apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: fission namespace: fission-ns spec: chart: spec: chart: fission-all sourceRef: kind: HelmRepository name: fission namespace: flux-system interval: 5m values: ## Fission chart configuration ## ## serviceType to consider while creating Fission Controller service. ## For minikube/kind, set this to NodePort, elsewhere use LoadBalancer or ClusterIP. ## serviceType: LoadBalancer ## routerServiceType to consider while creating Fission Router service. ## For minikube, set this to NodePort, elsewhere use LoadBalancer or ClusterIP. ## routerServiceType: LoadBalancer ## repository represents base repository for images used in the chart. ## Keep it empty for using existing local image ## repository: ghcr.io ## image represents the base image fission-bundle used by multiple Fission components. ## We alter arguments to the image to run a particular component. ## image: fission/fission-bundle ## imageTag represents the tag of the base image fission-bundle used by multiple Fission components. ## It is also used by the chart to identify version of the few more images apart from fission-bundle. ## Keep it empty for using latest tag. ## imageTag: v1.19.0 ## pullPolicy represents the pull policy to use for images in the chart. ## pullPolicy: IfNotPresent ## imageppullsecrets imagePullSecrets: [] ## priorityClassName represents the priority class name to use for Fission components. ## Refer to https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ ## executor.priorityClassName takes precedence over this value for executor. ## router.priorityClassName takes precedence over this value for router. ## priorityClassName: "" ## terminationMessagePath is the path at which the pod termination message will be written. ## executor.terminationMessagePath takes precedence over this value for executor. ## router.terminationMessagePath takes precedence over this value for router. ## terminationMessagePath: /dev/termination-log ## terminationMessagePolicy is the policy for the termination message. ## executor.terminationMessagePolicy takes precedence over this value for executor. ## router.terminationMessagePolicy takes precedence over this value for router. ## terminationMessagePolicy: File ## controllerPort represents the port at which the Fission controller service should be exposed. ## controllerPort: 31313 ## routerPort represents the port at which the Fission Router service should be exposed. ## routerPort: 31314 ## defaultNamespace represents the namespace in which Fission custom resources will be created by the Fission user. ## This is different from the release namespace. ## Please consider setting `additionalFissionNamespaces` if you want more than one namespace to be used for Fission custom resources. ## defaultNamespace: fission-service-ns ## builderNamespace represents the namespace in which Fission Builder resources will be created. ## if builderNamespace is set to empty then builder resources will be created in the same namespace as the Fission resources. ## This is different from the release namespace. ## builderNamespace: "" ## functionNamespace represents the namespace in which Fission Function resources will be created. ## if functionNamespace is set to empty then function resources will be created in the same namespace as the Fission resources. ## This is different from the release namespace. ## functionNamespace: "" ## Fission will watch the following namespaces along with the `defaultNamespace` for fission custom resources. ## additionalFissionNamespaces: ## - namespace1 ## - namespace2 ## - namespace3 additionalFissionNamespaces: [] ## createNamespace decides to create namespaces by the chart. ## If set to true, functionNamespace and builderNamespace namespaces mentioned above will be created by the chart. ## Set to false if you want to create the namespaces manually. ## createNamespace: true ## enableIstio indicates whether to enable istio integration. ## enableIstio: false ## fetcher is a light weight component that helps in running functions. ## fetcher helps in fetching function source code/build and uploading it when function is invoked. ## fetcher: ## image represents the image of the fetcher component. image: fission/fetcher ## imageTag represents the tag of the image of the fetcher component. imageTag: v1.19.0 ## Fetcher is only for to downloading or uploading archive. ## Normally, you don't need to change the value here, unless necessary. ## resource: ## cpu represents the cpu resource required by the fetcher component. ## cpu: requests: "10m" ## Low