A Helm chart for deploying Cryostat on Kubernetes and OpenShift.
Kubernetes: >= 1.25.0-0
The chart is available at the following repositories:
To install the chart, add the repository and install, for example:

```shell
helm repo add cryostat-charts https://cryostat.io/helm-charts
helm repo update
helm install cryostat cryostat-charts/cryostat
```

The chart is also available as an OCI image on GitHub Container Registry (ghcr.io). To install the chart, run:

```shell
helm install cryostat oci://ghcr.io/cryostatio/cryostat-helm --version $VERSION
```

To install the chart from source code, run:

```shell
git clone https://github.com/cryostatio/cryostat-helm
cd cryostat-helm
helm install cryostat ./charts/cryostat
```
See the sections below for the Helm chart values which can be used to configure various aspects of the Cryostat installation.

If further customizations are required to suit your deployment environment, choose the values that get you closest to what you need, then manually edit the resulting Kubernetes objects to suit your requirements. You may also consider using `helm install --dry-run` to render the Kubernetes YAML manifests without installing them, so that you can apply your own customization patches as needed.
When installed on OpenShift with `authentication.openshift.enabled=true`, the cluster's "service serving certificates" feature is used to enable managed TLS configuration on the exposed HTTP(S) ports. When installed with `authentication.openshift.enabled=false` but `oauth2Proxy.tls.selfSigned.enabled=true`, a self-signed TLS certificate is generated at installation time to serve a similar purpose. These self-signed TLS certificates are not managed, will not automatically rotate, and will expire after 365 days. You will need to manually rotate the certificates, or reinstall the chart, or else apply your own customizations to the Kubernetes manifests to automate TLS certificate issuance and rotation.
Name | Description | Value |
---|---|---|
`core` | Configuration for the core Cryostat application | |
`core.image.repository` | Repository for the main Cryostat container image | `quay.io/cryostat/cryostat` |
`core.image.pullPolicy` | Image pull policy for the main Cryostat container image | `Always` |
`core.image.tag` | Tag for the main Cryostat container image | `4.1.0-snapshot` |
`core.podAnnotations` | Annotations to be applied to the Cryostat Pods | `{}` |
`core.service.type` | Type of Service to create for the Cryostat application | `ClusterIP` |
`core.service.httpPort` | Port number to expose on the Service for Cryostat's HTTP server | `8181` |
`core.service.annotations` | Annotations to be applied to the Service for Cryostat's HTTP server | `{}` |
`core.debug.log.level` | Log level for troubleshooting and debugging | `INFO` |
`core.sslProxied` | Sets the SSL-proxied environment variables; useful when SSL/TLS is offloaded at an external load balancer instead of the Ingress | `false` |
`core.ingress.enabled` | Whether to create an Ingress object for the Cryostat service | `false` |
`core.ingress.className` | Ingress class name for the Cryostat application Ingress | `""` |
`core.ingress.annotations` | Annotations to apply to the Cryostat application Ingress | `{}` |
`core.ingress.hosts` | Hosts to create rules for in the Cryostat application Ingress. See: IngressSpec | `[]` |
`core.ingress.tls` | TLS configuration for the Cryostat application Ingress. See: IngressSpec | `[]` |
`core.route.enabled` | Whether to create a Route object for the Cryostat service. Available only on OpenShift | `false` |
`core.route.tls.enabled` | Whether to secure the Cryostat application Route with TLS. See: TLSConfig | `true` |
`core.route.tls.termination` | Type of TLS termination to use for the Cryostat application Route. One of: `edge`, `passthrough`, `reencrypt` | `edge` |
`core.route.tls.insecureEdgeTerminationPolicy` | Specify how to handle insecure traffic for the Cryostat application Route. One of: `Allow`, `Disable`, `Redirect` | `Redirect` |
`core.route.tls.key` | Custom private key to use when securing the Cryostat application Route | `""` |
`core.route.tls.certificate` | Custom certificate to use when securing the Cryostat application Route | `""` |
`core.route.tls.caCertificate` | Custom CA certificate to use, if needed to complete the certificate chain, when securing the Cryostat application Route | `""` |
`core.route.tls.destinationCACertificate` | Provides the contents of the CA certificate of the final destination when using `reencrypt` termination for the Cryostat application Route | `""` |
`core.resources.requests.cpu` | CPU resource request for the Cryostat container. See: ResourceRequirements | `500m` |
