Deploy SuperLink using Helm¶
Note
Flower Helm charts are a Flower Enterprise feature. See Flower Enterprise for details.
The Flower Framework offers a unified approach to federated learning, analytics, and evaluation, allowing you to federate any workload, machine learning framework, or programming language.
This Helm chart installs the server-side components of the Flower Framework, specifically setting up the SuperLink.
The default installation configuration aims to replicate the functionality and setup of the provided Flower Framework releases.
Disable the SuperLink component¶
superlink:
name: superlink
enabled: false
Enable the SuperExec component¶
superexec:
enabled: true
Run simulations in Kubernetes using the Simulation Plugin¶
For more details, visit: Run simulations guide.
superlink:
enabled: true
simulation:
enabled: true
Change Log Verbosity Level¶
The log verbosity level in Flower can be adjusted using the FLWR_LOG_LEVEL environment variable.
This helps control the level of detail included in logs, making debugging and monitoring easier.
Setting Global Log Level¶
To enable detailed logging (e.g., DEBUG level) for all services, add FLWR_LOG_LEVEL to the env
parameter under the global section in your values.yml file:
global:
env:
- name: FLWR_LOG_LEVEL
value: DEBUG
Setting Log Level for a Specific Service¶
If you want to enable logging only for a specific service (e.g., superlink), you can specify it
under the respective service section:
superlink:
env:
- name: FLWR_LOG_LEVEL
value: DEBUG
For more details on logging configuration, visit: Flower Logging Documentation
Configure Audit Logging¶
Audit logging provides JSON-formatted log output for Flower, allowing you to capture and store events that occur in the SuperLink. This feature is useful for monitoring, debugging, or maintaining a historical record of important actions.
To enable audit logging, add the following flag to the SuperLink configuration:
superlink:
enabled: true
extraArgs:
- --enable-event-log
For more details on audit logging configuration, visit: Flower Audit Logging Documentation
License Key¶
Starting from 1.20.0, the SuperLink service must be started with
a valid license key.
You can configure the license key in the global.license section of your values.yml file in one
of two ways:
Directly — by setting
global.license.keyto your license key.From an existing Kubernetes Secret — by setting
global.license.existingSecretto the name of a secret that contains your key.
Note
The SuperLink must be able to connect to https://api.flower.ai in order to validate the license.
Example: Setting the License Key Directly¶
global:
license:
enabled: true
key: <YOUR_FLWR_LICENSE_KEY>
existingSecret: ""
In this configuration, the Helm chart will automatically create a Kubernetes Secret and mount it into the SuperLink container.
Example: Using an Existing Secret¶
global:
license:
enabled: true
key: ""
existingSecret: "existing-license-key-secret"
If both key and existingSecret are set, existingSecret takes precedence and the key value
will be ignored.
Note
By default, the existingSecret resource must contain a key named FLWR_LICENSE_KEY.
kind: Secret
stringData:
FLWR_LICENSE_KEY: <YOUR_FLWR_LICENSE_KEY>
Example: Setting a Custom Secret Key¶
If you prefer to use a different key name instead of the default FLWR_LICENSE_KEY,
you can override it by setting secretKey to your desired name:
global:
license:
enabled: true
key: ""
secretKey: "license-key"
existingSecret: "existing-license-key-secret"
kind: Secret
stringData:
license-key: <YOUR_FLWR_LICENSE_KEY>
Enable User Authentication¶
User authentication can be enabled if you're using the Flower Enterprise Edition (EE) Docker images.
This is configured in the global.userAuth section of your values.yml file.
Example: Enabling OpenID Connect (OIDC) Authentication¶
global:
userAuth:
enabled: true
config:
authentication:
auth_type: oidc
auth_url: https://<domain>/auth/device
token_url: https://<domain>/token
validate_url: https://<domain>/userinfo
oidc_client_id: <client_id>
oidc_client_secret: <client_secret>
Explanation of Parameters:
auth_type: The authentication mechanism being used (e.g., oidc).auth_url: The OpenID Connect authentication endpoint where users authenticate.token_url: The URL for retrieving access tokens.validate_url: The endpoint for validating user authentication.oidc_client_id: The client ID issued by the authentication provider.oidc_client_secret: The secret key associated with the client ID.
