values.yaml

## Global Docker image parameters.
## Please note that this will override the image parameters, including dependencies, configured to use the global value.
global:
  ## Global Docker image registry
  imageRegistry: ""
  ## Global Docker registry secret names as an array
  ##
  ## @example
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  imagePullSecrets: []

## Force target Kubernetes version (using Helm capabilities if not set)
kubeVersion: ""
## String to partially override horizon.fullname
nameOverride: ""
## String to fully override horizon.fullname
fullnameOverride: ""
## String to override the image registry for all containers
imageRegistry: ""
## Labels to add to all deployed objects
commonLabels: {}
## Annotations to add to all deployed objects
commonAnnotations: {}

## By default, we fetch the Horizon image from the Evertrust registry.
## If the tag is null or unset, the default value will be set to the chart appVersion.
## As the official Evertrust registry is not in open-access,
## you should specify an image pull secret that has
## access to Horizon images.
##
## @ref https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
image:
  ## Horizon image registry
  registry: registry.evertrust.io
  ## Horizon image repository
  repository: horizon
  ## Horizon image tag (immutable tags are recommended)
  tag: 2.9.0
  ## Horizon image flavor (for HSM compatible images)
  flavor: ""
  ## Horizon image pull policy
  pullPolicy: IfNotPresent
  ## Horizon image pull secrets
  pullSecrets: []

## @ref https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## @example
## updateStrategy:
##  type: RollingUpdate
##  rollingUpdate:
##    maxSurge: 25%
##    maxUnavailable: 25%
updateStrategy:
  ## Horizon deployment strategy type
  type: RollingUpdate
  ## Rolling update spec
  rollingUpdate:
    maxUnavailable: 1

## Annotations to add to the deployment object
deploymentAnnotations: {}

## Annotations to add to the deployment object
deploymentLabels: {}

## Horizon pod priority class name
priorityClassName: ""
## Horizon pod host aliases
##
## @ref https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
hostAliases: []
## Optionally specify extra list of additional volumes for Horizon pods
##
## @example
## extraVolumes:
##   - name: extra-volume-name
##     configMap:
##       name: example-configmap
extraVolumes: []
## Optionally specify extra list of additional volumeMounts for Horizon container(s)
##
## @example
## extraVolumeMounts:
##   - name: extra-volume-name
##     mountPath: /mnt/extra-volume
extraVolumeMounts: []
## Add additional sidecar containers to the Horizon pod
##
## @example
## sidecars:
##   - name: your-image-name
##     image: your-image
##     imagePullPolicy: Always
##     ports:
##       - name: portname
##         containerPort: 1234
sidecars: []
## Add lifecycle hooks to the Horizon deployment
lifecycleHooks: {}
## Extra labels for Horizon pods
##
## @ref https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
podLabels: {}
## Annotations for Horizon pods
##
## @ref https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
podAnnotations: {}
## Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
##
## @ref https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAffinityPreset: ""
## Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
##
## @ref https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAntiAffinityPreset: soft
## Node affinity preset
##
## @ref https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
nodeAffinityPreset:
  ## Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  type: ""
  ## Node label key to match. Ignored if `affinity` is set
  key: ""
  ## Node label values to match. Ignored if `affinity` is set
  ##
  ## @example
  ## values:
  ##   - e2e-az1
  ##   - e2e-az2
  values: []
## Number of controller revisions to keep
revisionHistoryLimit: 3
## Replica count when no autoscaler is configured
replicas: 1
## Affinity for pod assignment
##
## NOTE: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set.
##
## @ref https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
affinity: {}
## Node labels for pod assignment
##
## @ref https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
## Tolerations for pod assignment
##
## @ref https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
## Spread Constraints for pod assignment
##
## @ref https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## @example
## topologySpreadConstraints:
##   - maxSkew: 1
##     topologyKey: node
##     whenUnsatisfiable: DoNotSchedule
topologySpreadConstraints: []
## Horizon containers' resource requests and limits.
## The JVM will automatically adapt the memory allocation pool to the container allocated resources.
##
## @ref https://kubernetes.io/docs/user-guide/compute-resources/
resources:
  ## The resources limits for the Horizon container
  limits: {}
  ## The requested resources for the Horizon container
  requests:
    memory: 512Mi
    cpu: 300m
## Configure Pods Security Context
##
## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
podSecurityContext:
  ## Enabled Horizon pods' Security Context
  enabled: true
  ## Set Horizon pod's Security Context fsGroup
  fsGroup: 1001
## Configure Container Security Context (only main container)
##
## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
containerSecurityContext:
  ## Enabled Horizon containers' Security Context
  enabled: true
  ## Set Horizon container's Security Context runAsUser
  runAsUser: 1001
  ## Set Horizon container's Security Context runAsNonRoot
  runAsNonRoot: true
## Configure extra options for Horizon containers' liveness probe.
##
## @ref https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
livenessProbe:
  ## Enable livenessProbe
  enabled: true
  ## Initial delay seconds for livenessProbe
  initialDelaySeconds: 0
  ## Period seconds for livenessProbe
  periodSeconds: 10
  ## Timeout seconds for livenessProbe
  timeoutSeconds: 5
  ## Success threshold for livenessProbe
  successThreshold: 1
  ## Failure threshold for livenessProbe
  failureThreshold: 3
## A startup probe allows us to define a shorter period to improve Horizon time-to-liveliness time
## while preserving the Horizon pod from a restart loop when it is slow to start.
##
## @ref https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
startupProbe:
  ## Enable startupProbe. Since Horizon is slow to start, this is highly recommended.
  enabled: true
  ## Failure threshold for startupProbe
  failureThreshold: 60
  ## Period seconds for startupProbe
  periodSeconds: 3
## @ref https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
readinessProbe:
  ## Enable readinessProbe
  enabled: true
  ## Initial delay seconds for readinessProbe
  initialDelaySeconds: 0
  ## Period seconds for readinessProbe
  periodSeconds: 5
  ## Timeout seconds for readinessProbe
  timeoutSeconds: 3
  ## Success threshold for readinessProbe
  successThreshold: 1
  ## Failure threshold for readinessProbe
  failureThreshold: 3

