tyk-stack/values.yaml

# Default values for tyk-stack.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

global:
  license:
    # The license key needed by Tyk Dashboard to work.
    #
    # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
    # that stores the dashboard license. Please see `.global.secrets.useSecretName`.
    dashboard: ""
    # The license key needed by Tyk Operator to work.
    #
    # NOTE: If you do not want to store license as a plain text in the file, you can use a Kubernetes secret
    # that stores the operator license. Please see `.global.secrets.useSecretName`.
    operator: ""

  # adminUser specifies credentials for Tyk Dashboard and Dev Portal admin user while bootstrapping.
  # Dashboard and Dev Portal admin information.
  adminUser:
    # If you don't want to store plaintext secrets for admin user in the Helm value file and would
    # rather provide the k8s Secret externally please populate the value below.
    # You can set following fields in the secret:
    # - adminUserFirstName - sets .global.adminUser.firstName
    # - adminUserLastName - sets .global.adminUser.lastName
    # - adminUserEmail- sets .global.adminUser.email
    # - adminUserPassword - sets .global.adminUser.password
    useSecretName: ""

    # firstName corresponds to the first name of the admin user that will be created during the bootstrapping process.
    # It is used to set TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
    firstName: admin

    # lastName corresponds to the last name of the admin user that will be created during the bootstrapping process.
    # It is used to set TYK_K8SBOOTSTRAP_TYK_ADMIN_LASTNAME
    lastName: user

    # email corresponds to the email of the admin user that will be created during the bootstrapping process.
    # It is used to set TYK_K8SBOOTSTRAP_TYK_ADMIN_EMAILADDRESS
    email: default@example.com
    # Set a password or a random one will be assigned.
    password: "123456"

  components:
    # Determines whether the bootstrap jobs should be run
    # Those jobs verify the presence of the dashboard license and perform various operations to
    # make apps such as tyk-dashboard, tyk-portal and tyk-operator ready to use from the get go
    # If this is set to false, only the hook that checks for dashboard license will be run
    bootstrap: true
    # Determines whether the pump component should be installed.
    pump: true
    # Determines whether Tyk Developer Portal component should be installed.
    devPortal: false
    # operator determines whether Tyk Operator component should be installed or not.
    # Tyk Operator needs cert-manager to be installed beforehand. Make sure that cert-manager is installed.
    # For further details, please refer to https://tyk.io/docs/tyk-stack/tyk-operator/installing-tyk-operator/
    operator: false

  servicePorts:
    # The port at which the dashboard service can be found at
    dashboard: 3000
    # The port at which the gateway service can be found at
    gateway: 8080

  tls:
    # If set to true the Dashboard will use SSL connection.
    dashboard: false
    # When true, sets the gateway protocol to HTTPS.
    gateway: false

    # When true, it will install the certificate present in the templates folder, set to false when using
    # a custom TLS certificate to avoid overwriting yours
    useDefaultTykCertificate: true

  secrets:
    # APISecret sets node_secret and secret in tyk.conf
    # tyk_analytics.conf tyk_api_config.secret
    # tyk_analytics.conf shared_node_secret
    APISecret: CHANGEME
    # tyk_analytics.conf admin_secret
    AdminSecret: "12345"
    # If you don't want to store plaintext secrets in the Helm value file and would
    # rather provide the k8s Secret externally please populate the value below
    # You can set following fields in the secret
    # APISecret - Sets node secret in both dashboard and tyk config
    # AdminSecret - Admin user secret key
    # DashLicense - Tyk Dashboard license key
    # OperatorLicense - Tyk Operator license key
    useSecretName: ""

  redis:
    # The addrs value will allow you to set your Redis addresses.
    #
    # If you are using Redis (e.g. Bitnami Redis at bitnami/redis) then enter single
    # endpoint. If using sentinel connection mode for Redis, please update the port number (typically 26379).
    #
    # If using a Redis Cluster (e.g. bitnami/redis-cluster), you can list
    # the endpoints of the redis instances or use the cluster configuration endpoint.
    #
    # Default value: redis.{{ .Release.Namespace }}.svc:6379
    # addrs:
    #   Example using tyk simple redis chart
    #   - redis.tyk.svc:6379
    #   Example using bitnami/redis
    #   - tyk-redis-master.tyk.svc:6379
    #   Example using bitnami/redis with sentinel
    #   - tyk-redis.tyk.svc:26379
    #   Example using bitnami/redis-cluster
    #   - tyk-redis-redis-cluster.tyk.svc:6379

    # Redis password
    # If you're using Bitnami Redis chart please input your password in the field below
    # pass: ""

    # Enables sentinel connection mode for Redis. If enabled, provide both
    # mandatory values for sentinelPass and masterName.
    # enableSentinel: false

    # Redis sentinel password, only required while enableSentinel is true.
    # For bitnami/redis the same password as Redis above
    # sentinelPass: ""

    # Redis sentinel master name, only required while enableSentinel is true.
    # For bitnami/redis typically redis-master
    # masterName: ""

    # Redis password can also be provided via a secret. Provide the name of the secret and key below.
    # passSecret:
    #   name: ""
    #   keyName: ""

    # Enables SSL for Redis connection. Redis instance will have to support that.
    # Default value: false
    useSSL: false

    # Allows usage of self-signed certificates when connecting to an encrypted Redis database.
    # sslInsecureSkipVerify: false

    # Path to the CA file.
    # sslCAFile: ""

    # The Volume mount path
    # Default value: /etc/certs
    # certificatesMountPath: ""

    # Path to the cert file.
    # sslCertFile: ""

    # Path to the key file.
    # sslKeyFile: ""

    # Maximum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
    # Default value: 1.3
    # tlsMaxVersion: "1.3"

    # Minimum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
    # Default value: 1.2
    # tlsMinVersion: "1.2"

    # Name of the tls secret. A secret needs to be created for this manually using the name as specified here
    # secretName: ""

    # Name of the volume where the secret will be mounted
    # volumeName: ""

    # The enableCluster value will allow you to indicate to Tyk whether you are
    # running a Redis cluster or not.
    # Default value: false
    # enableCluster: true

    # By default, the database index is 0. Setting the database index is not
    # supported with redis cluster. As such, if you have enableCluster: true,
    # then this value should be omitted or explicitly set to 0.
    storage:
      database: 0

  # Please check https://tyk.io/docs/planning-for-production/database-settings/mongodb/#supported-versions
  # for the list of supported MongoDB versions.
  mongo:
    # The mongoURL value will allow you to set your MongoDB address.
    # Default value: mongodb://mongo.{{ .Release.Namespace }}.svc:27017/tyk_analytics
    # mongoURL: mongodb://mongo.tyk.svc:27017/tyk_analytics

    # If your MongoDB has a password you can add the username and password to the url
    # mongoURL: mongodb://root:pass@tyk-mongo-mongodb.tyk.svc:27017/tyk_analytics?authSource=admin

