\":\"443\"\,\"Protocol\":\"HTTPS\"\,\"Query\":\"#\{query\}\"\,\"StatusCode\":\"HTTP_301\"\}\}'
--set ingress.annotations."alb\.ingress\.kubernetes\.io/load-balancer-attributes"="idle_timeout.timeout_seconds=600"
Note that if the application and admin services are separated by path rather than hostname, then multiple healthchecks will need to be configured. This can be achieved by adding the healthcheck annotations at the service level rather than the ingress level e.g.
--set iq_server.applicationServiceAnnotations."alb\.ingress\.kubernetes\.io/healthcheck-path"="/ping"
--set iq_server.adminServiceAnnotations."alb\.ingress\.kubernetes\.io/healthcheck-path"="/admin/ping"
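The backslash escaping that --set needs for dotted annotation keys and JSON action bodies is a frequent source of silently wrong ALB configuration: an unescaped dot splits the key into nested maps and the annotation never reaches the controller. The function below is an added example, not a file shipped with the chart. It writes the same ALB settings as a values file that helm consumes with -f, where no escaping is needed, and pairs a plain HTTP listener on 80 with the ssl-redirect action so every client ends up on the ACM-backed HTTPS listener with the restrictive TLS policy. The output path and the certificate ARN argument are this example's own; the remaining placeholders still have to be replaced.

```shell
#!/bin/sh
# Added example, not a file from the chart. Writes a Helm values file equivalent
# to the ALB --set overrides in this README so that annotation keys and JSON
# action bodies need no backslash escaping. The output path ($1) and the ACM
# certificate ARN ($2) are this example's own parameters.

write_alb_values() {
    out="$1"       # values file to write
    cert_arn="$2"  # ACM certificate ARN for the HTTPS listener
    cat > "$out" <<EOF
iq_server:
  # The AWS Load Balancer Controller registers NodePort targets (see above)
  serviceType: NodePort
ingress:
  enabled: true
  ingressClassName: alb
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/healthcheck-path: /ping
    alb.ingress.kubernetes.io/certificate-arn: ${cert_arn}
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-FS-1-2-Res-2020-10
    # Port 80 is plain HTTP only so the ssl-redirect action can send clients to 443
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type":"redirect","RedirectConfig":{"Protocol":"HTTPS","Port":"443","StatusCode":"HTTP_301"}}'
    alb.ingress.kubernetes.io/actions.response-404: '{"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"404","messageBody":"404_Not_Found"}}'
    alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=600
EOF
}

# Read one annotation value back from the written file (used to verify output).
alb_annotation() {
    sed -n "s|^    alb.ingress.kubernetes.io/$2: ||p" "$1"
}
```

Install with the file instead of the escaped flags, e.g. helm upgrade --install --namespace <namespace> <name> -f alb-values.yaml sonatype/nexus-iq-server-ha --version <version>; the redirect-domain action and the hostname or path settings are added to the same annotations map in plain YAML, and the file is safe to commit because it holds no secrets (the license, database and admin password values still belong in secrets).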
If you want to use dynamic provisioning, then an EFS storage class should be pre-installed and configured in the cluster with the correct settings to allow read/write access to the Sonatype IQ Server pod users, which have UID 1000 and GID 1000 by default e.g.
```yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc
provisioner: efs.csi.aws.com
parameters:
  provisioningMode: efs-ap
  fileSystemId: <EFS file system ID>
  directoryPerms: "777"
  gidRangeStart: "1000"
  gidRangeEnd: "1000"
  basePath: "/"
```
The fluentd aggregator can be configured to send aggregated logs to CloudWatch using the fluent-plugin-cloudwatch-logs plugin.
This requires the fluentd aggregator pods to have the correct permissions, which can either be associated with a service account the fluentd aggregator uses, or with the EKS worker nodes.
Once the permissions are established, you can enable sending aggregated logs to CloudWatch and set the AWS region, log group name, and log stream name as follows
--set cloudwatch.enabled=true
--set cloudwatch.region=<AWS region>
--set cloudwatch.logGroupName=<CloudWatch log group name>
--set cloudwatch.logStreamName=<CloudWatch log stream name>
Some example commands are shown below.

```shell
helm install --namespace staging mycluster --dependency-update \
  --set-file iq_server.license="license.lic" \
  --set iq_server.database.hostname=myhost \
  --set iq_server.database.port=5432 \
  --set iq_server.database.name=iq \
  --set iq_server.database.username=postgres \
  --set iq_server.database.password=admin123 \
  --set iq_server.config.server.adminContextPath="/admin" \
  --set iq_server.persistence.accessModes[0]="ReadWriteMany" \
  --set iq_server.persistence.csi.driver="efs.csi.aws.com" \
  --set iq_server.persistence.csi.fsType="" \
  --set iq_server.persistence.csi.volumeHandle="fs-0ac8d13f38bfc99df:/" \
  --set iq_server.serviceType=NodePort \
  --set ingress.enabled=true \
  --set ingress.ingressClassName=alb \
  --set ingress.annotations."alb\.ingress\.kubernetes\.io/scheme"="internet-facing" \
  --set ingress.annotations."alb\.ingress\.kubernetes\.io/healthcheck-path"="/ping" \
  sonatype/nexus-iq-server-ha --version <version>
```

```shell
helm install --namespace staging mycluster --dependency-update \
  --set iq_server.serviceAccountName=<service account name, default "default"> \
  --set serviceAccount.create=true \
  --set serviceAccount.annotations."eks\.amazonaws\.com/role-arn"="arn:aws:iam::<aws_account_id>:role/<role_name>" \
  --set secret.arn="arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret_name>" \
  --set secret.license.arn="arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<secret_name>" \
  --set secret.rds.arn="arn:aws:secretsmanager:<region>:<aws_account_id>:secret:<rds_secret_name>" \
  --set iq_server.config.server.adminContextPath="/admin" \
  --set iq_server.persistence.accessModes[0]="ReadWriteMany" \
  --set iq_server.persistence.persistentVolumeName="" \
  --set iq_server.persistence.storageClassName="efs-storage-class-name" \
  --set iq_server.persistence.csi.driver="efs.csi.aws.com" \
  --set iq_server.persistence.csi.fsType="" \
  --set iq_server.serviceType=NodePort \
  --set ingress.enabled=true \
  --set ingress.ingressClassName=alb \
  --set ingress.annotations."alb\.ingress\.kubernetes\.io/scheme"="internet-facing" \
  --set ingress.annotations."alb\.ingress\.kubernetes\.io/healthcheck-path"="/ping" \
  sonatype/nexus-iq-server-ha --version <version>
```
Sonatype IQ Server HA helm chart includes support for Kubernetes Horizontal Pod Autoscaling (HPA). With this enabled you can set the cluster to automatically scale up/down based on cpu and/or memory utilization.
Horizontal Pod Autoscaler depends on metrics-server being installed and available in the cluster. Please refer to the metrics-server requirements and installation instructions for setting it up.
(Note: when setting auto-scaling parameters, please make sure that sufficient hardware resources are available in the underlying nodes to meet the max pod demands.)
HPA is disabled by default. If you want to enable it, you need to set the hpa.enabled parameter to true.
--set hpa.enabled=true
Defined resources requests for all the containers in the IQ Server pod are required for HPA to be able to compute metrics. As a result, if you are scaling based on CPU usage you need to specify CPU requests for the IQ server and fluentd sidecar.
Please refer to the "Chart Configuration Options" table below for detailed parameters for adjusting HPA configuration to match your needs.
Some example commands are shown below.

```shell
helm install --namespace staging mycluster --dependency-update \
  ...
  --set hpa.enabled=true \
  --set iq_server.resources.requests.cpu="500m" \
  --set iq_server.resources.limits.cpu="1000m" \
  --set fluentd.sidecar_forwarder.resources.requests.cpu="200m" \
  --set fluentd.sidecar_forwarder.resources.limits.cpu="500m" \
  ...
  sonatype/nexus-iq-server-ha --version <version>
```
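Several constraints stated on this page only surface after the install has run: without a license source only one pod starts, an alb ingress class with the default ClusterIP service never registers targets, HPA without CPU requests on the IQ Server and fluentd sidecar containers never scales, pods on several nodes need a ReadWriteMany volume, and a password passed inline ends up in shell history and in the Helm release secret. The script below is an added example, not tooling from the chart: it lints a list of intended overrides (one key=value per line, optionally prefixed with "--set ") against those rules before helm install is run. The rule set, severities and message wording are this example's own choices; the keys are the chart values named on this page.

```shell
#!/bin/sh
# Added example, not tooling from the chart: a pre-install sanity check over
# the --set overrides you intend to pass. Input is one key=value per line; a
# leading "--set " is tolerated so lines can be pasted from a helm command.

# Print the value of one override key (last occurrence wins), or nothing.
override_value() {
    overrides="$1"
    key="$2"
    value=""
    while IFS= read -r line; do
        line="${line#--set }"
        case "$line" in
            "$key="*) value="${line#*=}" ;;   # quoted pattern: key is literal
        esac
    done <<EOF
$overrides
EOF
    printf '%s' "$value"
}

# Print one finding per line; return 1 if any finding is an ERROR.
preflight() {
    ov="$1"
    errors=0

    # A license must be available at startup or only one pod will come up.
    if [ -z "$(override_value "$ov" iq_server.license)$(override_value "$ov" iq_server.licenseSecret)$(override_value "$ov" secret.license.arn)" ]; then
        echo "ERROR: no license source (iq_server.license, iq_server.licenseSecret or secret.license.arn)"
        errors=$((errors + 1))
    fi

    # More than one replica spread over nodes needs a ReadWriteMany volume.
    replicas=$(override_value "$ov" iq_server.replicas)
    mode=$(override_value "$ov" 'iq_server.persistence.accessModes[0]')
    if [ "${replicas:-2}" -gt 1 ] && [ "$mode" != ReadWriteMany ]; then
        echo "WARN: ${replicas:-2} replicas with accessModes[0]='${mode:-chart default}'; pods on different nodes need ReadWriteMany"
    fi

    # The ALB controller registers NodePort targets, not ClusterIP ones.
    if [ "$(override_value "$ov" ingress.ingressClassName)" = alb ] && [ "$(override_value "$ov" iq_server.serviceType)" != NodePort ]; then
        echo "ERROR: ingress.ingressClassName=alb requires iq_server.serviceType=NodePort"
        errors=$((errors + 1))
    fi

    # HPA computes CPU utilisation relative to the requests of every container.
    if [ "$(override_value "$ov" hpa.enabled)" = true ]; then
        for k in iq_server.resources.requests.cpu fluentd.sidecar_forwarder.resources.requests.cpu; do
            if [ -z "$(override_value "$ov" "$k")" ]; then
                echo "ERROR: hpa.enabled=true but $k is unset; HPA cannot compute CPU metrics"
                errors=$((errors + 1))
            fi
        done
    fi

    # Inline secrets end up in shell history and in the Helm release secret.
    for k in iq_server.database.password iq_server.initialAdminPassword; do
        if [ -n "$(override_value "$ov" "$k")" ]; then
            echo "WARN: $k passed inline; prefer the corresponding *Secret value"
        fi
    done
    if [ -z "$(override_value "$ov" iq_server.initialAdminPassword)$(override_value "$ov" iq_server.initialAdminPasswordSecret)$(override_value "$ov" secret.arn)" ]; then
        echo "WARN: initial admin password left at the chart default (admin123)"
    fi

    if [ "$(override_value "$ov" aggregateLogFileRetention.maxLastModifiedDays)" = 0 ]; then
        echo "INFO: maxLastModifiedDays=0 disables aggregate log deletion; the shared PV will keep growing"
    fi

    [ "$errors" -eq 0 ]
}
```

Keep the overrides in a file and run `preflight "$(cat overrides.txt)"` before the helm command; a non-zero exit means at least one ERROR line was printed, and WARN lines flag settings the chart accepts but that weaken the deployment.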
- Any PostgreSQL database, we recommend one set up for HA
- Any Kubernetes cluster, we recommend a multi-node cluster setup for HA
- Any shared file system, we recommend a Network File System (NFS)
- Any ingress controller pre-installed and configured in the cluster, we recommend the ingress-nginx controller
An example command is shown below.

```shell
helm install --namespace staging mycluster --dependency-update \
  --set-file iq_server.license="license.lic" \
  --set iq_server.database.hostname=myhost \
  --set iq_server.database.port=5432 \
  --set iq_server.database.name=iq \
  --set iq_server.database.username=postgres \
  --set iq_server.database.password=admin123 \
  --set iq_server.config.server.adminContextPath="/admin" \
  --set iq_server.persistence.accessModes[0]="ReadWriteMany" \
  --set iq_server.persistence.nfs.server=10.109.77.85 \
  --set iq_server.persistence.nfs.path=/ \
  --set iq_server.serviceType=NodePort \
  --set ingress.enabled=true \
  --set ingress-nginx.enabled=true \
  sonatype/nexus-iq-server-ha --version <version>
```
An example command with a persistence host path set, useful for testing, is shown below.

```shell
helm upgrade --namespace iq-ha iq-cluster \
  --set-file iq_server.license="license.lic" \
  --set iq_server.database.hostname=myhost \
  --set iq_server.database.port=5432 \
  --set iq_server.database.name=iq \
  --set iq_server.database.username=postgres \
  --set iq_server.database.password=admin123 \
  --set iq_server.persistence.hostPath.path="/mnt/iq-server" \
  --set iq_server.persistence.hostPath.type="DirectoryOrCreate" \
  --set iq_server.persistence.accessModes[0]="ReadWriteOnce" \
  --set iq_server.serviceType=NodePort \
  --set ingress.enabled=true \
  --set ingress-nginx.enabled=true \
  sonatype/nexus-iq-server-ha --version <version>
```
To upgrade Sonatype IQ Server and ensure a successful data migration, the following steps are recommended:
- Scale your pods down to zero. This will delete the existing pods.
- Back up the database. See the IQ server backup guidelines for more details.
- Update the helm chart. Typically, this will also update the Sonatype IQ Server version.
- Run your helm chart upgrade command. The deleted pods will be re-created with the updates.
In this version all the fluentd sidecar options have been moved under the fluentd.sidecar_forwarder prefix to avoid confusion.
- Moved iq_server.fluentd.forwarder.enabled to fluentd.sidecar_forwarder.enabled
- Moved fluentd.securityContext to fluentd.sidecar_forwarder.securityContext
- Moved fluentd.resources.requests.cpu to fluentd.sidecar_forwarder.resources.requests.cpu
- Moved fluentd.resources.requests.memory to fluentd.sidecar_forwarder.resources.requests.memory
- Moved fluentd.resources.limits.cpu to fluentd.sidecar_forwarder.resources.limits.cpu
- Moved fluentd.resources.limits.memory to fluentd.sidecar_forwarder.resources.limits.memory
Parameter | Description | Default |
---|---|---|
iq_server.imageRegistry | Container image registry, if not specified the Docker public registry will be used | nil |
iq_server.image | Sonatype IQ Server docker image | sonatype/nexus-iq-server |
iq_server.imagePullPolicy | Sonatype IQ Server image pull policy | IfNotPresent |
iq_server.tag | Sonatype IQ Server image tag | See values.yaml |
iq_server.resources.requests.cpu | Sonatype IQ Server request for CPU resources in CPU units | nil |
iq_server.resources.requests.memory | Sonatype IQ Server request for memory resources in bytes | nil |
iq_server.resources.limits.cpu | Sonatype IQ Server limit for CPU resources in CPU units | nil |
iq_server.resources.limits.memory | Sonatype IQ Server limit for memory resources in bytes | nil |
iq_server.javaOpts | Value for the JAVA_OPTS environment variable to pass custom settings to the JVM | nil |
iq_server.license | Path to your Sonatype IQ Server product license file | nil |
iq_server.licenseSecret | The name of the license secret | nil |
iq_server.serviceType | Sonatype IQ Server service type | ClusterIP |
iq_server.database.hostname | Database hostname | nil |
iq_server.database.port | Database port | 5432 |
iq_server.database.name | Database name | nil |
iq_server.database.username | Database username | postgres |
iq_server.database.password | Database password | nil |
iq_server.database.passwordSecret | Database password secret | nil |
iq_server.persistence.existingPersistentVolumeClaimName | Existing persistent volume claim name | nil |
iq_server.persistence.existingPersistentVolumeName | Existing persistent volume name | nil |
iq_server.persistence.persistentVolumeName | Persistent volume name | iq-server-pv |
iq_server.persistence.persistentVolumeClaimName | Persistent volume claim name | iq-server-pvc |
iq_server.persistence.persistentVolumeRetainPolicy | Persistent volume retain policy | keep |
iq_server.persistence.persistentVolumeClaimRetainPolicy | Persistent volume claim retain policy | keep |
iq_server.persistence.size | Storage capacity for PV/PVC to provision/request | 1Gi |
iq_server.persistence.storageClassName | Storage class name for the PV/PVC | "" |
iq_server.persistence.accessModes[0] | Access mode for the PV/PVC | ReadWriteOnce |
iq_server.persistence.csi.driver | CSI driver name | nil |
iq_server.persistence.csi.fsType | File system type | nil |
iq_server.persistence.csi.volumeHandle | Volume handle | nil |
iq_server.persistence.nfs.server | NFS server hostname | nil |
iq_server.persistence.nfs.path | NFS server path | / |
iq_server.podAnnotations | Annotations for the Sonatype IQ Server pods | nil |
iq_server.serviceAccountName | Sonatype IQ Server service account name | default |
iq_server.applicationServiceAnnotations | Annotations for the Sonatype IQ Server application service | nil |
iq_server.adminServiceAnnotations | Annotations for the Sonatype IQ Server admin service | nil |
iq_server.replicas | Number of replicas | 2 |
iq_server.initialAdminPassword | Initial admin password | admin123 |
iq_server.initialAdminPasswordSecret | Initial admin password secret | nil |
iq_server.readinessProbe.initialDelaySeconds | Initial delay seconds for readiness probe | 45 |
iq_server.readinessProbe.periodSeconds | Period seconds for readiness probe | 15 |
iq_server.readinessProbe.timeoutSeconds | Timeout seconds for readiness probe | 5 |
iq_server.readinessProbe.failureThreshold | Failure threshold for readiness probe | 4 |
iq_server.livenessProbe.initialDelaySeconds | Initial delay seconds for liveness probe | 180 |
iq_server.livenessProbe.periodSeconds | Period seconds for liveness probe | 20 |
iq_server.livenessProbe.timeoutSeconds | Timeout seconds for liveness probe | 3 |
iq_server.livenessProbe.failureThreshold | Failure threshold for liveness probe | 3 |
iq_server.config | A YAML block which will be used as a configuration block for IQ Server | See values.yaml |
iq_server.useGitSsh | Use SSH to execute git operations for SCM integrations | false |
iq_server.sshPrivateKey | SSH private key file to store on the nodes for ssh git operations | nil |
iq_server.sshPrivateKeySecret | SSH private key stored in k8s secret to be used for ssh git operations | nil |
iq_server.sshKnownHosts | SSH known hosts file to store on the nodes for ssh git operations | nil |
iq_server.sshKnownHostsSecret | SSH known hosts stored in k8s secret to be used for ssh git operations | nil |
iq_server.pvOwnershipOverride | Specify a custom 'chown' command to modify ownership of directories | See values.yaml |
iq_server.pvOwnershipOverrideResources.resources.requests.cpu | Persistence ownership initContainer request for CPU resources in CPU units | nil |
iq_server.pvOwnershipOverrideResources.resources.requests.memory | Persistence ownership initContainer request for memory resources in bytes | nil |
iq_server.pvOwnershipOverrideResources.resources.limits.cpu | Persistence ownership initContainer limit for CPU resources in CPU units | nil |
iq_server.pvOwnershipOverrideResources.resources.limits.memory | Persistence ownership initContainer limit for memory resources in bytes | nil |
iq_server_jobs.migrationJobAnnotations | Sonatype IQ DB Migration job annotations | nil |
iq_server_jobs.env | Sonatype IQ DB Migration job environment variables | nil |
iq_server_jobs.resources.requests.cpu | Sonatype IQ DB Migration job request for CPU resources in CPU units | nil |
iq_server_jobs.resources.requests.memory | Sonatype IQ DB Migration job request for memory resources in bytes | nil |
iq_server_jobs.resources.limits.cpu | Sonatype IQ DB Migration job limit for CPU resources in CPU units | nil |
iq_server_jobs.resources.limits.memory | Sonatype IQ DB Migration job limit for memory resources in bytes | nil |
ingress.enabled | Enable ingress | false |
ingress.className | Ingress class name | nginx |
ingress.pathType | Ingress path type | Prefix |
ingress.annotations | Ingress annotations | nil |
ingress.hostApplication | Ingress host for application | nil |
ingress.hostApplicationPath | Ingress path for application | nil |
ingress.hostAdmin | Ingress host for admin application | nil |
ingress.hostAdminPath | Ingress path for admin application | nil |
ingress.tls | Ingress TLS configuration | nil |
ingress-nginx.enable | Enable ingress-nginx | false |
ingress-nginx.controller | Ingress controller configuration for Nginx | See values.yaml |
externalDns.enabled | Enable external-dns | false |
externalDns.args | Array of arguments to pass to the external-dns container | See values.yaml |
serviceAccount.create | Create service account | false |
serviceAccount.labels | Service account labels | nil |
serviceAccount.annotations | Service account annotations | nil |
serviceAccount.autoMountServiceAccountToken | Auto mount service account token | false |
secret.arn | AWS secret arn containing initial admin password in an initial_admin_password key | nil |
secret.license.arn | AWS secret arn containing the binary content of your Sonatype IQ Server license | nil |
secret.rds.arn | AWS secret arn containing host, port, name (database name), username, and password keys | nil |
secret.sshPrivateKey.arn | AWS secret arn containing the binary content of your SSH private key for use with ssh git operations | nil |
secret.sshKnownHosts.arn | AWS secret arn containing the binary content of your SSH known hosts for use with ssh git operations | nil |
cloudwatch.enabled | Enable CloudWatch logging | false |
cloudwatch.region | CloudWatch region | nil |
cloudwatch.logGroupName | CloudWatch log group name | nil |
cloudwatch.logStreamName | CloudWatch log stream name | nil |
existingApplicationLoadBalancer.applicationTargetGroupARN | Target group ARN for target synchronization with application endpoints | nil |
existingApplicationLoadBalancer.adminTargetGroupARN | Target group ARN for target synchronization with admin endpoints | nil |
aggregateLogFileRetention.deleteCron | Cron schedule expression for when to delete old aggregate log files if needed | 0 1 * * * |
aggregateLogFileRetention.maxLastModifiedDays | Maximum last modified time of an aggregate log file in days (0 disables deletion) | 50 |
fluentd.enabled | Enable Fluentd | true |
fluentd.config | Fluentd configuration | See values.yaml |
fluentd.sidecar_forwarder.enabled | Enable Fluentd sidecar forwarder | true |
fluentd.sidecar_forwarder.resources.requests.cpu | Fluentd sidecar forwarder cpu request | nil |
fluentd.sidecar_forwarder.resources.limits.cpu | Fluentd sidecar forwarder cpu limit | nil |
fluentd.sidecar_forwarder.resources.requests.memory | Fluentd sidecar forwarder memory request | nil |
fluentd.sidecar_forwarder.resources.limits.memory | Fluentd sidecar forwarder memory limit | nil |
fluentd.sidecar_forwarder.daemonUser | Fluentd sidecar forwarder daemon user (set to root by default because it reads from host paths) | root |
fluentd.sidecar_forwarder.daemonGroup | Fluentd sidecar forwarder daemon group (set to root by default because it reads from host paths) | root |
fluentd.sidecar_forwarder.securityContext | Fluentd sidecar forwarder security context (see values.yaml for a non-root example) | nil |
hpa.enabled | Enable Horizontal Pod Autoscaler | false |
hpa.minReplicas | Minimum number of replicas | 2 |
hpa.maxReplicas | Maximum number of replicas | 4 |
hpa.resource.cpu.enabled | Enable CPU-based autoscaling | true |
hpa.resource.cpu.average.threshold | Average CPU threshold for autoscaling | 50 |
hpa.resource.memory.enabled | Enable memory-based autoscaling | false |
hpa.resource.memory.average.threshold | Average memory threshold for autoscaling | 50 |
global.busybox.imageRegistry | Container image registry, if not specified the Docker public registry will be used | nil |
global.busybox.image | BusyBox docker image | busybox |
global.busybox.tag | BusyBox image tag | See values.yaml |