values.yaml

# We use global values scope to multiplex the docker-registry details to both mlrun and nuclio
global:
  # External host/ip to reach the k8s node. This might take various values if k8s is run in a VM or a cloud env
  externalHostAddress: localhost
  registry: &userRegistry
    url: mustprovide
    secretName:
  nuclio:
    dashboard:
      nodePort: 30050
  infrastructure:
    # Defines infra flavour, for instance: standalone, onprem, aws, azure, gcp...
    kind: standalone
    # Defines k8s flavour, for instance: eks, aks, gcp, kubespray, openshift, rancher, minikube...
    provider: ~
    inboundCidrs: ~
    loadBalancerName: ~
    aws:
      bucketName: ~
      s3NonAnonymous: false
      domainNameCertificate: ~

# =============================================================================
# S3-compatible storage configuration
# These credentials are used by MLRun, Jupyter, and Kubeflow Pipelines
# to access the storage backend.
# =============================================================================

# storage.mode selects which backend credentials are injected into the 'storage-credentials' Secret.
# Options:
#   s3 (default) - uses storage.s3.accessKey/secretKey/bucket with SeaweedFS endpoint
#   azure-blob   - uses storage.azure.* fields
storage:
  mode: s3
  s3:
    accessKey: "seaweed"
    secretKey: "seaweed123"
    bucket: "mlrun"
  azure:
    containerName: ""
    connectionString: ""
    accountName: ""
    accountKey: ""
    sasToken: ""
    clientSecret: ""
    tenantId: ""

nuclio:
  global:
    registry: *userRegistry
  # coupled with mlrun.nuclio.dashboardName template in mlrun chart
  fullnameOverride: nuclio
  controller:
    enabled: true
  dashboard:
    enabled: true
    # nodePort - taken from global.nuclio.dashboard.nodePort for re-usability

    # k8s has deprecated docker support since v1.20
    containerBuilderKind: kaniko
    ingress:
      enabled: false

    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
  autoscaler:
    enabled: false
  dlx:
    enabled: false
  rbac:
    create: true

    # do not allow nuclio to listen on all namespaces
    crdAccessMode: namespaced
  crd:
    create: true
  platform:
    logger:
      sinks:
        myStdoutLoggerSink:
          kind: stdout
          attributes:
            encoding: console
            timeFieldName: time
            timeFieldEncoding: iso8601
      system:
        - level: debug
          sink: myStdoutLoggerSink
      functions:
        - level: debug
          sink: myStdoutLoggerSink
    projectsLeader:
      kind: mlrun
      synchronizationInterval: 10m
      apiAddress: http://mlrun-api-chief:8080/api

mlrun:
  # set the type of filesystem to use: filesystem, s3
  enabled: true
  global:
    registry: *userRegistry
  defaultFunctionPodResources:
    limits:
      cpu: "2"
      memory: "20Gi"
    requests:
      cpu: "25m"
      memory: "1Mi"
  storage: filesystem
  # Storage auto-mount configuration for SeaweedFS S3-compatible storage
  # This allows MLRun SDK to automatically mount storage without user-provided params
  storageAutoMountType: secret_env
  storageAutoMountParams: ~
  secrets:
    s3:
      accessKey: ""
      secretKey: ""
  s3:
    region: us-east-1
    regionEndpoint: s3.us-east-1.amazonaws.com
    bucket: mlrun
    encrypt: false
    secure: true
  fullnameOverride: mlrun
  nuclio:
    mode: enabled
  rbac:
    create: true
  v3io:
    enabled: false
  api:
    image:
      tag: 1.11.0-rc28
    ingress:
      enabled: false
      annotations: {}
    sidecars:
      logCollector:
        image:
          tag: 1.11.0-rc28
        enabled: true
    fullnameOverride: mlrun-api
    functionSpecServiceAccountDefault: ~
    service:
      type: NodePort
      nodePort: 30070
    volumes:
      storageOverride:
        persistentVolumeClaim:
          claimName: mlrun-api-pvc
    persistence:
      enabled: true
      existingClaim:
      storageClass:
      accessMode: "ReadWriteOnce"
      size: "8Gi"
      annotations:
        helm.sh/resource-policy: "keep"
    envFrom:
      - configMapRef:
          name: mlrun-common-env
      - secretRef:
          name: storage-credentials
          optional: true
      - configMapRef:
          name: mlrun-pipelines-config
          optional: true
      - configMapRef:
          name: mlrun-spark-config
          optional: true
      - configMapRef:
          name: mlrun-override-env
          optional: true
    extraPersistentVolumeMounts: ~

