# Default values for nifi-registry.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
  replicaCount: 1

  image:
    repository: apache/nifi-registry
    pullPolicy: IfNotPresent
    tag: "1.24.0"

  initContainers:
    git:
      image: alpine/git
      tag: v2.26.2
    alpine:
      image: alpine
      tag: 3.6
    # Additional environment variables to set for the initContainers
    # extraEnvs:
    #   - name: FOO
    #     value: bar

  imagePullSecrets: []
  nameOverride: "nr"
  fullnameOverride: "nr"
  service:
    type: ClusterIP
    port: 18443
  podSecurityContext: {}
    # fsGroup: 2000

  securityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: false
    # runAsUser: 0

  ingress:
    enabled: true
    annotations: 
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    hosts:
      - host: my-nifi-registry.company.net
        paths:
          - path: /nifi-registry
            pathType: ImplementationSpecific
          - path: /nifi-registry-api
            pathType: ImplementationSpecific
          - path: /nifi-registry-docs
            pathType: ImplementationSpecific
  ## Persist data to a persistent volume
  persistence:
    enabled: true
    database:
      # storageClass: "-"
      accessMode: ReadWriteOnce
      size: 10Gi
    flowStorage:
      # storageClass: "-"
      accessMode: ReadWriteOnce
      size: 10Gi

  resources: {}
    # limits:
    #   cpu: 300m
    #   memory: 256Mi
    # requests:
    #   cpu: 300m
    #   memory: 256Mi

  bundleProvider:
    file:
      enabled: true
      # -- the path in the running pod where the git repo will be cloned into
      # either absolute or relative to the container working directory, which is NIFI_REGISTRY_HOME
      # If you elect to use a non-default location, you must also update the property associated.
      storageDirectory: ./extension_bundles

  flowProvider:
    git:
      enabled: false
      # Repository to be cloned at pod startup
      url:
      # Sets NIFI_REGISTRY_GIT_REMOTE for update_flow_provider.sh
      remote: origin
      # Sets NIFI_REGISTRY_GIT_USER for update_flow_provider.sh
      user:
      # Sets NIFI_REGISTRY_GIT_PASSWORD for update_flow_provider.sh
      password:
      # passwordSecret(Name|Key) is the name and key of the k8s secret holding the password (can be used instead of password)
      # passwordSecretName:
      # passwordSecretKey:
      # Global Git configuration See https://git-scm.com/docs/git-config for more details.
      config:
        enabled: false
        data: ""
        # data: |
        #   [credential "https://github.com"]
        #           username = foo
      ssh:
        # To use an SSH public/private keypair as a Kubernetes secret:
        # 1. Generate a SSH key named id_rsa:
        #      ssh-keygen -q -N "" -f ./id_rsa
        # 2. Create a Kubernetes secret:
        #      kubectl -n nifi-registry create secret generic nifi-registry-git-ssh --from-file=./id_rsa
        # 3. Don't check these key files into your Git repository! Once you've created
        #    the Kubernetes secret, Delete the private key:
        #      rm ./id_rsa
        # 4. Add ./id_rsa.pub as a deployment key with write access in your Git repo
        # 5. Set the secret name (e.g., nifi-registry-git-ssh) here:
        secretName:
        # 6. Provide the public key(s) of the SSH server(s) for $HOME/.ssh/known_hosts
        known_hosts:
        # 7. Set the GIT_SSH_COMMAND
        gitSshCommand: "ssh -v"
        # 8. specify the config which would go in $HOME/.ssh/config file, for e.g.
        # config: |
        #   Host github.com
        #   ProxyCommand socat STDIO PROXY:<proxyIP>:%h:%p,proxyport=<proxyPort>,proxyauth=<username:password>
        #   User git
        #   Hostname ssh.github.com
        #   Port 443
        #   IdentityFile /etc/fluxd/ssh/identity
        # or, if using an SSH public/private keypair:
        config: |
          StrictHostKeyChecking accept-new

  # Additional environment variables to set
  extraEnvs: []
  # extraEnvs:
  #   - name: FOO
  #     value: bar

  # Configuration to run NiFi Registry securely
  # c.f. https://nifi.apache.org/docs/nifi-registry-docs/html/administration-guide.html#security_configuration
  # TLS keystores and truststores must be configured to run secure;
  # see (e.g.) certManager (below)

  security:
    # Disabled by default (following the principle of least astonishment)
    enabled: true
    needClientAuth: true
    httpsHost: "0.0.0.0"
    httpsPort: 18443
    admin: "Initial Administrator"
    persistence:
    # storageClass: "-"
      accessMode: ReadWriteOnce
      size: 1Gi
    # ConfigMap with users.xml and authorizations.xml keys; note that these
    # settings will override the admin: key above if present
    authConf:

  # cert-manager support
  # Setting this true will have cert-manager create a private CA just for NiFi Registry,
  # including certificates for each NiFi Registry node.
  certManager:
    # If true, use cert-manager to create and rotate intra-NiFi-Registry-cluster
    # TLS keys (note that cert-manager is a Kubernetes cluster-wide resource, so
    # is not installed automatically by this chart); c.f. https://cert-manager.io
    enabled: true
    # TLS Common Name of a client, suitable for using as an initial administrator.
    # The client certificate (including private key) will be in a Kubernetes
    # TLS secret of the name {{ template "nifi-registry.fullname"}}-client
    clientCommonName: "Initial Administrator"
    # Kubernetes cluster top level domain, to generate fully qualified domain names
    # for certificate Common Names
    clusterDomain: cluster.local
    # Java Key Store (JKS) password for NiFi Registry keystore
    keystorePasswd: changeme
    # Java Key Store (JKS) password for NiFi Registry truststore
    truststorePasswd: changeme
    # Additional DNS names to incorporate into TLS certificates (e.g. where users
    # point browsers to access the NiFi Registry UI)
    additionalDnsNames:
      - localhost
      - my-nifi-registry.company.net
    # Names of Kubernetes secrets containing ca.crt keys to add to the
    # NiFi Registry truststore (e.g. CAs of NiFi Registry clients)

    # If your (e.g.) OIDC server is using TLS with a private CA, then set this
    # to true so that Java will use the cert-manager-derived TrustStore:
    replaceDefaultTrustStore: true
    # How often the sidecar refreshes the NiFi keystore and truststore from
    # the cert-manager Kubernetes secrets (and other caSecrets)
    refreshSeconds: 300
    # sidecar resources needed to populate and refresh those secrets
    resources:
      requests:
        cpu: 100m
        memory: 128Mi
      limits:
        cpu: 100m
        memory: 128Mi
    # cert-manager takes care of rotating the TLS certificates, so default
    # their lifetime to 90 days.  But when the CA expires you may need to
    # 'helm delete' the cluster, delete all the TLS certificates and secrets,
    # and then 'helm install' the NiFi Registry cluster again.  If a site-to-site trusted
    # CA or a NiFi Registry CA certificate expires, you'll need to restart all
    # pods to pick up the new version of the CA certificate.  So default the CA
    # lifetime to 10 years to avoid that happening very often.
    # c.f. https://github.com/cert-manager/cert-manager/issues/2478#issuecomment-1095545529
    certDuration: 2160h0m0s
    caDuration: 87660h0m0s