## ## Global options relating to Gradle Enterprise as a whole rather than a specific subsystem. ## # # global: # ## ## Public URL ## # # hostname: ge.example.com # Hostname used to access the web interface by web browsers, etc. Required. # externalSSLTermination: true # If we are using HTTPS but not with termination in the built-in ingress or proxy. Default false. # externalPort: 8180 # Set to specify the external port the installation is available on. Only required if not using standard ports (80/443). # ## ## Gradle Enterprise license settings ## ## Exactly one of these options must be set. ## ## If performing an online (ie not airgapped) installation that pulls images from the Gradle image registry, ## and you are setting the license via global.license.secretName, you will also need to set an imagePullSecret ## with the license in dockerconfigjson form. If setting the license via global.license.file, the image pull ## secret is generated automatically. ## # # license: # file: ABCD1234 # Full license file or Base64 data part of the license. Can also be set using --set-file global.license.file=/path/to/file # secretName: my-example-license-secret # Name of Secret that contains the license. License should be in the "license" key in the secret. # ## ## Image pull settings ## ## For airgap installations, the registry and an image pull secret that can pull from that registry are required. ## # # image: # registry: registry.example.com/gradle-enterprise # Registry to pull images from. Default registry.gradle.com/gradle-enterprise # imagePullSecret: my-example-image-pull-secret # # tag: some-custom-tag # Tag to pull. Default is the Gradle Enterprise version. # imagePullPolicy: Always # Default IfNotPresent. # ## ## Storage settings ## ## There are no defaults set. If your cluster has a default storage class, this will be used. ## Otherwise you will need to set the storage class to be used for data and logs, and also backups if ## using the embedded database. ## # # storage: # data: # class: fast-storage # backup: # class: slow-cheap-storage # logs: # class: general-storage # ## ## Openshift ## ## Set to true if Gradle Enterprise will be deployed in an OpenShift cluster. ## # # openshiftInstallation: true # Default false # ## ## Unattended installation ## ## These cover auto-configuring aspects of Gradle Enterprise that are controlled by the Administration section of the application. ## Contact Gradle Support for assistance with unattended installation. ## # # unattended: # key: oijqefoijqOIQJFoijefoiqjfoij # Encryption key for secrets in the configuration, if any. Default none. # configuration: # version: 5 # systemPassword: "FEIpqflj265QEFq2efq54e" # auth: # anonymousRoles: # - buildScanView # - buildScanPublish # advanced: # jvmOptions: # app: # heapMemory: 7168 # network: # additionalTrust: # Default none. # proxy: # protocol: https # Default http # host: host.gradle.com # port: 8080 # Default 80 # excludedHosts: # Default empty # - some.external # - '*.internal' # auth: # Default none # username: user # password: "FEIpqflj265QEFq2efq54e" # ## ## Horizontal scaling ## # # scaling: # replicas: 5 # Default 1. # antiAffinity: # enabled: true # Default false # topologyKey: my-example-topology-key # Default "kubernetes.io/hostname" # ## ## Network policies ## ## Whether to create network policies to restrict traffic from Gradle Enterprise pods. ## By default these are not created. ## # # networkPolicies: true # Default false. # ## ## Node selection ## # # nodeSelector: # Default none # foo: bar # tolerations: # - key: "dedicated" # Default none # operator: "Equal" # value: "node-taints" # effect: "NoSchedule" # ## ## Pod annotations ## ## Set if you require additional pod annotations to support other Kubernetes tooling. ## # # podAnnotations: # ann1: foo # ann2: "bar.io/baz" # ## ## End global section ## ## ## Database section ## ## By default, Gradle Enterprise will store data in an embedded database. ## To connect to a user-managed database, configure connection