charts/ocis/values.yaml

---
# Image for oCIS services
image:
  # -- Image repository
  repository: owncloud/ocis
  # -- Image tag. Defaults to the chart's appVersion.
  tag: ""
  # -- Image sha / digest (optional).
  sha: ""
  # -- Image pull policy
  pullPolicy: IfNotPresent
  # -- Names of the secret containing the credentials to pull an image from the registry. More
  # information how a secret can be defined at https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  #
  # *Note:* These secrets also apply to initContainers, so you need to provide secrets for the initContainer image here as well.
  pullSecrets: []
  # pullSecrets:
  #   - name: mySecret
  #   - name: mySecret2

# Image for oCIS services
initContainerImage:
  # -- Image repository
  repository: busybox
  # -- Image tag.
  tag: "stable"
  # -- Image sha / digest (optional).
  sha: ""
  # -- Image pull policy
  pullPolicy: IfNotPresent

# Logging settings for oCIS services
logging:
  # -- Log level. Valid values: `panic`, `fatal`, `error`, `warn`, `info`, `debug`, `trace`.
  level: "info"
  # -- Activates pretty log output.
  # Not recommended for production installations.
  pretty: "false"
  # -- Activates colorized log output.
  # Not recommended for production installations.
  color: "false"

# Tracing settings for oCIS services
tracing:
  # -- Tracing enables sending traces
  enabled: false

  # -- Type of trace provider to use
  type: "jaeger"

  # -- Endpoint of the tracing system, jaeger-agent.observability.svc.cluster.local:6831 or similar.
  endpoint: ""

  # -- The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector.observability.svc.cluster.local:14268/api/traces. Only used if the tracing endpoint is unset.
  collector: ""

# HTTP settings for oCIS services.
http:
  #-- CORS settings for oCIS services.
  cors:
    #-- allow_origins is a list of origins a cross-domain request can be executed from.
    # If the special "*" value is present in the list, all origins will be allowed.
    allow_origins: []

# Debug settings for the oCIS service
debug:
  # -- Profiling enables the http://<pod>:<debug-metrics>/debug/pprof endpoint to inspect various Go runtime internals.
  # You can use the endpoint on your machine by forwarding the port, eg: `kubectl port-forward -n ocis pod/authbasic-8587dc9d64-fs24l 9147:9147`
  # and then accessing the port on https://localhost:9147/debug/pprof or using the pprof command line tool: `go tool pprof -web http://localhost:9147/debug/pprof/symbol\?seconds\=10`
  profiling: false

# -- Deployment strategy.
deploymentStrategy:
  type: RollingUpdate

# -- Domain where oCIS is reachable for the outside world
externalDomain: ocis.owncloud.test

# Insecure options.
# These are useful for some limited environments like CI or on a test cluster.
insecure:
  # -- Disables SSL certificate checking for connections to the openID connect identity provider.
  # Not recommended for production installations.
  oidcIdpInsecure: false
  # -- Disables SSL certificate checking for connections to the oCIS http apis.
  # Not recommended for production installations.
  ocisHttpApiInsecure: false

cache:
  # -- Type of the cache to use. It defaults to no cache or a in memory cache depending on the service.
  # To disable the cache, set to "noop".
  # Can be set to "redis", "redis-sentinel" or "etcd", then the address of Redis (Sentinel) / etcd node(s) needs to be set to `cache.nodes`.
  type: ""
  # -- Nodes of the cache to use.
  nodes: []
  # nodes:
  #   - redis-master-1.ocis-redis.svc.cluster.local:6379
  #   - redis-master-2.ocis-redis.svc.cluster.local:6379

store:
  # -- Configure the store type. To disable the cache, set to "noop".
  # Defaults to "nats-js". Therefore `store.nodes` defaults to the address of the builtin NATS.
  # Can be set to "redis", "redis-sentinel" or "etcd", then the address of Redis (Sentinel) / etcd node(s) needs to be set to `cache.nodes`.
  type: nats-js
  # -- Nodes of the store to use.
  nodes:
    - "{{ .appNameNats }}:9233"

registry:
  # -- Configure the service registry type.
  # Defaults to "kubernetes".
  # Can be set to "etcd" or "nats", then the address of etcd / nats node(s) needs to be set to `registry.nodes`.
  type: kubernetes
  # -- Nodes of the service registry to use.
  nodes: []
  # nodes:
  #   - etcd.ocis-etcd.svc.cluster.local:2379

messagingSystem:
  external:
    # -- Use an external NATS messaging system instead of the internal one.
    # Recommended for all production instances.
    # Needs to be used if HighAvailability is needed.
    # Needs to be used if oCIS shall be used by more than a 2-digit user count.
    enabled: false
    # -- Endpoint of the messaging system.
    endpoint: "nats.ocis-nats.svc.cluster.local:4222"
    # -- Cluster name to use with the messaging system.
    cluster: "ocis-cluster"
    tls:
      # -- Enables TLS encrypted communication with the messaging system.
      # Recommended for production installations.
      enabled: true
      # -- Set only to false, if the certificate of your messaging system service is not trusted.
      # If set to false, you need to put the CA cert of the messaging system server into the secret referenced by "messagingSystemCaRef"
      certTrusted: true
      # -- Disables SSL certificate checking for connections to the messaging system server.
      # -- For self signed certificates, consider to put the CA cert of the messaging system secure server into the secret referenced by "messagingSystemCaRef"
      # Not recommended for production installations.
      insecure: false