Use an Existing Secret¶
To use an existing secret that contains the user authentication configuration, set existingSecret
to the name of the existing secret:
global:
userAuth:
enabled: true
config: {}
existingSecret: "existing-user-auth-config"
Note that the existing secret must contain the key user-auth-config.yml:
kind: Secret
stringData:
user-auth-config.yml: |
authentication:
auth_type: oidc
auth_url: https://<domain>/auth/device
token_url: https://<domain>/token
validate_url: https://<domain>/userinfo
oidc_client_id: <client_id>
oidc_client_secret: <client_secret>
Configuring OpenFGA¶
The flower-server chat component supports OpenFGA as a fine-grained authorization service, but it is disabled by default.
To enable OpenFGA change the following value in your values.yml file:
openfga:
enabled: true
By default, OpenFGA will run with an in-memory store, which is non-persistent and suitable only for testing or development.
OpenFGA supports persistent storage using PostgreSQL or MySQL:
To deploy OpenFGA with a new PostgreSQL/MySQL instance, enable the bundled chart configuration.
To connect to an existing database, provide the appropriate connection details via Helm values (e.g.,
openfga.datastore.uri).
For more information visit the official OpenFGA Helm Chart Documentation.
The following commands set up a store, authorization model, and inserts users (using tuples) into OpenFGA. Run these once the OpenFGA instance is deployed.
Setup the authorization model and tuples:
Authorization model file model.fga
model
# We are using the 1.1 schema with type restrictions
schema 1.1
# Define the 'flwr_aid' type to represent individual users in the system.
type flwr_aid
# Define the 'service' type to group users.
type service
relations
# The 'has_access' relation defines users who have access to this service.
define has_access: [flwr_aid]
User permissions file tuples.fga
- user: flwr_aid:<OIDC_SUB_1>
relation: has_access
object: service:<your_grid_name>
- user: flwr_aid:<OIDC_SUB_2>
relation: has_access
object: service:<your_grid_name>
Create store:
OPENFGA_URL="<OPENFGA_URL>"
OPENFGA_STORE_NAME="<OPENFGA_STORE_NAME>"
docker run --rm -v "$(pwd)":/app -w /app openfga/cli \
--api-url ${OPENFGA_URL} store create \
--name ${OPENFGA_STORE_NAME}
The response will include an id field, which is the OpenFGA store ID associated with the OPENFGA_STORE_NAME that was created.
Get store ID (alternative way):
docker run --rm -v "$(pwd)":/app -w /app openfga/cli \
--api-url ${OPENFGA_URL} store list
Set OpenFGA store ID from previous step and write model:
OPENFGA_STORE_ID="<STORE_ID_FROM_EARLIER_STEP>"
docker run --rm -v "$(pwd)":/app -w /app openfga/cli \
--api-url ${OPENFGA_URL} model write \
--store-id ${OPENFGA_STORE_ID} \
--file model.fga
Set OpenFGA model ID from previous step and write tuples:
OPENFGA_MODEL_ID="<MODEL_ID_FROM_EARLIER_STEP>"
docker run --rm -v "$(pwd)":/app -w /app openfga/cli \
--api-url ${OPENFGA_URL} tuple write \
--store-id ${OPENFGA_STORE_ID} \
--model-id ${OPENFGA_MODEL_ID} \
--file tuples.yaml
Add a new authorization section under your existing global.userAuth configuration or directly within your existing secret, depending on your setup. Set the OPENFGA_STORE_ID and OPENFGA_MODEL_ID from the previous steps in the file:
authorization:
authz_type: openfga
authz_url: <OPENFGA_URL>
store_id: <OPENFGA_STORE_ID>
model_id: <OPENFGA_MODEL_ID>
relation: has_access
object: service:<your_grid_name>
Change Isolation Mode¶
The isolation mode determines how the SuperLink manages the SuperExec process execution.