    # mongo-go driver is supported for Tyk 5.0.2+.
    # We recommend using the mongo-go driver if you are using MongoDB 4.4.x+.
    # For MongoDB versions prior to 4.4, please use the mgo driver.
    # Since Tyk 5.3 the default driver is mongo-go.
    driver: mongo-go

    # Connection URL can also be set using a secret. Provide the name of the secret and key below.
    # connectionURLSecret:
    #   name: ""
    #   keyName: ""

    # Enables SSL for MongoDB connection. MongoDB instance will have to support that.
    # Default value: false
    useSSL: false

  # Postgres connection string parameters.
  postgres:
    # host corresponds to the host name of postgres
    host: tyk-postgres-postgresql.tyk.svc
    # port corresponds to the port of postgres
    port: 5432
    # user corresponds to the user of postgres
    user: postgres
    # password corresponds to the password of the given postgres user in selected database
    password:
    # database corresponds to the database to be used in postgres
    database: tyk_analytics
    # sslmode corresponds to if postgres runs in sslmode (https)
    sslmode: disable

    # Connection string can also be set using a secret. Provide the name of the secret and key below.
    # connectionStringSecret:
    #   name: ""
    #   keyName: ""

  # Choose the storageType for Tyk. [ "mongo", "postgres" ]
  storageType: &globalStorageType postgres

  # hashKeys specifies if your Tyk Gateway and Dashboard is using hashed keys.
  # It is used to set TYK_GW_HASHKEYS and TYK_DB_HASHKEYS
  # When set to true, Dashboard and gateway will operate in a mode that is compatible with key hashing.
  hashKeys: true

  # Enables validation of examples in the OAS spec. Defaults to false.
  # It is used to set TYK_DB_OAS_VALIDATE_EXAMPLES and TYK_GW_OAS_VALIDATE_EXAMPLES
  oasValidateExamples: false
  # Enables validation of schema defaults in the OAS spec. Defaults to false.
  # It is used to set TYK_DB_OAS_VALIDATE_SCHEMA_DEFAULTS and TYK_GW_OAS_VALIDATE_SCHEMA_DEFAULTS
  oasValidateSchemaDefaults: false

  # streaming configures Tyk Streams
  streaming:
    # enabled configures whether Tyk Streams is enabled or not.
    # It is used to set TYK_GW_STREAMING_ENABLED and TYK_DB_STREAMING_ENABLED.
    enabled: true

tyk-gateway:
  ## Default values for tyk-gateway chart.
  ## This is a YAML-formatted file.
  ## Declare variables to be passed into your templates.
  ## See Tyk Helm documentation for installation details:
  ## https://tyk.io/docs/tyk-oss/ce-helm-chart/
  ## Registry for all Tyk images - https://hub.docker.com/u/tykio

  # nameOverride overrides the Chart name. It is truncated to 63 characters.
  # Default value: tyk-gateway.name
  nameOverride: ""

  # fullnameOverride overrides App name. It is truncated to 63 characters.
  # Default value: tyk-gateway.fullname
  fullnameOverride: ""

  gateway:
    # The hostname to bind the Gateway to.
    hostName: &gwHostName tyk-gw.local

    # EnableFixedWindowRateLimiter enables fixed window rate limiting.
    # FixedWindow will allow requests up to the configured rate limit,
    # and then block traffic for the remainder of the window duration.
    # It has minimal impact on redis, however it will not protect against
    # traffic spikes, it does not have spike arrest behaviour.
    enableFixedWindowRateLimiter: false

    # If this option is set to true, it will enable polling the Dashboard service for API definitions
    useDashboardAppConfig:
      enabled: true
      # Set it to the URL to your Dashboard instance (or a load balanced instance) if and only if
      # Tyk Dashboard runs with custom service name, for instance; using `fullnameOverride` in `tyk-dashboard` section.
      # The URL needs to be formatted as: http://dashboard_host:port
      # It is used to set TYK_GW_DBAPPCONFOPTIONS_CONNECTIONSTRING
      dashboardConnectionString: ""

      # This option is required if Policy source is set to Tyk Dashboard (`service`) if and only if
      # Tyk Dashboard runs with custom service name, for instance; using `fullnameOverride` in `tyk-dashboard` section.
      # Set this to the URL of your Tyk Dashboard installation.
      # The URL needs to be formatted as: http://dashboard_host:port.
      # It is used to set TYK_GW_POLICIES_POLICYCONNECTIONSTRING
      policyConnectionString: ""


    # annotations be added to the Deployment of Tyk Gateway
    annotations: {}
    # podAnnotations is annotations to be added to Tyk Gateway pod.
    # It takes key-value pairs.
    # There are no required annotation field for Tyk Gateway.
    #
    # podAnnotations:
    #   yourkey: value
    #   image: yourhub
    podAnnotations: {}

    # podLabels specifies labels to be added in gateway Pod
    podLabels: {}

    tls:
      # The name of the secret which should contain the TLS certificate you want to use with the gateway deployment
      secretName: tyk-default-tls-secret
      # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
      insecureSkipVerify: false

      # certificatesMountPath corresponds to the mount path of the secret.
      certificatesMountPath: "/etc/certs/tyk-gateway"
      # certificates is an array of strings, used to set TYK_GW_HTTPSERVEROPTIONS_CERTIFICATES
      certificates:
        - domain_name: "*"
          cert_file: "/etc/certs/tyk-gateway/tls.crt"
          key_file: "/etc/certs/tyk-gateway/tls.key"

    # kind is type of k8s object to be created for gateway.
    kind: Deployment

    # replicaCount specifies number of replicas to be created if kind is Deployment.
    replicaCount: 1

    # autoscaling configuration if kind IS NOT DaemonSet
    autoscaling: {}
    #  enabled: true
    #  minReplicas: 1
    #  maxReplicas: 3
    #  averageCpuUtilization: 60
    #  averageMemoryUtilization: null
    #  autoscalingTemplate:
    #   Custom or additional autoscaling metrics
    #   ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
    #    - type: Pods
    #      pods:
    #        metric:
    #          name: nginx_ingress_controller_nginx_process_requests_total
    #        target:
    #          type: AverageValue
    #          averageValue: 10000m
    #  behavior:
    #    scaleDown:
    #      stabilizationWindowSeconds: 300
    #      policies:
    #        - type: Percent
    #          value: 100
    #          periodSeconds: 15
    #    scaleUp:
    #      stabilizationWindowSeconds: 0
    #      policies:
    #        - type: Percent
    #          value: 100
    #          periodSeconds: 15
    #        - type: Pods
    #          value: 4
    #          periodSeconds: 15
    #      selectPolicy: Max

    # analyticsEnabled property is used to enable/disable analytics.
    # If set to empty or nil, analytics will be enabled/disabled based on `global.components.pump`.
    analyticsEnabled: ""

    image:
      # image repository for Tyk Gateway
      repository: tykio/tyk-gateway