`core.resources.requests.memory` | Memory resource request for the Cryostat container | `384Mi` |
`core.securityContext` | Security Context for the Cryostat container. Defaults to meet the "restricted" Pod Security Standard. See: SecurityContext | `{}` |
`core.databaseSecretName` | Name of the Secret containing database keys. This Secret must contain a `CONNECTION_KEY` key, which is the database connection password, and an `ENCRYPTION_KEY` key, which is the key used to encrypt sensitive data stored within the database, such as the target credentials keyring. It must not be updated across chart upgrades. It is recommended that the Secret be marked as immutable to avoid accidental changes to its data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` |
`core.discovery` | Configuration options for the Cryostat application's target discovery mechanisms | |
`core.discovery.kubernetes.enabled` | Enables the Kubernetes API discovery mechanism | `true` |
`core.discovery.kubernetes.installNamespaceDisabled` | When `false` and `namespaces` is empty, the Cryostat application will default to discovering targets in the install namespace (i.e. `{{ .Release.Namespace }}`) | `false` |
`core.discovery.kubernetes.namespaces` | List of namespaces whose workloads the Cryostat application should be permitted to access and profile | `[]` |
`core.discovery.kubernetes.builtInPortNamesDisabled` | When `false` and `portNames` is empty, the Cryostat application will use the default port name `jfr-jmx` to look for JMX connectable targets | `false` |
`core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` |
`core.discovery.kubernetes.builtInPortNumbersDisabled` | When `false` and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets | `false` |
`core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` |
`core.config.declarative.fsMode` | Default filesystem mode (permissions) for declarative configuration volumes | `440` |
`core.config.credentials.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are JSON Stored Credentials, to be mounted into the Cryostat container | `[]` |
`core.config.rules.configMapNames` | List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are automated rule definitions, to be mounted into the Cryostat container | `[]` |
`core.config.probeTemplates.configMapNames` | List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are XML JMC Agent Probe Templates, to be mounted into the Cryostat container | `[]` |
`core.config.eventTemplates.configMapNames` | List of ConfigMap names. Each ConfigMap is expected to contain one or more files, which are `.jfc` (XML) JFR Event Templates, to be mounted into the Cryostat container | `[]` |
`core.config.tlsTruststore.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates that target applications may use for their JMX servers, to be mounted into the Cryostat container for its TLS truststore | `[]` |
`core.config.extra` | Extra configurations for the main Cryostat container | |
`core.config.extra.envVars` | Extra environment variables for the main Cryostat container. See: Define Environment Variables | `[]` |
`core.config.extra.envSources` | Sources for extra variables for the main Cryostat container. See: Define Environment Variables From ConfigMap | `[]` |
`core.nodeSelector` | Node Selector for the Cryostat Pod. See: NodeSelector | `{}` |
`core.tolerations` | Tolerations for the Cryostat Pod. See: Tolerations | `[]` |
`core.affinity` | Affinity for the Cryostat Pod. See: Affinity | `{}` |
Name | Description | Value |
---|---|---|
`reports` | Configuration for the Reports Generator deployment | |
`reports.image.repository` | Repository for the Report Generator container image | `quay.io/cryostat/cryostat-reports` |
`reports.image.pullPolicy` | Image pull policy for the Report Generator container image | `Always` |
`reports.image.tag` | Tag for the Report Generator image | `4.1.0-snapshot` |
`reports.podAnnotations` | Annotations to be applied to the Report Generator Pods | `{}` |
`reports.service.type` | Type of Service to create for the Report Generator Deployment | `ClusterIP` |
`reports.service.httpPort` | Port number to expose on the Service for the Report Generator Deployment | `10001` |
`reports.service.annotations` | Annotations to be applied to the Service for the Report Generator Deployment | `{}` |
`reports.reportsSecretName` | Name of the Secret containing the report generator access keys. This Secret must contain a `REPORTS_PASS` key, which is the secret credential for the report generators. It must not be updated across chart upgrades, or else the connection between Cryostat and the report generators will not be able to initialize. It is recommended that the Secret be marked as immutable to avoid accidental changes to its data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` |
