4# (eg. disable helm hook delete policy)
7# Custom Service account management
9 # Whether to create service account or not
11 # Name of the service account.
13 # If `create: true` defaults to temporal.fullname, otherwise uses the namespace's default serviceAccount.
15 # extraAnnotations would let users add additional annotations
# Empty map by default, so no additional annotations are supplied from these values.
# NOTE(review): which resources receive these annotations is not visible in this excerpt;
# confirm against the chart templates.
17additionalAnnotations: {}
19# Array of extra K8s manifests to deploy
# Server image. The tag value carries a sha256 digest after `latest@`. When an image
# reference includes a digest, the container runtime resolves the image by that digest,
# so the content is pinned even though the label reads `latest`. Change the digest
# deliberately when upgrading, and verify the new digest against the registry.
# NOTE(review): assumes the chart renders the reference as <repository>:<tag>; confirm.
24 repository: chainreg.biz/chainguard-private/temporal-server-fips
25 tag: latest@sha256:ec983b9ea1adc8dc50768a0b57f2464acbce563871ec4d94bb3efad5c96f4de9
# IfNotPresent reuses an image already cached on the node instead of pulling it again.
26 pullPolicy: IfNotPresent
27 # Global default settings (can be overridden per service)
31 # Annotate pods and services directly with the following Prometheus annotations.
34 # prometheus.io/scheme
35 # prometheus.io/scrape
38 # Enable Prometheus ServiceMonitor
39 # Use this if you installed the Prometheus Operator (https://github.com/coreos/prometheus-operator).
43 # Set additional labels on all the ServiceMonitor resources
47 # Set Prometheus metric_relabel_configs via ServiceMonitor
48 # Use metricRelabelings to adjust metric and label names as needed
52 # - exported_namespace
53 # targetLabel: temporal_namespace
55 # regex: service_errors_(.+)
59 # targetLabel: temporal_error_kind
61 # regex: service_errors_.+
62 # replacement: temporal_service_errors
65 # targetLabel: __name__
# Both empty by default: no extra Deployment annotations and no explicit rollout
# strategy are supplied from these values.
67 deploymentAnnotations: {}
68 deploymentStrategy: {}
74 # We usually recommend not to specify default resources and to leave this as a conscious
75 # choice for the user. This also increases chances charts run on environments with little
76 # resources, such as Minikube. If you do want to specify resources, uncomment the following
77 # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# null leaves the termination grace period unset in these values.
88 terminationGracePeriodSeconds: null
90 additionalVolumeMounts: []
# Empty strings: no existing Secret or ConfigMap is referenced for extra environment
# variables. NOTE(review): presumably these name pre-created objects in the release
# namespace; keep credentials in the Secret rather than the ConfigMap. Confirm how the
# templates consume them.
92 additionalEnvSecretName: ""
93 additionalEnvConfigMapName: ""
94 # for sidecar containers, add containers here with restartPolicy: Always
95 additionalInitContainers: []
# NOTE(review): the default value includes `debug`. Confirm this verbosity is intended
# outside development, since debug output is usually larger and more detailed than what
# should be shipped to shared log stores.
100 logLevel: "debug,info"
101 # Define your TLS configuration here. See https://docs.temporal.io/references/configuration#tls
102 # for configuration options. You must also use `server.additionalVolumeMounts` and `server.additionalVolumes`
103 # to mount certificates (from Secret or ConfigMap etc) to the path you use below.
107 # certFile: /path/to/internode/cert/file
108 # keyFile: /path/to/internode/key/file
109 # requireClientAuth: true
111 # - /path/to/internode/serverCa
113 # serverName: dnsSanInInternodeCertificate
115 # - /path/to/internode/serverCa
118 # certFile: /path/to/frontend/cert/file
119 # keyFile: /path/to/frontend/key/file
120 # requireClientAuth: true
122 # - /path/to/internode/serverCa
123 # - /path/to/sdkClientPool1/ca
124 # - /path/to/sdkClientPool2/ca
126 # serverName: dnsSanInFrontendCertificate
128 # - /path/to/frontend/serverCa
129 # Define your Authorizer and ClaimMapper configuration here. See https://docs.temporal.io/self-hosted-guide/security#authorization
133 # - http://localhost:/jwks.json
134 # refreshInterval: 1m
135 # permissionsClaimName: permissions
136 # authorizer: default
137 # claimMapper: default
# Names of the stores used as the default store and as the visibility store.
# NOTE(review): presumably these must match datastore entries defined elsewhere in the
# persistence section; confirm.
139 defaultStore: default
140 visibilityStore: visibility
141 # Important: numHistoryShards cannot be changed after the initial deployment.
