Values #
The following section contains a series of tabs for commonly used configurations for this section of your values.yml Helm chart.
Options:
pachd:
enabled: true
preflightChecks:
enabled: true # runs kube validation preflight checks.
affinity: {}
annotations: {}
clusterDeploymentID: "" # sets Pachyderm cluster ID.
configJob:
annotations: {}
goMaxProcs: 0 # passed as GOMAXPROCS to the pachd container.
image:
repository: "pachyderm/pachd"
pullPolicy: "IfNotPresent"
tag: "" # sets worker image tag; defaults to appVersion.
logFormat: "json"
logLevel: "info"
lokiDeploy: true
lokiLogging: true
metrics:
enabled: true
endpoint: "" # provide the URL of the metrics endpoint.
priorityClassName: ""
nodeSelector: {}
podLabels: {} # adds labels to the pachd pod.
replicas: 1 # sets the number of pachd running pods
resources: # specifies the resource requests & limits
{}
#limits:
# cpu: "1"
# memory: "2G"
#requests:
# cpu: "1"
# memory: "2G"
requireCriticalServersOnly: false
externalService:
enabled: false # Creates a service that's safe to expose.
loadBalancerIP: ""
apiGRPCPort: 30650
s3GatewayPort: 30600
annotations: {}
service:
labels: {} # adds labels to the pachd service.
type: "ClusterIP" # specifies pachd service's Kubernetes type
annotations: {}
apiGRPCPort: 30650
prometheusPort: 30656
oidcPort: 30657
identityPort: 30658
s3GatewayPort: 30600
#apiGrpcPort:
# expose: true
# port: 30650
activateEnterpriseMember: false # connects to an existing enterprise server.
activateAuth: true # bootstraps auth via the config job.
enterpriseLicenseKey: "" # activates enterprise if provided.
enterpriseLicenseKeySecretName: "" # pulls value from k8s secret key "enterprise-license-key"
rootToken: "" # autogenerated if not provided; stored in k8s secret "pachyderm-bootstrap-config.rootToken"
rootTokenSecretName: "" # passes rooToken value from k8s secret key "root-token"
enterpriseSecret: "" # autogenerated if not provided; stored in k8s secret "pachyderm-bootstrap-config.enterpriseSecret"
enterpriseSecretSecretName: "" # passes value from k8s secret key "enterprise-secret"
oauthClientID: pachd
oauthClientSecret: "" # autogenerated if not provided; stored in k8s secret "pachyderm-bootstrap-config.authConfig.clientSecret"
oauthClientSecretSecretName: "" # passes value from k8s secret key "pachd-oauth-client-secret"
oauthRedirectURI: ""
enterpriseServerToken: "" # authenticates to a enterprise server & registers this cluster as a member if activateEnterpriseMember is true.
enterpriseServerTokenSecretName: "" # passes value from k8s secret key "enterprise-server-token" if activateEnterpriseMember is true.
enterpriseServerAddress: ""
enterpriseCallbackAddress: ""
localhostIssuer: "" # Indicates to pachd whether dex is embedded in its process; "true", "false", or ""
pachAuthClusterRoleBindings: {} # map initial users to their list of roles.
# robot:wallie:
# - repoReader
# robot:eve:
# - repoWriter
additionalTrustedPeers: [] # configures identity service to recognize trusted peers.
# - example-app
serviceAccount:
create: true
additionalAnnotations: {}
name: "pachyderm"
storage:
backend: "" # options: GOOGLE, AMAZON, MINIO, MICROSOFT or LOCAL
amazon:
bucket: "" # sets the S3 bucket to use.
cloudFrontDistribution: "" # sets the CloudFront distribution in the storage secrets.
customEndpoint: ""
disableSSL: false
id: "" # sets the Amazon access key ID
logOptions: "" # case-sensitive comma-separated list: 'Debug', 'Signing', 'HTTPBody', 'RequestRetries', 'EventStreamBody', or 'all'
maxUploadParts: 10000
verifySSL: true
partSize: "5242880" # sets part size for object storage uploads; must be a string.
region: "" # sets AWS region
retries: 10
reverse: true
secret: "" # sets the Amazon secret access key to use.
timeout: "5m" # sets the timeout for object storage requests.
token: "" # sets the Amazon token to use.
uploadACL: "bucket-owner-full-control"
google:
bucket: ""
cred: "" # sets GCP service account private key as string.