      # image tag for Tyk Gateway
      tag: v5.3.8

      # image pull policy for Tyk Gateway
      pullPolicy: IfNotPresent

    initContainers:
      # image configuration for the initContainer that setups up the tyk directory structure
      setupDirectories:
        repository: busybox
        tag: 1.32
        resources: {}
        # If you do want to specify resources, uncomment the following
        # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
        # limits:
        #   cpu: 100m
        #   memory: 128Mi
        # requests:
        #   cpu: 100m
        #   memory: 128Mi

    # image pull secrets to use when pulling images from repository
    imagePullSecrets: []

    # The port which will be exposed on the container for tyk-gateway
    containerPort: 8080

    service:
      # type of service
      type: ClusterIP

      # external traffic policy of the service. Set it only if you are using LoadBalancer service type
      externalTrafficPolicy: Local

      # specify loadBalancerIP if the service type is load balancer
      loadBalancerIP: ""

      # Sets the firewall rule's source parameter to the IP addresses in the list
      loadBalancerSourceRanges: []
      # - 0.0.0.0/0

      # annotations for service
      annotations: {}

    control:
      # If enabled, exposes control port of the gateway
      # If enabled, ensure tyk-dashboard.dashboard.tykApiPort is set
      enabled: false

      # control port of gateway
      containerPort: 9696

      # port number for control port service
      port: 9696

      # service type for control port service
      type: ClusterIP

      # annotations for control port service
      annotations: {}

    # Creates an ingress object in k8s. Will require an ingress-controller and
    # annotation to that ingress controller.
    ingress:
      # if enabled, creates an ingress resource for the gateway
      enabled: false

      # specify ingress controller class name
      className: ""

      # annotations for ingress
      annotations: {}

      # ingress rules
      hosts:
        - host: chart-example.local
          paths:
            - path: /
              pathType: ImplementationSpecific

      # tls configuration for ingress
      #  - secretName: chart-example-tls
      #    hosts:
      #      - chart-example.local
      tls: []

    # PodDisruptionBudget configuration
    pdb:
      enabled: false
      # minAvailable and maxUnavailable configure thresholds for PodDisruptionBudget resource
      # per PodDisruptionBudget spec they are mutually exclusive, but this chart allows
      # setting them both, in which case minAvailable will take precedence
      minAvailable: ""
      maxUnavailable: ""

    # We usually recommend not to specify default resources and to leave this
    # as a conscious choice for the user. This also increases chances charts
    # run on environments with little resources, such as Minikube. If you do
    # want to specify resources, uncomment the following lines, adjust them
    # as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
    resources: {}

    # livenessProbe values for gateway pod. All fields from PodLivenessProbe object can be added here.
    # If set to empty or nil, the default health check on /health will be performed.
    # livenessProbe:
    #   httpGet:
    #     scheme: HTTP
    #     path: /hello
    #     port: 8080
    #   initialDelaySeconds: 5
    #   periodSeconds: 2
    #   timeoutSeconds: 3
    #   failureThreshold: 2
    #   successThreshold: 2
    livenessProbe: {}

    # readinessProbe values for gateway pod. All fields from PodReadinessProbe object can be added here.
    # If set to empty or nil, the default health check on /health will be performed.
    # readinessProbe:
    #   httpGet:
    #     scheme: HTTP
    #     path: /hello
    #     port: 8080
    #  initialDelaySeconds: 1
    #  periodSeconds: 10
    #  timeoutSeconds: 3
    #  failureThreshold: 3
    readinessProbe: {}

    # securityContext values for gateway pod. All fields from PodSecurityContext object can be added here.
    securityContext:
      runAsUser: 1000
      fsGroup: 2000
      runAsNonRoot: true

    # containerSecurityContext values for gateway container. All fields from SecurityContext object can be added here.
    containerSecurityContext:
      runAsNonRoot: true
      runAsUser: 1000
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
          - ALL

    # node labels for gateway pod assignment
    nodeSelector: {}

    # tolerations for gateway pod assignment
    tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule

    # affinity for gateway pod assignment
    affinity: {}

    # opentelemetry is used to configure opentelemetry for Tyk Gateway
    opentelemetry:
      # Used to enable/disable opentelemetry
      enabled: false
      # exporter is used to define the type of the exporter to sending data in OTLP protocol
      # Valid values are "grpc" or "http"
      exporter: grpc
      # endpoint defines OpenTelemetry collector endpoint to connect to.
      endpoint: localhost:4317
      # A map of headers that will be sent with HTTP requests to the collector.
      # It should be set to map of string to string
      headers: {}
      # Timeout for establishing a connection to the collector
      connectionTimeout: 1
      # Name of the resource that will be used to identify the resource.
      resourceName: tyk
      # Type of the span processor to use. Valid values are “simple” or “batch”.
      spanProcessorType: batch
      # Type of the context propagator to use. Valid values are "tracecontext" and "b3".
      contextPropagation: tracecontext
      # TLS configuration for the exporter.
      tls:
        # Flag that can be used to enable TLS
        enabled: false
        # Flag that can be used to skip TLS verification if TLS is enabled
        insecureSkipVerify: true
        # Maximum TLS version that is supported.
        maxVersion: 1.3
        # Minimum TLS version that is supported
        minVersion: 1.2
        # Path to the cert file
        certFileName: ""
        # Path to the key file
        keyFileName: ""
        # Path to CA file
        caFileName: ""
        # Existing secret that stores TLS and CA Certificate
        certificateSecretName: ""
        # Mount path on which certificate secret should be mounted
        secretMountPath: ""
      sampling:
        # Refers to the policy used by OpenTelemetry to determine whether a particular trace should be sampled or not.
        type: "AlwaysOn"
        # Parameter for the TraceIDRatioBased sampler type and represents the percentage of traces to be sampled.
        rate: 0.5
        # Rule that ensures that if we decide to record data for a particular operation, we’ll also record data for
        # all the subsequent work that operation causes
        parentBased: false

    # EnablePathPrefixMatching changes the URL matching from wildcard mode to prefix mode.
    # If prefix matching is enabled, the match will be performed
    # - as a prefix match (/json*).
    # - against the full listen path and versioning URL (/listen-path/v4/json)
    # - the stripped listen path URL (/v4/json), and the stripped version information (/json).
    enablePathPrefixMatching: true
    # EnablePathSuffixMatching changes the URL matching to match as a suffix.
    # For example, /json is matched as /json$ against
    # - the full listen path and versioning URL (/listen-path/v4/json)
    # - the stripped listen path URL (/v4/json)
    # - the stripped version information (/json)
    enablePathSuffixMatching: true
    # EnableStrictRoutes changes the routing to avoid nearest-neighbour requests on overlapping routes
    # - if disabled, `/apple` will route to `/app`, the current default behavior,
    # - if enabled, `/app` only responds to `/app`, `/app/` and `/app/*` but not `/apple`
    # Regular expressions and parameterized routes will be left alone regardless of this setting.
    enableStrictRoutes: true

    # extraContainers is a list of containers to be added to the pod
    # - name: sidecar
    #   image: sidecar:latest
    extraContainers: []

