Categories

Versions

Kubernetes deployment with Helm

It has been nearly a year since our Kubernetes documentation was updated, and in the meantime large changes have occurred. It’s past time for an update.

Following some internal experiments at RapidMiner, we have attempted to reduce the complexity of Kubernetes configuration by introducing Helm Charts, but the results are still not what you would call “plug and play”.

Nevertheless, in the interest of progress, knowing that some of our users are already experienced with Kubernetes, we have decided to release some skeletal documentation – “skeletal” in the sense that it is not complete, but perhaps adequate for experienced users who know how to fill in the gaps.

In the weeks ahead, we plan to incrementally improve this documentation, based on feedback. If you made some effort to install and run the software, please let us know what we can do to improve the documentation.

For a simpler, single-host deployment of RapidMiner AI Hub, see Docker-compose deployment or the cloud images.

For RapidMiner AI Hub 9.10, our Docker Images have been improved to meet the latest security guidelines, including those of OpenShift and Rootless Docker. We tested our example configuration with the following Kubernetes services:

To deploy RapidMiner AI Hub with Kubernetes / Helm:

Version 9.10.3 (and later) of the Helm chart addresses the vulnerabilities in Apache log4j described by CVE-2021-44228 and CVE-2021-45046, commonly referred to as Log4Shell.

Table of contents

Before you begin

To deploy the Helm chart, you need basic Kubernetes infrastructure. This documentation will not explain Kubernetes infrastructure setup. The links below are intended as hints for getting started.

  1. Create Kubernetes infrastructure.

  2. As part of your Kubernetes setup, create NFS storage with a root folder:

    whose name we recommend you set to <NAMESPACE-PLACEHOLDER>, the same as your namespace, so that you can support multiple deployments on the same cluster, with the same NFS storage -- see productNS and nfsPath in values.yaml. To enable non-root container users to read and write files in this folder that is dedicated to your RapidMiner stack, set the following permissions:

     chown -R 2011.root <NAMESPACE-PLACEHOLDER>
     chmod g+w <NAMESPACE-PLACEHOLDER>
    
  3. Create a namespace, also with name <NAMESPACE-PLACEHOLDER>.

  4. Have your server certificate ready. Alternatively, use the built-in Let's Encrypt.

Introduction to Helm

Helm is a package manager for Kubernetes. A Helm Chart bundles the Kubernetes YAML files as templates, which you then configure via the file values.yaml. The details of this configuration depend on the details of your Kubernetes deployment. You and I may share the same templates, but our configurations (values.yaml) will differ. A typical Chart is a folder resembling the following:

mychart/
  Chart.yaml
  values.yaml
  charts/
  templates/
Chart.yaml
The Chart.yaml file contains a description of the chart. You can access it from within a template.
values.yaml
The file that defines your configuration, it contains the default values for a chart. These values may be overridden during helm install or helm upgrade.
charts/
The charts/ directory may contain other charts, called subcharts.
templates/
This folder contains the Kubernetes YAML files, as templates. When Helm evaluates a chart, it will send all of the files in the templates/ directory through the template rendering engine. It then collects the results of those templates and sends them on to Kubernetes. The placeholders in the YAML files are defined by values.yaml.

Read more:

Introductory videos:

Instructions

To simplify the configuration of the Kubernetes YAML files, we use Helm, the package manager for Kubernetes.

  1. Make sure that your Kubernetes infrastructure is in place, including Helm.

  2. Download the Helm archive, and extract values.yaml, renaming it to custom-values.yaml:

     helm show values ./rapidminer-aihub-9.10.8-gen2.tgz > custom-values.yaml
    
  3. Edit custom-values.yaml and define your configuration by setting the appropriate values.

  4. Then apply the following command to the Kubernetes cluster:

helm upgrade -n <NAMESPACE-PLACEHOLDER> --install rapidminer-aihub --values custom-values.yaml ./rapidminer-aihub-9.10.8-gen2.tgz

Note that the value <NAMESPACE-PLACEHOLDER> is the same as the one you gave in custom-values.yaml for the key productNS.

EBS volumes are sensitive to multi-attach errors during rolling updates. It is best to scale down all the deployments before the update.