# cred: |
# {
# "type": "service_account",
# "project_id": "…",
# "private_key_id": "…",
# "private_key": "-----BEGIN PRIVATE KEY-----\n…\n-----END PRIVATE KEY-----\n",
# "client_email": "…@….iam.gserviceaccount.com",
# "client_id": "…",
# "auth_uri": "https://accounts.google.com/o/oauth2/auth",
# "token_uri": "https://oauth2.googleapis.com/token",
# "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
# "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/…%40….iam.gserviceaccount.com"
# }
local:
hostPath: "" # path where PFS metadata is stored; must end with "/".
requireRoot: true # root required for hostpath, but we run rootless in CI
microsoft:
container: ""
id: ""
secret: ""
minio:
bucket: "" # sets bucket name.
endpoint: "" # format: hostname:port
id: "" # username/id with readwrite access to the bucket.
secret: "" # the secret/password of the user with readwrite access to the bucket.
secure: "false" # enables https for minio if "true"
signature: "" # Enables S3v2 support by setting signature to "1"; being deprecated.
putFileConcurrencyLimit: 100 # sets the maximum number of files to upload or fetch from remote sources uploadConcurrencyLimit sets the maximum number of concurrent; analogous to --put-file-concurrency-limit argument to pachctl
uploadConcurrencyLimit: 100 # object storage uploads per Pachd instance; analogous to --upload-concurrency-limit argument to pachctl
compactionShardSizeThreshold: 0 # the total size of the files in a shard.
compactionShardCountThreshold: 0 # the total number of files in a shard.
memoryThreshold: 0
levelFactor: 0
maxFanIn: 10
maxOpenFileSets: 50
# diskCacheSize and memoryCacheSize are defined in units of 8 Mb chunks. The default is 100 chunks which is 800 Mb.
diskCacheSize: 100
memoryCacheSize: 100
ppsWorkerGRPCPort: 1080
storageGCPeriod: 0 # the number of seconds between PFS's garbage collection cycles; <0 disables garbage collection; 0 defaults to pachyderm's internal config.
storageChunkGCPeriod: 0 # the number of seconds between chunk garbage collection cycles; <0 disables chunk garbage collection; 0 defaults to pachyderm's internal config.
# There are three options for TLS:
# 1. Disabled
# 2. Enabled, existingSecret, specify secret name
# 3. Enabled, newSecret, must specify cert, key and name
tls:
enabled: false
secretName: ""
newSecret:
create: false
crt: ""
key: ""
tolerations: []
worker:
image:
repository: "pachyderm/worker"
pullPolicy: "IfNotPresent"
# Worker tag is set under pachd.image.tag (they should be kept in lock step)
serviceAccount:
create: true
additionalAnnotations: {}
name: "pachyderm-worker" # sets the name of the worker service account; analogous to --worker-service-account argument to pachctl.
rbac:
create: true # indicates whether RBAC resources should be created; analogous to --no-rbac to pachctl
# Set up default resources for pipelines that don't include any requests or limits. The values
# are k8s resource quantities, so "1Gi", "2", etc. Set to "0" to disable setting any defaults.
defaultPipelineCPURequest: ""
defaultPipelineMemoryRequest: ""
defaultPipelineStorageRequest: ""
defaultSidecarCPURequest: ""
defaultSidecarMemoryRequest: ""
defaultSidecarStorageRequest: ""
pachd:
enabled: true
preflightChecks:
# if enabled runs kube validation preflight checks.
enabled: true
affinity: {}
annotations: {}
# clusterDeploymentID sets the Pachyderm cluster ID.
clusterDeploymentID: ""
configJob:
annotations: {}
# goMaxProcs is passed as GOMAXPROCS to the pachd container.
goMaxProcs: 0
image:
repository: "pachyderm/pachd"
pullPolicy: "IfNotPresent"
