diff --git a/docs/modules/charts/nav.adoc b/docs/modules/charts/nav.adoc index 95897a7..017ce21 100644 --- a/docs/modules/charts/nav.adoc +++ b/docs/modules/charts/nav.adoc @@ -3,6 +3,7 @@ ** xref:alertmanager-ntfy.adoc[alertmanager-ntfy] ** xref:authentik-application.adoc[authentik-application] ** xref:conduit.adoc[conduit] +** xref:element-call.adoc[element-call] ** xref:forgejo-runner.adoc[forgejo-runner] ** xref:gotosocial.adoc[gotosocial] ** xref:grampsweb.adoc[grampsweb] diff --git a/docs/modules/charts/pages/element-call.adoc b/docs/modules/charts/pages/element-call.adoc new file mode 120000 index 0000000..c551b35 --- /dev/null +++ b/docs/modules/charts/pages/element-call.adoc @@ -0,0 +1 @@ +../../../../element-call/README.adoc \ No newline at end of file diff --git a/element-call/.helmignore b/element-call/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/element-call/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/element-call/Chart.yaml b/element-call/Chart.yaml new file mode 100644 index 0000000..3759519 --- /dev/null +++ b/element-call/Chart.yaml @@ -0,0 +1,10 @@ +apiVersion: v2 +name: element-call +description: Run Element-Call and his dependencies +type: application +version: 0.0.1 +# renovate: image=ghcr.io/element-hq/element-call +appVersion: "0.5.18" +maintainers: + - name: WrenIX + url: https://wrenix.eu diff --git a/element-call/README.adoc b/element-call/README.adoc new file mode 100644 index 0000000..f11fb87 --- /dev/null +++ b/element-call/README.adoc @@ -0,0 +1,357 @@ + + += element-call + +image::https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square[Version: 0.0.1] +image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application] +image::https://img.shields.io/badge/AppVersion-0.5.18-informational?style=flat-square[AppVersion: 0.5.18] +== Maintainers + +.Maintainers +|=== +| Name | Email | Url + +| WrenIX +| +| +|=== + +== Usage + +Helm must be installed and setup to your kubernetes cluster to use the charts. +Refer to Helm's https://helm.sh/docs[documentation] to get started. +Once Helm has been set up correctly, fetch the charts as follows: + +[source,bash] +---- +helm pull oci://codeberg.org/wrenix/helm-charts/element-call +---- + +You can install a chart release using the following command: + +[source,bash] +---- +helm install element-call-release oci://codeberg.org/wrenix/helm-charts/element-call --values values.yaml +---- + +To uninstall a chart release use `helm`'s delete command: + +[source,bash] +---- +helm uninstall element-call-release +---- + +== Values + +.Values +|=== +| Key | Type | Default | Description + +| autoscaling.enabled +| bool +| `false` +| + +| autoscaling.maxReplicas +| int +| `100` +| + +| autoscaling.minReplicas +| int +| `1` +| + +| autoscaling.targetCPUUtilizationPercentage +| int +| `80` +| + +| fullnameOverride +| string +| `""` +| + +| global.image.pullPolicy +| string +| `nil` +| if set it will overwrite all pullPolicy + +| global.image.registry +| string +| `nil` +| if set it will overwrite all registry entries + +| imagePullSecrets +| list +| `[]` +| + +| ingress.annotations +| object +| `{}` +| + +| ingress.className +| string +| `""` +| + +| ingress.enabled +| bool +| `false` +| + +| ingress.tls +| list +| `[]` +| + +| nameOverride +| string +| `""` +| + +| service.call.affinity +| object +| `{}` +| + +| service.call.config +| object +| `{}` +| + +| service.call.image.pullPolicy +| string +| `"IfNotPresent"` +| + +| service.call.image.registry +| string +| `"ghcr.io"` +| + +| service.call.image.repository +| string +| `"element-hq/element-call:v0.5.18"` +| + +| service.call.image.tag +| string +| `nil` +| Overrides the image tag whose default is the chart appVersion. + +| service.call.ingress.host +| string +| `nil` +| + +| service.call.livenessProbe.httpGet.path +| string +| `"/"` +| + +| service.call.livenessProbe.httpGet.port +| string +| `"http"` +| + +| service.call.nodeSelector +| object +| `{}` +| + +| service.call.podAnnotations +| object +| `{}` +| + +| service.call.podLabels +| object +| `{}` +| + +| service.call.podSecurityContext +| object +| `{}` +| + +| service.call.readinessProbe.httpGet.path +| string +| `"/"` +| + +| service.call.readinessProbe.httpGet.port +| string +| `"http"` +| + +| service.call.replicaCount +| int +| `1` +| + +| service.call.resources +| object +| `{}` +| + +| service.call.securityContext +| object +| `{}` +| + +| service.call.serviceAccount.annotations +| object +| `{}` +| + +| service.call.serviceAccount.automount +| bool +| `true` +| + +| service.call.serviceAccount.create +| bool +| `true` +| + +| service.call.serviceAccount.name +| string +| `""` +| + +| service.call.tolerations +| list +| `[]` +| + +| service.lkJWT.affinity +| object +| `{}` +| + +| service.lkJWT.config.key +| string +| `"devkey"` +| + +| service.lkJWT.config.secret +| string +| `"secret"` +| + +| service.lkJWT.config.url +| string +| `""` +| + +| service.lkJWT.image.pullPolicy +| string +| `"IfNotPresent"` +| + +| service.lkJWT.image.registry +| string +| `"ghcr.io"` +| + +| service.lkJWT.image.repository +| string +| `"element-hq/lk-jwt-service"` +| + +| service.lkJWT.image.tag +| string +| `"sha-4a29504"` +| + +| service.lkJWT.ingress.host +| string +| `nil` +| + +| service.lkJWT.livenessProbe.httpGet.path +| string +| `"/healthz"` +| + +| service.lkJWT.livenessProbe.httpGet.port +| string +| `"http"` +| + +| service.lkJWT.nodeSelector +| object +| `{}` +| + +| service.lkJWT.podAnnotations +| object +| `{}` +| + +| service.lkJWT.podLabels +| object +| `{}` +| + +| service.lkJWT.podSecurityContext +| object +| `{}` +| + +| service.lkJWT.readinessProbe.httpGet.path +| string +| `"/healthz"` +| + +| service.lkJWT.readinessProbe.httpGet.port +| string +| `"http"` +| + +| service.lkJWT.replicaCount +| int +| `1` +| + +| service.lkJWT.resources +| object +| `{}` +| + +| service.lkJWT.securityContext +| object +| `{}` +| + +| service.lkJWT.serviceAccount.annotations +| object +| `{}` +| + +| service.lkJWT.serviceAccount.automount +| bool +| `true` +| + +| service.lkJWT.serviceAccount.create +| bool +| `true` +| + +| service.lkJWT.serviceAccount.name +| string +| `""` +| + +| service.lkJWT.tolerations +| list +| `[]` +| +|=== + +Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs] + diff --git a/element-call/_docs.gotmpl b/element-call/_docs.gotmpl new file mode 100644 index 0000000..8b13789 --- /dev/null +++ b/element-call/_docs.gotmpl @@ -0,0 +1 @@ + diff --git a/element-call/templates/_helpers.tpl b/element-call/templates/_helpers.tpl new file mode 100644 index 0000000..063b922 --- /dev/null +++ b/element-call/templates/_helpers.tpl @@ -0,0 +1,70 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "element-call.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "element-call.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "element-call.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "element-call.labels" -}} +helm.sh/chart: {{ include "element-call.chart" . }} +{{ include "element-call.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "element-call.selectorLabels" -}} +app.kubernetes.io/name: {{ include "element-call.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "element-call.serviceAccountName" -}} +{{- $ := get . "root" }} +{{- $suffix := get . "suffix" }} +{{- with get . "ctx" }} +{{- if .serviceAccount.create }} +{{- if $suffix }} +{{- default (printf "%s-%s" (include "element-call.fullname" $) $suffix) .serviceAccount.name }} +{{- else }} +{{- default (include "element-call.fullname" $) .serviceAccount.name }} +{{- end }} +{{- else }} +{{- default "default" .serviceAccount.name }} +{{- end }} +{{- end }} +{{- end }} diff --git a/element-call/templates/configmap.yaml b/element-call/templates/configmap.yaml new file mode 100644 index 0000000..4e7df01 --- /dev/null +++ b/element-call/templates/configmap.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "element-call.fullname" . }} + labels: + {{- include "element-call.labels" . | nindent 4 }} +data: + "config.json": | + {{- toJson .Values.service.call.config | nindent 4 }} diff --git a/element-call/templates/deployment.yaml b/element-call/templates/deployment.yaml new file mode 100644 index 0000000..695a1a4 --- /dev/null +++ b/element-call/templates/deployment.yaml @@ -0,0 +1,76 @@ +{{- $fullName := include "element-call.fullname" . -}} +{{- with .Values.service.call }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $fullName }} + labels: + {{- include "element-call.labels" $ | nindent 4 }} + app.kubernetes.io/component: call +spec: + {{- if not $.Values.autoscaling.enabled }} + replicas: {{ .replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "element-call.