Chart reference

The Helm chart aims to offer easy configuration through values for the most commonly used Kubernetes and Stream features. If something you need is not yet covered, you can also use:

The chart source is also freely available to investigate unwanted behaviors.

kubeVersion

Force target Kubernetes version (using Helm capabilities if not set)

kubeVersion: ""

nameOverride

String to partially override stream.fullname

nameOverride: ""

fullnameOverride

String to fully override stream.fullname

fullnameOverride: ""

imageRegistry

String to override the image registry for all containers

imageRegistry: ""

commonLabels

Labels to add to all deployed objects

commonLabels: {}

commonAnnotations

Annotations to add to all deployed objects

commonAnnotations: {}

image

By default, we fetch the Stream image from the Evertrust registry. If the tag is null or unset, it defaults to the chart appVersion. As the official Evertrust registry is not openly accessible, you should specify an image pull secret that has access to Stream images.

registry

Stream image registry

image.registry: "registry.evertrust.io"

repository

Stream image repository

image.repository: "stream"

tag

Stream image tag (immutable tags are recommended)

image.tag: "2.1.8"

flavor

Stream image flavor (for HSM compatible images)

image.flavor: ""

pullPolicy

Stream image pull policy

image.pullPolicy: "IfNotPresent"

pullSecrets

Stream image pull secrets

image.pullSecrets: []

updateStrategy

Set it to Recreate if you use a PV that cannot be mounted on multiple pods
Example
updateStrategy:
 type: RollingUpdate
 rollingUpdate:
   maxSurge: 25%
   maxUnavailable: 25%

type

Stream deployment strategy type

updateStrategy.type: "Recreate"

deploymentAnnotations

Annotations to add to the deployment object

deploymentAnnotations: {}

deploymentLabels

Labels to add to the deployment object

deploymentLabels: {}

priorityClassName

Stream pod priority class name

priorityClassName: ""

hostAliases

Stream pod host aliases

hostAliases: []

extraVolumes

Optionally specify a list of additional volumes for Stream pods

extraVolumes: []
Example
extraVolumes:
  - name: extra-volume-name
    configMap:
      name: example-configmap

extraVolumeMounts

Optionally specify a list of additional volumeMounts for Stream container(s)

extraVolumeMounts: []
Example
extraVolumeMounts:
  - name: extra-volume-name
    mountPath: /mnt/extra-volume

sidecars

Add additional sidecar containers to the Stream pod

sidecars: []
Example
sidecars:
  - name: your-image-name
    image: your-image
    imagePullPolicy: Always
    ports:
      - name: portname
        containerPort: 1234

initContainers

Add additional init containers to the Stream pod

initContainers: []

lifecycleHooks

Add lifecycle hooks to the Stream deployment

lifecycleHooks: {}

podLabels

Extra labels for Stream pods

podLabels: {}

podAnnotations

Annotations for Stream pods

podAnnotations: {}

podAffinityPreset

Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard

podAffinityPreset: ""

podAntiAffinityPreset

Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard

podAntiAffinityPreset: "soft"

nodeAffinityPreset

Node affinity preset

type

Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard

nodeAffinityPreset.type: ""

key

Node label key to match. Ignored if affinity is set

nodeAffinityPreset.key: ""

values

Node label values to match. Ignored if affinity is set

nodeAffinityPreset.values: []
Example
values:
  - e2e-az1
  - e2e-az2

revisionHistoryLimit

Number of controller revisions to keep

revisionHistoryLimit: 3

replicas

Replica count when no autoscaler is configured

replicas: 1

affinity

podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set
affinity: {}

nodeSelector

Node labels for pod assignment

nodeSelector: {}

tolerations

Tolerations for pod assignment

tolerations: []

topologySpreadConstraints

Spread Constraints for pod assignment

topologySpreadConstraints: []
Example
topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: node
    whenUnsatisfiable: DoNotSchedule

resources

Stream containers' resource requests and limits

The JVM will automatically adapt the memory allocation pool to the container allocated resources.

limits

The resources limits for the Stream container

resources.limits: {}

requests

The requested resources for the Stream container

resources.requests:
  memory: 512Mi
  cpu: 300m

podSecurityContext

Configure Pods Security Context

enabled

Enable Stream pods' Security Context

podSecurityContext.enabled: true

fsGroup

Set Stream pod’s Security Context fsGroup

podSecurityContext.fsGroup: 1001

containerSecurityContext

Configure Container Security Context (only main container)

enabled

Enable Stream containers' Security Context

containerSecurityContext.enabled: true

runAsUser

Set Stream container’s Security Context runAsUser

containerSecurityContext.runAsUser: 1001

runAsNonRoot

Set Stream container’s Security Context runAsNonRoot

containerSecurityContext.runAsNonRoot: true

livenessProbe

Configure extra options for Stream containers probes

enabled

Enable livenessProbe

livenessProbe.enabled: true

initialDelaySeconds

Initial delay seconds for livenessProbe

livenessProbe.initialDelaySeconds: 0

periodSeconds

Period seconds for livenessProbe

livenessProbe.periodSeconds: 10

timeoutSeconds

Timeout seconds for livenessProbe

livenessProbe.timeoutSeconds: 5

successThreshold

Success threshold for livenessProbe

livenessProbe.successThreshold: 1

failureThreshold

Failure threshold for livenessProbe

livenessProbe.failureThreshold: 3

startupProbe

A startup probe lets us define a shorter probe period to improve Stream's time-to-liveness while protecting the Stream pod from a restart loop when it is slow to start.

enabled

Enable startupProbe. Since Stream is slow to start, this is highly recommended.

startupProbe.enabled: true

failureThreshold

Failure threshold for startupProbe

startupProbe.failureThreshold: 60

periodSeconds

Period seconds for startupProbe

startupProbe.periodSeconds: 3

horizontalAutoscaler

Stream Autoscaling configuration

enabled

Enable Horizontal Pod autoscaling for Stream

horizontalAutoscaler.enabled: false

minReplicas

Minimum number of Stream replicas

horizontalAutoscaler.minReplicas: 1

maxReplicas

Maximum number of Stream replicas

horizontalAutoscaler.maxReplicas: 3

targetCPU

Target CPU utilization percentage

horizontalAutoscaler.targetCPU: 50

targetMemory

Target Memory utilization percentage

horizontalAutoscaler.targetMemory: 50

disruptionBudget

Pod Disruption Budget configuration

enabled

Create a PodDisruptionBudget

disruptionBudget.enabled: false

minAvailable

Min number of pods that must still be available after the eviction

disruptionBudget.minAvailable: 1

maxUnavailable

Max number of pods that can be unavailable after the eviction

disruptionBudget.maxUnavailable: 0

environment

Configure environment variable injections into Stream’s pods. This is the way you should inject secrets into the app if you wish to use the Kubernetes secrets implementation.

environment: []

dnsConfig

Pod’s DNS Configuration

This value is useful if you need to resolve your custom domain for ACME challenges

dnsConfig: {}
Example
nameservers:
  - 1.2.3.4
searches:
  - ns1.svc.cluster-domain.example
  - my.dns.search.suffix
options:
  - name: ndots
    value: "2"

dnsPolicy

Pod’s DNS Policy

dnsPolicy: "ClusterFirst"

service

Service configuration

type

Kubernetes service type

service.type: "ClusterIP"

clusterIP

Stream service cluster IP

service.clusterIP: ""
Example
clusterIP: None

loadBalancerIP

Load balancer IP for the Stream Service (optional, cloud specific)

service.loadBalancerIP: ""

loadBalancerSourceRanges

Addresses that are allowed when the service type is LoadBalancer

service.loadBalancerSourceRanges: []
Example
loadBalancerSourceRanges:
  - 10.10.10.0/24

externalTrafficPolicy

Enable client source IP preservation

service.externalTrafficPolicy: "Cluster"

extraPorts

Extra port to expose on Stream service

service.extraPorts: []

annotations

Annotations for Stream service

service.annotations: {}

ingress

Ingress configuration

enabled

Set to true to enable ingress record generation

ingress.enabled: false

ingressClassName

IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)

ingress.ingressClassName: ""

hostname

Default host for the ingress resource

ingress.hostname: ""

path

Default path for the ingress record. NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers.

ingress.path: "/"

pathType

Ingress path type

ingress.pathType: "Prefix"

annotations

Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.

ingress.annotations: {}
Example
annotations:
  cert-manager.io/cluster-issuer: cluster-issuer-name

tls

Enable TLS configuration for the hostname defined at ingress.hostname. TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}. You can use the ingress.secrets parameter to create this TLS secret, rely on cert-manager to create it, or let the chart create self-signed certificates for you.

ingress.tls: false

extraHosts

Additional hostnames to be covered with this ingress record. Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array.

ingress.extraHosts: []
Example
extraHosts:
- name: stream.local
  path: /

extraPaths

An array with additional arbitrary paths that may need to be added to the ingress under the main host

ingress.extraPaths: []
Example
extraPaths:
- path: /*
  backend:
    serviceName: ssl-redirect
    servicePort: use-annotation

extraTls

The tls configuration for additional hostnames to be covered with this ingress record.

ingress.extraTls: []
Example
extraTls:
- hosts:
    - stream.local
  secretName: stream.local-tls

extraRules

Additional rules to be covered with this ingress record

ingress.extraRules: []
Example
extraRules:
- host: stream.local
  http:
    path: /
    backend:
      service:
        name: stream
        port:
          name: http

appSecret

Configure the Play secret for the Stream instance. As this is used for cryptographic purposes, it should be fetched from the environment.

appSecret:
  secretName: ''
  secretKey: ''
Example
appSecret:
  valueFrom:
    secretKeyRef:
      name: stream-secret
      key: appSecret

license

A valid Stream license is required for the software to run. You should store it (base64-encoded) in a Kubernetes secret and specify the secret details here.

secretName

Existing secret name where the Stream license is stored

license.secretName: ""

secretKey

Existing secret key where the Stream license is stored

license.secretKey: ""

initialAdminHashPassword

Set up initial admin user.

enabled

Whether to enable the initial admin user

initialAdminHashPassword.enabled: false

secretName

Existing secret name where the initial admin password is stored

initialAdminHashPassword.secretName: ""

secretKey

Existing secret key where the initial admin password is stored

initialAdminHashPassword.secretKey: ""

allowedHosts

Additional allowed hosts that are whitelisted to access the Stream UI. Configured ingresses will automatically be added to the list, so this should only be used when port forwarding or when an ingress is created manually.

allowedHosts:
  - localhost:9000
  - localhost:9443
Example
allowedHosts:
  - localhost:9000
  - demo.example.org

trustedProxies

Depending on your Kubernetes environment, Ingress IPs may be unpredictable. In that case, you should whitelist every IP in your local addressing space.

trustedProxies:
  - 0.0.0.0/0
  - '::/0'
Example
trustedProxies:
  - 0.0.0.0/0
  - ::/0
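
An added example, not part of the chart or its documentation: a Python check that flags the network-trust settings described above in a parsed values file, including the default trustedProxies entries, which match every address rather than only a local addressing space. The names audit_values and CHART_DEFAULTS are hypothetical, and the values are assumed to be already loaded into a dict (for instance with a YAML parser).

```python
import ipaddress

# Chart defaults for the keys audited below, copied from this reference.
CHART_DEFAULTS = {
    "service": {"type": "ClusterIP", "loadBalancerSourceRanges": []},
    "ingress": {"enabled": False, "tls": False, "extraTls": []},
    "trustedProxies": ["0.0.0.0/0", "::/0"],
}


def audit_values(values):
    """Return findings for the network-trust keys of a parsed values dict."""
    findings = []

    # trustedProxies: the page asks for the local addressing space only.
    for entry in values.get("trustedProxies") or []:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"trustedProxies: {entry!r} is not an IP or CIDR")
            continue
        if net.prefixlen == 0:
            findings.append(f"trustedProxies: {entry!r} trusts every address")
        elif not net.is_private:
            findings.append(f"trustedProxies: {entry!r} is not a private range")

    # A LoadBalancer service with no source ranges is not restricted by this key.
    service = values.get("service") or {}
    if service.get("type") == "LoadBalancer":
        if not service.get("loadBalancerSourceRanges"):
            findings.append("service: LoadBalancer without loadBalancerSourceRanges")

    # Ingress enabled with neither ingress.tls nor ingress.extraTls set.
    ingress = values.get("ingress") or {}
    if ingress.get("enabled") and not (ingress.get("tls") or ingress.get("extraTls")):
        findings.append("ingress: enabled without tls or extraTls")

    return findings


if __name__ == "__main__":
    # Audit the chart defaults listed on this page.
    for finding in audit_values(CHART_DEFAULTS):
        print(finding)
```
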

events

Configuration for Stream events

chainsign

Whether Stream events should be signed and chained using the event seal secret.

events.chainsign: true

ttl

Duration during which events are kept in database.

events.ttl: "90 days"

logFormat

Format in which logs will be outputted. Can be set either to "console" or "json" for structured logging.

logFormat: "console"

serviceAccount

Stream pods ServiceAccount

create

Enable the creation of a ServiceAccount for Stream pods

serviceAccount.create: true

name

Name of the created ServiceAccount

If not set and create is true, a name is generated using the stream.fullname template

serviceAccount.name: ""

annotations

Annotations for Stream Service Account

serviceAccount.annotations: {}

automountServiceAccountToken

Automount service account token for the server service account

serviceAccount.automountServiceAccountToken: true

clientCertificateHeader

Indicates to Stream in which header the client certificate will be passed by the Ingress controller.

clientCertificateHeader: ""

podsDirectConnect

Whether Stream pods should connect to each other directly via IP, or through a DNS record generated by a Kubernetes DNS server. Useful if the kube-dns server is configured with "pods disabled" or if you use GKE Cloud DNS. NOTE: This is not supported by Istio.

podsDirectConnect: false

extraConfig

Additional configuration for Stream. Injecting arbitrary config could result in unexpected behavior. Proceed with caution.

extraConfig: ""
Example
extraConfig: |
  stream {
    notification.mail.attachment.extension.der = "der"
  }

externalDatabase

Configuration for a Stream external database. Refer to the Stream installation guide to configure the installation correctly.

secretName

Existing secret name where the external MongoDB URI is stored

externalDatabase.secretName: ""

secretKey

Existing secret key where the external MongoDB URI is stored

externalDatabase.secretKey: ""

mailer

Configuration for the Stream mailer. You should configure this if you want your Stream instance to be able to send emails. You should fetch credentials from the environment if they are required.

host

SMTP host

mailer.host: ""

port

SMTP host port

mailer.port: ""

tls

Enable TLS for this SMTP host

mailer.tls: ""

ssl

Enable SSL for this SMTP host

mailer.ssl: ""

user

Authentication username for this SMTP host

mailer.user: ""

password

The password field can be a reference to a secret.

mailer.password: {}
Example
password:
  valueFrom:
    secretKeyRef:
      name: stream-secret
      key: mailerPassword

extraObjects

Create dynamic manifests via values

extraObjects: []
Example
- apiVersion: "kubernetes-client.io/v1"
  kind: ExternalSecret
  metadata:
    name: stream-secrets
  spec:
    backendType: gcpSecretsManager
    data:
      - key: stream-secret-key
        name: stream-secret-name

metrics

Enable Prometheus metrics

enabled

Whether to enable Prometheus metrics

metrics.enabled: false

port

Prometheus metrics port

metrics.port: 9095