    # Set mlrun api workers count by setting the minReplicas value.
    # This is recommended for production environments running at high scale.
    # more informatino on https://github.com/v3io/helm-charts/blob/7add12015d51f7ce500a71cb40fbb658b2c9ff3d/stable/mlrun/values.yaml#L99-L102
    # worker:
      # minReplicas: 1

    # Enable microservices is recommended for production environments running at high scale.
    # more information on https://github.com/v3io/helm-charts/blob/7add12015d51f7ce500a71cb40fbb658b2c9ff3d/stable/mlrun/values.yaml#L8-L53
    # microservices:
      # enabled: false
      # services:
      # - name: alerts

  ui:
    image:
      tag: 1.11.0-rc28
    fullnameOverride: mlrun-ui
    ingress:
      enabled: false
    service:
      type: NodePort
      nodePort: 30060
  db:
    name: db
    fullnameOverride: mlrun-db
    securityContext:
      runAsUser: 999
    podSecurityContext:
      runAsUser: 999
      fsGroup: 999
    volumes:
      storageOverride:
        persistentVolumeClaim:
          claimName: mlrun-db-pvc
    persistence:
      enabled: true
      existingClaim:
      storageClass:
      accessMode: "ReadWriteOnce"
      size: "8Gi"
      annotations:
        helm.sh/resource-policy: "keep"

  httpDB:
    dbType: mysql
    dirPath: "/mlrun/db"
    dsn: mysql+pymysql://root@mlrun-db:3306/mlrun
    oldDsn: sqlite:////mlrun/db/mlrun.db?check_same_thread=false
  modelMonitoring:
    # If no dsn has been provided, will initiate monitoring database under mlrun-db service:
    # mysql+pymysql://root@mlrun-db:3306/mlrun_model_monitoring
    dsn:
  ce:
    mode: full

jupyterNotebook:
  serviceAccount:
    create: true
    name: mlrun-jupyter
  awsInstall: false
  fullnameOverride: mlrun-jupyter
  name: jupyter-notebook
  enabled: true
  service:
    type: NodePort
    nodePort: 30040
    port: 8888
  ingress:
    enabled: false
    annotations: {}
    ingressClassName: ""

    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
    hosts:
      - host: chart-example.local
        paths: []
    tls: []

    #  - secretName: chart-example-tls
    #    hosts:
    #      - chart-example.local
  image:
    repository: quay.io/mlrun/jupyter
    tag: 1.11.0-rc28
    pullPolicy: IfNotPresent
    pullSecrets: []
  busybox:
    image: busybox
    tag: 1.37
  ce:
    mode: full

  # use this to override mlrunUIURL, by default it will be auto-resolved to externalHostAddress and
  # mlrun UI node port
  mlrunUIURL:
  extraEnvKeyValue: {}
  envFrom:
    - configMapRef:
        name: jupyter-common-env
        optional: true
    - secretRef:
        name: storage-credentials
        optional: true
  persistence:
    enabled: true
    existingClaim:
    storageClass:
    accessMode: "ReadWriteOnce"
    size: "8Gi"
    annotations:
      helm.sh/resource-policy: "keep"

  nodeSelector:
    {}
    # node-role.kubernetes.io/node: "true"
    # tier: cs
  tolerations:
    []
    #  - key: "node-role.kubernetes.io/master"
    #    effect: NoSchedule

mpi-operator:
  fullnameOverride: mpi-operator
  crd:
    create: true
  rbac:
    clusterResources:
      create: true
    namespaced:
      create: true
  deployment:
    create: true

seaweedfs:
  enabled: true
  # Preserve resource names after chart upgrade (4.17 switched from seaweedfs.name to seaweedfs.fullname)
  fullnameOverride: seaweedfs
  global:
    # Override parent chart's global.registry (which is a map) with empty string
    # to prevent "map[secretName:<nil> url:mustprovide]" in image names
    registry: ""
    # Override default "001" to "000" for single-node setup (no replication)
    replicationPlacement: "000"
    # Disabled by default. Only needed if SeaweedFS master/volume pods need to
    # delete other pods during data migration (e.g., multi-node rebalancing).
    # Enabling this creates a ClusterRole, which conflicts in multi-NS deployments.
    createClusterRole: false

  # Disable individual component pods - allInOne runs everything in a single deployment
  master:
    enabled: false
  volume:
    enabled: false
  filer:
    enabled: false

  # S3 auth config - enableAuth gates the seaweedfs-s3-config Secret creation in
  # templates/seaweedfs/seaweedfs-s3-config.yaml even though the dedicated s3 pod
  # is disabled. The secret is consumed by allInOne.s3.existingConfigSecret below.
  s3:
    port: 8333
    enableAuth: true

