components/tyk-mdcb/values.yaml

global:
  imageRegistry: ""

  # Choose the storageType for Tyk. [ "mongo", "postgres" ]
  storageType: postgres

  postgres:
    # host corresponds to the host name of postgres
    host: tyk-postgres-postgresql.tyk.svc
    # port corresponds to the port of postgres
    port: 5432
    # user corresponds to the user of postgres
    user: postgres
    # password corresponds to the password of the given postgres user in selected database
    password:
    # database corresponds to the database to be used in postgres
    database: tyk_analytics
    # sslmode corresponds to if postgres runs in sslmode (https)
    sslmode: disable

    # Connection string can also be set using a secret. Provide the name of the secret and key below.
    # connectionStringSecret:
    #   name: ""
    #   keyName: ""

  # Please check https://tyk.io/docs/planning-for-production/database-settings/mongodb/#supported-versions
  # for the list of supported MongoDB versions.
  mongo:
    useSSL: false
    # For tyk-simple-mongo (no auth)
    # mongoURL: mongodb://mongo.tyk.svc:27017/tyk_analytics
    # mongo-go driver is supported for Tyk 5.0.2+.
    # We recommend using the mongo-go driver if you are using MongoDB 4.4.x+.
    # For MongoDB versions prior to 4.4, please use the mgo driver.
    # Since MDCB 2.5.0 the default driver is mongo-go.
    driver: mongo-go

    # Connection URL can also be set using a secret. Provide the name of the secret and key below.
    # connectionURLSecret:
    #   name: ""
    #   keyName: ""

  redis:
    # The addrs value will allow you to set your Redis addresses.
    #
    # If you are using Redis (e.g. Bitnami Redis at bitnami/redis) then enter single
    # endpoint. If using sentinel connection mode for Redis, please update the port number (typically 26379).
    #
    # If using a Redis Cluster (e.g. bitnami/redis-cluster), you can list
    # the endpoints of the redis instances or use the cluster configuration endpoint.
    #
    # Default value: redis.{{ .Release.Namespace }}.svc:6379
    # addrs:
    #   Example using tyk simple redis chart
    #   - redis.tyk.svc:6379
    #   Example using bitnami/redis
    #   - tyk-redis-master.tyk.svc:6379
    #   Example using bitnami/redis with sentinel
    #   - tyk-redis.tyk.svc:26379
    #   Example using bitnami/redis-cluster
    #   - tyk-redis-redis-cluster.tyk.svc:6379

    # Redis password
    # If you're using Bitnami Redis chart (e.g. bitnami/redis) please input
    # your password in the field below
    # pass: ""

    # Redis password can also be provided via a secret. Provide the name of the secret and key below.
    # passSecret:
    #   name: ""
    #   keyName: ""

    # Enables SSL for Redis connection. Redis instance will have to support that.
    # Default value: false
    useSSL: false

    # Allows usage of self-signed certificates when connecting to an encrypted Redis database.
    # It is used to set TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY
    # sslInsecureSkipVerify: false    

    # Path to the CA file.
    # sslCAFile: "/etc/certs/ca.crt"

    # The Volume mount path
    # Default value: /etc/certs 
    # certificatesMountPath: "/etc/certs"    

    # Path to the cert file.
    # sslCertFile: "/etc/certs/redis.crt"  

    # Path to the key file.
    # sslKeyFile: "/etc/certs/redis.key"

    # Maximum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
    # Default value: 1.3
    # tlsMaxVersion: "1.3"

    # Minimum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
    # Default value: 1.2
    # tlsMinVersion: "1.2"

    # Name of the tls secret. A secret needs to be created for this manually using the name as specified here
    # Default value: mdcb-tls-secret 
    # secretName: "mdcb-tls-secret"

    # Name of the volume where the secret will be mounted
    # Default value: mdcb-tls-secret-volume 
    # volumeName: "mdcb-tls-secret-volume"

    # If using "Redis Cluster" set enableCluster to true
    # (e.g. if using bitnami/redis-cluster)
    # enableCluster: true

    # Enables sentinel connection mode for Redis. If enabled, provide both
    # mandatory values for pass and masterName.
    # enableSentinel: false

    # Redis sentinel master name, only required while enableSentinel is true.
    # masterName: ""

    # By default, the database index is 0. Setting the database index is not
    # supported with redis cluster. As such, if you have enableCluster: true,
    # then this value should be omitted or explicitly set to 0.
    storage:
      database: 0

  mdcbSynchronizer:
    # Enable the MDCB Synchroniser
    # It will be used to set TYK_MDCB_SYNCWORKER_ENABLED in Tyk MDCB deployment.
    enabled: false