    # extraEnvs is used to set gateway env variables
    # - name: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
    #   value: "true"
    extraEnvs: []

    # extraVolumes is a list of volumes to be added to the pod
    # extraVolumes:
    #   - name: ca-certs
    #     secret:
    #       defaultMode: 420
    #       secretName: ca-certs
    extraVolumes: []

    # extraVolumeMounts is a list of volume mounts to be added to the pod
    # extraVolumeMounts:
    #   - name: ca-certs
    #     mountPath: /etc/ssl/certs/ca-certs.crt
    #     readOnly: true
    extraVolumeMounts: []

    # log is used to configure the log system events
    log:
      # level is used to set the log verbosity. It is used to set TYK_GW_LOGLEVEL
      level: "info"
      # format is used to set the log format. It is used to set TYK_GW_LOGFORMAT
      format: "default"

tyk-operator:
  nameOverride: ""
  fullnameOverride: ""
  # envFrom loads environment variables from the specified resources such as Kubernetes Secret
  # to the Tyk Operator Controller Manager pod.
  envFrom:
    - secretRef:
        name: tyk-operator-conf
  # envVars adds environment variables to the Tyk Operator Controller Manager pod.
  envVars:
    - name: TYK_HTTPS_INGRESS_PORT
      value: "8443"
    - name: TYK_HTTP_INGRESS_PORT
      value: "8080"
  image:
    # image repository for Tyk Operator
    repository: tykio/tyk-operator
    # image pull policy
    pullPolicy: IfNotPresent
    # image tag for Tyk Operator
    tag: "v1.1.0"
  # number for replicas for Tyk Operator deployment.
  replicaCount: 1
  # imagePullSecrets specify imagePullSecrets for ServiceAccount
  imagePullSecrets: []
  # extraVolumes is a list of volumes to be added to the pod
  # extraVolumes:
  #   - name: ca-certs
  #     secret:
  #       secretName: ca-certs
  #   - name: ca-certs
  #     configMap:
  #       name: custom-ca-configmap
  extraVolumes: []

  # extraVolumeMounts is a list of volume mounts to be added to the pod
  # extraVolumeMounts:
  #   - name: ca-certs
  #     mountPath: /etc/ssl/certs/your-cert.pem
  #     subPath: your-cert.pem
  #     readOnly: false
  extraVolumeMounts: []

  # healthProbePort identifies the port the Controller Manager will listen on. Used by liveness and readiness probes
  healthProbePort: 8081
  # metricsPort identifies the port on which Tyk Operator metrics are served
  metricsPort: 8080
  # webhookPort identifies the port on which webhooks are handled
  webhookPort: 9443

  annotations: {}
  podAnnotations: {}
  podSecurityContext:
    allowPrivilegeEscalation: false
  resources: {}
  nodeSelector: {}
  hostNetwork: false

  # rbac specifies necessary resources for kube-rbac-proxy.
  rbac:
    resources: {}
    # specify custom/internal repo name for kube-rbac-proxy container
    image:
      repository: gcr.io/kubebuilder/kube-rbac-proxy
      pullPolicy: IfNotPresent
      tag: "v0.8.0"
    port: 8443

  # serviceMonitor decides deploying ServiceMonitor if Prometheus Operator scrapes /metrics.
  # By default it is set to false and set it to true to enable deploying Service Monitor.
  # Tyk Operator publishes a collection of performance metrics for each controller.
  # These metrics can be scraped by Prometheus Operator, by deploying ServiceMonitor resource.
  serviceMonitor: false

tyk-pump:
  ## Default values for tyk-pump chart.
  ## This is a YAML-formatted file.
  ## Declare variables to be passed into your templates.
  ## See Tyk Helm documentation for installation details:
  ## https://tyk.io/docs/tyk-oss/ce-helm-chart/
  ## Registry for all Tyk images - https://hub.docker.com/u/tykio

  # Overrides chart name. It is truncated to 63 characters.
  # Default value: tyk-pump.name
  nameOverride: ""

  # Overrides app name. IT is truncated to 63 characters.
  # Default value: tyk-pump.fullname
  fullnameOverride: ""

  # If pump is enabled the Gateway will create and collect analytics data to send
  # to a data store of your choice. These can be set up in the pump config. The
  # possible pump configs can be found here:
  # https://github.com/TykTechnologies/tyk-pump#configuration
  pump:
    # number for replicas for pump deployment
    replicaCount: 1

    # annotations be added to the Deployment of Tyk Gateway
    annotations: {}

    # podAnnotations is annotations to be added to Tyk Pump pod.
    # It takes key-value pairs.
    # There are no required annotation field for Tyk Pump.
    #
    # podAnnotations:
    #   yourkey: value
    #   image: yourhub
    podAnnotations: {}

    # podLabels specifies labels to be added in pump Pod
    podLabels: {}

    image:
      # image repository for Tyk pump
      repository: docker.tyk.io/tyk-pump/tyk-pump

      # tag for Tyk pump
      tag: v1.11.1

      # image pull policy
      pullPolicy: IfNotPresent

    # image pull secrets to use when pulling images from repository
    imagePullSecrets: []

    service:
      # Tyk Pump svc is disabled by default. Set it to true to enable it.
      enabled: false

      # type specifies type of the service.
      type: ClusterIP

      # port specifies the port exposed by the service.
      port: 9090

      # externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or
      # cluster-wide endpoints, while using LoadBalancer type of service.
      externalTrafficPolicy: Local

      # annotations specifies annotations to be added Tyk Pump service.
      annotations: {}

    # containerPort represents the port where Tyk Pump serve the metrics, for instance metrics for Prometheus.
    # The default port is 9090.
    containerPort: 9090

    # backend defines the pumps to be created by default, as an array of string.
    # Supported backends are:
    #   - "mongo": Enables Mongo, Mongo Aggregate and Mongo Selective Pump
    #   - "mongo-aggregate": Enables ONLY Mongo Aggregate AND Mongo Graph Pump
    #   - "mongo-selective": Enables ONLY Mongo Selective
    #   - "postgres": Enables Postgres Aggregate, Postgres Graph Aggregate, SQL Pump and SQL graph pump
    #   - "postgres-aggregate": Enables ONLY SQL Aggregate AND SQL Graph Aggregate
    #   - "postgres-pump": Enables ONLY SQL Pump AND SQL graph pump
    #   - "prometheus": Enables Prometheus Pump. See pump.prometheusPump for Prometheus Pump configurations.
    #   - "hybrid": Enables Hybrid Pump
    # If you would like to use other backends such as ElasticSearch, please
    # configure the backend via environment variables.
    backend:
      - "prometheus"
      - *globalStorageType

    # uptimePumpBackend configures uptime Tyk Pump. ["", "mongo", "postgres"].
    # Set it to "" for disabling uptime Tyk Pump. By default, uptime pump is disabled.
    uptimePumpBackend: ""