# Feature options.
# Enable or disable features of oCIS.
features:
  # -- Enable basic authentication.
  # Not recommended for production installations.
  basicAuthentication: false
  # -- Create demo users on the first startup.
  # Not recommended for production installations.
  demoUsers: false
  emailNotifications:
    # -- Enables email notifications.
    enabled: false
    smtp:
      # -- SMTP host to connect to.
      host:
      # -- Port of the SMTP host to connect to.
      port:
      # -- Sender address of emails that will be sent. Example: 'ownCloud <noreply@example.com>'
      sender:
      # -- Authentication method for the SMTP communication. Possible values are ‘login’, ‘plain’, ‘crammd5’, ‘none’
      # If set to another value than `none`, a secret referenced by `notificationsSmtpSecretRef` needs to be present.
      authentication: none
      # -- Encryption method for the SMTP communication. Possible values are ‘starttls’, ‘ssl’, ‘ssltls’, ‘tls’ and ‘none’.
      encryption: none
    branding:
      # -- Enables mail branding. If enabled, you need to provide the text and html template ConfigMap.
      # The image ConfigMap is optional.
      enabled: false
      # -- Reference to a ConfigMap containing the text mail template.
      # The template file must be named "email.text.tmpl".
      # The default template can be seen here: https://github.com/owncloud/ocis/blob/master/services/notifications/pkg/email/templates/text/email.text.tmpl
      textMailTemplatesConfigRef: "text-mail-templates"
      # -- Reference to a ConfigMap containing the html mail template.
      # The template file must be named "email.html.tmpl".
      # The default template can be seen here: https://github.com/owncloud/ocis/blob/master/services/notifications/pkg/email/templates/html/email.html.tmpl
      htmlMailTemplatesConfigRef: "html-mail-templates"
      # -- Reference to a ConfigMap containing images that can be referenced from the html mail template.
      # This ConfigMap is optional and can be omitted when images are not used.
      htmlMailImagesConfigRef: "html-mail-images"
  # Sharing related settings
  sharing:
    # Sharing with users related settings
    users:
      # -- Allow a share receiver to share the share with a 3rd person.
      resharing: true
      # Search settings for finding users to share with.
      search:
        # -- Minimum number of characters to enter before a client should start a search for Share receivers.
        # This setting can be used to customize the user experience if e.g too many results are displayed.
        minLengthLimit: 3
    # Sharing per public link related setings
    publiclink:
      # -- Enforce a password on writable public link shares.
      writeableShareMustHavePassword: false
  # Apps integration
  appsIntegration:
    # -- Enables the apps integration.
    enabled: false
    # WOPI (office suite integration) needs an https://github.com/cs3org/wopiserver[cs3org/wopiserver] and at least one office suite.
    wopiIntegration:
      # -- URL of the https://github.com/cs3org/wopiserver[cs3org/wopiserver]. Can be deployed https://artifacthub.io/packages/helm/cs3org/wopiserver[with this Chart].
      wopiServerURI: https://wopiserver.owncloud.test
      # -- Base url to navigate back from the app to the containing folder in the file list.
      wopiFolderURI: https://{{ .Values.externalDomain }}
      # List of WOPI compliant office suites.
      officeSuites:
        - # -- Name of the office suite. Will be displayed to the users.
          name: Collabora
          # -- Enables the office suite.
          enabled: false
          # -- URI of the office suite.
          uri: https://collabora.owncloud.test
          # -- URI for the icon of the office suite. Will be displayed to the users.
          iconURI: https://collabora.owncloud.test/favicon.ico
          # -- Disables SSL certificate checking for connections to the office suites http api.
          # Not recommended for production installations.
          insecure: false
        - # -- Name of the office suite. Will be displayed to the users.
          name: OnlyOffice
          # -- Enables the office suite.
          enabled: false
          # -- URI of the office suite.
          uri: https://onlyoffice.owncloud.test
          # -- URI for the icon of the office suite. Will be displayed to the users.
          iconURI: https://onlyoffice.owncloud.test/web-apps/apps/documenteditor/main/resources/img/favicon.ico
          # -- Disables SSL certificate checking for connections to the office suites http api.
          # Not recommended for production installations.
          insecure: false
          # -- Disables Chat functionality of OnlyOffice
          disableChat: false
    # -- Mimetype configuration.
    # Let's you configure a mimetypes' default application, if it is allowed to create a new file and more.
    # @default -- default configuration of oCIS, see https://doc.owncloud.com/ocis/next/deployment/services/s-list/app-registry.html#yaml-example[doc.owncloud.com]
    mimetypes:
      []
      # - mime_type: application/vnd.oasis.opendocument.text
      # extension: odt
      # name: OpenDocument
      # description: OpenDocument text document
      # icon: ""
      # default_app: ""
      # allow_creation: true
  # External user management
  externalUserManagement:
    # -- Enables external user management (and disables internal user management).
    # Needs an external OpenID Connect Identity Provider and an external LDAP server.
    enabled: false
    # -- UUID of the inital admin user.
    # If the given value matches a user's value from `features.externalUserManagement.oidc.userIDClaim`, the admin role will be assigned.
    # Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.
    # Note: Enabling `roleAssignment` will disable `adminUUID`.
    adminUUID: ""
    # OpenID Connect Identity provider related settings.
    oidc:
      # -- Issuer URI of the OpenID Connect Identity Provider.
      # If the IDP doesn't have valid / trusted SSL certificates, certificate validation can be disabled with the `insecure.oidcIdpInsecure` option.
      issuerURI: https://idp.owncloud.test/realms/ocis
      # -- Link to the OIDC provider's user accessible session management. This will be shown to the user on the personal account page.
      # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/
      sessionManagementLink: ""
      # -- Link to the OIDC provider's user accessible account editing page. This will be shown to the user on the personal account page.
      # When using Keycloak with the a realm named "ocis" this could point to eg. https://keycloak.owncloud.test/realms/ocis/account/
      editAccountLink: ""
      # -- Specify the client ID which the web frontend will use
      webClientID: web
      # -- Claim to take an unique user identifier from. It will be used to look up the user on the LDAP server.
      userIDClaim: ocis.user.uuid
      # -- Attribute mapping of for the userIDClaim.
      # Set to `userid` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.id`.
      # Set to `mail` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in  `...ldap.user.schema.mail`.
      # Set to `username` if the claim specified in `...oidc.userIDClaim` holds the value of the ldap user attribute specified in `...ldap.user.schema.userName`.
      userIDClaimAttributeMapping: userid

