# Default values for gohoarder
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# NOTE(review): this copy was restored from a whitespace-collapsed listing, so
# nesting was inferred from key names and comments. Keys whose level could not
# be determined with confidence carry their own NOTE(review) below.

# Override the name of the chart
nameOverride: ""
# Override the full name of the chart
fullnameOverride: ""

# Global configuration
global:
  # Base domain for the deployment
  domain: "gohoarder.local"
  # Image pull secrets for private registries
  # Reference existing secrets by name:
  # imagePullSecrets:
  #   - name: ghcr-secret
  #   - name: dockerhub-secret
  imagePullSecrets: []

# Auto-create image pull secrets from credentials (optional)
# If you want the chart to create the secrets for you, use this instead:
# imageCredentials:
#   ghcr-secret:
#     registry: ghcr.io
#     username: myusername
#     password: mytoken
#     email: myemail@example.com
#   dockerhub-secret:
#     registry: https://index.docker.io/v1/
#     username: myusername
#     password: mytoken
#     email: myemail@example.com
# Then reference them in global.imagePullSecrets:
#   - name: ghcr-secret
# Security: registry tokens entered here live in whatever values file or
# --set argument supplies them. Keep such files out of version control, or
# create the pull secrets out of band and only reference them by name above.
# NOTE(review): assumed to be a top-level key (the comment above refers to
# "global.imagePullSecrets" by full path) - confirm against the templates.
imageCredentials: {}

# Deployment replicas
# NOTE: When running multiple server replicas (>1):
# - Use S3 or SMB for storage.backend (not filesystem with local storage)
# - Use PostgreSQL for metadata.backend (SQLite has limited concurrency)
# - See "High Availability & Scaling" section in README
replicaCount:
  server: 1
  frontend: 1
  scanner: 1

# Image configuration
# Images are selected by tag. A tag can be re-pointed in the registry; whether
# the templates accept a digest reference is not visible in this file.
image:
  server:
    repository: ghcr.io/lukaszraczylo/gohoarder-server
    pullPolicy: IfNotPresent
    tag: "0.1.58"
  frontend:
    repository: ghcr.io/lukaszraczylo/gohoarder-frontend
    pullPolicy: IfNotPresent
    tag: "0.1.58"
  scanner:
    repository: ghcr.io/lukaszraczylo/gohoarder-scanner
    pullPolicy: IfNotPresent
    tag: "0.1.58"

# Service Account
serviceAccount:
  create: true
  annotations: {}
  name: ""

# Pod annotations
podAnnotations: {}

# Pod security context
# Runs as a fixed non-root UID and sets the volume group to 1000.
# NOTE(review): no seccompProfile is set here; if the templates pass this map
# through unchanged, seccompProfile.type: RuntimeDefault could be added by
# overriding this value - confirm against the templates.
podSecurityContext:
  fsGroup: 1000
  runAsNonRoot: true
  runAsUser: 1000

# Container security context
# Hardened defaults: no privilege escalation, all Linux capabilities dropped,
# read-only root filesystem. Relaxing any of these widens what a compromised
# container can do.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true

# Server configuration
server:
  # Listen address inside the pod; 0.0.0.0 means all pod interfaces, so
  # reachability is governed by the Service, Ingress and NetworkPolicy below.
  host: "0.0.0.0"
  port: 8080
  readTimeout: "5m"
  writeTimeout: "5m"
  idleTimeout: "2m"
  # Additional environment variables for server container
  # Use this to override config via environment variables
  # Format: GOHOARDER_ followed by the config path in upper case
  # (dots replaced with underscores)
  # Examples:
  #   GOHOARDER_STORAGE_BACKEND: s3
  #   GOHOARDER_METADATA_BACKEND: postgresql
  # Pass secret values with valueFrom.secretKeyRef (as in the last example)
  # rather than a literal "value", so they do not appear in the pod spec.
  # env:
  #   - name: GOHOARDER_STORAGE_BACKEND
  #     value: "s3"
  #   - name: GOHOARDER_STORAGE_S3_BUCKET
  #     value: "my-bucket"
  #   - name: GOHOARDER_METADATA_POSTGRESQL_PASSWORD
  #     valueFrom:
  #       secretKeyRef:
  #         name: postgres-secret
  #         key: password
  env: []
  # Service configuration
  service:
    type: ClusterIP
    port: 80
    targetPort: 8080
    annotations: {}
  # Resource limits
  resources:
    limits:
      cpu: 2000m
      memory: 2Gi
    requests:
      cpu: 500m
      memory: 512Mi
  # Liveness and readiness probes
  livenessProbe:
    httpGet:
      path: /health
      port: http
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
  readinessProbe:
    httpGet:
      path: /health/ready
      port: http
    initialDelaySeconds: 10
    periodSeconds: 5
    timeoutSeconds: 3
    failureThreshold: 3
  # Node selector
  nodeSelector: {}
  # Tolerations
  tolerations: []
  # Affinity
  affinity: {}