The HELM configuration file (values.yaml)

common:
# This value is necessary only if you plan to use the certbot client in the letsencrypt container
  domain: "<FQDN-PLACEHOLDER>"
# The public facing URL of your deployment
# If you need to obtain LetsEncrypt certificate first, please temporarly change the protocol to http://
  public_url: "https://<FQDN-PLACEHOLDER>"
# The public facing URL of your deployment's Keycloak service
  sso_public_url: "https://<FQDN-PLACEHOLDER>"
# The namespace of the deployment
  productNS: "<NAMESPACE-PLACEHOLDER>"
# The docker image tag
  mainVersion: "9.10.8-gen2"
# The docker image tag for Coding Environment Storage
  cesVersion: "9.10.8-gen2"
# Docker registry prefix rapidminer/ references our public docker registry, but that can be changed to the fqdn of your internal registry
  dockerURL: "rapidminer/"
# The TZ database name of the deployment's timezone, for example "America/New_York"
# See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
  timeZone: "<TIMEZONE-PLACEHOLDER>"
# platform related Values, please choose one from:
# "OpenShift" : OpenShift related security and other infrastructure settings
# "EKS" : Amazon Elastic Kubernetes related security and other infrastructure settings
# 'AKS' : Azure Kubernetes related security and other infrastructure settings
# 'Other' : Other (like on-prem installations)
  platfrom: "EKS"
# With the nodeSelectors you can instruct the kubernetes scheduer to start your pods on nodes having the provided labels.
# Any label of the worker nodes can be used, if there are no matching nodes, the pod will remain in Pending state
#  nodeSelector:
#    <NODE-LABEL-1-NAME-PLACEHOLDER>: "<NODE-LABEL-1-VALUE-PLACEHOLDER>"
#    <NODE-LABEL-2-NAME-PLACEHOLDER>: "<NODE-LABEL-2-VALUE-PLACEHOLDER>"
  nodeSelector: {}
# If not empthy, this image pull secret name will be referenced at the deployments
# creating the secret itself is out of scope of this chart, it shall be created manually
  imagePullSecret: []
# The name of the kubernetes secret, which contains the RapidMiner License
# If empty, the default admin user can provide it on the webui
  licenseSecret: ""
# the key of the license in the Kubernetes secret, default value is "SERVER_LICENSE"
  licenSecretKey: "SERVER_LICENSE"
# This will be the initial user, which will have admin permission in the deployment.
  initialUser: "admin"
# Initial password for the initial user
  initialPass: "<ADMIN-PASS-PLACEHOLDER>"
# The built in OIDC server realm, this realm will be used by the components in the SSO communication (KeyCloak)
  defaultSSORealm: "master"
# Default SSL requirement to access KeyCloak SSO
  ssoSSL: "external"

storage:
# To disable storageClass creation set this to false
# (requires pre-provisioned storageClasses)
  initStorageClasses: "true"
# To disable NFS storageClass creation set this to false
# (requires pre-provisioned NFS storageClass)
  initNFSStorageClasses: "true"
# To disable PVC creation set this to false
# (requires pre-provisioned PVCs)
  createPVCs: "true"
# To disable the folder cration and initial permission setup set this to false
# (requires pre-provisioned folders)
  initNFSFolders: "true"
# Default storageclass, for example ebs-us-west-2a, see templates/002-storageclasses.yaml
  defaultstorageClass: "<STORAGECLASS-PLACEHOLDER>"
# IP / FQDN of the NFS Server 
# Only required if initStorageClasses and initNFSStorageClasses are both true
  nfsServer: "<NFS-SERVER-PLACEHOLDER>"
# Path on the NFS Server, this folder should exists before deploying
# If you have multiple deployment on the same cluster, it is recommended to include the namespace in that folder name
# Only required if createPVCs is true
  nfsPath: "/<NAMESPACE-PLACEHOLDER>"
  nfsPvcName: "<NAMESPACE-PLACEHOLDER>-nfs-shared-pvc"
  nfsMountOpts:
    - vers=4
    - minorversion=1
    - sec=sys
# The name of the NFS storageclass, to avoid conflicts with other storageclasses on the same cluster, 
# it is recommended to include the namespace in that name
# Only required if initStorageClasses and createPVCs are both true
  nfsStorageName: nfs-<NAMESPACE-PLACEHOLDER>
  CloudProvider:
    AWS:
      allowEBS: "true"
      # initEBSStorageClasses should be true if the storageclasses were created by helm
      initEBSStorageClasses: "false"
      # The region of the ebs volumes, for example us-west-2, this value should align to defaultStorageClass property
      EBSRegion: "<EBS-REGION-PLACEHOLDER>"
    OKD: {}
    AKS:
      initStorageClasses: "false"