      # -- OIDC Acces Token Verify Method
      # Set to "jwt" or "none"
      accessTokenVerifyMethod: "jwt"

      # -- Configure OIDC role assignment. If activated, oCIS will read the role assigment from the OIDC token, see
      # xref:{s-path}/proxy.adoc#automatic-role-assignments[Automatic Role Assignments]
      roleAssignment:
        enabled: false
        # -- The name of the OIDC claim holding the role assignment
        claim: roles
        # -- Configure the mapping for the role assignment
        mapping:
          - role_name: admin
            claim_value: ocisAdmin
          - role_name: spaceadmin
            claim_value: ocisSpaceAdmin
          - role_name: user
            claim_value: ocisUser
          - role_name: guest
            claim_value: ocisGuest
    # LDAP related settings.
    ldap:
      # -- Writeable configures if oCIS is allowed to write to the LDAP server, to eg. create or edit users.
      writeable: true
      # -- If the LDAP server is set to writable in general, some user attributes can be restricted to read only in the UI.
      # Note: This only disables editing in the UI. The readonly permissions need to be enforced in the LDAP server itself.
      readOnlyAttributes:
        []
        # - user.onPremisesSamAccountName # username
        # - user.displayName # display name
        # - user.mail # mail
        # - user.passwordProfile # password
        # - user.appRoleAssignments # role
        # - user.accountEnabled # login allowed
        # - drive.quota # quota
      # -- URI to connect to the LDAP secure server.
      uri: ldaps://ldaps.owncloud.test
      # -- Set only to false, if the certificate of your LDAP secure service is not trusted.
      # If set to false, you need to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
      certTrusted: true
      # -- Disables SSL certificate checking for connections to the LDAP server.
      # -- For self signed certificates, consider to put the CA cert of the LDAP secure server into the secret referenced by "ldapCaRef"
      # Not recommended for production installations.
      insecure: false
      # -- DN of the user to use to bind to the LDAP server.
      # The password for the user needs to be set in the secret referenced by `secretRefs.ldapSecretRef` as `reva-ldap-bind-password`.
      # The user needs to have permission to list users and groups.
      bindDN: uid=ocis,ou=system-users,dc=owncloud,dc=test
      # -- Signals that the LDAP server has the refint plugin enabled, which makes some actions not needed.
      refintEnabled: false
      # -- Use the Password Modify Extended Operation for updating user passwords.
      passwordModifyExOpEnabled: false
      # -- If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.
      useServerUUID: false
      user:
        schema:
          # -- LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.
          id: ownclouduuid
          # -- Set this to true if the defined `id` attribute for users is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the user ID`s.
          idIsOctetString: false
          # -- LDAP Attribute to use for the email address of users.
          mail: mail
          # -- LDAP Attribute to use for the displayname of users.
          displayName: displayname
          # -- LDAP Attribute to use for username of users.
          userName: uid
          # -- LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'.
          userType: ownCloudUserType
        # -- Search base DN for looking up LDAP users.
        baseDN: ou=users,dc=owncloud,dc=com
        # -- LDAP search scope to use when looking up users. Supported values are `base`, `one` and `sub`.
        scope: sub
        # -- Type of substring search filter to use for substring searches for users. Possible values: `initial` for doing prefix only searches, `final` for doing suffix only searches or `any` for doing full substring searches
        substringFilterType: any
        # -- LDAP filter to add to the default filters for user search like `(objectclass=ownCloud)`.
        filter:
        # -- The object class to use for users in the default user search filter like `inetOrgPerson`.
        objectClass: inetOrgPerson
      group:
        schema:
          # -- LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.
          id: ownclouduuid
          # -- Set this to true if the defined `id` attribute for groups is of the `OCTETSTRING` syntax. This is e.g. required when using the `objectGUID` attribute of Active Directory for the group ID`s.
          idIsOctetString: false
          # -- LDAP Attribute to use for the email address of groups (can be empty).
          mail: mail
          # -- LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).
          displayName: cn
          # -- LDAP Attribute to use for the name of groups.
          groupName: cn
          # -- LDAP Attribute that is used for group members.
          member: member
        # -- Search base DN for looking up LDAP groups.
        baseDN: ou=groups,dc=owncloud,dc=com
        # -- BaseDN where new groups are created and are considered as editable.
        # All existing groups with a DN outside the `features.externalUserManagement.ldap.group.createBaseDN` will be treated as read-only groups.
        # Defaults to the value `features.externalUserManagement.ldap.group.baseDN`.
        # Only applicable if `features.externalUserManagement.ldap.writeable` is set to `true`
        createBaseDN: ""
        # -- LDAP search scope to use when looking up groups. Supported values are `base`, `one` and `sub`.
        scope: sub
        # -- LDAP filter to add to the default filters for group searches.
        filter:
        # -- The object class to use for groups in the default group search filter like `groupOfNames`.
        objectClass: groupOfNames
      # -- When using external user management, users can be set as disabled by either belonging to a group or using an ldap attribute.
      disableUsers:
        # -- Enables disabling users if configured as "attribute" or "group"
        disableMechanism: none
        # -- Attribute to use for disabling users.
        userEnabledAttribute: ownCloudUserEnabled
        # -- Group that a user can be added to and by that being marked as disabled.
        disabledUsersGroupDN: "cn=DisabledUsersGroup,ou=groups,o=libregraph-idm"