# Frontend configuration
frontend:
  # Backend URL for API calls
  backendUrl: "" # Auto-configured if empty
  # Additional environment variables for frontend container
  # env:
  #   - name: API_BASE_URL
  #     value: "https://api.example.com"
  env: []
  # Service configuration
  service:
    type: ClusterIP
    port: 80
    targetPort: 80
    annotations: {}
  # Resource limits
  resources:
    limits:
      cpu: 500m
      memory: 512Mi
    requests:
      cpu: 100m
      memory: 128Mi
  # Liveness and readiness probes
  livenessProbe:
    httpGet:
      path: /
      port: http
    initialDelaySeconds: 30
    periodSeconds: 10
  readinessProbe:
    httpGet:
      path: /
      port: http
    initialDelaySeconds: 10
    periodSeconds: 5
  nodeSelector: {}
  tolerations: []
  affinity: {}

# Scanner configuration
scanner:
  # Additional environment variables for scanner container
  # env:
  #   - name: GOHOARDER_SECURITY_SCANNERS_TRIVY_ENABLED
  #     value: "true"
  env: []
  # Resource limits
  resources:
    limits:
      cpu: 2000m
      memory: 4Gi
    requests:
      cpu: 500m
      memory: 1Gi
  nodeSelector: {}
  tolerations: []
  affinity: {}

# Storage configuration
storage:
  # Storage backend: filesystem, s3, smb
  # For multiple server replicas:
  # - S3 or SMB (recommended)
  # - Filesystem with ReadWriteMany (RWX) storage class (Longhorn, NFS, CephFS)
  # - NOT filesystem with ReadWriteOnce (RWO) or local storage
  backend: "filesystem"
  # Filesystem storage
  filesystem:
    # Storage class for PVC
    # For multiple replicas: use RWX-capable storage class (longhorn, nfs-client, cephfs, etc.)
    storageClass: ""
    # Storage size
    size: "100Gi"
    # Access mode:
    # ReadWriteOnce (RWO) - Single replica only
    # ReadWriteMany (RWX) - Multiple replicas (requires RWX storage class)
    accessMode: "ReadWriteOnce"
    # Use hostPath instead of PVC (for single-node testing only)
    # Security: a hostPath volume mounts a directory of the node itself into
    # the pod; many clusters forbid it by admission policy. Keep this false
    # outside of test environments.
    useHostPath: false
    hostPath: "/var/lib/gohoarder"
    # Existing PVC name (if you want to use existing PVC)
    existingClaim: ""
  # S3 storage
  s3:
    endpoint: "s3.amazonaws.com"
    region: "us-east-1"
    bucket: "gohoarder-cache"
    # Security: prefer existingSecret over filling in the two key fields, so
    # the credentials are not kept in a values file.
    accessKeyId: ""
    secretAccessKey: ""
    # Use existing secret for S3 credentials
    existingSecret: ""
    # Leave true unless the endpoint is on a trusted network; false presumably
    # sends credentials and package data without TLS - confirm.
    useSSL: true
  # SMB storage
  smb:
    host: ""
    share: ""
    username: ""
    # Security: prefer existingSecret over an inline password.
    password: ""
    domain: ""
    # Use existing secret for SMB credentials
    existingSecret: ""