## @ref https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
horizontalAutoscaler:
  ## Enable Horizontal POD autoscaling for Horizon
  enabled: false
  ## Minimum number of Horizon replicas
  minReplicas: 1
  ## Maximum number of Horizon replicas
  maxReplicas: 3
  ## Target CPU utilization percentage
  targetCPU: 50
  ## Target Memory utilization percentage
  targetMemory: 50

## @ref https://kubernetes.io/docs/tasks/run-application/configure-pdb/
disruptionBudget:
  ## Created a PodDisruptionBudget
  enabled: false
  ## Min number of pods that must still be available after the eviction
  minAvailable: 1
  ## Max number of pods that can be unavailable after the eviction
  maxUnavailable: 0

## Configure environment variable injections into Horizon's pods.
## This is the way you should inject secrets into the app if you wish to use the Kubernetes secrets implementation.
##
## @ref https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
## @example
##   environment:
##     - name: KEY
##       value: VALUE
environment: []

## This value is useful if you need to resolve your custom domain for ACME challenges.
##
## @ref https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
## @example
##  nameservers:
##    - 1.2.3.4
##  searches:
##    - ns1.svc.cluster-domain.example
##    - my.dns.search.suffix
##  options:
##    - name: ndots
##      value: "2"
dnsConfig: {}

## @ref https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy: ""

## Service configuration
service:
  ## Kubernetes service type
  type: ClusterIP
  ## Horizon service clusterIP IP
  ##
  ## @example
  ## clusterIP: None
  clusterIP: ""
  ## Load balancer IP for the Horizon Service (optional, cloud specific)
  ##
  ## @ref https://kubernetes.io/docs/user-guide/services/#type-loadbalancer
  loadBalancerIP: ""
  ## Address that are allowed when service is LoadBalancer
  ##
  ## @ref https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## @example
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  loadBalancerSourceRanges: []
  ## Enable client source IP preservation
  ##
  ## @ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  externalTrafficPolicy: Cluster
  ## Extra port to expose on Horizon service
  extraPorts: []
  ## Annotations for Horizon service
  annotations: {}