# tag defaults to the chart’s specified appVersion.
# This sets the worker image tag as well (they should be kept in lock step)
tag: ""
logFormat: "json"
logLevel: "info"
# If lokiDeploy is true, a Pachyderm-specific instance of Loki will
# be deployed.
lokiDeploy: true
# lokiLogging enables Loki logging if set.
lokiLogging: true
metrics:
# enabled sets the METRICS environment variable if set.
enabled: true
# endpoint should be the URL of the metrics endpoint.
endpoint: ""
priorityClassName: ""
nodeSelector: {}
# podLabels specifies labels to add to the pachd pod.
podLabels: {}
# resources specifies the resource requests and limits
# replicas sets the number of pachd running pods
replicas: 1
resources:
{}
#limits:
# cpu: "1"
# memory: "2G"
#requests:
# cpu: "1"
# memory: "2G"
# requireCriticalServersOnly only requires the critical pachd
# servers to startup and run without errors. It is analogous to the
# --require-critical-servers-only argument to pachctl deploy.
requireCriticalServersOnly: false
# If enabled, External service creates a service which is safe to
# be exposed externally
externalService:
enabled: false
# (Optional) specify the existing IP Address of the load balancer
loadBalancerIP: ""
apiGRPCPort: 30650
s3GatewayPort: 30600
annotations: {}
service:
# labels specifies labels to add to the pachd service.
labels: {}
# type specifies the Kubernetes type of the pachd service.
type: "ClusterIP"
annotations: {}
apiGRPCPort: 30650
prometheusPort: 30656
oidcPort: 30657
identityPort: 30658
s3GatewayPort: 30600
#apiGrpcPort:
# expose: true
# port: 30650
# DEPRECATED: activateEnterprise is no longer used.
activateEnterprise: false
## if pachd.activateEnterpriseMember is set, enterprise will be activated and connected to an existing enterprise server.
## if pachd.enterpriseLicenseKey is set, enterprise will be activated.
activateEnterpriseMember: false
## if pachd.activateAuth is set, auth will be bootstrapped by the config-job.
activateAuth: true
## the license key used to activate enterprise features
enterpriseLicenseKey: ""
rootToken: ""
enterpriseSecret: ""
# enterpriseSecretSecretName is used to pass the enterprise secret value via an existing k8s secret.
# The value is pulled from the key, "enterprise-secret".
enterpriseSecretSecretName: ""
# if a secret is not provided, a secret will be autogenerated on install and stored in the k8s secret 'pachyderm-bootstrap-config.authConfig.clientSecret'
oauthClientID: pachd
oauthClientSecret: ""
# oauthClientSecretSecretName is used to set the OAuth Client Secret via an existing k8s secret.
# The value is pulled from the key, "pachd-oauth-client-secret".
oauthClientSecretSecretName: ""
oauthRedirectURI: ""
# DEPRECATED: enterpriseRootToken is deprecated, in favor of enterpriseServerToken
# NOTE only used if pachd.activateEnterpriseMember == true
enterpriseRootToken: ""
# enterpriseServerToken represents a token that can authenticate to a separate Enterprise server,
# and is used to complete the enterprise member registration process for this pachyderm cluster.
# The user backing this token should have either the licenseAdmin & identityAdmin roles assigned, or
# the clusterAdmin role.
# NOTE: only used if pachd.activateEnterpriseMember == true
enterpriseServerToken: ""
# enterpriseServerTokenSecretName is used to pass the enterpriseServerToken value via an existing k8s secret.
# The value is pulled from the key, "enterprise-server-token".
enterpriseServerTokenSecretName: ""
# only used if pachd.activateEnterpriseMember == true
enterpriseServerAddress: ""
enterpriseCallbackAddress: ""
# Indicates to pachd whether dex is embedded in its process.
localhostIssuer: "" # "true", "false", or "" (used string as bool doesn't support empty value)
# set the initial pachyderm cluster role bindings, mapping a user to their list of roles
# ex.
# pachAuthClusterRoleBindings:
# robot:wallie:
# - repoReader
# robot:eve:
# - repoWriter
pachAuthClusterRoleBindings: {}
# additionalTrustedPeers is used to configure the identity service to recognize additional OIDC clients as trusted peers of pachd.