This setting can be adjusted using the superlink.isolationMode parameter:
Example: Changing Isolation Mode
superlink:
isolationMode: process
# Don’t forget to enable the superexec if you don’t
# plan to use an existing one.
superexec:
enabled: true
Deploy Flower Framework with TLS¶
By default, the Flower Framework is deployed with TLS enabled. This means tls.enabled is
set to true.
If cert-manager is installed in your Kubernetes cluster, this chart can be used to set up TLS in
several ways. By default, it creates both a self-signed Issuer and a Certificate, but you can
also choose to create only an Issuer or create a Certificate from an existing
Issuer/ClusterIssuer.
Regardless of the option you choose, TLS is only enabled when you set tls.enabled: true.
Default Behavior (self-signed Issuer + Certificate)¶
global:
domain: example.com
tls:
enabled: true
issuer:
enabled: true
certificate:
enabled: true
When deployed with these values, the chart creates a self-signed Issuer and then uses it to
issue a TLS certificate. The generated Certificate is valid for five years,
is renewed fifteen days before expiry, and is stored in a Kubernetes Secret.
If you leave secretName empty, the secret name defaults to <chart-name>-server-tls.
The certificate includes global.domain as its common name, along with service DNS entries and
any additionalHosts you provide.
This setup is best suited for testing and validating the Helm charts in a non-production environment.
You can switch from self-signed to another issuer type by providing a spec block
for the Issuer.
Create a Certificate using an Existing Issuer / ClusterIssuer¶
Use this if you already have an Issuer or ClusterIssuer (e.g., Let’s Encrypt or a corporate CA)
and you want the chart to create the Certificate.
global:
domain: example.com
tls:
enabled: true
issuer:
enabled: false
certificate:
enabled: true
existingIssuer: letsencrypt-clusterissuer
existingIssuerKind: ClusterIssuer
With this configuration, the chart does not create a new Issuer. Instead, it references the
specified ClusterIssuer named letsencrypt-clusterissuer and requests a Certificate from it.
It is stored in a Kubernetes Secret that, by default, is named <chart-name>-server-tls.
To change the secret name, set tls.certificate.secretName to the desired name:
tls:
certificate:
secretName: my-custom-tls-secret-name
Create only an Issuer¶
In this mode, the chart creates an Issuer but does not create a Certificate.
This is useful if you want cert-manager to automatically generate certificates
based on Ingress annotations.
tls:
enabled: true
issuer:
enabled: true
certificate:
enabled: false
existingSecret: ""
See the Ingress Configuration section for more information.
Use an Existing TLS Certificate¶
If you already have a TLS certificate available as a Kubernetes Secret, you can configure the
chart to use it directly instead of creating a new Certificate with cert-manager. To do this,
disable certificate creation and set tls.existingSecret to the name of your Secret.
The Secret must be of type kubernetes.io/tls and contain the standard tls.crt, tls.key
fields, with ca.crt being optional. If ca.crt is not provided, tls.crt will also be used
as the CA certificate.
If both tls.existingSecret and tls.certificate.enabled are set, the tls.existingSecret value
will be ignored and a new Certificate will be issued.
tls:
enabled: true
certificate:
enabled: false
existingSecret: my-custom-tls-secret
Override Certificate Paths¶
By default, the TLS-related flags use the following paths when TLS is enabled:
--ssl-ca-certfile: /app/cert/ca.crt,
--ssl-certfile: /app/cert/tls.crt,
--ssl-keyfile: /app/cert/tls.key.
These paths can be overridden by specifying the flags in the extraArgs, as shown below:
tls:
enabled: true
superlink:
enabled: true
extraArgs:
- --ssl-ca-certfile
- /mount/cert/ca.cert
- --ssl-certfile
- /mount/cert/tls.cert
- --ssl-keyfile
- /mount/cert/tls.key
Deploy Flower Framework without TLS¶
You might want to disable TLS for testing or internal use. In this mode, the chart does not create
any cert-manager Issuer or Certificate resources, and any TLS-related configuration on
the Ingress resource is ignored.
tls:
enabled: false
Ingress Configuration¶
Generate a Certificate via Ingress Annotations¶
If you prefer to let cert-manager generate a Certificate through Ingress annotations,
you can disable the chart’s built-in certificate management.