details here. ## # # database: # location: user-managed # Default "embedded" # ## ## Embedded database resources and storage ## ## If using the embedded database, its resources can be configured here. ## # # resources: # requests: # cpu: 500m # Default 250m # memory: 2Gi # Default 1Gi # limits: # cpu: 4 # Default 2 # memory: 20Gi # Default 8Gi # # storage: # data: # capacity: 500Gi # Default 250Gi # backup: # capacity: 750Gi # Default 250Gi ## Logs can be configured for both embedded and user-managed databases. # logs: # capacity: 400Mi # Default 200Mi # ## ## User-managed database connection details ## ## Connection details can be set here directly or specified by a ConfigMap. ## # # connection: # configMapName: my-example-database-connection-config-map # # OR # host: db.example.com # Required for user-managed database if connection secret not provided. # port: 5555 # Default 5432 # databaseName: example_gradle_enterprise_prod # Required for user-managed database if connection secret not provided. # params: "?ssl=false" # No default. # ## ## User-managed database credentials ## ## Credentials details can be set here directly or specified by secrets. ## ## Typically only a superuser account credential is required - Gradle Enterprise can then create other ## necessary accounts and schemas for the app automatically. ## ## It is also possible to instead set up the database using a script and only configure the more restricted ## application account credentials here. ## ## If you specify the name a secret that isn't managed by the Gradle Enterprise Helm installation, your ## installation won't be automatically restarted during `helm upgrade` when the underlying secret value changes. ## When the secret value changes, you need to restart all the pods in the Gradle Enterprise Helm installation, ## to take this change into account. # # credentials: # # superuser: # secretName: my-example-db-superuser-secret # # OR # username: postgres # password: "superS3cret!" # # # OR # app: # secretName: my-example-db-app-secret # # OR # password: "superS3cret!" # migrator: # secretName: my-example-db-migrator-secret # # OR # password: "superS3cret!" # ## ## End database section ## ## ## Ingress section ## ## By default, Gradle Enterprise does not create an Ingress to route traffic. ## A built-in ingress can be enabled and configured here. ## # # ingress: # enabled: true # Default false # ingressClassName: my-example-ingress-class # No default, use the default ingress provided by the cluster, if any. # annotations: # Set of custom ingress annotations. Default none, applied to every ingress objects # ann1: foo # ann2: "bar.io/baz" ## ## Ingress SSL settings ## ## By default, the generated Ingress will have HTTPS support and use self-signed SSL certificates. ## Both of these can be changed. Certificates can be set directly here, set using ## --set-file ingress.ssl.key=keyfile --set-file ingress.ssl.cert=certfile ## or set in a Secret. ## # # ssl: # enabled: false # Default true except if `global.externalSSLTermination: true` # # OR # key: | # -----BEGIN RSA PRIVATE KEY----- # MIIEpQIBAAKCAQEA4qV8JlqDMi7y85Ykq8dn7uIsi609D6KuFtlc+UvNYjatz0+u # ... # G7tI0qQ6F20e5R4tPpEDKCFZykyvgGMhfLzsvVlrgaVW8QbVK4YWNtQ= # -----END RSA PRIVATE KEY----- # cert: | # -----BEGIN CERTIFICATE----- # MIIDKjCCAhKgAwIBAgIRAPNTIHf6/oUuzMKm3ffGNOgwDQYJKoZIhvcNAQELBQAw # .. # z+P5RmRxU/kaaFB+Vuw1pRezbaAtZNorVgXnBwrdseY4zLGyhAcGcR9v+VtCiQ== # -----END CERTIFICATE----- # # OR # secretName: my-example-ingress-ssl-cert-secret # ## ## HTTP Ingress settings ## ## Some features of Gradle enterprise that use HTTP (REST API, GraphQL) may require a specific ## configuration to be compatible with the Ingress implementation in-use in your Kubernetes cluster. ## For this section, we recommend you to consult the official documentation of your Ingress Controller ## # http: ## Set of custom ingress annotations. Default none, applied to ingress objects in charge of http rules ## Those annotations have precedence over `ingress.annotations` in case of conflict. # annotations: # nginx.ingress.kubernetes.io/proxy-body-size: "0" # nginx.ingress.kubernetes.io/proxy-request-buffering: "off" # serviceAnnotations: # Set of custom service annotations. Default none, applied to services backed by a GRPC compatible component # projectcontour.io/upstream-protocol.h2c: "http" ## ## GRPC Ingress settings ## ## Some features of Gradle enterprise that use GRPC (e.g. Bazel build scans) may require a specific ## configuration to be compatible with the Ingress implementation in-use in your Kubernetes cluster. ## GRPC calls are internally using `Http2 without TLS`, also called `h2c`. ## For this section, we recommend you to consult the official documentation of your Ingress Controller and specifically ## the section about GRPC support. # grpc: ## Set of custom ingress annotations. Default none, applied to ingress objects in charge of grpc rules ## Those annotations have precedence over `ingress.annotations` in case of conflict. # annotations: # nginx.ingress.kubernetes.io/backend-protocol: "GRPC" # serviceAnnotations: # Set of custom service annotations. Default none, applied to services backed by a GRPC compatible component # projectcontour.io/upstream-protocol.h2c: "grpc" ## ## End ingress section ## ## ## Proxy section ## ## The proxy is the main entrypoint for web-based traffic into Gradle Enterprise. ## If not using the default Ingress, you should route traffic to the gradle-proxy service ## using a service with an external ip, a node port, a load balancer, an OpenShift route ## or some other method. ## If the method used passes TCP traffic straight through to the proxy, and you want to use HTTPS (strongly recommended), ## enable it here, similar to the ingress ssl option above. ## # # proxy: # ssl: # enabled: true # Default false # # OR # key: | # -----BEGIN RSA PRIVATE KEY----- # MIIEpQIBAAKCAQEA4qV8JlqDMi7y85Ykq8dn7uIsi609D6KuFtlc+UvNYjatz0+u # ... # G7tI0qQ6F20e5R4tPpEDKCFZykyvgGMhfLzsvVlrgaVW8QbVK4YWNtQ= # -----END RSA PRIVATE KEY----- # cert: | # -----BEGIN CERTIFICATE----- # MIIDKjCCAhKgAwIBAgIRAPNTIHf6/oUuzMKm3ffGNOgwDQYJKoZIhvcNAQELBQAw # .. # z+P5RmRxU/kaaFB+Vuw1pRezbaAtZNorVgXnBwrdseY4zLGyhAcGcR9v+VtCiQ== # -----END CERTIFICATE----- # # OR # secretName: my-example-proxy-ssl-cert-secret ## ## Proxy resources ## ## Resources used by the proxy pod ## # # resources: # requests: # cpu: 1000m # Default 1000m # memory: 512Mi # Default 512Mi # limits: # cpu: 1000m # Default 1000m # memory: 1Gi # Default 1Gi # storage: # logs: # capacity: 800Mi # Default 800Mi ## ## End proxy section ## ## ## Operator section ## # # operator: # resources: # requests: # cpu: 1 # Default 100m # memory: 1Gi # Default 1Gi # limits: # cpu: 4 # Default 2 # memory: 2Gi # Default 2Gi # storage: # logs: # capacity: 400Mi # Default 200Mi # ## ## End operator section ## ## ## Enterprise app section ## # # enterprise: # storage: # logs: # capacity: 400Mi # Default 200Mi. Mainly useful to increase if needing to capture a heap dump. # resources: # requests: # cpu: 2 # Default 1 # memory: 8Gi # Default 4Gi # limits: # cpu: 2 # Default 2 # memory: 16Gi # Default 4Gi # serviceAccount: # annotations: ## If using Amazon EKS and S3 Build Scan storage, follow these instructions to allow Gradle Enterprise to access S3 using a service account: ## https://docs.gradle.com/enterprise/helm-kubernetes-installation/current/#s3_eks_service_account # "eks.amazonaws.com/role-arn": "arn:aws:iam::111122223333:role/the-enterprise-iam-role-name" ## For both, token and key: the default value is empty and then uses the previously set value or, if this is not available, generates random value. ## If a fixed value is required it can be specified here. ## To generate a value, `cat /dev/urandom | head -c | base64` can be used, for example. # session: # # token used for signing the data associated with client sessions. Should be a secret key of 64 byte length, base64 encoded. # token: # Default empty # # key is a symmetric encryption key used for