# For example, see the following example or the dex docs (https://dexidp.io/docs/custom-scopes-claims-clients/#cross-client-trust-and-authorized-party).
# additionalTrustedPeers:
# - example-app
additionalTrustedPeers: []
serviceAccount:
create: true
additionalAnnotations: {}
name: "pachyderm" #TODO Set default in helpers / Wire up in templates
storage:
# backend configures the storage backend to use. It must be one
# of GOOGLE, AMAZON, MINIO, MICROSOFT or LOCAL. This is set automatically
# if deployTarget is GOOGLE, AMAZON, MICROSOFT, or LOCAL
backend: ""
amazon:
# bucket sets the S3 bucket to use.
bucket: ""
# cloudFrontDistribution sets the CloudFront distribution in the
# storage secrets. It is analogous to the
# --cloudfront-distribution argument to pachctl deploy.
cloudFrontDistribution: ""
customEndpoint: ""
# disableSSL disables SSL. It is analogous to the --disable-ssl
# argument to pachctl deploy.
disableSSL: false
# id sets the Amazon access key ID to use. Together with secret
# and token, it implements the functionality of the
# --credentials argument to pachctl deploy.
id: ""
# logOptions sets various log options in Pachyderm’s internal S3
# client. Comma-separated list containing zero or more of:
# 'Debug', 'Signing', 'HTTPBody', 'RequestRetries',
# 'RequestErrors', 'EventStreamBody', or 'all'
# (case-insensitive). See 'AWS SDK for Go' docs for details.
# logOptions is analogous to the --obj-log-options argument to
# pachctl deploy.
logOptions: ""
# maxUploadParts sets the maximum number of upload parts. It is
# analogous to the --max-upload-parts argument to pachctl
# deploy.
maxUploadParts: 10000
# verifySSL performs SSL certificate verification. It is the
# inverse of the --no-verify-ssl argument to pachctl deploy.
verifySSL: true
# partSize sets the part size for object storage uploads. It is
# analogous to the --part-size argument to pachctl deploy. It
# has to be a string due to Helm and YAML parsing integers as
# floats. Cf. https://github.com/helm/helm/issues/1707
partSize: "5242880"
# region sets the AWS region to use.
region: ""
# retries sets the number of retries for object storage
# requests. It is analogous to the --retries argument to
# pachctl deploy.
retries: 10
# reverse reverses object storage paths. It is analogous to the
# --reverse argument to pachctl deploy.
reverse: true
# secret sets the Amazon secret access key to use. Together with id
# and token, it implements the functionality of the
# --credentials argument to pachctl deploy.
secret: ""
# timeout sets the timeout for object storage requests. It is
# analogous to the --timeout argument to pachctl deploy.
timeout: "5m"
# token optionally sets the Amazon token to use. Together with
# id and secret, it implements the functionality of the
# --credentials argument to pachctl deploy.
token: ""