To do this, set tls.certificate.enabled to false and leave tls.existingSecret empty.
Also ensure tls.enabled is set to true.
The annotations you specify under superlink.ingress.annotations will be passed directly to the
Ingress resource. For supported annotation keys, refer to the cert-manager
documentation.
tls:
enabled: true
certificate:
enabled: false
existingSecret: ""
superlink:
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/backend-protocol: GRPCS
nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
cert-manager.io/cluster-issuer: cert-manager-selfsigned
cert-manager.io/common-name: api.example.com
api:
enabled: true
hostname: api.example.com
tls:
enabled: true
The chart creates an Ingress for SuperLink with the provided annotations. cert-manager
generates a Certificate, and stores it in a Kubernetes Secret. That Secret is then mounted
into the SuperLink container so it can use the TLS keypair for its endpoints. The same Secret
is also referenced by the Ingress resource, which means the generated certificate is
shared between the Ingress and the SuperLink service.
By default, the Ingress-generated certificate is stored in a Secret named
<chart-name>-server-tls.
You can override this by setting superlink.ingress.tls.secretName:
superlink:
ingress:
enabled: true
tls:
enabled: true
secretName: my-custom-tls-secret
Important:
If
tls.certificate.enabledis set totrueor iftls.existingSecretis specified, thesecretNameof theIngressresource is ignored. In that case, the chart will rely on theCertificatecreated through its own mechanism.Always ensure that when you use
Ingressannotations, no certificate is generated or referenced by this chart. Otherwise, you may end up with conflicting secrets.
TLS Certificate with Additional Hosts¶
By default, when cert-manager issues a Certificate it only includes the DNS name specified in
commonName, which is derived from global.domain.
In some deployments, the server and client charts may run inside the same Kubernetes cluster,
while the Control API is exposed publicly over the internet. In this scenario, the SuperNodes
need to connect to the SuperLink using its internal service URL
(e.g., <superlink>.<namespace>.svc.cluster.local).
To support this, you can extend the certificate with additional hosts by using
superlink.ingress.extraHosts.
The example below shows how to configure the Ingress so that the generated Certificate covers
both the external hostname and the internal service name:
tls:
enabled: true
certificate:
enabled: false
existingSecret: ""
superlink:
ingress:
enabled: true
annotations:
nginx.ingress.kubernetes.io/backend-protocol: GRPCS
nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
nginx.ingress.kubernetes.io/ssl-passthrough: "false"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
cert-manager.io/cluster-issuer: cert-manager-selfsigned
cert-manager.io/common-name: control.example.com
control:
enabled: true
hostname: control.example.com
extraHosts:
- name: <superlink_name>.<namespace>.svc.cluster.local
pathType: ImplementationSpecific
path: /
port: 9092
tls:
enabled: true
SSL-Passthrough¶
In some scenarios, you may want to let the SuperLink service terminate TLS directly rather than having the Ingress controller handle TLS termination. This is useful if you need to use protocols such as gRPC over TLS end-to-end, where the Ingress should simply forward the encrypted traffic without decrypting it.
To enable this mode with the NGINX Ingress Controller, you can configure SSL passthrough by setting
the nginx.ingress.kubernetes.io/ssl-passthrough annotation to "true". In this configuration,
the Ingress forwards TLS traffic directly to the SuperLink container,
which then handles certificate validation and encryption.
tls:
enabled: true
certificate:
enabled: true
superlink:
enabled: true
ingress:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: GRPCS
nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "false"
ingressClassName: nginx
tls: false
control:
enabled: true
hostname: control.example.com
path: /
pathType: ImplementationSpecific
fleet:
enabled: true
hostname: fleet.example.com
path: /
pathType: ImplementationSpecific
serverAppIo:
enabled: true
hostname: serverappio.example.com
path: /
pathType: ImplementationSpecific
Enable Node Authentication¶
global:
nodeAuth:
enabled: true
authListPublicKeys:
- ecdsa-sha2-nistp384 [...]