`reports.debug.log.level` | Log level for troubleshooting and debugging | `INFO` |
`reports.replicas` | Number of Report Generator replicas to deploy. If zero, the Deployment and Service will not be created and the main Cryostat container will handle all report generation on its own | `0` |
`reports.resources.requests.cpu` | CPU resource request for each Pod in the Report Generator Deployment | `500m` |
`reports.resources.requests.memory` | Memory resource request for each Pod in the Report Generator Deployment | `512Mi` |
`reports.securityContext` | Security Context for the Report Generator containers. Defaults to meet the "restricted" Pod Security Standard. See: SecurityContext | `{}` |
`reports.config.extra` | Extra configurations for the Report Generator container | |
`reports.config.extra.envVars` | Extra environment variables for the Report Generator container. See: Define Environment Variables | `[]` |
`reports.config.extra.envSources` | Sources for extra variables for the Report Generator container. See: Define Environment Variables From ConfigMap | `[]` |
`reports.nodeSelector` | Node Selector for the Report Generator Pods. See: NodeSelector | `{}` |
`reports.tolerations` | Tolerations for the Report Generator Pods. See: Tolerations | `[]` |
`reports.affinity` | Affinity for the Report Generator Pods. See: Affinity | `{}` |
Name | Description | Value |
---|---|---|
`db` | Configuration for Cryostat's database | |
`db.image.repository` | Repository for the database container image | `quay.io/cryostat/cryostat-db` |
`db.image.pullPolicy` | Image pull policy for the database container image | `Always` |
`db.image.tag` | Tag for the database container image | `latest` |
`db.podAnnotations` | Annotations to be applied to the Database Pods | `{}` |
`db.service.type` | Type of Service to create for the database | `ClusterIP` |
`db.service.port` | Port number to expose on the Service | `5432` |
`db.service.annotations` | Annotations to be applied to the Service for the database | `{}` |
`db.resources.requests.cpu` | CPU resource request for the database container. See: ResourceRequirements | `25m` |
`db.resources.requests.memory` | Memory resource request for the database container | `64Mi` |
`db.pvc.enabled` | Specify whether to use a persistentVolumeClaim (`true`) or EmptyDir storage (`false`). Enabling this is recommended, but the storage size and selector should be chosen carefully first | `false` |
`db.pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` |
`db.pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` |
`db.pvc.accessModes` | Access mode for the persistentVolumeClaim. See: Access Modes | `["ReadWriteOnce"]` |
`db.pvc.selector` | Selector for the persistentVolumeClaim. See: Selector | `{}` |
`db.pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. See: Class | `undefined` |
`db.securityContext` | Security Context for the database container. Defaults to meet the "restricted" Pod Security Standard. See: SecurityContext | `{}` |
`db.config.extra` | Extra configurations for the database container | |
`db.config.extra.envVars` | Extra environment variables for the database container. See: Define Environment Variables | `[]` |
`db.config.extra.envSources` | Sources for extra variables for the database container. See: Define Environment Variables From ConfigMap | `[]` |
`db.nodeSelector` | Node Selector for the Database Pod. See: NodeSelector | `{}` |
`db.tolerations` | Tolerations for the Database Pod. See: Tolerations | `[]` |
`db.affinity` | Affinity for the Database Pod. See: Affinity | `{}` |
Name | Description | Value |
---|---|---|
`storage` | Configuration for Cryostat's object storage provider | |
`storage.storageSecretName` | Name of the Secret containing the object storage secret access key. This Secret must contain a `STORAGE_ACCESS_KEY` key, which is the object storage secret access key. It must not be updated across chart upgrades, or else the connection between Cryostat components and object storage will not be able to initialize. It is recommended that the Secret be marked as immutable to avoid accidental changes to its data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` |
`storage.image.repository` | Repository for the storage container image | `quay.io/cryostat/cryostat-storage` |
`storage.image.pullPolicy` | Image pull policy for the storage container image | `Always` |
`storage.image.tag` | Tag for the storage container image | `latest` |