proxy:
  serviceName: "proxy-svc-pub"
  imageName: "rapidminer-proxy"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "proxy-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "proxy-pvc"
  debug: "false"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "0.5"
  securityContext:
    runAsUser: 2011
    runAsGroup: 0
    fsGroup: 0

letsEncrypt:
  imageName: "rm-letsencrypt-client"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "letsencrypt-client-config"
  allowLetsEncrypt: "true"
  certsHome: "/certificates/"
  webMasterEmail: "<WEBMASTER-EMAIL-PLACEHOLDER>"
  resources:
    requests:
      memory: "128M"
      cpu: "0.2"
    limits:
      memory: "128M"
      cpu: "0.2"

landingPage:
  serviceName: "landing-page-svc-priv"
  imageName: "rapidminer-deployment-landing-page"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "landing-page-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "landing-page-uploaded-pvc"
  ssoClientId: "urn:rapidminer:landing-page"
# keycloak client secrets can be generated with the uuidgen command from the uuid package or 
# with using openssl library: echo "$(openssl rand -hex 4)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 6)"
  ssoClientSecret: "<LANDING-PAGE-OIDC-CLIENT-SECRET-PLACEHOLDER>"
  debug: "false"
  resources:
    requests:
      memory: "128M"
      cpu: "0.2"
    limits:
      memory: "128M"
      cpu: "0.5"
  securityContext:
    runAsUser: 33
    runAsGroup: 33
    fsGroup: 33

serverDB:
  serviceName: "rapidminer-server-postgres-svc-priv"
  imageName: "postgres-10"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "rapidminer-server-postgres-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "rapidminer-server-postgres-pvc"
  dbName: "<SERVER-DB-NAME-PLACEHOLDER>"
  dbUser: "<SERVER-DB-USER-PLACEHOLDER>"
  dbPass: "<SERVER-DB-PASS-PLACEHOLDER>"
# Postgres initdb args
# The last parameter is the DB container mountPath
  initdbArgs: "--encoding UTF8 --locale=C /var/lib/postgresql/data"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "0.5"
  securityContext:
    runAsUser: 26
    runAsGroup: 0
    fsGroup: 0

server:
  serviceName: "rapidminer-server-svc-priv"
  imageName: "rapidminer-server"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "rapidminer-server-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  homePvcName: "rapidminer-server-home-pvc"
  activeMQServiceName: "rapidminer-server-amq-svc-priv"
  activeMQUser: "<SERVER-AMQ-USER-NAME-PLACEHOLDER>"
  activeMQPass: "<SERVER-AMQ-PASS-PLACEHOLDER>"
  ssoClientId: "urn:rapidminer:server"
# keycloak client secrets can be generated with the uuidgen command from the uuid package or 
# with using openssl library: echo "$(openssl rand -hex 4)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 6)"
  ssoClientSecret: "<SERVER-OIDC-CLIENT-SECRET-PLACEHOLDER>"
  memLimit: "2048M"
  platformAdminSyncDebug: "False"
  legacyRESTBasicAuth: "false"
  resources:
    requests:
      memory: "4G"
      cpu: "2"
    limits:
      memory: "4G"
      cpu: "2"
  securityContext:
    runAsUser: 2011
    runAsGroup: 0
    fsGroup: 0

jobagent:
  imageName: "rapidminer-execution-jobagent"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "job-agents-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  jobLogsPvcName: "job-logs"
  jaHomePvcName: "rapidminer-ja-home-pvc"
# AiHub and JA authenticates using this shared secret, which shall be a random string in base64 encoded format
# echo $RANDOM | md5sum | head -c 20; echo | base64;
  authSecret: "<SERVER-AMQ-SECRET-PLACEHOLDER>"
  jobQueue: "DEFAULT"
  containerCount: "1"
  containerMemLimit: "2048"
  containerJavaOpts: ""
  javaOpts: "-Djobagent.container.jvmCustomProperties=Dlogging.level.com.rapidminer=INFO"
  resources:
    requests:
      memory: "4G"
      cpu: "2"
    limits:
      memory: "4G"
      cpu: "2"
  securityContext:
    runAsUser: 2011
    runAsGroup: 0
    fsGroup: 0

keycloak:
  serviceName: "keycloak-svc-priv"
  imageName: "rapidminer-keycloak"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "keycloak-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  proxyAddrForward: "true"
  resources:
    requests:
      memory: "1G"
      cpu: "0.5"
    limits:
      memory: "1G"
      cpu: "0.5"
  securityContext:
    runAsUser: 1000
    runAsGroup: 0
    fsGroup: 0