## Ingress configuration
##
## @ref https://kubernetes.io/docs/concepts/services-networking/ingress/
ingress:
  ## Set to true to enable ingress record generation
  enabled: false
  ## Ingress type
  ##
  ## Automatically configure your ingress for an ingress controller. Accepted values are nginx, traefik.
  ## This will override the clientCertificateHeader if set, and generate annotations, resources, and
  ## ingresses resources to ensure Horizon works correctly.
  type: ""
  ## Client certificate authentication
  ##
  ## When ingress.type is set, determines whether the ingress controller should request client certificates.
  clientCertificateAuth: false
  ## Client certificate CA secrets
  ##
  ## If set, the ingress controller will only request client certificates signed by these CAs.
  ## Each secret should contain a `ca.crt` key containing the PEM-encoded AC certificate.
  clientCertificateCASecrets: []
  ## SCEP compatibility mode
  ##
  ## Adds a secondary ingress for SCEP support over HTTP.
  scepCompatibilityMode: false
  ## IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ingressClassName: ""
  ## Default host for the ingress resource
  ##
  ## @example
  ## hostname: "horizon.local"
  hostname: ""
  ## Default path for the ingress record
  ##
  ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers.
  path: /
  ## Ingress path type
  pathType: Prefix
  ## Additional annotations for the Ingress resource
  ##
  ## To enable certificate autogeneration, place here your cert-manager annotations.
  ##
  ## @example
  ## annotations:
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  annotations: {}
  ## Enable TLS configuration for the hostname defined at ingress.hostname parameter
  ##
  ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
  ## You can use the ingress.secrets parameter to create this TLS secret, relay on cert-manager to create it, or
  ## let the chart create self-signed certificates for you.
  tls: false
  ## The list of additional hostnames to be covered with this ingress record
  ##
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array.
  ##
  ## @example
  ## extraHosts:
  ## - name: horizon.local
  ##   path: /
  extraHosts: []
  ## An array with additional arbitrary paths that may need to be added to the ingress under the main host
  ##
  ## @example
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  extraPaths: []
  ## The tls configuration for additional hostnames to be covered with this ingress record
  ##
  ## @ref https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## @example
  ## extraTls:
  ## - hosts:
  ##     - horizon.local
  ##   secretName: horizon.local-tls
  extraTls: []
  ## Additional rules to be covered with this ingress record
  ##
  ## @ref https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
  ## @example
  ## extraRules:
  ## - host: horizon.local
  ##     http:
  ##       path: /
  ##       backend:
  ##         service:
  ##           name: horizon
  ##           port:
  ##             name: http
  extraRules: []

## Prometheus monitor configuration
monitoring:
  ## Enable the creation of a ServiceMonitor object for Horizon if the cluster has the monitoring.coreos.com/v1 capability
  enabled: true

## Configure the Play secret for the Horizon instance.
## As this is used for cryptographic purposes, it should be fetched from the environment.
##
## @ref https://www.playframework.com/documentation/2.8.x/ApplicationSecret Play Framework Application Secret
## @example
## appSecret:
##   valueFrom:
##     secretKeyRef:
##       name: horizon-secret
##       key: appSecret
appSecret: {}

## A valid Horizon license is required for the software to run.
## You should store it (base64-encoded) in a Kubernetes secret and specify the secret details here.
##
## @ref README.md
license:
  ## Existing secret name where the Horizon license is stored
  secretName: ""
  ## Existing secret key where the Horizon license is stored
  secretKey: ""

## Set up initial admin user.
initialAdminHashPassword:
  ## Whether to enable the initial admin user
  enabled: false
  ## Existing secret name where the initial admin password is stored
  secretName: ""
  ## Existing secret key where the initial admin password is stored
  secretKey: ""

## Horizon Default vault configuration
defaultVault:
  type: tink
  masterKeyURI: ""
  ## Keyset
  ##
  ## A reference to a secret that contains the keyset.
  ## You should store it (base64-encoded) in a Kubernetes secret and specify the secret details here.
  ##
  ## @ref README.md
  ## @example
  ## keyset:
  ##  secretName: ""
  ##  secretKey: ""
  keyset: {}