    # prometheusPump configures Tyk Pump to expose Prometheus metrics.
    # Please add "prometheus" to .Values.pump.backend in order to enable Prometheus Pump.
    # The container port where Tyk Pump serves the metrics to Prometheus can be configured
    # via .pump.containerPort field.
    prometheusPump:
      # host represents the host without port, where Tyk Pump serve the metrics for Prometheus.
      host: ""
      # path represents the path to the Prometheus collection. For example /metrics.
      path: /metrics
      # customMetrics allows defining custom Prometheus metrics for Tyk Pump.
      # It accepts a string that represents a JSON object. For instance,
      #
      # customMetrics: '[{"name":"tyk_http_requests_total","description":"Total of API requests","metric_type":"counter","labels":["response_code","api_name","method","api_key","alias","path"]},          {              "name":"tyk_http_latency",              "description":"Latency of API requests",              "metric_type":"histogram",              "labels":["type","response_code","api_name","method","api_key","alias","path"]          }]'
      customMetrics: ""
      # If you are using prometheus Operator, set the fields in the section below.
      prometheusOperator:
        # enabled determines whether the Prometheus Operator is in use or not. By default,
        # it is disabled.
        # Tyk Pump can be monitored with PodMonitor Custom Resource of Prometheus Operator.
        # If enabled, PodMonitor resource is created based on .Values.pump.prometheusPump.prometheusOperator.podMonitorSelector
        # for Tyk Pump.
        enabled: false
        # podMonitorSelector represents a podMonitorSelector of your Prometheus resource. So that
        # your Prometheus resource can select PodMonitor objects based on selector defined here.
        # Please set this field to the podMonitorSelector field of your monitoring.coreos.com/v1
        # Prometheus resource's spec.
        #
        # You can check the podMonitorSelector via:
        #   kubectl describe prometheuses.monitoring.coreos.com <PROMETHEUS_POD>
        podMonitorSelector:
          release: prometheus-stack

    # sqlGraphPump configures values to be used to configure tyk sql graph pump.
    sqlGraphPump:
      # tableName is the name of the table that will be created and used by the sql graph pump
      tableName: "tyk_analytics_graphs"

    # mongoGraphPump configures values to be used to configure tyk mongo graph pump.
    mongoGraphPump:
      # collectionName is the name of the collection that will be created and used by the mongo graph pump
      collectionName: "tyk_graph_analytics"

    # We usually recommend not to specify default resources and to leave this
    # as a conscious choice for the user. This also increases chances charts
    # run on environments with little resources, such as Minikube. If you do
    # want to specify resources, uncomment the following lines, adjust them
    # as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi
    resources: {}

    # securityContext values for pump pod. All fields from PodSecurityContext object can be added here.
    securityContext:
      runAsUser: 1000
      fsGroup: 2000
      runAsNonRoot: true

    # containerSecurityContext values for pump container. All fields from SecurityContext object can be added here.
    containerSecurityContext:
      runAsNonRoot: true
      runAsUser: 1000
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
          - ALL

    # node labels for pump pod assignment
    nodeSelector: {}

    # tolerations for pump pod assignment
    tolerations: []

    # affinity for pump pod assignment
    affinity: {}

    # extraContainers is a list of containers to be added to the pod
    # - name: sidecar
    #   image: sidecar:latest
    extraContainers: []

    # extraEnvs is used to set environment variables in pump container
    # - name: TYK_PMP_PURGEDELAY
    #   value: 30
    extraEnvs: []

    # extraVolumes is a list of volumes to be added to the pod
    # extraVolumes:
    #   - name: ca-certs
    #     secret:
    #       defaultMode: 420
    #       secretName: ca-certs
    extraVolumes: []

    # extraVolumeMounts is a list of volume mounts to be added to the pod
    # extraVolumeMounts:
    #   - name: ca-certs
    #     mountPath: /etc/ssl/certs/ca-certs.crt
    #     readOnly: true
    extraVolumeMounts: []

tyk-bootstrap:
  fullnameOverride: ""
  nameOverride: ""

  bootstrap:
    # Trigger to control if we want to bootstrap the Developer Portal component using tyk-bootstrap
    devPortal: true

    # Trigger to control if we want to bootstrap the dashboard component using tyk-bootstrap
    dashboard: true

    # Trigger to control if we want to bootstrap the classic portal component using tyk-bootstrap
    portal: false

    # Skip validating the SSL certificates. Usually needed when using self-signed certs.
    sslInsecureSkipVerify: false

    # Trigger to control if we want to create the tyk-operator secret
    operatorSecret: tyk-operator-conf

    # jobs field includes configurations for Helm Hooks.
    jobs:
      # preInstall configures pre-install Helm hook
      preInstall:
        # image specifies image repository of bootstrap images
        image:
          # repository specifies image repository of pre-install job.
          repository: tykio/tyk-k8s-bootstrap-pre-install
          # tag specifies image tag of pre-install job.
          tag: v2.2.0

        # extraEnvs is used to set extra environment variables to pre-install job.
        # - name: TYK_K8SBOOTSTRAP_TYK_DASHBOARDLICENSE
        #   value: "yourlicense"
        extraEnvs: []

      # postInstall configures post-install Helm hook
      postInstall:
        # image specifies image repository of bootstrap images
        image:
          # repository specifies image repository of post-install job.
          repository: tykio/tyk-k8s-bootstrap-post
          # tag specifies image tag of post-install job.
          tag: v2.2.0

        # extraEnvs is used to set extra environment variables to post-install job.
        # - name: TYK_K8SBOOTSTRAP_TYK_ADMIN_FIRSTNAME
        #   value: "burak"
        extraEnvs: []

      # preDelete configures pre-delete Helm hook
      preDelete:
        # image specifies image repository of bootstrap images
        image:
          # repository specifies image repository of pre-delete job.
          repository: tykio/tyk-k8s-bootstrap-pre-delete
          # tag specifies image tag of pre-delete job.
          tag: v2.2.0

        # extraEnvs is used to set extra environment variables to pre-delete job.
        # - name: TYK_K8SBOOTSTRAP_OPERATORKUBERNETESSECRETNAME
        #   value: "tyk-operator-conf"
        extraEnvs: []

    org:
      # The name for your organization inside Tyk
      name: Default Org
      # The hostname to bind the Portal to.
      cname: tyk-portal.local

    # podAnnotations specifies annotations to be added Tyk Bootstrap job pods.
    # It takes key-value pairs.
    # There are no required annotations for Tyk Bootstrap.
    #
    # podAnnotations:
    #   postInstallPodAnnotations:
    #     key: value
    #     post: install
    #   preDeletePodAnnotations:
    #     key: value
    #     post: install
    podAnnotations:
      # preInstallPodAnnotations specifies annotations to be added to Tyk Bootstrap pre-install hook's job pods.
      preInstallPodAnnotations: {}
      # postInstallPodAnnotations specifies annotations to be added to Tyk Bootstrap post-install hook's job pods.
      postInstallPodAnnotations: {}
      # preDeletePodAnnotations specifies annotations to be added to Tyk Bootstrap pre-delete hook's job pods.
      preDeletePodAnnotations: {}