keycloakDB:
  serviceName: "keycloak-postgres-svc-priv"
  imageName: "postgres-10"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "keycloak-postgres-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "keycloak-postgres-pvc"
  vendor: "POSTGRES"
  dbName: "<KEYCLOAK-DB-NAME-PLACEHOLDER>"
  dbUser: "<KEYCLOAK-DB-USER-PLACEHOLDER>"
  dbPass: "<KEYCLOAK-DB-PASS-PLACEHOLDER>"
# Postgres initdb args
# The last parameter is the DB container mountPath
  initdbArgs: "--encoding UTF8 --locale=C /var/lib/postgresql/data"
  dbSchema: "public"
  useSSL: "false"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "0.5"
  securityContext:
    runAsUser: 26
    runAsGroup: 0
    fsGroup: 0

rmInit:
  imageName: "rapidminer-deployment-init"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "rm-deployment-init-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "rm-deployment-init-pvc"
  debug: "false"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "0.5"
  securityContext:
    #runAsUser: 1000
    #runAsGroup: 3000
    fsGroup: 1000

platformAdmin:
  serviceName: "platform-admin-webui-svc-priv"
  imageName: "rapidminer-platform-admin-webui"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "platform-admin-webui-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "platform-admin-webui-uploaded-pvc"
  proxyURLSuffix: "/platform-admin"
  proxyRTSWebUISuffix: "/rts-admin"
  ssoClientId: "urn:rapidminer:platform-admin"
# keycloak client secrets can be generated with the uuidgen command from the uuid package or 
# with using openssl library: echo "$(openssl rand -hex 4)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 6)"
  ssoClientSecret: "<PLATFORM-ADMIN-OIDC-CLIENT-SECRET-PLACEHOLDER>"
  disablePython: "false"
  disableRTS: "false"
  debug: "false"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "0.5"
  securityContext:
    runAsUser: 2011
    runAsGroup: 0
    fsGroup: 0

ces:
  imageName: "rapidminer-coding-environment-storage"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "rapidminer-coding-environment-storage-config"
  pythonPackageLink: "git+https://github.com/rapidminer/python-rapidminer.git@9.9.0.0"
  ubuntuUid: "9999"
  ubuntuGid: "9999"
  rapidMinerUser: "rapidminer"
  resources:
    requests:
      memory: "256M"
      cpu: "0.1"
    limits:
      memory: "2G"
      cpu: "1"
  securityContext:
    runAsUser: 2011
    runAsGroup: 0
    fsGroup: 0

rts:
  serviceName: "rts-agent-svc-priv"
  imageName: "rapidminer-execution-scoring"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "rts-agent-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  deploymentsPvcName: "rts-deployment-pvc"
  licensesPvcName: "rts-licenses-pvc"
  proxyURLSuffix: "/rts"
  initSharedCondaSettings: "true"
  waitForLicenses: "1"
  basicAuth: "true"
  rtsServerLicense: "false"
  resources:
    requests:
      memory: "1G"
      cpu: "1"
    limits:
      memory: "4G"
      cpu: "2"
  securityContext:
    runAsUser: 2011
    runAsGroup: 0
    fsGroup: 0

jupyterDB:
  serviceName: "rm-jupyterhub-db-svc"
  imageName: "rapidminer-jupyterhub-postgres"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "jupyterhub-postgres-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "jupyterhub-postgres-pvc"
  vendor: "POSTGRES"
  dbName: "<JUPYTERHUB-DB-NAME-PLACEHOLDER>"
  dbUser: "<JUPYTERHUB-DB-USER-PLACEHOLDER>"
  dbPass: "<JUPYTERHUB-DB-PASS-PLACEHOLDER>"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "0.5"
  securityContext:
    runAsUser: 26
    runAsGroup: 0
    fsGroup: 0