## Horizon legacy SSV password (Optional).
## Should be set if upgrading from Horizon 2.7 or earlier to Horizon 2.8 or later.
##
## @example
## legacySsvPassword:
##   secretName: horizon-legacy-ssv-password
##   secretKey: legacySsvPassword
legacySsvPassword: {}

## Additional allowed hosts that are whitelisted to access the Horizon UI.
## Configured ingresses will automatically be added to the list, this should
## only be used when port forwarding or when an ingress is created manually.
##
## @example
## allowedHosts:
##   - localhost:9000
##   - demo.example.org
allowedHosts:
  - localhost:9000

## Depending on your Kubernetes environment, Ingress IPs may be unpredictable.
## In that case, you should whitelist every IP in your local addressing space.
##
## @example
## trustedProxies:
##   - 0.0.0.0/0
##   - ::/0
trustedProxies:
  - 0.0.0.0/0
  - ::/0

## Configuration for Horizon events
events:
  ## Whether Horizon events should be signed and chained using the event seal secret
  chainsign: true
  ## Secret used to sign and chain events
  ##
  ## Can be a reference to a Kubernetes secret.
  ##
  ## @example
  ##   secret:
  ##     valueFrom:
  ##       secretKeyRef:
  ##         name: horizon-secret
  ##         key: eventSealSecret
  secret: {}
  ## Duration during which events are kept in database
  ttl: ""
  ## Duration during which discovery events are kept in database
  discoveryTtl: ""

## Format in which logs will be outputted. Can be set either to "console" or "json" for structured logging.
logFormat: console

## TLS configuration
tls:
  ## Whether to use the HTTPS port by default on ingresses and other services
  enabled: false
  ## Existing secret name where a PKCS12 certificate is stored
  secretName: ""
  ## Existing secret key where the PKCS12 certificate is stored
  secretKey: ""

## Configuration for the Horizon mailer.
## You should configure this if you want your Horizon instance to be able to send emails.
## You should fetch credentials from the environment if they are required.
mailer:
  ## SMTP host
  host: ""
  ## SMTP host port
  port: ""
  ## Enable TLS for this SMTP host
  tls: ""
  ## Enable SSL for this SMTP host
  ssl: ""
  ## Authentication username for this SMTP host
  user: ""
  ## Authentication password for this SMTP host
  ##
  ## Can be a reference to a Kubernetes secret.
  ##
  ## @example
  ##   password:
  ##     valueFrom:
  ##       secretKeyRef:
  ##         name: horizon-secret
  ##         key: mailerPassword
  password: {}

## Configure the logger for this Horizon instance.
## Sensible defaults are set, but you may need a more verbose logging experience when debugging the application.
##
## @ref https://www.playframework.com/documentation/2.8.x/ScalaLogging Play Framework Logging
logback:
  ## Global logging level for all loggers
  level: info
  ## Log messages pattern
  pattern: "%date{yyyy-MM-dd HH:mm:ss} - [%logger] - [%traceID] - [%level] - %message%n%xException{full}"
  ## Logging level overrides for specific loggers
  ##
  ## @example You might want to use the following loggers to gather more info about your Horizon instance
  ## loggers:
  ##   - name: actors
  ##     level: debug
  ##   - name: actions
  ##     level: debug
  ##   - name: controllers
  ##     level: debug
  ##   - name: filters
  ##     level: debug
  ##   - name: models
  ##     level: debug
  ##   - name: modules
  ##     level: debug
  ##   - name: pki-connectors
  ##     level: debug
  ##   - name: racs-connectors
  ##     level: debug
  loggers:
    - name: events
      level: warn
    - name: json_events
      level: info

rbac:
  ## Whether to create RBAC resources
  create: true

## @ref https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
serviceAccount:
  ## Enable the creation of a ServiceAccount for Horizon pods
  create: true
  ## Name of the created ServiceAccount
  ##
  ## If not set and create is true, a name is generated using the horizon.fullname template.
  name: ""
  ## Annotations for Horizon Service Account
  annotations:
    helm.sh/hook: pre-install, pre-upgrade, pre-rollback
    helm.sh/hook-delete-policy: before-hook-creation
    helm.sh/hook-weight: "0"
  ## Automount service account token for the server service account
  automountServiceAccountToken: true

leases:
  ## Whether leases should be used when launching multiple replicas of Horizon pods
  enabled: true