  # Single-pod mode: master + volume + filer + S3 gateway in one deployment.
  # Reduces from 4 component pods down to 1, cutting CPU/memory footprint significantly.
  allInOne:
    enabled: true
    s3:
      enabled: true
      port: 8333
      enableAuth: true
      # IAM config secret created by templates/seaweedfs/seaweedfs-s3-config.yaml
      existingConfigSecret: "seaweedfs-s3-config"
    # Storage: use PVC instead of default emptyDir
    data:
      type: "persistentVolumeClaim"
      size: "10Gi"
    resources:
      requests:
        memory: 256Mi
        cpu: 100m
      limits:
        memory: 2Gi

  # Admin server - user and policy management UI
  admin:
    enabled: true
    port: 23646
    # Point admin at the allInOne service since the standalone master StatefulSet
    # is disabled. Without this the chart cannot auto-discover the master address.
    masters: "seaweedfs-all-in-one:9333"
    secret:
      adminUser: "seaweed"
      adminPassword: "seaweed123"
    dataDir: "/data"
    # Storage: use PVC instead of default emptyDir
    data:
      type: "persistentVolumeClaim"
      size: "1Gi"
    resources:
      requests:
        memory: 64Mi
        cpu: 25m
      limits:
        memory: 128Mi
        cpu: 1

  # Custom NodePort service for Admin UI external access
  adminService:
    type: NodePort
    port: 23646
    nodePort: 30093
    ingress:
      enabled: false
      className: ""
      host: ""
      path: /
      pathType: Prefix
      annotations: {}
      tls: []

  # Custom NodePort service for S3 API external access.
  # Also provides the internal "seaweedfs-s3" cluster alias used by MLRun/KFP helpers.
  s3Service:
    type: NodePort
    port: 8333
    nodePort: 30094

spark-operator:
  enabled: true
  fullnameOverride: spark-operator
  controller:
    serviceName: spark-operator-webhook
  webhook:
    enable: true
  spark:
    # User should set this value accordingly when installing in another namespace
    jobNamespaces:
      - mlrun
    serviceAccount:
      name: sparkapp

pipelines:
  archiveLogs: false
  enabled: true
  name: pipelines
  # Log level for KFP api-server (DEBUG, INFO, WARNING, ERROR)
  logLevel: INFO
  ui:
    enabled: false
  metadata:
    enabled: false
  service:
    type: NodePort
    nodePort: 30100
  crd:
    enabled: true
  priority_class:
    enabled: true
  persistence:
    enabled: true
    existingClaim:
    storageClass:
    accessMode: "ReadWriteOnce"
    size: "20Gi"
    annotations:
      helm.sh/resource-policy: "keep"
  nodeSelector:
    {}
    # node-role.kubernetes.io/node: "true"
    # tier: cs
  tolerations:
    []
    #  - key: "node-role.kubernetes.io/master"
    #    effect: NoSchedule
  db:
    username: root
    securityContext:
      runAsUser: 1001
      runAsGroup: 1001
      fsGroup: 1001
      fsGroupChangePolicy: OnRootMismatch
  images:
    driver:
      repository: ghcr.io/kubeflow/kfp-driver
      tag: 2.15.0
    launcher:
      repository: ghcr.io/kubeflow/kfp-launcher
      tag: 2.15.0
    argoexec:
      repository: gcr.io/iguazio/argoexec
      tag: v3.4.17-license-compliance
    workflowController:
      repository: gcr.io/iguazio/workflow-controller
      tag: v3.4.17-license-compliance
    apiServer:
      repository: ghcr.io/kubeflow/kfp-api-server
      tag: 2.15.0
      busybox:
        repository: busybox
        tag: "1.36"
    persistenceagent:
      repository: ghcr.io/kubeflow/kfp-persistence-agent
      tag: 2.15.0
    scheduledworkflow:
      repository: ghcr.io/kubeflow/kfp-scheduled-workflow-controller
      tag: 2.15.0
    ui:
      repository: ghcr.io/kubeflow/kfp-frontend
      tag: 2.15.0
    viewerCrdController:
      repository: ghcr.io/kubeflow/kfp-viewer-crd-controller
      tag: 2.15.0
    visualizationServer:
      repository: ghcr.io/kubeflow/kfp-visualization-server
      tag: 2.15.0
    metadata:
      container:
        repository: gcr.io/tfx-oss-public/ml_metadata_store_server
        tag: 1.16.0
    metadataEnvoy:
      repository: ghcr.io/kubeflow/kfp-metadata-envoy
      tag: 2.15.0
    metadataWriter:
      repository: ghcr.io/kubeflow/kfp-metadata-writer
      tag: 2.15.0
    mysql:
      # MySQL 8.0.26 because >= 8.0.27 has deprecated the default_authentication_plugin option
      # which is required by MLMD workloads (metadata-grpc-deployment and metadata-writer).
      # https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_default_authentication_plugin
      repository: gcr.io/iguazio/mysql
      tag: "8.0.26"
    cacheImage:
      repository: gcr.io/google-containers/busybox
      tag: latest