  # Set to true if you are using a hashed configuration installation of Tyk, otherwise set to false.
  # It is used to set TYK_MDCB_HASHKEYS and TYK_MDCB_SYNCWORKER_HASHKEYS
  hashKeys: true

  mtls:
    # Sets the AES256 secret which is used to encode certificate private keys when
    # they are uploaded via certificate storage.
    # It is used to set TYK_MDCB_SECURITY_PRIVATECERTIFICATEENCODINGSECRET
    privateCertificateEncodingSecret: ""

mdcb:
  # nameOverride overrides the Chart name. It is truncated to 63 characters.
  nameOverride: ""
  # fullnameOverride overrides App name. It is truncated to 63 characters.
  fullnameOverride: ""

  # useSecretName can be used if you don't want to store plaintext values for MDCB license and security secret in
  # the Helm values file and would rather provide the k8s Secret externally.
  # You should set following fields in the secret
  # - MDCBLicense - Sets MDCB license key
  # - securitySecret - Sets secret required for accessing secure HTTP endpoints
  useSecretName: ""

  # Tyk MDCB license
  # It is used to set TYK_MDCB_LICENSE
  license: ""

  # The rpc port which worker gateways will connect to.
  # This opens a port on MDCB container and MDCB service targets this port.
  # It is used to set TYK_MDCB_LISTENPORT
  listenPort: 9091

  # When it is set to true, instead of sending analytics directly to MongoDB / SQL
  # MDCB can send analytics to Redis. This will allow tyk-pump to pull
  # analytics from Redis and send to your own data sinks.
  # It is used to set TYK_MDCB_FORWARDANALYTICSTOPUMP
  forwardAnalyticsToPump: false

  # This enables saving analytics in multiple keys as oppose to just having one.
  # It is useful when using a Redis cluster.
  # It also only works when TYK_MDCB_FORWARDANALYTICSTOPUMP is set to true.
  enableMultipleAnalyticsKey: true

  # This should be set to true if you choose not to store selective analytics
  dontStoreSelective: false

  # This should be set to true if you choose not to store aggregate analytics
  dontStoreAggregate: false

  # If set to true then it will not store analytics for tags having prefix specified in the list.
  # NB: Prefix “key-” is added in the list by default. This tag is added by gateway for keys.
  ignoreTagPrefixList: []

  # If enabled, it will store analytics for all the endpoints, irrespective of Track Endpoint plugin.
  trackAllPaths: false

  # If enabled, aggregate data will be generated per minute.
  storeAnalyticsPerMinute: false
  
  # Configures MDCB security settings, including Mutual TLS, secure HTTP endpoints, and authentication secret.
  security:
    # Secret is the key required for accessing secure HTTP endpoints and must be included as the `X-Tyk-Authorization` header.
    # Ensure confidentiality of the key and avoid exposing management endpoints publicly.
    # This field can be set using k8s secret. Please refer `mdcb.useSecretName` field.
    secret: CHANGEME
    # EnableHTTPSecureEndpoints enables HTTP endpoints for monitoring and debugging MDCB.
    # Secure endpoints providing critical system information are disabled by default for security enhancement.
    # Authentication via the `Secret` is required for access, e.g., /dataplanes for dataplane details.
    enableHttpSecureEndpoints: false
 
  # defines the SSL/TLS settings for the http server where the healthcheck is exposed
  httpServerOptions:
    # if enabled then the endpoints will be served over https
    useSSL: false
    # certificateKeyFile: /path-to-cert-keyfile
    # certificateCertFile: /path-to-certfile
    
    # For TLS 1.0 use 769, for TLS 1.1 use 770, for TLS 1.2 use 771, for TLS 1.3 use 772
    # minVersion: 771

  # This is the preferred port setting for MDCB >= v2.6.0.
  # Users should use httpPort instead of probes.healthCheckPort for newer versions.
  httpPort: 8181
  
  # settings for the health checker
  healthcheck:
    # represents the time interval (in seconds) at which the healthchecker refreshes its cached health status information (redis and DB).
    cache_renewal_period: 10
  probes:
    # This port lets MDCB allow standard health checks.
    # It also defines the path for liveness and readiness probes.
    # It is used to set TYK_MDCB_HEALTHCHECKPORT and TYK_MDCB_HTTPPORT when mdcb >= v2.6.0
    # This field will be deprecated in upcoming release. Use `httpPort` instead.
    # healthCheckPort: 8181

    # liveness includes details about liveness probe used in MDCB Deployment.
    liveness:
      # path represents the http path to be used in liveness probe in MDBC deployment.
      path: "/liveness"
      # initialDelaySeconds specifies duration in seconds used in liveness probe as initial delay.
      initialDelaySeconds: 5
      # The periodSeconds specifies the duration in seconds to perform a liveness probe.
      periodSeconds: 2
      # timeoutSeconds represents the number of seconds after which the probe times out.
      timeoutSeconds: 3
      # failureThreshold represents the consecutive number of failures in a row for Kubernetes to consider that the overall check has failed.
      failureThreshold: 2
    # readiness includes details about readiness probe used in MDCB Deployment.
    readiness:
      # path represents the http path to be used in readiness probe in MDBC deployment.
      path: "/readiness"
      # initialDelaySeconds specifies the seconds used in readiness probe as initial delay.
      initialDelaySeconds: 1
      # The periodSeconds specifies the duration in seconds to perform a readiness probe.
      periodSeconds: 10
      # timeoutSeconds represents the number of seconds after which the probe times out.
      timeoutSeconds: 3
      # failureThreshold represents the consecutive number of failures in a row for Kubernetes to consider that the overall check has failed.
      failureThreshold: 3