CPU limits will increases the function specialization time. limits: "" ## mem represents the memory resource required by the fetcher component. ## mem: requests: "16Mi" limits: "" ## executor is responsible for providing resources to your functions. ## executor: ## executor priorityClassName ## Ref. https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ ## Recommended to use system-cluster-critical for executor pods. ## priorityClassName: "" ## terminationMessagePath is the path at which the file to which the executor will write a message upon termination. ## terminationMessagePath: "" ## terminationMessagePolicy is the policy for the executor termination message. ## terminationMessagePolicy: "" ## adoptExistingResources decides whether to adopt existing resources when executor restarts or Fission is redeployed. ## adoptExistingResources: false ## podReadyTimeout represents the timeout in seconds for waiting for pod to become ready. ## This is applicable to Pool Manager executor type only. ## podReadyTimeout: 300s ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## Object Reaper ## objectReaperInterval (seconds) represents GLOBAL interval to run process that reaps objects after certain idle time. ## Also you can set different objectReaperInterval for specific executor type. See poolmgs/newdeploy/container section ## Default: 5 (in seconds) ## objectReaperInterval: 5 poolmgr: {} ## objectReaperInterval specific to poolmgr executor type ## ## objectReaperInterval: 5 newdeploy: {} ## objectReaperInterval specific to newdeploy executor type ## ## objectReaperInterval: 5 container: {} ## objectReaperInterval specific to container executor type ## ## objectReaperInterval: 5 serviceAccountCheck: ## enables fission to create service account, roles and rolebinding for missing permission for builder and fetcher. enabled: true ## indicates the time interval in minutes, after that fission will create service account, roles and rolebinding for builder and fetcher. ## interval will be applicable only if enable value is set to true. ## default timing will be 0 minutes. That means check will run only once. ## if you want to run check every 30 minutes then set interval to 30. interval: 0 ## router is responsible for routing function calls to the appropriate function. ## router: ## router priorityClassName ## Ref. https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/ ## Recommended to use system-cluster-critical for router pods. ## priorityClassName: "" ## terminationMessagePath is the path at which the file to which the router will write a message upon termination. ## terminationMessagePath: "" ## terminationMessagePolicy is the policy for the router termination message. ## terminationMessagePolicy: "" ## deployAsDaemonSet decides whether to deploy router as a DaemonSet or a Deployment. ## deployAsDaemonSet: false ## replicas decides how many router pods to deploy. Only used when deployAsDaemonSet is false. ## replicas: 1 ## svcAddressMaxRetries is the max times for router to retry with a specific function service address ## svcAddressMaxRetries: 5 ## svcAddressUpdateTimeout is the timeout setting for a goroutine to wait for the update of a service entry. ## svcAddressUpdateTimeout: 30s ## unTapServiceTimeout is the timeout used in the request context of unTapService. ## unTapService is called to free up the resources once the function invocation is done. ## unTapServiceTimeout: 3600s ## displayAccessLog display endpoing access logs ## Please be aware of enabling logging endpoint access log, it increases ## router resource utilization when under heavy workloads. ## displayAccessLog: false ## svcAnnotations is the annotations to be added to the service resource created for router. ## # svcAnnotations: # cloud.google.com/load-balancer-type: Internal ## useEncodedPath decideds to match encoded path. ## If true, "/foo%2Fbar" will match the path "/{var}"; ## Otherwise, it will match the path "/foo/bar". ## For details, see: https://github.com/fission/fission/issues/1317 ## useEncodedPath: false roundTrip: ## If true, router will disable the HTTP keep-alive which result in performance degradation. ## But it ensures that router can redirect new coming requests to new function pods. ## ## If false, router will enable transport keep-alive feature for better performance. ## However, the drawback is it takes longer to switch to newly created function pods ## if using newdeploy as executor type for function. If you want to preserve the ## performance while keeping the short switching time to new function, you can create ## an environment with short grace period by setting flag "--graceperiod" (default 360s), ## so that kubernetes will be able to reap old function pod quickly. ## ## For details, see https://github.com/fission/fission/issues/723 ## disableKeepAlive: false ## keepAliveTime is period for an active network connection to function pod. ## keepAliveTime: 30s ## timeout is HTTP transport request timeout ## timeout: 50ms ## The length of request timeout will multiply with timeoutExponent after each retry ## timeoutExponent: 2 ## maxRetries defines no of retries of a failed request ## maxRetries: 10 ## Extend the container specs for the core fission pods. ## Can be used to add things like affinity/tolerations/nodeSelectors/etc. ## For example: ## extraCoreComponentPodConfig: ## affinity: ## nodeAffinity: ## requiredDuringSchedulingIgnoredDuringExecution: ## nodeSelectorTerms: ## - matchExpressions: ## - key: capability ## operator: In ## values: ## - app ## #extraCoreComponentPodConfig: # affinity: # tolerations: # nodeSelector: ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## The builder manager watches the package & environments CRD changes and manages the builds of function source code. ## buildermgr: ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## controller is the component that the client talks to. ## It contains CRUD APIs for functions, triggers, environments, Kubernetes event watches, etc. and proxy APIs to internal 3rd-party services. ## controller: enabled: true ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## webhook is the component that validates API calls. ## It contains validation and mutation for functions, triggers, environments, Kubernetes event watches, etc. ## webhook: ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} certManager: enabled: false caBundlePEM: | crtPEM: | keyPEM: | ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## kubewatcher watches the Kubernetes API and invokes functions associated with watches, sending the watch event to the function. ## kubewatcher: ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## The storage service is the home for all archives of packages with sizes larger than 256KB. ## storagesvc: ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Archive pruner removes archives from storage which are not referenced by any package. archivePruner: enabled: true ## Run prune routine at interval (in minutes) interval: 60 ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## The timer works like kubernetes CronJob but instead of creating a pod to do the task ## It sends a request to router to invoke the function. ## timer: ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## Kafka: enable and configure the details ## kafka: enabled: false ## note: below link is only for reference. ## Please use the brokers link for your kafka here. ## brokers: "broker.kafka:9092" # or your-bootstrap-server.kafka:9092/9093 ## Sample config for authentication ## authentication: ## tls: ## enabled: true ## caCert: 'auth/kafka/ca.crt' ## userCert: 'auth/kafka/user.crt' ## userKey: 'auth/kafka/user.key' ## authentication: tls: enabled: false ## InsecureSkipVerify controls whether a client verifies the server's certificate chain and host name. ## Warning: Setting this to true, makes TLS susceptible to man-in-the-middle attacks ## insecureSkipVerify: false ## path to certificate containing public key of CA authority ## caCert: "" ## path to certificate containing public key of the user signed by CA authority ## userCert: "" ## path to private key of the user ## userKey: "" ## version of Kafka broker ## For 0.x it must be a string in the format ## "major.minor.veryMinor.patch" example: 0.8.2.0 ## For 1.x it must be a string in the format ## "major.major.veryMinor" example: 2.0.1 ## Should be >= 0.11.2.0 to enable Kafka record headers support ## # version: "0.11.2.0" # The following components expose Prometheus metrics and have servicemonitors in this chart (disabled by default) # Controller, router, executor, storage svc serviceMonitor: enabled: false ##namespace in which you want to deploy servicemonitor ## namespace: "" ## Map of additional labels to add to the ServiceMonitor resources # to allow selecting specific ServiceMonitors # in case of multiple prometheus deployments additionalServiceMonitorLabels: {} # release: "monitoring" # key: "value" # The following components expose Prometheus metrics and have podmonitors in this chart (disabled by default) # podMonitor: enabled: false ##namespace in which you want to deploy podmonitor ## namespace: "" ## Map of additional labels to add to the PodMonitor resources # to allow selecting specific PodMonitor # in case of multiple prometheus deployments additionalPodMonitorLabels: {} # release: "monitoring" # key: "value" ## Persist data to a persistent volume. ## persistence: ## If true, fission will create/use a Persistent Volume Claim unless storageType is set to s3 ## If false, use emptyDir ## enabled: false ## Must be set to either local or S3. ## If storateType is set(other than local), one of its backend configuration must be set as below. ## #storageType: s3 ## Sample configuration for AWS s3 storage backend ## #s3: # bucketName: # subDir: # accessKeyId: # secretAccessKey: # region: ## #For Minio and other s3 compatible storage systems set endPoint property # endPoint: ## A manually managed Persistent Volume Claim name ## Requires persistence.enabled: true ## If defined, PVC must be created manually before volume will be bound ## # existingClaim: ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## # storageClass: "-" accessMode: ReadWriteOnce size: 8Gi ## Extend the container specs for the core fission pods. ## Can be used to add things like affinity/tolerations/nodeSelectors/etc. ## For example: ## extraCoreComponentPodConfig: ## affinity: ## nodeAffinity: ## requiredDuringSchedulingIgnoredDuringExecution: ## nodeSelectorTerms: ## - matchExpressions: ## - key: capability ## operator: In ## values: ## - app ## #extraCoreComponentPodConfig: # affinity: # tolerations: # nodeSelector: ## Analytics let us count how many people installed fission. Set to ## false to disable analytics. ## analytics: true ## Internally used for generating an analytics job for non-helm installs ## analyticsNonHelmInstall: false ## Google Analytics Tracking ID ## gaTrackingID: UA-196546703-1 ## Logger config ## This would be used if influxdb is enabled ## logger: influxdbAdmin: "admin" fluentdImageRepository: index.docker.io fluentdImage: fluent/fluent-bit fluentdImageTag: 1.8.8 ## Fluent-bit writes/reads it’s own sqlite database to record a history of tracked ## files and a state of offsets, this is very useful to resume a state if the ser- ## vice is restarted. For Kubernetes environment with constraints like OpenShift, ## the containers are limited to write hostPath volume. Hence, we have to enable ## security context and set privileged to true. ## enableSecurityContext: false ## Enable PodSecurityPolicies to allow privileged container ## Only required in some clusters and when enableSecurityContext is true ## podSecurityPolicy: enabled: false ## Configure additional capabilities ## additionalCapabilities: # example values for linkerd #- NET_RAW #- NET_ADMIN ## Enable InfluxDB ## influxdb: enabled: false image: influxdb:1.8 ## Allow user to override busybox image used in fluent-bit init container ## busyboxImage: busybox ## Archive pruner is a garbage collector for archives on the fission storage service. ## This interval configures the frequency at which it runs inside the storagesvc pod. ## The value is in minutes. ## preUpgradeChecks: ## Run pre-install/pre-upgrade checks if true ## enabled: true ## pre-install/pre-upgrade checks live in this image ## image: fission/pre-upgrade-checks ## pre-install/pre-upgrade checks image version ## imageTag: v1.19.0 ## Fission post-install/post-upgrade reporting live in this image ## postInstallReportImage: fission/reporter ## If there are any pod specialization errors when a function is triggered, the error ## summary is returned as part of http response if this is set to true. ## debugEnv: false ## Prometheus related configuration to query metrics ## prometheus: ## please assign the prometheus service URL ## that is accessible by Fission components. ## This is mainly used to enable canary deployment. ## serviceEndpoint: "" canaryDeployment: ## set this flag to true if you need canary deployment feature enabled: false ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Security Context ## It holds pod-level and container level security configuration. ## This is an experimental section, please verify before enabling in production. ## Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1 securityContext: enabled: true ## Mark it false, if you want to stop the non root user validation runAsNonRoot: true fsGroup: 10001 runAsUser: 10001 runAsGroup: 10001 ## Enable authentication for fission function invocation via Fission router ## authentication: ## set this flag to true if you need authentication ## for all function invocations ## default 'false' ## enabled: false ## authUriPath