## Indicates to Horizon in which header the client certificate will be passed.
## Will be automatically set by the ingress.clientCertificateAuth value if set.
clientCertificateHeader: ""

## Whether Horizon pods should connect to each other directly via IP, or through a DNS record generated by a Kubernetes DNS server.
## Useful if the kube-dns server is configured with "pods disabled" or if you use GKE Cloud DNS.
## NOTE: This is not supported by Istio.
podsDirectConnect: false

## Additional configuration for Horizon.
## Injecting arbitrary config could result in unexpected behavior. Proceed with caution.
##
## @ref https://docs.evertrust.fr/horizon/-/install-guide/advanced_config Horizon Configuration Parameters
## @example
## extraConfig: |
##   horizon {
##     notification.mail.attachment.extension.der = "der"
##   }
extraConfig: ""

temporaryDatabase:
  ## Whether to enable the deployment of a temporary MongoDB instance
  enabled: true

  ## MongoDB image
  image:
    ## MongoDB image registry
    registry: ~
    ## MongoDB image repository
    repository: mongo
    ## MongoDB image tag (immutable tags are recommended)
    tag: 7
    ## MongoDB image pull policy
    pullPolicy: IfNotPresent
    ## MongoDB image pull secrets
    pullSecrets: []

  persistence:
    ## Whether to enable persistence on the temporary MongoDB
    enabled: true
    ## Extra annotations to add to the PVC
    annotations: {}
    ## Storage class of backing PVC
    storageClass: ""
    ## Access modes of the PVC
    accessModes:
      - ReadWriteOnce
    ## Size of data volume for MongoDB
    size: "1Gi"

  ## Optionally specify extra list of additional volumes for MongoDB pods
  ##
  ## @example
  ## extraVolumes:
  ##   - name: extra-volume-name
  ##     configMap:
  ##       name: example-configmap
  extraVolumes: []

  ## Optionally specify extra list of additional volumeMounts for MongoDB container(s)
  ##
  ## @example
  ## extraVolumeMounts:
  ##   - name: extra-volume-name
  ##     mountPath: /mnt/extra-volume
  extraVolumeMounts: []

  ## MongoDB container resources
  ##
  ## @ref https://kubernetes.io/docs/user-guide/compute-resources/
  resources:
    ## The resources limits for the MongoDB container
    limits:
      memory: 512Mi
      cpu: 500m
    ## The requested resources for the MongoDB container
    requests:
      memory: 512Mi
      cpu: 500m

  ## Configure Pods Security Context
  ##
  ## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  podSecurityContext:
    ## Enabled Horizon pods' Security Context
    enabled: true
    ## Set Horizon pod's Security Context fsGroup
    fsGroup: 1001
  ## Configure Container Security Context
  ##
  ## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  containerSecurityContext:
    ## Enabled Horizon containers' Security Context
    enabled: true
    ## Set Horizon container's Security Context runAsUser
    runAsUser: 1001
    ## Set Horizon container's Security Context runAsNonRoot
    runAsNonRoot: true