- ecdsa-sha2-nistp384 [...]
tls:
enabled: true
Public keys can include comments at the end of the key data:
global:
nodeAuth:
authListPublicKeys:
- ecdsa-sha2-nistp384 [...] comment with spaces
参数¶
Helm parameters¶
Name |
Description |
Value |
|---|---|---|
|
Override Replaces the name of the chart in the Chart.yaml |
|
|
Override Completely replaces the generated name. |
|
Global parameters¶
Name |
Description |
Value |
|---|---|---|
|
Default Annotations |
|
|
Default Labels |
|
|
Default PodLabels |
|
|
Default Domain |
|
|
Default IngressClass |
|
|
Default node selector for all components |
|
|
Default tolerations for all components |
|
|
Default affinity preset for all components |
|
|
Default pod anti-affinity rules. Either: |
|
|
Default node affinity rules. Either: |
|
|
Default match expressions for node affinity |
|
|
Enables or Disables Node-Authentication SuperLink <-> SuperNode |
|
|
A list of ecdsa-sha2-nistp384 SuperNode keys |
|
|
Enables or disables the user authentication plugin. |
|
|
Set the user authentication configuration. |
|
|
Existing secret with user authentication configuration. |
|
|
Enables or disables the configuration of the EE license. |
|
|
The EE license key. |
|
|
The name of the key inside the Kubernetes Secret |
|
|
Name of an existing Kubernetes Secret |
|
|
Set Security Context runAsUser |
|
|
Set Security Context runAsGroup |
|
|
Set Security Context fsGroup |
|
|
Set Security Context runAsNonRoot |
|
|
Set Security Context readOnlyRootFilesystem |
|
|
Set Security Context allowPrivilegeEscalation |
|
|
Set Security Context seccompProfile |
|
|
Set Security Context capabilities |
|
|
Default environment variables |
|
|
Default image pullPolicy |
|
TLS Configuration¶
Name |
Description |
Value |
|---|---|---|
|
Enable TLS configuration for the Flower Framework. |
|
|
Enable automatic creation of a cert-manager Issuer. |
|
|
Name of the Issuer resource to use. |
|
|
The contents of the |
|
|
Enable automatic creation of a cert-manager Certificate. |
|
|
Certificate CRD annotations. |
|
|
Name of the Kubernetes Secret to store the TLS key and certificate. |
|
|
API group for the issuer. Defaults to |
|
|
Name of an existing Issuer or ClusterIssuer to use. |
|
|
Kind of the existing issuer ( |
|
|
The requested ‘duration’ (i.e. lifetime) of the Certificate. |
|
|
How long before the currently issued certificate’s expiry |
|
|
Private key options. These include the key algorithm and |
|
|
Requested key usages and extended key usages. |
|
|
Additional hosts you want to put into the SAN's |
|
|
Name of an existing Kubernetes Secret |
|
Component SuperLink¶
Name |
Description |
Value |
|---|---|---|
|
Name of the SuperLink |
|
|
Enable or Disable SuperLink |
|
|
Set container requests and limits for different resources like CPU or memory (essential for production workloads) |
|
|
Specify a list of volumes for the SuperLink pod(s) |
|
|
Allows to specify additional VolumeMounts |
|
|
Launch the SimulationIo API server in place of the |
|
|
The isolation mode of the SuperLink |
|
|
Automount SA-Token into the pod. |
|
|
Enabled a service account for the application controller |
|
|
Annotations applied to enabled service account |
|
|
Labels applied to enabled service account |
|
|
Automount SA-Token |
|
|
Valid are ClusterIP, NodePort or Loadbalancer |
|
|
Prefix of the SuperLink Control API port |
|
|
Port to expose for the SuperLink Control API |
|
|
Node port for SuperLink Control API |
|
|
Prefix of the SuperLink ServerAppIo API port |
|
|
Port to expose for the SuperLink ServerAppIo API |
|
|
Node port for SuperLink ServerAppIo API |
|
|
Prefix of the SuperLink Fleet API port |