142 numHistoryShards: 512
143 # Persistence configuration follows the raw Temporal server config format.
144 # Driver is determined by which top-level key is present (cassandra vs sql).
145 # For SQL stores, you can use either connectAddr: "host:port" or separate host/port fields.
146 # Helm-specific fields (existingSecret, secretKey) are stripped before rendering to server config.
149 # Example SQL configuration:
151 # createDatabase: false
152 # manageSchema: false
153 # pluginName: mysql8 # or postgres12, postgres12_pgx
155 # databaseName: temporal
156 # connectAddr: "mysql.example.com:3306" # preferred format
157 # connectProtocol: "tcp"
158 # # OR use separate host/port:
159 # # host: mysql.example.com
161 # user: temporal_user
162 # password: "" # optional, use existingSecret instead
163 # existingSecret: temporal-db-secret # Helm-specific, stripped before rendering
164 # secretKey: password # Helm-specific, default: password
165 # # Server v1.31+ alternative to password/existingSecret (SQL datastores
166 # # only). When set, no password Secret is created and no SQL_PASSWORD
167 # # env is wired; the server invokes the command per new connection.
169 # command: my-token-helper
174 # maxConnLifetime: "1h"
176 # tx_isolation: "READ-COMMITTED"
179 # caFile: /path/to/ca.pem
180 # Example Cassandra configuration:
182 # createDatabase: false
183 # manageSchema: false
184 # hosts: "host1,host2"
187 # user: cassandra_user
188 # password: "" # optional, use existingSecret instead
189 # existingSecret: temporal-cassandra-secret
190 # secretKey: password
191 # replicationFactor: 3
194 # consistency: "local_quorum"
195 # serialConsistency: "local_serial"
197 # Example SQL configuration (same structure as default.sql):
199 # createDatabase: false
200 # manageSchema: false
203 # databaseName: temporal_visibility
204 # connectAddr: "mysql.example.com:3306"
205 # connectProtocol: "tcp"
206 # user: temporal_user
207 # existingSecret: temporal-db-secret
208 # secretKey: password
209 # Example Elasticsearch configuration:
214 # host: "elasticsearch:9200"
217 # existingSecret: temporal-es-secret
218 # secretKey: password
221 # visibility: temporal_visibility_v1
224 # caFile: /path/to/ca.crt
225 # certFile: /path/to/client.crt
226 # keyFile: /path/to/client.key
227 # serverName: elasticsearch.internal
228 # enableHostVerification: true
229 # aws-request-signing:
230 # credentialProvider: environment # static, environment, or aws-sdk-default
234 # secretAccessKey: ""
236 # Additional stores can be added here and will pass through directly
239 # pluginName: postgres12
242 # Additional tags to be added to Prometheus metrics
244 # ... All other fields from https://github.com/temporalio/temporal/blob/main/common/metrics/config.go
# Listens on every interface (0.0.0.0), port 9090.
# NOTE(review): presumably the Prometheus metrics endpoint, given the surrounding
# comments. Metrics endpoints are commonly unauthenticated, so limit which workloads can
# reach this port (for example with a NetworkPolicy). Confirm.
250 listenAddress: "0.0.0.0:9090"
252 # Enable this to create namespaces
260 # Evaluated as template
# Per-service settings follow. The section headers for the individual services are not
# visible in this excerpt, so the repeated groups below are not labelled by service here.
# Every group leaves containerSecurityContext as an empty map, so no container-level
# hardening is supplied at this level.
# NOTE(review): unless a global default supplies one, consider setting runAsNonRoot,
# allowPrivilegeEscalation: false, readOnlyRootFilesystem and capabilities.drop to match
# your cluster's pod security policy.
# NOTE(review): podDisruptionBudget is an empty map in every group; presumably no
# PodDisruptionBudget is created unless it is filled in. Confirm.
266 membershipAppProtocol: tcp
268 httpAppProtocol: http
269 # Defaults to a tcpSocket probe; uncomment below for a gRPC probe.