    # podLabels specifies labels to be added in bootstrap Pod
    podLabels:
      # preInstallPodLabels specifies labels to be added to Tyk Bootstrap pre-install hook's job pods.
      preInstallPodLabels: {}
      # postInstallPodLabels specifies labels to be added to Tyk Bootstrap post-install hook's job pods.
      postInstallPodLabels: {}
      # preDeletePodLabels specifies labels to be added to Tyk Bootstrap pre-delete hook's job pods.
      preDeletePodLabels: {}

    # extraVolumes is a list of volumes to be added to the pod
    # extraVolumes:
    #   - name: ca-certs
    #     secret:
    #       defaultMode: 420
    #       secretName: ca-certs
    extraVolumes: []

    # extraVolumeMounts is a list of volume mounts to be added to the pod
    # extraVolumeMounts:
    #   - name: ca-certs
    #     mountPath: /etc/ssl/certs/ca-certs.crt
    #     readOnly: true
    extraVolumeMounts: []

tyk-dashboard:
  # nameOverride overrides the Chart name. It is truncated to 63 characters.
  nameOverride: ""

  # fullnameOverride overrides App name. It is truncated to 63 characters.
  fullnameOverride: ""

  dashboard:
    # This is the URL of your Tyk Gateway node, which is used to set TYK_DB_TYKAPI_HOST.
    # The Dashboard controls Tyk using the Gateway API and only requires visibility to one node. In a sharded environment,
    # the Gateway node specified here must not be sharded.
    # - If you are using tyk-stack chart, it is automatically set to the gateway service URL.
    #   HOWEVER, if Tyk Gateway runs with custom service name, please override with the correct URL using this field.
    # - If you are using tyk-dashboard chart, you need to set the correct Gateway URL here too.
    # The URL needs to be formatted as: http://gateway_host
    tykApiHost: ""
    # The port gateway is running on.
    # If you are using control port for gateway, set the value to control port.
    # It is used to set TYK_DB_TYKAPI_PORT
    # tykApiPort: 9696
    # enableOwnership specifies if API Ownership for Self-Managed installations is enabled or not.
    # It is used to set TYK_DB_ENABLEOWNERSHIP
    enableOwnership: true
    # defaultPageSize specifies the page size that the dashboard should use.
    # It is used to set TYK_DB_PAGESIZE
    defaultPageSize: 10
    # notifyOnChange specifies whether the Tyk Dashboard will notify all Tyk Gateway nodes to hot-reload when an API definition is changed.
    # It is used to set TYK_DB_NOTIFYONCHANGE
    notifyOnChange: true
    # Deprecated:
    #   This field is deprecated in from v1.4.0, please set `global.hashKeys` for configuring hash keys feature
    hashKeys: true
    # enableDuplicateSlugs configures the dashboard whether validate against other listen paths.
    # Setting this option to true will cause the dashboard to NOT validate against other listen paths.
    # It is used to set TYK_DB_ENABLEDUPLICATESLUGS
    enableDuplicateSlugs: true
    # showOrgId determines whether the Org ID will be shown in the Users -> Username detail page.
    # This can be useful for quickly identifying your Org ID.
    # It is used to set TYK_DB_SHOWORGID
    showOrgId: true
    hostConfig:
      # Enable this option to have the Dashboard only allow access on a specific domain and 404 on any other host access
      # It is used to set TYK_DB_HOSTCONFIG_ENABLEHOSTNAMES
      enableHostNames: true
      # By default, for developer portal, Tyk will add orgID prefix. Set to true if you have single tenant application or each portal on separate domain.
      # It is used to set TYK_DB_HOSTCONFIG_DISABLEORGSLUGPREFIX
      disableOrgSlugPrefix: true
      # Set this value to whatever hostname your Tyk Gateway is running on.
      # It is used to set TYK_DB_HOSTCONFIG_GATEWAYHOSTNAME
      overrideHostname: *gwHostName
    # The path to the home directory of Tyk Dashboard, this must be set in order for Portal templates and other files to be loadable.
    # It is used to set TYK_DB_HOMEDIR
    homeDir: "/opt/tyk-dashboard"
    # If using the mongo-pump-selective pump, where data is written to org-id-specific collections in MongoDB,
    # then enabling this option will switch querying for analytics over to the independent collection entries.
    # It is used to set TYK_DB_USESHARDEDANALYTICS
    useShardedAnalytics: true
    # If using the new Aggregate Pump, Tyk Analytics can make use of the newer, faster Analytics lookup,
    # to ensure that this can be made backwards compatible.This option must be set to true,
    # in conjunction with the aggregate_lookup_cutoff value.
    # It is used to set TYK_DB_ENABLEAGGREGATELOOKUPS
    enableAggregateLookups: true
    # enableAnalyticsCache enables the caching of analytics data queries.
    # When this field is set to true, the Tyk Dashboard will cache the results of analytics queries in Redis,
    # which can significantly improve performance by reducing the load on the underlying MongoDB or PostgreSQL database
    # that stores this data.
    # It is used to set TYK_DB_ENABLEANALYTICSCACHE
    enableAnalyticsCache: true
    # Set this value to true if you are planning to use Tyk Sync or Tyk Operator
    # It is used to set TYK_DB_ALLOWEXPLICITPOLICYID
    allowExplicitPolicyId: true
    # oAuth redirect URI separator
    # It is used to set TYK_DB_OAUTHREDIRECTURISEPARATOR
    oauthRedirectUriSeparator: ";"
    # keyRequestFields enables administrators to collect necessary information for API key issuance, enforce policies,
    # and provide the flexibility to customize the key request process according to evolving business needs.
    # It is used to set TYK_DB_KEYREQUESTFIELDS
    keyRequestFields: "appName;appType"
    # Dashboard session lifetime
    # It is used to set TYK_DB_DASHBOARDSESSIONLIFETIME
    dashboardSessionLifetime: 43200
    # When enabled, if dashboard already have user with given email found, it will be used for the login process
    # It is used to set TYK_DB_SSOENABLEUSERLOOKUP
    ssoEnableUserLookup: true
    # notificationsListenPort specifies the port that the Tyk Dashboard listens on for webhook notifications sent from Tyk Gateways.
    # It is used to set TYK_DB_NOTIFICATIONSLISTENPORT
    notificationsListenPort: 5000
    # To delete a key by its hash, set this option to true
    # It is used to set TYK_DB_ENABLEDELETEKEYBYHASH
    enableDeleteKeyByHash: true
    # To update a key by its hash, set this option to true.
    # It is used to set TYK_DB_ENABLEUPDATEKEYBYHASH
    enableUpdateKeyByHash: true
    # To retrieve a list of all key hash listings, set this option to true.
    # It is used to set TYK_DB_ENABLEHASHEDKEYSLISTING
    enableHashedKeysListing: true
    # Enable support for users with the same email for multiple organisations
    # It is used to set TYK_DB_ENABLEMULTIORGUSERS
    enableMultiOrgUsers: true
    auditLogs:
      # Enables audit logging.
      # It is used to set TYK_DB_AUDIT_ENABLED
      enabled: false
      # Allow users to configure how dashboard store the audit logs.
      # Possible values are db and file.
      # It is used to set TYK_DB_AUDIT_STORETYPE
      type: "file"
      # Format of audit log file. Possible values are json and text
      # It is used to set TYK_DB_AUDIT_FORMAT
      format: "text"
      # Path to the audit log
      # It is used to set TYK_DB_AUDIT_PATH
      path: ""
      # Enables detailed records in the audit log.
      # If set to true then audit log records will contain the http-request (without body) and full http-response including the body.
      # It is used to set TYK_DB_AUDIT_DETAILEDRECORDING
      enableDetailedRecording: false
    # Manage dashboard API Open Policy Agent(OPA) support
    opa:
      # Enables OPA support.
      # It is used to set TYK_DB_SECURITY_OPENPOLICY_ENABLED
      enabled: false
      # Enables OPA debug mode which will allow more detailed logs about the policy execution.
      # It is used to set TYK_DB_SECURITY_OPENPOLICY_DEBUG
      debug: false
      # Enables OPA API mode which allows you to manage the OPA policies via the Dashboard API
      # It is used to set TYK_DB_SECURITY_OPENPOLICY_ENABLEAPI
      api: false
      # If OPA is enabled with its default policies you will need to set TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
      # to avoid bootstrap job failure because of the OPA policy restrictions.
      # It is used to set TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
      allowAdminPasswordReset: true