|
|
Port to expose for the SuperLink Fleet API |
|
|
Node port for SuperLink Fleet API |
|
|
Prefix of the SuperLink SimulationIo API port |
|
|
Port to expose for the SuperLink SimulationIo API |
|
|
Node port for SuperLink SimulationIo API |
|
|
Container port for SuperLink Control API |
|
|
Container port for SuperLink ServerAppIo API |
|
|
Container port for SuperLink Fleet API |
|
|
Container port for SuperLink SimulationIo API |
|
|
Container port for SuperLink Health API |
|
|
The number of SuperLink pods to run |
|
|
Extra labels for SuperLink pods |
|
|
Add extra arguments to the default arguments for the SuperLink |
|
|
Node labels for SuperLink pods which merges with global.nodeSelector |
|
|
Node tolerations for SuperLink pods which merges with global.tolerations |
|
|
SuperLink deployment strategy type |
|
|
SuperLink deployment rolling update configuration parameters |
|
|
Node affinity for SuperLink pods which merges with global.affinity |
|
|
Array with extra environment variables to add to SuperLink nodes which merges with global.env |
|
|
Security settings that for the SuperLink Pods |
|
|
Security settings that for the SuperLink |
|
|
Enable livenessProbe on SuperLink containers |
|
|
Initial delay seconds for livenessProbe |
|
|
Period seconds for livenessProbe |
|
|
Timeout seconds for livenessProbe |
|
|
Failure threshold for livenessProbe |
|
|
Success threshold for livenessProbe |
|
|
Enable readinessProbe on SuperLink containers |
|
|
Initial delay seconds for readinessProbe |
|
|
Period seconds for readinessProbe |
|
|
Timeout seconds for readinessProbe |
|
|
Failure threshold for readinessProbe |
|
|
Success threshold for readinessProbe |
|
|
Enable the ingress resource |
|
|
Additional annotations for the ingress |
|
|
Defines which ingress controller which implement the resource |
|
|
Enable TLS termination at the Ingress level. |
|
|
Name of the Kubernetes Secret that will contain the |
|
|
Enable an ingress resource for SuperLink API |
|
|
Ingress hostname for the SuperLink API ingress |
|
|
SuperLink API ingress path |
|
|
Ingress path type. One of Exact, Prefix or ImplementationSpecific |
|
|
Enable an ingress resource for SuperLink Fleet API |
|
|
Ingress hostname for the SuperLink Fleet API ingress |
|
|
SuperLink Fleet API ingress path |
|
|
Ingress path type. One of Exact, Prefix or ImplementationSpecific |
|
|
Enable an ingress resource for SuperLink ServerAppIo API |
|
|
Ingress hostname for the SuperLink ServerAppIo API ingress |
|
|
SuperLink ServerAppIo API ingress path |
|
|
Ingress path type. One of Exact, Prefix or ImplementationSpecific |
|
|
Enable an ingress resource for SuperLink SimulationIo API |
|
|
Ingress hostname for the SuperLink SimulationIo API ingress |
|
|
SuperLink SimulationIo API ingress path |
|
|
Ingress path type. One of Exact, Prefix or ImplementationSpecific |
|
|
An array with additional hostname(s) to be covered with the ingress record |
|
|
TLS configuration for additional hostname(s) to be covered with this ingress record |
|
|
Additional rules to be covered with this ingress record |
|
|
SuperLink container(s) to automate configuration before or after startup |
|
|
Additional custom annotations for SuperLink |
|
|
Extra selectorLabels for SuperLink pods |
|
|
Annotations for SuperLink pods |
|
|
Extra podLabels for SuperLink pods |
|
|
SuperLink image pull secrets which overrides global.imagePullSecrets |
|
|
SuperLink image registry |
|
|
SuperLink image repository |
|
|
SuperLink image tag |
|
|
SuperLink image digest |
|
|
SuperLink image pullPolicy which Components image pullPolicy |
|
|
Specifies whether a NetworkPolicy should be created |