# Metadata storage configuration
metadata:
  # Backend: sqlite, postgresql, mysql
  #
  # IMPORTANT: SQLite CANNOT be used with SMB/CIFS/NFS network storage!
  # SQLite requires POSIX file locking which causes "database is locked" errors on network filesystems.
  #
  # Choose your configuration:
  # 1. SQLite with local storage (development/single-node only)
  #    - Set backend: sqlite
  #    - Set sqlite.persistence.storageClass to a LOCAL storage class (e.g., "local-path")
  #    - OR set sqlite.persistence.enabled: false to use emptyDir (data lost on pod restart)
  #
  # 2. PostgreSQL with any storage (RECOMMENDED for production)
  #    - Set backend: postgresql
  #    - Configure postgresql settings below
  #    - Works with any storage including SMB/NFS
  #    - Supports multiple replicas and high availability
  #
  # 3. MySQL/MariaDB with any storage (alternative to PostgreSQL)
  #    - Set backend: mysql
  #    - Configure mysql settings below
  #    - Works with any storage including SMB/NFS
  #
  backend: "sqlite"
  # SQLite configuration
  # WARNING: Do NOT use SMB/CIFS/NFS storage classes with SQLite!
  sqlite:
    # Use PVC for SQLite database
    # IMPORTANT: storageClass must be LOCAL storage, NOT network storage (smb/nfs)
    persistence:
      enabled: false # Changed to false by default - use emptyDir unless you have local storage
      storageClass: "" # Must be local-path or similar LOCAL storage class if enabled
      size: "10Gi"
      accessMode: "ReadWriteOnce"
      existingClaim: ""
    # WAL mode provides better concurrency but doesn't work on network filesystems (SMB, NFS)
    # Set to false when using network storage for the metadata volume
    walMode: false
  # PostgreSQL configuration
  # Works with any storage including SMB/NFS
  # Recommended for production deployments
  postgresql:
    # Use bundled PostgreSQL (sets up postgresql subchart)
    enabled: false
    host: "localhost"
    port: 5432
    database: "gohoarder"
    username: "gohoarder"
    # Security: prefer existingSecret over an inline password.
    password: ""
    # Security: "disable" sends the login and all queries unencrypted.
    # "require" encrypts but does not verify the server certificate;
    # "verify-full" also checks the certificate chain and host name. Use
    # "verify-full" when the database is reached over a network you do not
    # fully control.
    sslMode: "disable" # disable, require, verify-ca, verify-full
    # Use existing secret for PostgreSQL credentials
    existingSecret: ""
  # MySQL/MariaDB configuration
  # Works with any storage including SMB/NFS
  # Alternative to PostgreSQL for production deployments
  # NOTE(review): no TLS option for the MySQL connection is exposed in this
  # block; how the connection is secured is not visible here.
  mysql:
    host: "localhost"
    port: 3306
    database: "gohoarder"
    username: "gohoarder"
    # Security: prefer existingSecret over an inline password.
    password: ""
    charset: "utf8mb4"
    parseTime: true
    # Use existing secret for MySQL credentials
    existingSecret: ""
  # GORM connection pool settings (applies to all database backends)
  # These settings control database connection pooling and performance
  # NOTE(review): placed under "metadata" because the comment above says they
  # apply to all database backends - confirm the level against the templates.
  maxOpenConns: 25 # Maximum number of open connections to the database
  maxIdleConns: 5 # Maximum number of idle connections in the pool
  connMaxLifetime: 3600 # Maximum lifetime of a connection in seconds (1 hour)
  logLevel: "warn" # GORM log level: silent, error, warn, info
  # Database migration configuration
  # NOTE(review): assumed to be nested under "metadata"; it may instead be a
  # top-level key - confirm against the templates before relying on this path.
  migration:
    # Enable automatic database migrations via init containers
    # When enabled, each pod will run migrations before starting the main container
    # Gormigrate handles concurrency automatically - safe for multiple pods
    enabled: true
    # Migration image configuration
    image:
      repository: ghcr.io/lukaszraczylo/gohoarder-migrate
      pullPolicy: IfNotPresent
      tag: "0.1.58"
    # Migration settings
    logLevel: "info" # debug, info, warn, error
    timeout: "5m" # Maximum time for migrations to complete
    # Resource limits for migration init container
    resources:
      limits:
        cpu: 500m
        memory: 256Mi
      requests:
        cpu: 100m
        memory: 128Mi

# Cache configuration
cache:
  defaultTTL: "168h" # 7 days
  cleanupInterval: "1h"
  maxSizeBytes: 536870912000 # 500 GiB (500 * 1024^3 bytes)
  perProjectQuota: 53687091200 # 50 GiB (50 * 1024^3 bytes)
  ttlOverrides:
    npm: "168h"
    pip: "168h"
    go: "168h"