    # replicaCount specifies number of replicas to be created if kind is Deployment.
    replicaCount: 1

    # annotations be added to the Deployment of Tyk Dashboard
    annotations: {}

    # podAnnotations is annotations to be added to Tyk Dashboard pod.
    # It takes key-value pairs.
    # There are no required annotation field for Tyk Dashboard.
    #
    # podAnnotations:
    #   yourkey: value
    #   image: yourhub
    podAnnotations: {}

    # podLabels specifies labels to be added in dashboard Pod
    podLabels: {}

    image:
      # image repository for Tyk Dashboard.
      repository: tykio/tyk-dashboard

      # tag for Tyk Dashboard
      tag: v5.3.8

      # image pull policy
      pullPolicy: Always

    # image pull secrets to use when pulling images from repository
    imagePullSecrets: []

    service:
      type: ClusterIP
      externalTrafficPolicy: Local
      # specify loadBalancerIP if the service type is load balancer
      loadBalancerIP: ""
      annotations: {}

    # We usually recommend not to specify default resources and to leave this
    # as a conscious choice for the user. This also increases chances charts
    # run on environments with little resources, such as Minikube. If you do
    # want to specify resources, uncomment the following lines, adjust them
    # as necessary, and remove the curly braces after 'resources:'.
    #  resources:
    #   limits:
    #    cpu: 100m
    #    memory: 128Mi
    #   requests:
    #    cpu: 100m
    #    memory: 128Mi
    resources: {}

    # securityContext holds pod-level security attributes for Tyk Dashboard pod. All fields from PodSecurityContext object can be added here.
    securityContext:
      runAsUser: 1000
      fsGroup: 2000
      runAsNonRoot: true

    # containerSecurityContext holds container-level security attributes for Tyk Dashboard container. All fields from SecurityContext object can be added here.
    containerSecurityContext:
      runAsNonRoot: true
      runAsUser: 1000
      allowPrivilegeEscalation: false
      privileged: false
      readOnlyRootFilesystem: true
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
          - ALL

    # nodeSelector is a selector which must be true for Tyk Dashboard pod to fit on a specific node.
    nodeSelector: {}
    # tolerations specifies tolerations to be applied on Tyk Dashboard pods.
    tolerations: []
    # affinity specifies affinity and anti-affinity constraints.
    affinity: {}

    # extraContainers is a list of containers to be added to the pod
    # - name: sidecar
    #   image: sidecar:latest
    extraContainers: []

    # extraEnvs is used to set extra environment variables to Tyk Dashboard pod.
    # - name: TYK_DB_PAGESIZE
    #   value: "10"
    extraEnvs: []

    # extraVolumes is a list of volumes to be added to the pod
    # extraVolumes:
    #   - name: ca-certs
    #     secret:
    #       defaultMode: 420
    #       secretName: ca-certs
    extraVolumes: []

    # extraVolumeMounts is a list of volume mounts to be added to the pod
    # extraVolumeMounts:
    #   - name: ca-certs
    #     mountPath: /etc/ssl/certs/ca-certs.crt
    #     readOnly: true
    extraVolumeMounts: []

    # The hostname to bind the Dashboard to.
    hostName: tyk-dashboard.local

    tls:
      # The name of the secret which should contain the TLS certificate you want to use with the dashboard deployment
      secretName: tyk-default-tls-secret
      # This options allows you to skip verifying the TLS certificate. This is typically enabled when using self-signed certs.
      insecureSkipVerify: false

      # certificatesMountPath corresponds to the mount path of the secret.
      certificatesMountPath: "/etc/certs/tyk-dashboard"
      # certificates is an array of strings, used to set TYK_DB_HTTPSERVEROPTIONS_CERTIFICATES
      certificates:
        - domain_name: "*"
          cert_file: "/etc/certs/tyk-dashboard/tls.crt"
          key_file: "/etc/certs/tyk-dashboard/tls.key"

    # ingress specifies Ingress rules for Tyk Dashboard Service.
    # Ingress is disabled by default.
    ingress:
      enabled: false
      # specify your ingress controller class name below
      className: ""
      annotations: {}
        # kubernetes.io/ingress.class: nginx
        # kubernetes.io/tls-acme: "true"
      hosts:
        - host: chart-example.local
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls: []

  portal:
    ingress:
      enabled: false
      # specify your ingress controller class name below
      className: ""
      annotations: {}
        # kubernetes.io/ingress.class: nginx
        # kubernetes.io/tls-acme: "true"
      hosts:
        - host: chart-example.local
          paths:
            - path: /
              pathType: ImplementationSpecific
      tls: []
  # tib is used to configure Tyk Identity Broker(TIB) connection details
  tib:
    # enabled is used to enable/disable embedded TIB
    enabled: false