  # GDPR report related settings.
  gdprReport:
    # -- Enables the GDPR report feature
    # -- Controls the separate GDPR integrations
    integrations:
      keycloak:
        # -- Enable keycloak data export.
        enabled: false
        # -- Base URI of keycloak.
        basePath: https://keycloak.owncloud.test
        # -- Client ID to authenticate against keycloak with.
        clientID: gdpr-exporter
        # -- Realm that the client ID is configured in, usually master.
        clientRealm: master
        # -- Realm that the users are in.
        userRealm: oCIS
        # -- Disables SSL certificate checking for connections to the GDPR export service.
        # Not recommended for production installations.
        insecure: false
  # Define custom roles here. Note that the definition will be either or. So you cannot provide a ConfigMap name and text at once.
  roles:
    # -- Define the roles by specifying a name of a ConfigMap which already contains the the role description (might also be defined in the `extraResources` section).
    # The ConfigMap needs to contain a file named `custom-roles.json` which holds the role description in JSON format
    # Please note that you have to restart the settings service manually if you change the content of you ConfigMap.
    customRolesConfigRef:
    # -- Define the roles by providing the JSON text here.
    customRoles: ""
  # Define quota settings.
  quotas:
    # -- Sets the maximum quota for spaces in bytes. So 1000 sets the max quota to 1KB.
    max:
    # -- Sets the default quota for spaces in bytes. So 1000 sets the default quota to 1KB. 0 means unlimited.
    default:
    # -- Sets specific quotas for roles
    roles: {}
    # roles:
    #   # User Role set to 2GB
    #   d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11: 2000000000
    #   # Administrator Role set to 100GB
    #   71881883-1768-46bd-a24d-a356a2afdf7f: 100000000000
    #   # Space Administrator Role set to 100GB
    #   2aadd357-682c-406b-8874-293091995fdd: 100000000000
  # Define virus scanning
  virusscan:
    # -- Enables virus scanning
    enabled: false
    # -- Define what should happen with infected files. Supported options are: 'delete', 'continue' and 'abort '.
    # Delete will delete the file.
    # Continue will mark the file as infected but continues further processing.
    # Abort will keep the file in the uploads folder for further admin inspection and will not move it to its final destination.
    infectedFileHandling: delete
    # -- Sets a maximum file size for scans. Only this many bytes of a file will be scanned. 0 means unlimited and is the default.
    # Usable common abbreviations: [KB, KiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
    maxScanSize:
    # -- Define icap parameters
    icap:
      # -- Sets the timeout for icap scans
      timeout: 300
      # -- Sets the icap url
      url: icap://127.0.0.1:1344
      # -- Sets the service to be used in icap
      service: avscan
  # Define policies
  policies:
    # -- Enables policies
    enabled: false
    # -- Sets the timeout the rego expression evaluation can take. The timeout can be set as number followed by a unit identifier
    # like ms, s, etc. Rules default to deny if the timeout was reached.
    engineTimeout: 10s
    # -- Sets the policies. Each policy file is defined by a `fileName` and a `content`. The content takes the rego script as text.
    # For further information, please have a look at https://doc.owncloud.com/ocis/next/deployment/services/s-list/policies.html
    # Attention: All scripts provided here will end up in a ConfigMap. The data stored in a ConfigMap cannot exceed 1 MiB. see
    # https://kubernetes.io/docs/concepts/configuration/configmap/#:~:text=The%20data%20stored%20in%20a,separate%20database%20or%20file%20service.
    policies: []
    # - fileName: proxy.rego
    #   content: |-
    #     package proxy
    #     default granted := true
    #
    # - fileName: postprocessing.rego
    #   content: |-
    #     package postprocessing
    #     default granted := true
    #
  # -- Edition of ownCloud Infinite Scale.
  edition: "Community"
  # Archiver settings
  archiver:
    # -- Max size in bytes of the zip archive the archiver can create.
    maxSize: 1073741824
    # -- Max number of files that can be packed into an archive.
    maxNumFiles: 10000
# Ingress for oCIS.
ingress:
  # -- Enables the Ingress.
  enabled: false
  # -- Ingress class to use.
  # Uses the default ingress class if not set.
  ingressClassName:
  # -- Ingress annotations.
  annotations: {}
  # -- Labels for the ingress.
  labels: {}
  # -- Ingress TLS configuration.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - ocis.owncloud.test

# References to ConfigMaps.
# The ConfigMaps need to be manually created.
# Leave these empty to have them autogenerated by the Helm chart.
# Note that ConfigMaps generated by the helm chart will be removed once the helm chart is uninstalled.
# Furthermore, if you already had ConfigMaps at the default locations, they will be NOT be overwritten,
# but the helm chart will claim ownership of them. If this is a problem, fill in the configRefs below
# with the names of your existing secrets.
# See https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them.
configRefs:
  # -- Reference to an existing storage-users config.
  storageusersConfigRef: ""
  # -- Reference to an existing graph config.
  graphConfigRef: ""
  # -- Optional reference to an existing web theme config.
  # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud for Web.
  # Does not get autogenerated.
  # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
  webThemeConfigRef: ""
  # -- Optional reference to an existing web theme assets config.
  # Will be mounted to /var/lib/ocis/web/assets/themes/owncloud/assets for Web.
  # Does not get autogenerated.
  # Hint: if you set this, you'll no longer be able to change the instance logo via the Web UI.
  webThemeAssetsConfigRef: ""