## Upgrade job
upgrade:
  ## If true, an upgrade job will be run when upgrading the release, modifying your database schema. This works even if `mongodb.enabled` is set to false.
  enabled: true
  ## If true, an upgrade job will be run every time the Chart is installed or upgraded.
  force: false
  ## Extra annotations to add to the upgrade job
  annotations:
    helm.sh/hook: post-upgrade
    helm.sh/hook-delete-policy: before-hook-creation
    helm.sh/hook-weight: "0"
  ## Upgrade image
  image:
    ## Horizon Migration image registry
    registry: registry.evertrust.io
    ## Horizon Migration image repository
    repository: horizon-migration
    ## Horizon Migration image tag (immutable tags are recommended)
    tag: 1.13.0
    ## Horizon Migration image pull policy
    pullPolicy: IfNotPresent
    ## Horizon Migration image pull secrets
    pullSecrets: []
  ## horizon-migration container resources
  ##
  ## @ref https://kubernetes.io/docs/user-guide/compute-resources/
  resources:
    limits:
      memory: 512Mi
      cpu: 500m
    requests:
      memory: 512Mi
      cpu: 500m
  ## Sets the version you're upgrading from. If empty, the chart will try to infer the version from the database.
  from: ""
  ## Sets the version you're upgrading to. If empty, the chart will use Chart.AppVersion.
  to: ""
  ## Node labels for upgrade pod assignment
  ##
  ## @ref https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  nodeSelector: {}
  ## Tolerations for upgrade pod assignment
  ##
  ## @ref https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []
  ## Configure Pods Security Context
  ##
  ## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  podSecurityContext:
    ## Enabled upgrade pod Security Context
    enabled: true
    ## Set upgrade pod Security Context fsGroup
    fsGroup: 1001
  ## Configure Container Security Context
  ##
  ## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  containerSecurityContext:
    ## Enabled upgrade container Security Context
    enabled: true
    ## Set upgrade container Security Context runAsUser
    runAsUser: 1001
    ## Set upgrade container Security Context runAsNonRoot
    runAsNonRoot: true
  ## Optionally specify extra list of additional volumes for the upgrade pod
  ##
  ## @example
  ## extraVolumes:
  ##   - name: extra-volume-name
  ##     configMap:
  ##       name: example-configmap
  extraVolumes: []
  ## Optionally specify extra list of additional volumeMounts for the upgrade container
  ##
  ## @example
  ## extraVolumeMounts:
  ##   - name: extra-volume-name
  ##     mountPath: /mnt/extra-volume
  extraVolumeMounts: []
  ## Ignore empty from
  ignoreEmptyFrom: false

upgradeCompatibilityCheck:
  ## If true, a check job will be run before upgrading the release.
  enabled: true
  ## Extra annotations to add to the upgrade compatibility check job
  annotations:
    helm.sh/hook: pre-upgrade
    helm.sh/hook-delete-policy: before-hook-creation
    helm.sh/hook-weight: "0"
  ## horizon-migration container resources
  ##
  ## @ref https://kubernetes.io/docs/user-guide/compute-resources/
  resources:
    limits:
      memory: 512Mi
      cpu: 500m
    requests:
      memory: 512Mi
      cpu: 500m
  ## Node labels for upgrade pod assignment
  ##
  ## @ref https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  nodeSelector: {}
  ## Tolerations for upgrade pod assignment
  ##
  ## @ref https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []
  ## Configure Pods Security Context
  ##
  ## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  podSecurityContext:
    ## Enabled upgrade compatibility check pod Security Context
    enabled: true
    ## Set upgrade compatibility check pod Security Context fsGroup
    fsGroup: 1001
  ## Configure Container Security Context
  ##
  ## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  containerSecurityContext:
    ## Enabled upgrade compatibility check container Security Context
    enabled: true
    ## Set upgrade compatibility check container Security Context runAsUser
    runAsUser: 1001
    ## Set upgrade compatibility check container Security Context runAsNonRoot
    runAsNonRoot: true
  ## Optionally specify extra list of additional volumes for the upgrade compatibility check pod
  ##
  ## @example
  ## extraVolumes:
  ##   - name: extra-volume-name
  ##     configMap:
  ##       name: example-configmap
  extraVolumes: []
  ## Optionally specify extra list of additional volumeMounts for the upgrade compatibility check container
  ##
  ## @example
  ## extraVolumeMounts:
  ##   - name: extra-volume-name
  ##     mountPath: /mnt/extra-volume
  extraVolumeMounts: []
  ## Ignore empty from
  ignoreEmptyFrom: false