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: call + template: + metadata: + {{- with .podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "element-call.labels" $ | nindent 8 }} + app.kubernetes.io/component: call + {{- with .podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with $.Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "element-call.serviceAccountName" (dict "root" $ "ctx" .) }} + securityContext: + {{- toYaml .podSecurityContext | nindent 8 }} + containers: + - name: call + securityContext: + {{- toYaml .securityContext | nindent 12 }} + {{- with .image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + livenessProbe: + {{- toYaml .livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .readinessProbe | nindent 12 }} + resources: + {{- toYaml .resources | nindent 12 }} + volumeMounts: + - mountPath: /app/config.json + name: config + subPath: config.json + volumes: + - name: config + configMap: + name: {{ $fullName }} + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }}{{/* end-with .service.call */}} diff --git a/element-call/templates/hpa.yaml b/element-call/templates/hpa.yaml new file mode 100644 index 0000000..573a25d --- /dev/null +++ b/element-call/templates/hpa.yaml @@ -0,0 +1,32 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "element-call.fullname" . }} + labels: + {{- include "element-call.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "element-call.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/element-call/templates/ingress.yaml b/element-call/templates/ingress.yaml new file mode 100644 index 0000000..b3db40b --- /dev/null +++ b/element-call/templates/ingress.yaml @@ -0,0 +1,42 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "element-call.fullname" . -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "element-call.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.ingress.className }} + ingressClassName: {{ . }} + {{- end }} + {{- with .Values.ingress.tls }} + tls: + {{- toYaml . | nindent 4 }} + {{- end }} + rules: + - host: {{ .Values.service.call.ingress.host | quote }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $fullName }} + port: + name: http + - host: {{ .Values.service.lkJWT.ingress.host | quote }} + http: + paths: + - path: /sfu/get + pathType: Exactly + backend: + service: + name: {{ $fullName }}-lk-jwt + port: + name: http +{{- end }} diff --git a/element-call/templates/lk-jwt/deployment.yaml b/element-call/templates/lk-jwt/deployment.yaml new file mode 100644 index 0000000..c504d72 --- /dev/null +++ b/element-call/templates/lk-jwt/deployment.yaml @@ -0,0 +1,76 @@ +{{- $fullName := include "element-call.fullname" . -}} +{{- with .Values.service.lkJWT }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ $fullName }}-lk-jwt + labels: + {{- include "element-call.labels" $ | nindent 4 }} + app.kubernetes.io/component: lk-jwt +spec: + {{- if not $.Values.autoscaling.enabled }} + replicas: {{ .replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "element-call.selectorLabels" $ | nindent 6 }} + app.kubernetes.io/component: lk-jwt + template: + metadata: + {{- with .podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "element-call.labels" $ | nindent 8 }} + app.kubernetes.io/component: lk-jwt + {{- with .podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with $.Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "element-call.serviceAccountName" (dict "root" $ "ctx" . "suffix" "lk-jwt") }} + securityContext: + {{- toYaml .podSecurityContext | nindent 8 }} + containers: + - name: lk-jwt + securityContext: + {{- toYaml .securityContext | nindent 12 }} + {{- with .image }} + image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}" + imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }} + {{- end }} + env: + - name: "LK_JWT_PORT" + value: "8080" + - name: "LIVEKIT_URL" + value: {{ .config.url }} + envFrom: + - secretRef: + name: {{ $fullName }}-lk-jwt + ports: + - name: http + containerPort: 8080 + protocol: TCP + livenessProbe: + {{- toYaml .livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .readinessProbe | nindent 12 }} + resources: + {{- toYaml .resources | nindent 12 }} + {{- with .nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }}{{/* end-with .Values.service.lkJWT */}} diff --git a/element-call/templates/lk-jwt/secret.yaml b/element-call/templates/lk-jwt/secret.yaml new file mode 100644 index 0000000..06968fd --- /dev/null +++ b/element-call/templates/lk-jwt/secret.