defines authentication endpoint path ## via router ## default '/auth/login' ## authUriPath: ## authUsername is used as a username for authentication ## default 'admin' ## authUsername: admin ## jwtSigningKey is the signing key used for ## signing the JWT token ## jwtSigningKey: serverless ## jwtExpiryTime is the JWT expiry time ## in seconds ## default '120' ## jwtExpiryTime: ## jwtIssuer is the issuer of JWT ## default 'fission' ## jwtIssuer: fission ## OpenTelemetry is a set of tools for collecting, analyzing, and visualizing ## distributed tracing data across function calls. ## openTelemetry: ## Use this flag to set the collector endpoint for OpenTelemetry. ## The variable is endpoint of the collector in the format shown below. ## otlpCollectorEndpoint: "otel-collector.observability.svc:4317" ## otlpCollectorEndpoint: "" ## Set this flag to false if you are using secure endpoint for the collector. ## otlpInsecure: true ## Key-value pairs to be used as headers associated with gRPC or HTTP requests to the collector. ## Eg. otlpHeaders: "key1=value1,key2=value2" ## otlpHeaders: "" ## Supported samplers: ## always_on - Sampler that always samples spans, regardless of the parent span's sampling decision. ## always_off - Sampler that never samples spans, regardless of the parent span's sampling decision. ## traceidratio - Sampler that samples probabalistically based on rate. ## parentbased_always_on - (default if empty) Sampler that respects its parent span's sampling decision, but otherwise always samples. ## parentbased_always_off - Sampler that respects its parent span's sampling decision, but otherwise never samples. ## parentbased_traceidratio - Sampler that respects its parent span's sampling decision, but otherwise samples probabalistically based on rate. ## See https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md#general-sdk-configuration ## tracesSampler: "parentbased_traceidratio" ## Each Sampler type defines its own expected input, if any. ## Currently we get trace ratio for the case of, ## 1. traceidratio ## 2. parentbased_traceidratio ## Sampling probability, a number in the [0..1] range, e.g. "0.1". Default is 0.1. ## tracesSamplingRate: "0.1" ## Supported providers: ## tracecontext - W3C Trace Context ## baggage - W3C Baggage ## b3 - B3 Single ## b3multi - B3 Multi ## jaeger - Jaeger uber-trace-id header ## xray - AWS X-Ray (third party) ## ottrace - OpenTracing Trace (third party) ## none - No tracing ## See https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/sdk-environment-variables.md#general-sdk-configuration ## propagators: "tracecontext,baggage" ## Message Queue Trigger Kind, KEDA: enable and configuration ## mqt_keda: enabled: true connector_images: kafka: image: fission/keda-kafka-http-connector tag: v0.12 rabbitmq: image: fission/keda-rabbitmq-http-connector tag: v0.10 awskinesis: image: fission/keda-aws-kinesis-http-connector tag: v0.10 aws_sqs: image: fission/keda-aws-sqs-http-connector tag: v0.11 nats_steaming: image: fission/keda-nats-streaming-http-connector tag: v0.13 nats_jetstream: image: fission/keda-nats-jetstream-http-connector tag: v0.4 gcp_pubsub: image: fission/keda-gcp-pubsub-http-connector tag: v0.6 redis: image: fission/keda-redis-http-connector tag: v0.3 ## Pod resources as: ## resources: ## limits: ## cpu: ## memory: ## requests: ## cpu: ## memory: ## resources: {} ## Enable Pprof based profiling used mostly by Fission developers ## pprof: enabled: false ## Enable runtimePodSpec and add spec to your poolmgr or newdeploy pods ## runtimePodSpec: ## Setting it false by default so that integration tests pass ## enabled: false ## Checkout PodSpec in https://fission.io/docs/reference/crd-reference/#runtime ## podSpec: ## Default podspec to improve security of the pods ## securityContext: fsGroup: 10001 runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 ## Enable builderPodSpec and add spec to your env builder pods ## builderPodSpec: ## Setting it false by default so that integration tests pass ## enabled: false ## Checkout PodSpec in https://fission.io/docs/reference/crd-reference/#builder ## podSpec: ## Default podspec to improve security of the pods ## securityContext: fsGroup: 10001 runAsGroup: 10001 runAsNonRoot: true runAsUser: 10001 ## Enable Grafana Dashboard configmaps for auto dashboard provisioning ## If you use kube-prometheus stack for monitoring, these will get imported into grafana grafana: ## The namespace in which grafana pod is present namespace: monitoring dashboards: ## Disabled by default. switch to true to deploy them enable: false