270 # gRPC probes don't yet support TLS (kubernetes/enhancements#4939), so opt in only when TLS is off.
275 # service: temporal.api.workflowservice.v1.WorkflowService
# NOTE(review): the commented ingress example below sets ssl-redirect to "false" and its
# TLS entries are also commented out. If the ingress is enabled, uncomment and fill in the
# TLS entries rather than serving this endpoint in plaintext.
280 # kubernetes.io/ingress.class: traefik
281 # ingress.kubernetes.io/ssl-redirect: "false"
282 # traefik.frontend.rule.type: PathPrefix
288 # - secretName: chart-example-tls
290 # - chart-example.local
297 # timerType: histogram
299 deploymentAnnotations: {}
300 deploymentStrategy: {}
309 containerSecurityContext: {}
310 topologySpreadConstraints: []
311 podDisruptionBudget: {}
313 # Enable this to create internal-frontend
316 # Evaluated as template
322 membershipAppProtocol: tcp
324 httpAppProtocol: http
325 # Defaults to a tcpSocket probe; uncomment below for a gRPC probe.
326 # gRPC probes don't yet support TLS (kubernetes/enhancements#4939), so opt in only when TLS is off.
331 # service: temporal.api.workflowservice.v1.WorkflowService
338 # timerType: histogram
340 deploymentAnnotations: {}
341 deploymentStrategy: {}
350 containerSecurityContext: {}
351 topologySpreadConstraints: []
352 podDisruptionBudget: {}
# Next group: same keys and the same empty defaults as above.
360 membershipAppProtocol: tcp
368 # timerType: histogram
370 deploymentAnnotations: {}
371 deploymentStrategy: {}
380 containerSecurityContext: {}
381 topologySpreadConstraints: []
382 podDisruptionBudget: {}
# Next group: same keys and the same empty defaults as above.
390 membershipAppProtocol: tcp
398 # timerType: histogram
400 deploymentAnnotations: {}
401 deploymentStrategy: {}
410 containerSecurityContext: {}
411 topologySpreadConstraints: []
412 podDisruptionBudget: {}
# Next group: same keys and the same empty defaults as above.
420 membershipAppProtocol: tcp
428 # timerType: histogram
430 deploymentAnnotations: {}
431 deploymentStrategy: {}
440 containerSecurityContext: {}
441 topologySpreadConstraints: []
442 podDisruptionBudget: {}
# Admin-tools image. The tag value carries a sha256 digest after `latest@`, so the image
# content is pinned by digest even though the label reads `latest`. Change the digest
# deliberately when upgrading.
# NOTE(review): assumes the chart renders the reference as <repository>:<tag>; confirm.
446 repository: chainreg.biz/chainguard-private/temporal-admin-tools-fips
447 tag: latest@sha256:9d8c09326641e8d803092b010b7ef4f1d3523b6ec516da06449ee08c6d1a3363
# IfNotPresent reuses an image already cached on the node instead of pulling it again.
448 pullPolicy: IfNotPresent
454 deploymentAnnotations: {}
455 deploymentStrategy: {}
461 additionalVolumes: []
462 additionalVolumeMounts: []
# Empty strings: no existing Secret or ConfigMap is referenced for extra environment
# variables. NOTE(review): keep credentials in the Secret rather than the ConfigMap;
# confirm how the templates consume these names.
464 additionalEnvSecretName: ""
465 additionalEnvConfigMapName: ""
466 # temporalAddress: "localhost:7233"
467 # for sidecar containers, add containers here with restartPolicy: Always
468 additionalInitContainers: []