# uploadACL sets the upload ACL for object storage uploads. It
# is analogous to the --upload-acl argument to pachctl deploy.
uploadACL: "bucket-owner-full-control"
google:
bucket: ""
# cred is a string containing a GCP service account private key,
# in object (JSON or YAML) form. A simple way to pass this on
# the command line is with the set-file flag, e.g.:
#
# helm install pachd -f my-values.yaml --set-file storage.google.cred=creds.json pachyderm/pachyderm
cred: ""
# Example:
# cred: |
# {
# "type": "service_account",
# "project_id": "…",
# "private_key_id": "…",
# "private_key": "-----BEGIN PRIVATE KEY-----\n…\n-----END PRIVATE KEY-----\n",
# "client_email": "…@….iam.gserviceaccount.com",
# "client_id": "…",
# "auth_uri": "https://accounts.google.com/o/oauth2/auth",
# "token_uri": "https://oauth2.googleapis.com/token",
# "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
# "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/…%40….iam.gserviceaccount.com"
# }
local:
# hostPath indicates the path on the host where the PFS metadata
# will be stored. It must end in /. It is analogous to the
# --host-path argument to pachctl deploy.
hostPath: ""
requireRoot: true #Root required for hostpath, but we run rootless in CI
microsoft:
container: ""
id: ""
secret: ""
minio:
# minio bucket name
bucket: ""
# the minio endpoint. Should only be the hostname:port, no http/https.
endpoint: ""
# the username/id with readwrite access to the bucket.
id: ""
# the secret/password of the user with readwrite access to the bucket.
secret: ""
# enable https for minio with "true" defaults to "false"
secure: ""
# Enable S3v2 support by setting signature to "1". This feature is being deprecated
signature: ""
# putFileConcurrencyLimit sets the maximum number of files to
# upload or fetch from remote sources (HTTP, blob storage) using
# PutFile concurrently. It is analogous to the
# --put-file-concurrency-limit argument to pachctl deploy.
putFileConcurrencyLimit: 100
# uploadConcurrencyLimit sets the maximum number of concurrent
# object storage uploads per Pachd instance. It is analogous to
# the --upload-concurrency-limit argument to pachctl deploy.
uploadConcurrencyLimit: 100
# The shard size corresponds to the total size of the files in a shard.
# The shard count corresponds to the total number of files in a shard.
# If either criteria is met, a shard will be created.
compactionShardSizeThreshold: 0
compactionShardCountThreshold: 0
memoryThreshold: 0
levelFactor: 0
maxFanIn: 10
maxOpenFileSets: 50
# diskCacheSize and memoryCacheSize are defined in units of 8 Mb chunks. The default is 100 chunks which is 800 Mb.
diskCacheSize: 100
ppsWorkerGRPCPort: 1080
# the number of seconds between PFS's garbage collection cycles.
# if this value is set to 0, it will default to pachyderm's internal configuration.
# if this value is less than 0, it will turn off garbage collection.
storageGCPeriod: 0
# the number of seconds between chunk garbage collection cycles.
# if this value is set to 0, it will default to pachyderm's internal configuration.
# if this value is less than 0, it will turn off chunk garbage collection.
storageChunkGCPeriod: 0
# There are three options for TLS:
# 1. Disabled
# 2. Enabled, existingSecret, specify secret name
# 3. Enabled, newSecret, must specify cert, key and name
tls:
enabled: false
secretName: ""
newSecret:
create: false
crt: ""
key: ""
tolerations: []
worker:
image:
repository: "pachyderm/worker"
pullPolicy: "IfNotPresent"
# Worker tag is set under pachd.image.tag (they should be kept in lock step)
serviceAccount:
create: true
additionalAnnotations: {}
# name sets the name of the worker service account. Analogous to
# the --worker-service-account argument to pachctl deploy.
name: "pachyderm-worker" #TODO Set default in helpers / Wire up in templates
rbac:
# create indicates whether RBAC resources should be created.
# Setting it to false is analogous to passing --no-rbac to pachctl
# deploy.
create: true
# Set up default resources for pipelines that don't include any requests or limits. The values
# are k8s resource quantities, so "1Gi", "2", etc. Set to "0" to disable setting any defaults.
defaultPipelineCPURequest: ""
defaultPipelineMemoryRequest: ""
defaultPipelineStorageRequest: ""
defaultSidecarCPURequest: ""
defaultSidecarMemoryRequest: ""
defaultSidecarStorageRequest: ""