  # replicaCount specifies number of replicas to be created.
  replicaCount: 1

  image:
    # image repository for Tyk MDCB
    repository: tykio/tyk-mdcb-docker
    # image tag for Tyk MDCB
    tag: v2.7.2
    # image pull policy
    pullPolicy: IfNotPresent

  # image pull secrets to use when pulling images from repository
  imagePullSecrets: []

  # annotations be added to the Deployment / Statefulset of MDCB
  annotations: {}

  # podAnnotations specifies annotations to be added in MDCB Pod
  podAnnotations: {}
  # podLabels specifies labels to be added in MDCB Pod
  podLabels: {}

  serviceAccount:
    # Specifies whether a service account should be created
    enabled: false
    # Automatically mount a ServiceAccount's API credentials?
    automount: true
    # Annotations to add to the service account
    annotations: {}
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    name: ""


  # securityContext holds pod-level security attributes for Tyk MDCB pod. All fields from PodSecurityContext object can be added here.
  podSecurityContext: {}
  # fsGroup: 2000

  # containerSecurityContext holds container-level security attributes for Tyk MDCB container. All fields from SecurityContext object can be added here.
  containerSecurityContext: {}
    # runAsNonRoot: true
    # runAsUser: 1000
    # allowPrivilegeEscalation: false
    # privileged: false
    # readOnlyRootFilesystem: true
    # seccompProfile:
    #   type: RuntimeDefault
    # capabilities:
    #   drop:
    #     - ALL

  service:
    # type corresponds to the service type of Tyk MDCB Service.
    type: ClusterIP
    # The port at which the MDCB service can be found
    port: 9091
    # externalTrafficPolicy corresponds to the external traffic policy if the service type is load balancer
    externalTrafficPolicy: Local
    # annotations corresponds to the annotations which will be added into Tyk Dashboard Service.
    annotations: {}
  
  # ingress specifies Ingress rules for Tyk MDCB Service.
  # Ingress is disabled by default.
  ingress:
    # enabled specifies whether ingress is enabled or not.
    # Set it to true to enable Ingress for Tyk MDCB Service.
    enabled: false
    # className specifies your ingress controller class name below
    className: ""
    # annotations specifies annotations to be added on Ingress resource.
    annotations: {}
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    # hosts corresponds to the rules to be added on Ingress rules.
    hosts:
      - host: chart-example.local
        paths:
          - path: /
            pathType: ImplementationSpecific
    # tls corresponds to the tls configuration if Ingress rules use TLS
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  
  # New HTTP ingress for port 8181
  http_ingress:
    enabled: false
    # className specifies your ingress controller class name below
    className: ""
    # annotations specifies annotations to be added on Ingress resource.
    annotations: { }
      # kubernetes.io/ingress.class: nginx
      # kubernetes.io/tls-acme: "true"
    # hosts corresponds to the rules to be added on Ingress rules.
    hosts:
      - host: mdcb-http.example.com
        paths:
          - path: /
            pathType: ImplementationSpecific
    # tls corresponds to the tls configuration if Ingress rules use TLS
    tls: []
    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
    
  resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

  # autoscaling configuration
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 100
    targetCPUUtilizationPercentage: 80
    # targetMemoryUtilizationPercentage: 80

  # extraContainers is a list of containers to be added to the pod
  # - name: sidecar
  #   image: sidecar:latest
  extraContainers: []
  
  extraEnvs: []

  # Additional volumes on the output MDCB Deployment definition.
  extraVolumes: []
  # - name: foo
  #   secret:
  #     secretName: mysecret
  #     optional: false

  # Additional volumeMounts on the output MDCB Deployment definition.
  extraVolumeMounts: []
  # - name: foo
  #   mountPath: "/etc/foo"
  #   readOnly: true

  # node labels for MDCB pod assignment
  nodeSelector: {}

  # tolerations for MDCB pod assignment
  tolerations: []

  # affinity for MDCB pod assignment
  affinity: {}

  tls:
    # enables ssl for mdcb
    useSSL: false

    # the path to where the keys will be mounted in the pod
    certificatesMountPath: "/etc/certs"

    # location to pem encoded private key
    certificateKeyFile: "/etc/certs/tls.key"

    # location to pem encoded certificate
    certificateCertFile: "/etc/certs/tls.crt"

    # the name of the secret
    secretName: "mdcb-tls-secret"

    # the name of the volume
    volumeName: "mdcb-tls-secret-volume"    