tyk-dev-portal:
  # Sensitive configuration of Portal could be set using k8s secret
  # You can set following fields:
  # - DevPortalLicense - Sets LicenseKey for Developer Portal
  # - DevPortalDatabaseConnectionString - Sets database connectionString for Developer Portal
  # - DevPortalAwsAccessKeyId - Sets AWS S3 Access Key ID
  # - DevPortalAwsSecretAccessKey - Sets AWS S3 Secret Access Key
  useSecretName: ""
  # The hostname to bind the Developer Portal to.
  hostName: tyk-dev-portal.local
  # Developer Portal license.
  license: ""
  # Developer portal can be deployed as StatefulSet or as Deployment
  kind: StatefulSet
  storage:
    # User can set the storage type for portal.
    # Supported types: fs, s3, db
    type: "db"
    # Configuration values for using s3 as storage for Tyk Developer Portal
    # In case you want to provide the key ID and access key via secrets please
    # refer to the existing secret inside the helm chart or the
    # .Values.useSecretName field
    s3:
      awsAccessKeyid: your-access-key
      awsSecretAccessKey: your-secret-key
      region: sa-east-1
      endpoint: https://s3.sa-east-1.amazonaws.com
      bucket: your-portal-bucket
      acl: private
      presign_urls: true
    persistence:
      mountExistingPVC: ""
      storageClass: ""
      accessModes:
        - ReadWriteOnce
      size: 8Gi
      annotations: {}
      labels: {}
      selector: {}
  database:
    # This selects the SQL dialect to be used
    # The supported values are mysql, postgres and sqlite3
    dialect: "sqlite3"
    connectionString: "db/portal.db"
    enableLogs: false
    maxRetries: 3
    retryDelay: 5000

  # replicaCount specifies number of replicas to be created if kind is Deployment.
  replicaCount: 1

  # containerPort specifies the container port for Tyk Developer Portal container.
  # Also, it is used to set PORTAL_HOST_PORT
  containerPort: 3001
  image:
    # image repository for Tyk Developer Portal.
    repository: tykio/portal

    # Developer portal < v1.2 is not supported
    tag: v1.12.0
    # image pull policy
    pullPolicy: Always

  # image pull secrets to use when pulling images from repository
  imagePullSecrets: []

  service:
    # type corresponds to the service type of Tyk Developer Portal Service.
    type: ClusterIP
    # The port at which Tyk Developer Portal service can be found
    port: 3001
    # externalTrafficPolicy corresponds to the external traffic policy if the service type is load balancer
    externalTrafficPolicy: Local
    # annotations corresponds to the annotations which will be added into Tyk Dashboard Service.
    annotations: {}

  # ingress specifies Ingress rules for Tyk Developer Portal Service.
  # Ingress is disabled by default.
  ingress:
    # enabled specifies whether ingress is enabled or not.
    # Set it to true to enable Ingress for Tyk Dashboard Service.
    enabled: false
    # specify your ingress controller class name below
    className: ""

    # annotations specifies annotations to be added on Ingress resource.
    annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"

    # hosts corresponds to the rules to be added on Ingress rules.
    hosts:
      - host: chart-example.local
        paths:
          - path: /
            pathType: ImplementationSpecific

    # tls corresponds to the tls configuration if Ingress rules use TLS
    tls: []

  resources: {}
    # We usually recommend not to specify default resources and to leave this
    # as a conscious choice for the user. This also increases chances charts
    # run on environments with little resources, such as Minikube. If you do
    # want to specify resources, uncomment the following lines, adjust them
    # as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
    #  cpu: 100m
    #  memory: 128Mi

  # securityContext holds pod-level security attributes for Tyk Developer Portal pod. All fields from PodSecurityContext object can be added here.
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
    runAsNonRoot: true
  # containerSecurityContext holds container-level security attributes for Tyk Developer Portal pod. All fields from SecurityContext object can be added here.
  containerSecurityContext:
    runAsNonRoot: true
    runAsUser: 1000
    allowPrivilegeEscalation: false
    privileged: false
    readOnlyRootFilesystem: true
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL
  # nodeSelector is a selector which must be true for Tyk Developer Portal pod to fit on a specific node.
  nodeSelector: {}
  # tolerations specifies tolerations to be applied on Tyk Developer Portal pods.
  tolerations: []
  # affinity specifies affinity and anti-affinity constraints.
  affinity: {}

  # extraContainers is a list of containers to be added to the pod
  # - name: sidecar
  #   image: sidecar:latest
  extraContainers: []

  # extraEnvs is used to set extra environment variables to Tyk Developer Portal pod.
  # - name: PORTAL_REFRESHINTERVAL
  #   value: "10"
  extraEnvs: []
  # extraVolumes is a list of volumes to be added to the pod
  # extraVolumes:
  #   - name: ca-certs
  #     secret:
  #       defaultMode: 420
  #       secretName: ca-certs
  extraVolumes: []
  # extraVolumeMounts is a list of volume mounts to be added to the pod
  # extraVolumeMounts:
  #   - name: ca-certs
  #     mountPath: /etc/ssl/certs/ca-certs.crt
  #     readOnly: true
  extraVolumeMounts: []

  # livenessProve includes details about liveness probe used in Tyk Developer Portal
  livenessProbe:
    # initialDelaySeconds specifies the seconds used in liveness probe as initial delay.
    initialDelaySeconds: 60

  # readinessProbe includes details about readiness probe used in Tyk Developer Portal
  readinessProbe:
    # initialDelaySeconds specifies the seconds used in readiness probe as initial delay.
    initialDelaySeconds: 60

  # annotations be added to the Deployment of Tyk Developer Portal
  annotations: {}
  # podAnnotations specifies annotations to be added in Tyk Developer Portal Pod.
  # It takes key-value pairs.
  # There are no required annotation field for Tyk Developer Portal Pod.
  #
  # podAnnotations:
  #   yourkey: value
  #   image: yourhub
  podAnnotations: {}

  # podLabels specifies labels to be added in Tyk Developer Portal Pod
  podLabels: {}
tests:
  enabled: true
  resources: {}
    # We usually recommend not to specify default resources and to leave this
    # as a conscious choice for the user. This also increases chances charts
    # run on environments with little resources, such as Minikube. If you do
    # want to specify resources, uncomment the following lines, adjust them
    # as necessary, and remove the curly braces after 'resources:'.
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
    # requests:
  #  cpu: 100m
  #  memory: 128Mi

  # securityContext holds pod-level security attributes for Tyk tests pod. All fields from PodSecurityContext object can be added here.
  securityContext:
    runAsUser: 1000
    fsGroup: 2000
    runAsNonRoot: true
  # containerSecurityContext holds container-level security attributes for Tyk tests pod. All fields from SecurityContext object can be added here.
  containerSecurityContext:
    runAsNonRoot: true
    runAsUser: 1000
    allowPrivilegeEscalation: false
    privileged: false
    readOnlyRootFilesystem: true
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop:
        - ALL
  # nodeSelector is a selector which must be true for Tyk tests pod to fit on a specific node.
  nodeSelector: {}
  # tolerations specifies tolerations to be applied on Tyk tests pods.
  tolerations: []
  # affinity specifies affinity and anti-affinity constraints.
  affinity: {}
  # podAnnotations specifies annotations to be added in Tyk tests Pod.
  # It takes key-value pairs.
  # There are no required annotation field for Tyk tests Pod.
  #
  # podAnnotations:
  #   yourkey: value
  #   image: yourhub
  podAnnotations: {}
  # podLabels specifies labels to be added in Tyk tests Pod
  podLabels: {}