jupyterHub:
  proxyServiceName: "jupyterhub-proxy-svc-priv"
  proxyAPIServiceName: "jupyterhub-proxy-api-svc-priv"
  serviceName: "jupyterhub-hub-svc-priv"
  imageName: "rapidminer-jupyterhub-jupyterhub"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "jupyterhub-config"
  createServiceAccount: "true"
  initRBAC: "true"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  proxyURLSuffix: "/jupyter"
# Jupyterhub crypt key can be generated with the command: openssl rand -hex 32
  cryptKey: "<JUPYTERHUB-CRYPT-KEY-PLACEHOLDER>"
  debug: "False"
  tokenDebug: "False"
  proxyDebug: "False"
  dbDebug: "False"
  spawnerDebug: "False"
  stackName: "default"
  ssoClientId: "urn:rapidminer:jupyterhub"
# keycloak client secrets can be generated with the uuidgen command from the uuid package or 
# with using openssl library: echo "$(openssl rand -hex 4)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 6)"
  ssoClientSecret: "<JUPYTERHUB-OIDC-CLIENT-SECRET-PLACEHOLDER>"
  ssoUserNameKey: "preferred_username"
  ssoResourceAccKey: "resource_access"
  spawner: "kubespawner"
  apiProtocol: "http"
  k8sCMD: "/entrypoint.sh"
  k8sArgs: "[]"
  proxyPort: "8000"
  apiPort: "8001"
  appPort: "8081"
  envVolumeName: "rm-coding-shared-vol"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "0.5"
  securityContext:
    runAsUser: 33
    runAsGroup: 0
    fsGroup: 0

jupyterNoteBook:
  imageName: "rapidminer-jupyter_notebook"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  memLimit: "2G"
  cpuLimit: "100"
  ssoUidKey: "X_NB_UID"
  ssoGidKey: "X_NB_GID"
  ssoCustomBindMountsKey: "X_NB_CUSTOM_BIND_MOUNTS"
  customBindMounts: ""
  storageAccessMode: "ReadWriteOnce"
  storageSize: "5Gi"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
# Should be the name of the CES pvc ()
  pvcName: "<NAMESPACE-PLACEHOLDER>-nfs-shared-pvc"
  pvcSubPath: "coding-shared"
  imagePullAtStartup: "False"
#  nodeSelector:  
#    key: "<NODE-LABEL-1-NAME-PLACEHOLDER>"
#    value: "<NODE-LABEL-1-VALUE-PLACEHOLDER>"
  nodeSelector: {}

grafanaProxy:
  serviceName: "grafana-proxy-svc-priv"
  imageName: "rapidminer-grafana-proxy"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "grafana-proxy-config"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "1"
  securityContext:
    runAsUser: 1000
    runAsGroup: 0
    fsGroup: 0

grafanaAnonProxy:
  serviceName: "grafana-anonymous-proxy-svc-priv"
  imageName: "rapidminer-grafana-proxy"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "grafana-anonymous-proxy-config"
  resources:
    requests:
      memory: "256M"
      cpu: "0.5"
    limits:
      memory: "256M"
      cpu: "1"
securityContext:
    runAsUser: 1000
    runAsGroup: 0
    fsGroup: 0

grafana:
  serviceName: "grafana-svc-priv"
  imageName: "rapidminer-grafana"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "grafana-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "grafana-home-pvc"
  proxyURLSuffix: "/grafana"
  ssoClientId: "urn:rapidminer:grafana"
# keycloak client secrets can be generated with the uuidgen command from the uuid package or 
# with using openssl library: echo "$(openssl rand -hex 4)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 6)"
  ssoClientSecret: "<GRAFANA-OIDC-CLIENT-SECRET-PLACEHOLDER>"
  disableSanitizeHTML: "true"
  resources:
    requests:
      memory: "256M"
      cpu: "1"
    limits:
      memory: "2048M"
      cpu: "2"
  securityContext:
    runAsUser: 472
    runAsGroup: 472
    fsGroup: 472

tokenTool:
  serviceName: "token-tool-svc-priv"
  imageName: "rapidminer-deployment-landing-page"
# You can overwrite the mainVersion value for this component
# version: "9.10.6-gen2"
  configName: "token-tool-config"
# You can overwrite the defaultstorageClass value for this component
# storageClass: "<STORAGECLASS-PLACEHOLDER>"
  pvcName: "token-tool-uploaded-pvc"
  proxyURLSuffix: "/get-token"
  ssoClientId: "urn:rapidminer:token-tool"
# keycloak client secrets can be generated with the uuidgen command from the uuid package or 
# with using openssl library: echo "$(openssl rand -hex 4)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 2)-$(openssl rand -hex 6)"
  ssoClientSecret: "<TOKEN-TOOL-OIDC-CLIENT-SECRET-PLACEHOLDER>"
  ssoCustomScope: "openid info offline_access"
  customContent: "get-token"
  debug: "false"
  resources:
    requests:
      memory: "128M"
      cpu: "0.2"
    limits:
      memory: "128M"
      cpu: "0.5"
  securityContext:
    runAsUser: 33
    runAsGroup: 33
    fsGroup: 33

volumeInit:
  resources:
    requests:
      memory: "128M"
      cpu: "0.2"
    limits:
      memory: "128M"
      cpu: "0.2"