# References to secrets.
# Leave these empty to have them autogenerated by the Helm chart.
# Note that secrets generated by the helm chart will be removed once the helm chart is uninstalled.
# Furthermore, if you already had secrets at the default locations, they will be NOT be overwritten,
# but the helm chart will claim ownership of them. If this is a problem, fill in the secretRefs below
# with the names of your existing secrets.
# TODO: Update https://doc.owncloud.com/ocis/next/deployment/container/orchestration/orchestration.html#customize-the-generic-setup[doc.owncloud.com] for how to generate them.
secretRefs:
  # -- Reference to an existing admin user secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
  adminUserSecretRef: ""
  # -- Reference to an existing IDP secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
  idpSecretRef: ""
  # -- Reference to an existing JWT secret (see ref:Secrets#secrets).
  jwtSecretRef: ""
  # -- Reference to an existing keycloak client secret, used for the GDPR export. Only used if features.externalUserManagement.gdprExport.enabled equals true.
  gdprExportClientSecretRef: ""
  # -- Reference to an existing LDAP certificate authority secret (see ref:Secrets#secrets)
  ldapCaRef: ""
  # -- Reference to an existing LDAP cert secret (see ref:Secrets#secrets). Not used if `features.externalUserManagement.enabled` equals `true`.
  ldapCertRef: ""
  # -- Reference to an existing LDAP bind secret (see ref:Secrets#secrets).
  ldapSecretRef: ""
  # -- Reference to an existing machine auth api key secret (see ref:Secrets#secrets)
  machineAuthApiKeySecretRef: ""
  # -- Reference to an existing messaging system certificate authority secret (see ref:Secrets#secrets)
  messagingSystemCaRef: ""
  # -- Reference to an existing SMTP email server settings secret (see ref:Secrets#secrets).
  # Not used if `features.emailNotifications.enabled` equals `false`.
  # Not used if `features.emailNotifications.smtp.authentication` equals `none`.
  notificationsSmtpSecretRef: ""
  # -- Reference to an existing storage-system JWT secret (see ref:Secrets#secrets)
  storagesystemJwtSecretRef: ""
  # -- Reference to an existing storage-system secret (see ref:Secrets#secrets)
  storagesystemSecretRef: ""
  # -- Reference to an existing thumbnails transfer secret (see ref:Secrets#secrets)
  thumbnailsSecretRef: ""
  # -- Reference to an existing transfer secret (see ref:Secrets#secrets)
  transferSecretSecretRef: ""
  # -- Reference to an existing s3 secret (see ref:Secrets#secrets)
  # If not filled in, will attempt to use values in `.storageusers.storageBackend.s3.driverConfig.s3ng` instead.
  s3CredentialsSecretRef: ""

# Security context options.
securityContext:
  # -- File system group for all volumes.
  fsGroup: 1000
  # -- File system group change policy for all volumes.
  # Possible values "Always" and "OnRootMismatch".
  # This will also apply to all services' chownInitContainer.
  fsGroupChangePolicy: "OnRootMismatch"
  # -- User ID that all processes within any containers will run with.
  runAsUser: 1000
  # -- Group ID that all processes within any containers will run with.
  runAsGroup: 1000

# -- TopologySpreadConstraints controls how Pods of a service are spread across the cluster among failure-domains.
# Defaults to allow skew no more then 1 node per node.
# Passed through tpl and therefore needs to be configured as string.
topologySpreadConstraints: "" # |
#  - maxSkew: 1
#    topologyKey: kubernetes.io/hostname
#    whenUnsatisfiable: DoNotSchedule
#    labelSelector:
#      matchLabels:
#        app: {{ .appName }}

# -- Custom labels for all manifests
extraLabels: {}

# -- Override the deployment namespace of all resources in this Helm chart.
namespaceOverride:

# -- Number of replicas for each scalable service. Has no effect when `autoscaling.enabled` is set to `true`.
replicas: 1

# Default PodDisruptionBudget to apply to all services, except per-service PodDisruptionBudget configuration in `services.<service-name>.podDisruptionBudget` is set.
podDisruptionBudget:
  {}
  # -- Sets the maxUnavailable or the global PodDisruptionBudget.
  #maxUnavailable: 1

# Autoscaling settings.
autoscaling:
  # -- Enables autoscaling. When set to `true`, `replicas` is no longer applied.
  enabled: false
  # -- Sets minimum replicas for autoscaling.
  minReplicas: 3
  # -- Sets maximum replicas for autoscaling.
  maxReplicas: 10
  # -- Metrics to use for autoscaling
  metrics: []
# Kubernetes pre 1.25
#   metrics:
#   - type: Resource
#     resource:
#       name: cpu
#       targetAverageUtilization: 60
#   - type: Resource
#     resource:
#       name: memory
#       targetAverageUtilization: 60
# Kubernetes 1.25+
#   metrics:
#   - type: Resource
#     resource:
#       name: cpu
#       target:
#         type: Utilization
#         averageUtilization: 60
#   - type: Resource
#     resource:
#       name: memory
#       target:
#         type: Utilization
#         averageUtilization: 60

# -- Default resources to apply to all services, except per-service resources configuration in `services.<service-name>.resources` is set.
# Best practice is to:
# - set memory request == memory limit (compare to https://home.robusta.dev/blog/kubernetes-memory-limit)
# - set cpu request and omit cpu limit (compare to https://home.robusta.dev/blog/stop-using-cpu-limits)
resources:
  {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# -- Default resources to apply to all jobs in services, except per-service resources configuration in `services.<service-name>.jobResources` is set.
# Best practice is to:
# - set memory request == memory limit (compare to https://home.robusta.dev/blog/kubernetes-memory-limit)
# - set cpu request and omit cpu limit (compare to https://home.robusta.dev/blog/stop-using-cpu-limits)
jobResources:
  {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi


# Include arbitrary resources, eg. config maps or a cert-manager issuer (see example below)
# -- Extra resources to be included.
extraResources: []
#  - |
#    apiVersion: cert-manager.io/v1alpha2
#    kind: Issuer
#    metadata:
#      name: ocis-certificate-issuer
#      namespace: ocis
#    spec:
#      acme:
#        server: https://acme-v02.api.letsencrypt.org/directory
#        email: test@example.com
#        privateKeySecretRef:
#          name: ocis-certificate-issuer
#        solvers:
#        - http01:
#            ingress:
#              class: nginx