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "element-call.fullname" . }}-lk-jwt + labels: + {{- include "element-call.labels" . | nindent 4 }} +data: + {{- with .Values.service.lkJWT.config }} + LIVEKIT_KEY: {{ .key | b64enc }} + LIVEKIT_SECRET: {{ .secret | b64enc }} + {{- end }} diff --git a/element-call/templates/lk-jwt/service.yaml b/element-call/templates/lk-jwt/service.yaml new file mode 100644 index 0000000..a0f0e38 --- /dev/null +++ b/element-call/templates/lk-jwt/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "element-call.fullname" . }}-lk-jwt + labels: + {{- include "element-call.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + {{- include "element-call.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: lk-jwt diff --git a/element-call/templates/lk-jwt/serviceaccount.yaml b/element-call/templates/lk-jwt/serviceaccount.yaml new file mode 100644 index 0000000..f46447e --- /dev/null +++ b/element-call/templates/lk-jwt/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- with .Values.service.lkJWT }} +{{- if .serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "element-call.serviceAccountName" (dict "root" $ "ctx" . "suffix" "lk-jwt") }} + labels: + {{- include "element-call.labels" $ | nindent 4 }} + {{- with .serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .serviceAccount.automount }} +{{- end }} +{{- end }} diff --git a/element-call/templates/service.yaml b/element-call/templates/service.yaml new file mode 100644 index 0000000..cb76c9e --- /dev/null +++ b/element-call/templates/service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "element-call.fullname" . }} + labels: + {{- include "element-call.labels" . | nindent 4 }} +spec: + type: ClusterIP + ports: + - port: 80 + targetPort: http + protocol: TCP + name: http + selector: + {{- include "element-call.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: call diff --git a/element-call/templates/serviceaccount.yaml b/element-call/templates/serviceaccount.yaml new file mode 100644 index 0000000..806d9f0 --- /dev/null +++ b/element-call/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- with .Values.service.call }} +{{- if .serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "element-call.serviceAccountName" (dict "root" $ "ctx" . "suffix" "") }} + labels: + {{- include "element-call.labels" $ | nindent 4 }} + {{- with .serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .serviceAccount.automount }} +{{- end }} +{{- end }} diff --git a/element-call/values.yaml b/element-call/values.yaml new file mode 100644 index 0000000..5da5a53 --- /dev/null +++ b/element-call/values.yaml @@ -0,0 +1,127 @@ +global: + image: + # -- if set it will overwrite all registry entries + registry: + # -- if set it will overwrite all pullPolicy + pullPolicy: + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + + + +ingress: + enabled: false + className: "" + annotations: {} + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +service: + call: + replicaCount: 1 + image: + registry: ghcr.io + repository: element-hq/element-call + pullPolicy: IfNotPresent + # -- Overrides the image tag whose default is the chart appVersion. + tag: + config: {} + ingress: + host: + livenessProbe: + httpGet: + path: / + port: http + readinessProbe: + httpGet: + path: / + port: http + resources: {} + serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: {} + podLabels: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + nodeSelector: {} + tolerations: [] + affinity: {} + + lkJWT: + replicaCount: 1 + image: + registry: ghcr.io + repository: element-hq/lk-jwt-service + pullPolicy: IfNotPresent + tag: sha-4a29504 + config: + url: "" + key: "devkey" + secret: "secret" + ingress: + host: + livenessProbe: + httpGet: + path: /healthz + port: http + readinessProbe: + httpGet: + path: /healthz + port: http + resources: {} + serviceAccount: + # Specifies whether a service account should be created + create: true + # Automatically mount a ServiceAccount's API credentials? + automount: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + + podAnnotations: {} + podLabels: {} + + podSecurityContext: {} + # fsGroup: 2000 + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + nodeSelector: {} + tolerations: [] + affinity: {}