|
|
Allow external ingress traffic |
|
|
Allow unrestricted egress traffic |
|
|
Add extra ingress rules to the NetworkPolicy |
|
|
Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) |
|
|
Labels to match to allow traffic from other pods. Ignored if |
|
|
Labels to match to allow traffic from other namespaces. Ignored if |
|
|
Pod labels to match to allow traffic from other namespaces. Ignored if |
|
|
Labels to match to allow traffic from other pods. Ignored if |
|
|
Labels to match to allow traffic from other namespaces. Ignored if |
|
|
Pod labels to match to allow traffic from other namespaces. Ignored if |
|
|
Labels to match to allow traffic from other pods. Ignored if |
|
|
Labels to match to allow traffic from other namespaces. Ignored if |
|
|
Pod labels to match to allow traffic from other namespaces. Ignored if |
|
|
Labels to match to allow traffic from other pods. Ignored if |
|
|
Labels to match to allow traffic from other namespaces. Ignored if |
|
|
Pod labels to match to allow traffic from other namespaces. Ignored if |
|
Component SuperExec¶
Name |
Description |
Value |
|---|---|---|
|
Name of the SuperExec |
|
|
Enable or disable SuperExec |
|
|
Address of the SuperLink the SuperExec should connect to |
|
|
Set container requests and limits for different resources like CPU or memory (essential for production workloads) |
|
|
Optionally specify list of volumes for the SuperExec pod(s) |
|
|
Allows to specify additional VolumeMounts |
|
|
Automount SA-Token into the pod. |
|
|
Enable a service account for this component |
|
|
Annotations applied to enabled service account |
|
|
Labels applied to enabled service account |
|
|
Automount SA-Token |
|
|
Container port for SuperExec Health API |
|
|
Security settings that for the SuperExec Pods |
|
|
Enable livenessProbe on SuperExec containers |
|
|
Initial delay seconds for livenessProbe |
|
|
Period seconds for livenessProbe |
|
|
Timeout seconds for livenessProbe |
|
|
Failure threshold for livenessProbe |
|
|
Success threshold for livenessProbe |
|
|
Enable readinessProbe on SuperExec containers |
|
|
Initial delay seconds for readinessProbe |
|
|
Period seconds for readinessProbe |
|
|
Timeout seconds for readinessProbe |
|
|
Failure threshold for readinessProbe |
|
|
Success threshold for readinessProbe |
|
|
The number of SuperExec pods to run |
|
|
Extra labels for SuperExec pods |
|
|
Add extra arguments to the default arguments for the SuperExec |
|
|
Node labels for SuperExec pods which merges with global.nodeSelector |
|
|
Node tolerations for SuperExec pods which merges with global.tolerations |
|
|
SuperExec deployment strategy type |
|
|
SuperExec deployment rolling update configuration parameters |
|
|
Node affinity for SuperExec pods which merges with global.affinity |
|
|
Array with extra environment variables to add to SuperExec nodes which merges with global.env |
|
|
SuperExec container(s) to automate configuration before or after startup |
|
|
Additional custom annotations for SuperExec |
|
|
Extra selectorLabels for SuperExec pods |
|
|
Annotations for SuperExec pods |
|
|
Extra podLabels for SuperExec pods |
|
|
SuperExec image pull secrets which overrides global.imagePullSecrets |
|
|
SuperExec image registry |
|
|
SuperExec image repository |
|
|
Image tag of SuperExec |
|
|
Image digest of SuperExec |
|
|
Components image pullPolicy |
|
|
Specifies whether a NetworkPolicy should be created |
|
|
Allow unrestricted egress traffic |
|
|
Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) |
|
Component OpenFGA¶
Name |
Description |
Value |
|---|---|---|
|
Enable the openfga subchart and deploy OpenFGA |
|