# per-service configuration.
services:
  # -- APP PROVIDER service. Not used if `features.appsIntegration.enabled` equals `false`.
  # @default -- see detailed service configuration options below
  appprovider:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Affinity settings for the approvider service.
    affinity: {}
    # -- Configuration for the appprovider service, every other service will have the same configuration.
    # The value of this key will be passed to the affinity setting of the pod as documented here:
    # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
    # This example will ensure that the pods will only be scheduled on nodes with the label `topology.kubernetes.io/zone`
    # set to `eu-west-1` or `eu-east-1`.
    # nodeAffinity:
    #   requiredDuringSchedulingIgnoredDuringExecution:
    #     nodeSelectorTerms:
    #     - matchExpressions:
    #       - key: topology.kubernetes.io/zone
    #         operator: In
    #         values:
    #         - eu-east-1
    #         - eu-west-1
    #
    # The following example will make sure that these pods will never be scheduled on the same node.
    # podAntiAffinity:
    #   requiredDuringSchedulingIgnoredDuringExecution:
    #     - labelSelector:
    #         matchExpressions:
    #           - key: app
    #             operator: In
    #             values:
    #               - appprovider
    #       topologyKey: "kubernetes.io/hostname"
    #
    # Do note that the value will be different for each service.
    # -- Per-service custom labels
    extraLabels: {}

  # -- APP REGISTRY service. Not used if `features.appsIntegration.enabled` equals `false`.
  # @default -- see detailed service configuration options below
  appregistry:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Affinity settings for the appregistry service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- AUDIT service.
  # @default -- see detailed service configuration options below
  audit:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the audit service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- AUTH BASIC service. Not used if `features.externalUserManagement.enabled` equals `true`.
  # @default -- see detailed service configuration options below
  authbasic:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the authbasic service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- AUTH MACHINE service.
  # @default -- see detailed service configuration options below
  authmachine:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the authmachine service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- ANTIVIRUS service. Not used if `features.virusscan.enabled` equals `false`.
  # @default -- see detailed service configuration options below
  antivirus:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the antivirus service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- EVENT HISTORY service.
  # @default -- see detailed service configuration options below
  eventhistory:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service store configuration for the eventhistory service. Overrides the default setting from `store` if set.
    store:
      {}
      # -- Configure the store type for the eventhistory service. Might be `memory`, `ocmem`, `etcd`, `redis`,
      # `redis-sentinel`, `nats-js` or `noop`
      #type:
      # -- Provide a list of comma-separated addresses of `etcd`, `redis`, `redis-sentinel` or `nats-js` servers here
      # if the proper store is selected
      # addresses: []
      # - "{{ .appNameNats }}:9233"
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the eventhistory service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- FRONTEND service.
  # @default -- see detailed service configuration options below
  frontend:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the frontend service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- GATEWAY service.
  # @default -- see detailed service configuration options below
  gateway:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the gateway service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- GRAPH service.
  # @default -- see detailed service configuration options below
  graph:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the graph service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- GROUPS service.
  # @default -- see detailed service configuration options below
  groups:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the groups service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- IDM service. Not used if `features.externalUserManagement.enabled` equals `true`.
  # @default -- see detailed service configuration options below
  idm:
    # -- Persistence settings.
    # @default -- see detailed persistence configuration options below
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations, except `features.externalUserManagement.enabled` equals `true`.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables a initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 10Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use a custom name for the PVC instead of the default one.
      claimName: ""
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Affinity settings for the idm service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- IDP service. Not used if `features.externalUserManagement.enabled` equals `true`.
  # @default -- see detailed service configuration options below
  idp:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Affinity settings for the idp service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- NATS service. Not used if `messagingSystem.external.enabled` equals `true`.
  # @default -- see detailed service configuration options below
  nats:
    # -- Persistence settings.
    # @default -- see detailed persistence configuration options below
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations, except `messagingSystem.external.enabled` equals `true`.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables a initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 10Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use a custom name for the PVC instead of the default one.
      claimName: ""
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Affinity settings for the nats service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- NOTIFICATIONS service. Not used if `features.emailNotifications.enabled` equals `true`.
  # @default -- see detailed service configuration options below
  notifications:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the notifications service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- OCDAV service.
  # @default -- see detailed service configuration options below
  ocdav:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the ocdav service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- OCS service.
  # @default -- see detailed service configuration options below
  ocs:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the ocs service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- POLICIES service.
  # @default -- see detailed service configuration options below
  policies:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the policies service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- POSTPROCESSING service.
  # @default -- see detailed service configuration options below
  postprocessing:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service store configuration for the eventhistory service. Overrides the default setting from `store` if set.
    store: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the postprocessing service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- PROXY service.
  # @default -- see detailed service configuration options below
  proxy:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the proxy service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- SEARCH service.
  # @default -- see detailed service configuration options below
  search:
    # -- Search Extractor settings.
    # @default -- see detailed search extractor configuration options below
    extractor:
      # -- Configures the search extractor type to be used. Possible extractors:
      # - `basic`: the default search extractor.
      # - `tika`: the Tika search extractor. If set to this value, additional settings in the `tika` section apply.
      type: basic
      # -- Configures the maximum file size in bytes that is allowed for content extraction.
      # For the default value see https://doc.owncloud.com/ocis/next/deployment/services/s-list/search.html
      sizeLimit:
      tika:
        # -- Set the URL to Tika. Only applicable if `services.search.extractor.type` == `tika`.
        url: http://tika.tika.svc.cluster.local:9998
    # -- Persistence settings.
    # @default -- see detailed persistence configuration options below
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables a initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 10Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use a custom name for the PVC instead of the default one.
      claimName: ""
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Affinity settings for the search service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- SETTINGS service.
  # @default -- see detailed service configuration options below
  settings:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the settings service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- SHARING service.
  # @default -- see detailed service configuration options below
  sharing:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the sharing service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- STORAGE-PUBLICLINK service.
  # @default -- see detailed service configuration options below
  storagepubliclink:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the storagepubliclink service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- STORAGE-SHARES service.
  # @default -- see detailed service configuration options below
  storageshares:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the storageshares service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- STORAGE-SYSTEM service.
  # @default -- see detailed service configuration options below
  storagesystem:
    # -- Persistence settings.
    # @default -- see detailed persistence configuration options below
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables a initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 5Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use a custom name for the PVC instead of the default one.
      claimName: ""
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the storagesystem service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- STORAGE-USERS service.
  # @default -- see detailed service configuration options below
  storageusers:
    storageBackend:
      # -- Configures the storage driver. Possible values are "ocis" and "s3ng".
      # The oCIS driver stores all data in the persistent volume if persistence is enabled.
      # The S3NG driver stores all metadata in the persistent volume and uploads blobs to s3 if persistence is enabled.
      driver: ocis
      driverConfig:
        ocis:
          # -- Metadata backend to use for the oCIS storage driver. Valid values are: "messagepack", "xattrs".
          metadataBackend: messagepack
        s3ng:
          # -- Metadata backend to use for the S3NG storage driver. Valid values are: "messagepack", "xattrs".
          metadataBackend: messagepack