# Empty map: no container-level securityContext is supplied here.
# NOTE(review): this pod presumably holds administrative tooling for the cluster; consider
# runAsNonRoot, allowPrivilegeEscalation: false and capabilities.drop unless a global
# default already applies. Confirm.
470 containerSecurityContext: {}
473 podDisruptionBudget: {}
475 # additionalInitContainers: []
# Web UI image. The tag value carries a sha256 digest after `latest@`, so the image
# content is pinned by digest even though the label reads `latest`. Change the digest
# deliberately when upgrading.
# NOTE(review): assumes the chart renders the reference as <repository>:<tag>; confirm.
479 repository: chainreg.biz/chainguard-private/temporal-ui-server-fips
480 tag: latest@sha256:293a521aafb20faf527c68d471cbea9a67e0efff5393b1281fe04c07a2cadec8
# IfNotPresent reuses an image already cached on the node instead of pulling it again.
481 pullPolicy: IfNotPresent
483 # set type to NodePort if the web UI needs to be reachable from outside the cluster
484 # for more info see https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
# NOTE(review): a NodePort Service opens the port on every node. Confirm that the UI has
# authentication and TLS in front of it before exposing it this way.
486 # The below clusterIP setting can be set to "None" to make the temporal-web service headless.
487 # Note that this requires the web.service.type to be the default ClusterIP value.
493 # Override the address the UI uses to connect to the Temporal frontend.
494 # Defaults to <fullname>-frontend.<namespace>.svc:<server.frontend.service.port>.
495 # Useful when running a proxy sidecar that intercepts gRPC traffic.
496 # temporalAddress: "localhost:7233"
# NOTE(review): presumably a probe delay in seconds; the enclosing probe key is not
# visible in this excerpt.
498 initialDelaySeconds: 10
# NOTE(review): the commented ingress example below sets ssl-redirect to "false" and its
# TLS entries are also commented out. If the ingress is enabled, uncomment and fill in the
# TLS entries rather than serving the UI in plaintext.
506 # kubernetes.io/ingress.class: traefik
507 # ingress.kubernetes.io/ssl-redirect: "false"
508 # traefik.frontend.rule.type: PathPrefix
514 # - secretName: chart-example-tls
516 # - chart-example.local
518 deploymentAnnotations: {}
519 deploymentStrategy: {}
523 # We usually recommend not to specify default resources and to leave this as a conscious
524 # choice for the user. This also increases chances charts run on environments with little
525 # resources, such as Minikube. If you do want to specify resources, uncomment the following
526 # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
536 additionalVolumes: []
537 additionalVolumeMounts: []
538 # Adjust Web UI config with environment variables:
539 # https://docs.temporal.io/references/web-ui-environment-variables
# Empty strings: no existing Secret or ConfigMap is referenced for extra environment
# variables. NOTE(review): put any credential-bearing UI settings in the Secret rather
# than the ConfigMap; confirm how the templates consume these names.
541 additionalEnvSecretName: ""
542 additionalEnvConfigMapName: ""
# Empty map: no container-level securityContext is supplied here.
# NOTE(review): consider runAsNonRoot, allowPrivilegeEscalation: false and
# capabilities.drop unless a global default already applies.
543 containerSecurityContext: {}
545 topologySpreadConstraints: []
547 podDisruptionBudget: {}
549 # Use Helm hooks to ensure schema setup completes before server pods start.
550 # Set to false if using Flux, Rancher or Terraform.
# null: no active deadline is set in these values.
553 activeDeadlineSeconds: null
# 86400 seconds = 24 hours.
# NOTE(review): presumably how long the finished schema Job and its pod logs are retained
# before cleanup; confirm.
554 ttlSecondsAfterFinished: 86400
# Empty map: no container-level securityContext is supplied here.
# NOTE(review): consider runAsNonRoot, allowPrivilegeEscalation: false and
# capabilities.drop unless a global default already applies.
559 containerSecurityContext: {}
562 # Enable compatibility with Temporal 1.29 images. Set to false if using Temporal 1.30 or higher.
564 # Enable compatibility with Temporal 1.29 images. Set to false if using Temporal 1.30 or higher.
# Enabled by default: the 1.29-compatibility behaviour described in the comment above is on.
565 elasticsearchTool: true