kube-prometheus-stack:
  fullnameOverride: monitoring
  enabled: true
  prometheusOperator:
    tls:
      enabled: false
    admissionWebhooks:
      enabled: false
  alertmanager:
    enabled: false
  grafana:
    adminUser: admin
    adminPassword: admin
    initChownData:
      enabled: false
    additionalDataSources:
      - name: iguazio
        type: mysql
        url: mlrun-db:3306
        user: root
        password:
        database: mlrun_model_monitoring
        editable: true
        maxOpenConns: 100
        maxIdleConns: 100
        maxIdleConnsAuto: true
    persistence:
      type: pvc
      enabled: true
      size: 10Gi
    grafana.ini:
      auth.anonymous:
        enabled: true
        org_role: Editor
    fullnameOverride: grafana
    enabled: true
    service:
      type: NodePort
      nodePort: 30010
    ingress:
      enabled: false
  prometheus:
    enabled: true
    service:
      type: NodePort
      nodePort: 30020
  kube-state-metrics:
    fullnameOverride: state-metrics
  prometheus-node-exporter:
    fullnameOverride: node-exporter
    hostNetwork: false
    service:
      port: 9100
    hostRootFsMount:
      enabled: false

timescaledb:
  enabled: true
  fullnameOverride: timescaledb
  image:
    repository: timescale/timescaledb-ha
    tag: "pg17.7-ts2.24.0"
    pullPolicy: IfNotPresent
  service:
    type: NodePort
    port: 5432
    nodePort: 30110
  auth:
    username: postgres
    password: postgres
    database: postgres
  persistence:
    enabled: true
    size: "10Gi"
    storageClass: ""
    accessMode: "ReadWriteOnce"
    annotations:
      helm.sh/resource-policy: "keep"
  resources:
    requests:
      memory: "256Mi"
      cpu: "100m"
    limits:
      memory: "1Gi"
      cpu: "1"
  nodeSelector: {}
  tolerations: []
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000
    fsGroupChangePolicy: OnRootMismatch

strimzi-kafka-operator:
  enabled: true
  watchAnyNamespace: true
#  defaultImageRegistry: quay.io
#  defaultImageRepository: strimzi
#  defaultImageTag: 0.48.0

kafka:
  enabled: true
  name: kafka-stream

  # Bootstrap service alias configuration
  bootstrapAlias:
    # Create a service alias for simpler Kafka bootstrap server name
    # When enabled, creates: {name}.{namespace}.svc.cluster.local:9092
    # instead of the default: {name}-kafka-bootstrap.{namespace}.svc.cluster.local:9092
    enabled: true
    # Name for the bootstrap service alias (only used if enabled is true)
    name: kafka-stream

  replicas: 1

  listeners:
    - name: client
      port: 9092
      type: internal
      tls: false
    - name: controller
      port: 9093
      type: internal
      tls: false
    - name: internal
      port: 9094
      type: internal
      tls: false

  storage:
    type: persistent-claim
    size: 8Gi
    class: ""

  resources:
    requests:
      memory: "1Gi"
      cpu: "500m"
    limits:
      memory: "2Gi"
      cpu: "1000m"

  config:
    # Replication settings for single-node setup
    default.replication.factor: 1
    offsets.topic.replication.factor: 1
    transaction.state.log.replication.factor: 1
    transaction.state.log.min.isr: 1

  zookeeper:
    replicas: 0

  # Kafka RBAC for user namespaces
  # Enable this when installing in user namespaces (mlrun, mlrun1, etc.)
  # When enabled, creates: ServiceAccount "kafka-client" + Role/RoleBinding
  rbac:
    # Enable RBAC for this namespace to access Kafka
    enabled: true

    # Operator namespace (where Kafka operator/cluster is running)
    # Empty means "use the release namespace"
    # Example: "controller" if that's where you installed the operator
    operatorNamespace: ""

  # NetworkPolicy for Kafka isolation in multi-NS deployments
  egress:
    enabled: false
# Spark configuration for multi-NS deployments
# Controls CE-level spark resources (mlrun-spark-config ConfigMap)
# In single-NS mode, both spark.enabled and spark-operator.enabled are true
# In multi-NS admin mode, spark.enabled is false (no ConfigMap needed)
# In multi-NS user mode, spark.enabled is true (ConfigMap needed for MLRun)
spark:
  enabled: true