          # The S3NG driver needs an existing S3 bucket with following permissions:
          # {
          #     "Version": "2012-10-17",
          #     "Statement": [
          #         {
          #             "Sid": "ListObjectsInBucket",
          #             "Effect": "Allow",
          #             "Action": ["s3:ListBucket"],
          #             "Resource": ["arn:aws:s3:::bucket-name"]
          #         },
          #         {
          #             "Sid": "AllObjectActions",
          #             "Effect": "Allow",
          #             "Action": "s3:*Object",
          #             "Resource": ["arn:aws:s3:::bucket-name/*"]
          #         }
          #     ]
          # }
          # -- S3 endpoint to use for the S3NG driver. Only used if driver is set to "s3ng".
          endpoint: https://localhost:1234
          # -- S3 region to use for the S3NG driver. Only used if driver is set to "s3ng".
          region: default
          # -- S3 bucket to use for the S3NG driver. Only used if driver is set to "s3ng".
          bucket: example-bucket
          # -- S3 access key to use for the S3NG driver. Only used if driver is set to "s3ng".
          # DEPRECATION WARNING: These values will be removed in the future. Predefine `secretRefs.s3CredentialsSecretRef` instead.
          accessKey: ""
          # -- S3 secret key to use for the S3NG driver. Only used if driver is set to "s3ng".
          # DEPRECATION WARNING: These values will be removed in the future. Predefine `secretRefs.s3CredentialsSecretRef` instead.
          secretKey: ""

    maintenance:
      # Expired uploads can be cleaned up automatically by enabling the clean up job.
      cleanUpExpiredUploads:
        # -- Enables a job, that cleans up expired uploads. Requires persistence to be enabled and RWX storage.
        enabled: false
        # -- Cron pattern for the job to be run. Defaults to every minute.
        schedule: "* * * * *"
        # -- Duration in seconds after which uploads will expire.
        #    WARNING: Setting this to a low number will lead to uploads being cancelled before they are finished and returning a 403 to the user.
        uploadExpiration: 86400
      # Expired trash bin items can be cleaned up automatically by enabling the purge exired trash bin items job.
      purgeExpiredTrashBinItems:
        # -- Enables a job, that purges expired trash bin items. Requires persistence to be enabled.
        enabled: false
        # -- Cron pattern for the job to be run. Defaults to every minute.
        schedule: "* * * * *"
        # -- User ID of a user that has permissions to list all personal and project spaces.
        purgeTrashBinUserID: ""
        # -- Setting that makes the command delete all trashed personal files older than the value. The value is a number and a unit "d", "h", "m", "s".
        personalDeleteBefore: 30d
        # -- Setting that makes the command delete all trashed project files older than the value. The value is a number and a unit "d", "h", "m", "s".
        projectDeleteBefore: 30d