# Security scanning configuration
# Security: scanning is off by default (enabled: false, and every scanner
# except "static" is disabled), so cached packages are served without a
# vulnerability check until this section is turned on. The blocking settings
# below presumably have no effect while enabled is false - confirm.
security:
  enabled: false
  blockOnSeverity: "high" # none, low, medium, high, critical
  scanOnDownload: true
  rescanInterval: "24h"
  updateDbOnStartup: false
  # Per-severity limits. NOTE(review): -1 presumably means "no limit" and 0
  # "block on the first finding" - the semantics are not shown in this file.
  blockThresholds:
    critical: 0
    high: -1
    medium: -1
    low: -1
  scanners:
    trivy:
      enabled: false
      timeout: "5m"
      cacheDb: "/var/lib/trivy"
    osv:
      enabled: false
      apiUrl: "https://api.osv.dev"
      timeout: "30s"
    grype:
      enabled: false
      timeout: "5m"
    govulncheck:
      enabled: false
      timeout: "5m"
    npmAudit:
      enabled: false
      timeout: "2m"
    pipAudit:
      enabled: false
      timeout: "2m"
    ghsa:
      enabled: false
      timeout: "30s"
      # GitHub token for higher rate limits
      # Security: prefer existingSecret over an inline token, and scope the
      # token as narrowly as GitHub allows.
      token: ""
      existingSecret: ""
    # NOTE(review): "static" is assumed to be one of the scanners - confirm
    # its level against the templates.
    static:
      enabled: true
      maxPackageSize: 2147483648 # 2 GiB (2 * 1024^3 bytes)
      checkChecksums: true
      # With false, packages flagged as suspicious are presumably reported but
      # still served - confirm.
      blockSuspicious: false

# Authentication configuration
# Authentication is on by default; keep it on for any deployment reachable
# beyond a trusted network.
auth:
  enabled: true
  # Security: with "0", issued API keys stay valid until they are revoked.
  # Set a finite lifetime where keys are handed to CI systems or many users.
  keyExpiration: "0" # Never expire
  # bcrypt work factor; NOTE(review): presumably applied when hashing API
  # keys - confirm. Higher values cost more CPU per verification.
  bcryptCost: 10
  auditLog: true
  # Admin API key - will be auto-generated if not provided
  # Security: prefer existingSecret (or the auto-generated key) over an
  # inline value, so the admin key is not kept in a values file.
  adminApiKey: ""
  # Use existing secret for admin API key
  existingSecret: ""
  # Secret key name for admin API key
  secretKey: "admin-api-key"

# Network configuration
network:
  connectTimeout: "10s"
  readTimeout: "5m"
  writeTimeout: "5m"
  maxIdleConns: 100
  maxConnsPerHost: 10
  rateLimit:
    perApiKey: 1000
    perIp: 100
    burstSize: 50
  circuitBreaker:
    threshold: 5
    timeout: "30s"
    resetInterval: "60s"
  retry:
    maxAttempts: 3
    initialBackoff: "1s"
    maxBackoff: "30s"

# Logging configuration
logging:
  level: "info" # debug, info, warn, error
  format: "json" # json, pretty

# Package handlers configuration
# All upstream URLs use https. Pointing one at a plain-http mirror would let
# anything on the path alter packages before they are cached.
handlers:
  go:
    enabled: true
    upstreamProxy: "https://proxy.golang.org"
    checksumDb: "https://sum.golang.org"
    # Keep true: this is the integrity check of Go modules against checksumDb.
    verifyChecksums: true
  npm:
    enabled: true
    upstreamRegistry: "https://registry.npmjs.org"
  pypi:
    enabled: true
    upstreamUrl: "https://pypi.org"
    simpleApiUrl: "https://pypi.org/simple"

# Ingress configuration
ingress:
  enabled: false
  className: "nginx"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/proxy-body-size: "2048m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
  # Single ingress routes all traffic to frontend
  # Frontend now includes reverse proxy to backend (merged gateway functionality)
  host: "gohoarder.local"
  # Security: tls.enabled defaults to false even though a cert-manager issuer
  # annotation is set above. Enabling the ingress without TLS would carry API
  # keys and packages in cleartext; enable both together.
  tls:
    enabled: false
    secretName: "gohoarder-tls"

# Autoscaling configuration
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80

# Pod Disruption Budget
podDisruptionBudget:
  enabled: false
  minAvailable: 1

# Network Policy
# Security: disabled by default, so this chart presumably renders no
# NetworkPolicy and pod traffic is limited only by cluster-wide policy.
networkPolicy:
  enabled: false
  # Allow external access to server
  # An empty namespaceSelector matches every namespace, so when enabled this
  # rule admits TCP 8080 from any pod in the cluster. Add matchLabels (and a
  # podSelector) to limit it to the namespaces that need the server.
  ingress:
    - from:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: 8080