backup:
  ## Whether to enable backup
  enabled: false
  ## Extra annotations to add to the backup job
  annotations: {}
  ## Extra labels to add to the backup job
  labels: {}
  ## Whether to suspend backup scheduling
  suspended: false
  ## Cron expression for the backup job
  schedule: "0 * * * *"
  ## Successful jobs history limit
  successfulJobsHistoryLimit: 1
  ## Failed jobs history limit
  failedJobsHistoryLimit: 3
  ## Backoff limit for the backup job
  backoffLimit: 3
  ## Toolbox image
  image:
    registry: quay.io/evertrust
    ## Toolbox image repository
    repository: toolbox
    ## Toolbox image tag (immutable tags are recommended)
    tag: v0.6.1
    ## Toolbox image pull policy
    pullPolicy: IfNotPresent
    ## Toolbox image pull secrets
    pullSecrets: []
  ## Configure Pods Security Context
  ##
  ## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  podSecurityContext:
    ## Enabled Horizon pods' Security Context
    enabled: true
    ## Set Horizon pod's Security Context fsGroup
    fsGroup: 1001
  ## Configure Container Security Context (only main container)
  ##
  ## @ref https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  containerSecurityContext:
    ## Enabled Horizon containers' Security Context
    enabled: true
    ## Set Horizon container's Security Context runAsUser
    runAsUser: 1001
    ## Set Horizon container's Security Context runAsNonRoot
    runAsNonRoot: true
  ## Optionally specify extra list of additional volumes for the backup pod
  ##
  ## @example
  ## extraVolumes:
  ##   - name: extra-volume-name
  ##     configMap:
  ##       name: example-configmap
  extraVolumes: []
  ## Optionally specify extra list of additional volumeMounts for the backup container
  ##
  ## @example
  ## extraVolumeMounts:
  ##   - name: extra-volume-name
  ##     mountPath: /mnt/extra-volume
  extraVolumeMounts: []
  ## Backup container resources
  ##
  ## @ref https://kubernetes.io/docs/user-guide/compute-resources/
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 500m
      memory: 512Mi
  ## Environment variable injections into the backup pods
  ##
  ## This is the way you should inject secrets into the app if you wish to use the Kubernetes secrets implementation.
  ##
  ## @ref https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/
  environment: []
  ## Extra env vars passed to the backup pods
  envFrom: []
  ## Node labels for backup pod assignment
  ##
  ## @ref https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  nodeSelector: {}
  ## Tolerations for backup pod assignment
  ##
  ## @ref https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  tolerations: []
  ## Affinity for the backup job (e.g., nodeAffinity, podAffinity, podAntiAffinity)
  ##
  ## @ref https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}

## Configuration for an Horizon external database
##
## Refer to the Horizon installation guide to configure the installation correctly.
externalDatabase:
  ## External MongoDB URI
  ##
  ## For an external database to be used, `mongodb.enabled` must be set to `false`.
  ## Can be a reference to a Kubernetes secret.
  ##
  ## @example
  ##   uri:
  ##     valueFrom:
  ##       secretKeyRef:
  ##         name: horizon-secret
  ##         key: mongoDBUri
  uri: {}

## Create dynamic manifests via values
##
## @example
## extraObjects:
##   - apiVersion: "kubernetes-client.io/v1"
##     kind: ExternalSecret
##     metadata:
##       name: horizon-secrets
##     spec:
##       backendType: gcpSecretsManager
##       data:
##         - key: horizon-secret-key
##           name: horizon-secret-name
extraObjects: []

## Enable Prometheus metrics
metrics:
  ## Whether to enable Prometheus metrics
  enabled: false
  ## Prometheus metrics port
  port: 9095

## Enable analytics engine
##
## Refer to the Horizon installation guide to configure the installation correctly.
##
## @ref https://docs.evertrust.fr/horizon/-/install-guide/analytics Analytics guide
## @ref https://docs.evertrust.fr/horizon/-/install-guide/docker#_docker_analytics_environment Analytics for docker guide
analytics:
  ## Whether to enable analytics
  enabled: false

## Enable Persistence
##
## When enabled, Horizon will be deployed as a statefulset.
persistence:
  ## Whether to enable persistence
  enabled: false
  ## Persistent Volume Claim Retention Policy
  ##
  ## @ref https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Delete
    whenScaled: Retain
  volumeClaimTemplates:
    analytics:
      annotations: {}
      storageClass: "standard-rwo"
      accessModes:
        - ReadWriteOnce
      size: "1Gi"
      mountPath: "/opt/horizon/var"