    # -- Persistence settings.
    # @default -- see detailed persistence configuration options below
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables a initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 50Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use a custom name for the PVC instead of the default one.
      claimName: ""
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service jobResources configuration. Overrides the default setting from `jobResources` if set.
    jobResources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the storageusers service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- STORE service.
  # @default -- see detailed service configuration options below
  store:
    # -- Persistence settings.
    # @default -- see detailed persistence configuration options below
    persistence:
      # -- Enables persistence.
      # Needs to be enabled on production installations.
      # If not enabled, pod restarts will lead to data loss.
      # Also scaling this service beyond one instance is not possible if the service instances don't share the same storage.
      enabled: false
      # -- Enables a initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 5Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      finalizers:
        - kubernetes.io/pvc-protection
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use a custom name for the PVC instead of the default one.
      claimName: ""
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Affinity settings for the store service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- THUMBNAILS service.
  # @default -- see detailed service configuration options below
  thumbnails:
    # -- Persistence settings.
    # @default -- see detailed persistence configuration options below
    persistence:
      # -- Enables persistence.
      # Is recommended to be enabled on production installations.
      # If enabled, generated thumbnails are cached on this volume and available across pod restarts and service instances.
      # If not enabled, thumbnail generation might lead to higher CPU usage.
      enabled: false
      # -- Enables a initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance or persistence needs to be disabled.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 10Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      finalizers: []
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use a custom name for the PVC instead of the default one.
      claimName: ""
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service jobResources configuration. Overrides the default setting from `jobResources` if set.
    jobResources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Maintenance configuration for cleanup jobs.
    maintenance:
      cleanUpOldThumbnails:
        # -- Enables a job, that cleans up old thumbnails. Requires persistence to be enabled.
        enabled: false
        # -- Cron pattern for the job to be run. Defaults to every minute.
        schedule: "* * * * *"
        # -- Setting that makes the command delete all thumbnails older than the value. The value is a number in days.
        deleteBefore: 30
        # -- Method to use with BusyBox "find" for finding old thumbnails. Can be mtime, atime or ctime.
        method: atime
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the thumbnails service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- USERLOG service.
  # @default -- see detailed service configuration options below
  userlog:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service store configuration for the userlog service. Overrides the default setting from `store` if set.
    store:
      {}
      # -- Configure the store type for the userlog service. Might be `memory`, `ocmem`, `etcd`, `redis`,
      # `redis-sentinel`, `nats-js` or `noop`
      # type:
      # -- Provide a list of comma-separated addresses of `etcd`, `redis`, `redis-sentinel` or `nats-js` servers here
      # if the proper store is selected
      # addresses:
      # - "{{ .appNameNats }}:9233"
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the userlog service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- USERS service.
  # @default -- see detailed service configuration options below
  users:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the users service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- ownCloud WEB service.
  # @default -- see detailed service configuration options below
  web:
    # Configuration for web, that ends up in the config.json file.
    config:
      contextHelpersReadMore:
        # -- Specifies whether the “Read more” link should be displayed or not.
        enabled: true
      feedbackLink:
        # -- Enables the feedback link in the Web UI.
        enabled: true
        # -- URI where the feedback link points. Uses the ownCloud default href if empty.
        href: ""
        # -- Screen reader accessible label for the feedback link. Uses the ownCloud default label if empty.
        ariaLabel: ""
        # -- Description to be shown for the feedback link. Uses the ownCloud default description if empty.
        description: ""
      # -- Specifies which mimeTypes will be previewed in the UI.
      previewFileMimeTypes:
        []
        # - image/gif
        # - image/png
        # - image/jpeg
        # - text/plain
        # - image/tiff
        # - image/bmp
        # - image/x-ms-bmp
      # -- Configure the {"styles": []} section in the Web config.json.
      styles:
        []
        # - href: /theme/foo.css
      # -- Configure the {"styles": []} section in the Web config.json.
      scripts:
        []
        # - src: /theme/foo.js
        #   async: true
      # -- Configure custom translations
      customTranslations:
        []
        # - url: https://ocis.kube.owncloud.test/custom_translations.json
      # -- Configure the {"apps": []} section in the Web config.json.
      apps:
        []
        # default apps, add and remove apps as desired
        # - files
        # - search
        # - text-editor
        # - pdf-viewer
        # - external
        # - user-management
      # -- Configure the {"applications": []} section in the Web config.json.
      applications:
        []
        # example for an user manual homepage, that will be linked in the app drawer
        # - icon: book-read
        #   url: "https://manual.owncloud.test"
        #   target: _blank
        #   title:
        #     de: Anleitung
        #     en: Manual
      # -- Configure the {"external_apps": []} section in the Web config.json.
      externalApplications:
        []
        # default external application of Web, add and remove apps as desired
        # - id: preview
        #   path: web-app-preview
        #   config:
        #     mimeTypes:
        #       - image/tiff
        #       - image/bmp
        #       - image/x-ms-bmp
        # - id: settings
        #   path: /settings.js
      # Theme settings
      theme:
        # -- URL to load themes from. Will be prepended to the theme path. Defaults to the value of "externalDomain".
        server: ""
        # -- URL path to load themes from. The theme server will be prepended. Defaults to the ownCloud Web default theme.
        path: ""
      # URI where to redirect the user after a logout was performed. Defaults to the URI of the login page.
      postLogoutRedirectURI: ""
      # Specifies the target url valid for the logged out / access denied page.
      accessDeniedHelpURL: ""
      # Specifies the target url for the imprint link in the account menu.
      imprintURL:
      # Specifies the target url for the privacy link in the account menu.
      privacyURL:

    # -- Persistence settings.
    # @default -- see detailed persistence configuration options below
    persistence:
      # -- Enables persistence.
      # Is recommended to be enabled on production installations.
      # If enabled, generated thumbnails are cached on this volume and available across pod restarts and service instances.
      # If not enabled, thumbnail generation might lead to higher CPU usage.
      enabled: false
      # -- Enables a initContainer to chown the volume.
      # The initContainer is run as root.
      # This is not needed if the driver applies the fsGroup from the securityContext.
      chownInitContainer: false
      # -- Storage class to use.
      # Uses the default storage class if not set.
      storageClassName:
      # -- Persistent volume access modes. Needs to be `["ReadWriteMany"]` when scaling this service beyond one instance or persistence needs to be disabled.
      accessModes:
        - ReadWriteMany
      # -- Size of the persistent volume.
      size: 1Gi
      # -- Persistent volume annotations.
      annotations: {}
      # -- Persistent volume finalizers.
      finalizers: []
      # -- Persistent volume selector labels.
      selectorLabels: {}
      # -- Use a custom name for the PVC instead of the default one.
      claimName: ""
      # -- Use an existing PersistentVolumeClaim for persistence.
      existingClaim:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the web service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

  # -- WEBDAV service.
  # @default -- see detailed service configuration options below
  webdav:
    # -- Per-service resources configuration. Overrides the default setting from `resources` if set.
    resources: {}
    # -- Per-service PodDisruptionBudget. Overrides the default setting from `podDisruptionBudget` if set.
    podDisruptionBudget: {}
    # -- Per-service autoscaling. Overrides the default setting from `autoscaling` if set.
    autoscaling: {}
    # -- Affinity settings for the webdav service. See the documentation of this setting in approvider for examples.
    affinity: {}
    # -- Per-service custom labels
    extraLabels: {}

# -- Service monitoring configuration. Requires the monitoring.coreos.com/v1 CRDs to be installed.
monitoring:
  # -- Enable service monitoring.
  enabled: false
  # -- Interval at which to scrape metrics.
  interval: 60s
  # -- Scrape timeout.
  scrapeTimeout: 60s