client-side session data. Should be a cryptographically secure byte value of length 16, base64 encoded. # key: # Default empty ## ## End enterprise app section ## ## ## Enterprise app background processor section ## # enterpriseBackgroundProcessor: # enabled: # Default false # storage: # logs: # capacity: 400Mi # Default 200Mi. Mainly useful to increase if needing to capture a heap dump. # resources: # requests: # cpu: 2 # Default 1 # memory: 8Gi # Default 4Gi # limits: # cpu: 2 # Default 2 # memory: 16Gi # Default 4Gi # scaling: # replicas: 5 # Default global.scaling.replicas # serviceAccount: # annotations: ## If using Amazon EKS and S3 Build Scan storage, follow these instructions to allow Gradle Enterprise to access S3 using a service account: ## https://docs.gradle.com/enterprise/helm-kubernetes-installation/current/#s3_eks_service_account # "eks.amazonaws.com/role-arn": "arn:aws:iam::111122223333:role/the-enterprise-iam-role-name" # ## End Enterprise app background processor section ## ## ## Build cache node section ## ## The amount of storage allocated to the built-in build cache node can be set here. ## ## If you specify the name a secret that isn't managed by the Gradle Enterprise Helm installation, your ## installation won't be automatically restarted during `helm upgrade` when the underlying secret value changes. ## When the secret value changes, you need to restart all the pods in the Gradle Enterprise Helm installation, ## to take this change into account. # # buildCacheNode: # storage: # data: # capacity: 100Gi # Default 10Gi # logs: # capacity: 400Mi # Default 200Mi # # resources: # requests: # cpu: 1 # Default 1 # memory: 4Gi # Default 1Gi # limits: # cpu: 2 # Default 2 # memory: 8Gi # Default 2Gi # # buildCacheBuiltin: # secretName: my-example-build-cache-builtin-secret # Being the key build.cache.builtin.secret # # OR # value: "superS3cret!" ## ## End build cache node section ## ## ## Test distribution section ## ## The amount of storage allocated to the test distribution broker can be set here. ## # # testDistribution: # storage: # data: # capacity: 100Gi # Default 10Gi # logs: # capacity: 400Mi # Default 200Mi # # resources: # requests: # cpu: 2 # Default 1 # memory: 8Gi # Default 2Gi # limits: # cpu: 2 # Default 2 # memory: 16Gi # Default 2Gi # ## ## End test distribution section ## ## ## Metrics section ## ## The amount of storage allocated to metrics can be set here. ## # # metrics: # storage: # data: # capacity: 100Gi # Default 10Gi # # resources: # requests: # cpu: 1 # Default 50m # memory: 1Gi # Default 256Mi # limits: # cpu: 2 # Default 250m # memory: 2Gi # Default 500Mi # ## ## End metrics section ## ## ## Authentication broker section ## ## Resources allocated to the authentication broker can be set here. ## ## If you specify the name a secret that isn't managed by the Gradle Enterprise Helm installation, your ## installation won't be automatically restarted during `helm upgrade` when the underlying secret value changes. ## When the secret value changes, you need to restart all the pods in the Gradle Enterprise Helm installation, ## to take this change into account. # # authenticationBroker: # resources: # requests: # cpu: 1 # Default 500m # memory: 2Gi # Default 1Gi # limits: # cpu: 4 # Default 2 # memory: 4Gi # Default 2Gi # storage: # logs: # capacity: 400Mi # Default 200Mi # # adminPassword: # secretName: my-example-admin-password-secret # Being the key keycloak.admin.password # # OR # value: "superS3cret!" # clientSecret: # secretName: my-example-client-secret-secret # Being the key keycloak.client.secret # # OR # value: "superS3cret!" ## ## End authentication broker section ## ## ## Monitoring section ## ## Resources allocated to the monitoring can be set here. ## # # monitoring: # logging: # resources: # requests: # cpu: 500m # Default 500m # memory: 256Mi # Default 256Mi # limits: # cpu: 1000m # Default 1000m # memory: 512Mi # Default 512Mi # storage: # data: # capacity: 20Gi # Default 20Gi # ## ## End monitoring section ##