`storage.encryption.enabled` | Enable at-rest encryption of stored objects. The storage container will generate a secret key for each stored object and use this key to encrypt and decrypt objects transparently. The key is written to the object metadata, so in the default storage container configuration this only adds a small layer of additional security | `true` |
`storage.podAnnotations` | Annotations to be applied to the Storage Pods | `{}` |
`storage.service.type` | Type of Service to create for the object storage | `ClusterIP` |
`storage.service.port` | Port number to expose on the Service | `8333` |
`storage.service.annotations` | Annotations to be applied to the Service for the object storage | `{}` |
`storage.resources.requests.cpu` | CPU resource request for the object storage container. See: ResourceRequirements | `50m` |
`storage.resources.requests.memory` | Memory resource request for the object storage container | `256Mi` |
`storage.pvc.enabled` | Specify whether to use a persistentVolumeClaim (`true`) or EmptyDir storage (`false`). Enabling this is recommended, but the storage size and selector should be chosen carefully first | `false` |
`storage.pvc.annotations` | Annotations to add to the persistentVolumeClaim | `{}` |
`storage.pvc.storage` | Storage size to request for the persistentVolumeClaim | `500Mi` |
`storage.pvc.accessModes` | Access mode for the persistentVolumeClaim. See: Access Modes | `["ReadWriteOnce"]` |
`storage.pvc.selector` | Selector for the persistentVolumeClaim. See: Selector | `{}` |
`storage.pvc.storageClassName` | The name of the StorageClass for the persistentVolumeClaim. See: Class | `undefined` |
`storage.securityContext` | Security Context for the storage container. Defaults to meet the "restricted" Pod Security Standard. See: SecurityContext | `{}` |
`storage.config.extra` | Extra configurations for the object storage container | |
`storage.config.extra.envVars` | Extra environment variables for the object storage container. See: Define Environment Variables | `[]` |
`storage.config.extra.envSources` | Sources for extra variables for the object storage container. See: Define Environment Variables From ConfigMap | `[]` |
`storage.nodeSelector` | Node Selector for the Storage Pod. See: NodeSelector | `{}` |
`storage.tolerations` | Tolerations for the Storage Pod. See: Tolerations | `[]` |
`storage.affinity` | Affinity for the Storage Pod. See: Affinity | `{}` |
Name | Description | Value |
---|---|---|
`grafana` | Configuration for the customized Grafana instance for Cryostat | |
`grafana.image.repository` | Repository for the Grafana container image | `quay.io/cryostat/cryostat-grafana-dashboard` |
`grafana.image.pullPolicy` | Image pull policy for the Grafana container image | `Always` |
`grafana.image.tag` | Tag for the Grafana container image | `latest` |
`grafana.resources.requests.cpu` | CPU resource request for the Grafana container. See: ResourceRequirements | `25m` |
`grafana.resources.requests.memory` | Memory resource request for the Grafana container | `80Mi` |
`grafana.securityContext` | Security Context for the Grafana container. Defaults to meet the "restricted" Pod Security Standard. See: SecurityContext | `{}` |
`grafana.config.extra` | Extra configurations for the Grafana container | |
`grafana.config.extra.envVars` | Extra environment variables for the Grafana container. See: Define Environment Variables | `[]` |
`grafana.config.extra.envSources` | Sources for extra variables for the Grafana container. See: Define Environment Variables From ConfigMap | `[]` |
`grafana.nodeSelector` | Node Selector for the Grafana Pod. See: NodeSelector | `{}` |
`grafana.tolerations` | Tolerations for the Grafana Pod. See: Tolerations | `[]` |
Name | Description | Value |
---|---|---|
`datasource` | Configuration for the JFR Data Source component, which translates recording events into a format consumable by Grafana | |
`datasource.image.repository` | Repository for the JFR Data Source container image | `quay.io/cryostat/jfr-datasource` |
`datasource.image.pullPolicy` | Image pull policy for the JFR Data Source container image | `Always` |
`datasource.image.tag` | Tag for the JFR Data Source container image | `latest` |
`datasource.resources.requests.cpu` | CPU resource request for the JFR Data Source container. See: ResourceRequirements | `200m` |
`datasource.resources.requests.memory` | Memory resource request for the JFR Data Source container | `200Mi` |
`datasource.securityContext` | Security Context for the JFR Data Source container. Defaults to meet the "restricted" Pod Security Standard. See: SecurityContext | `{}` |
`datasource.config.extra` | Extra configurations for the JFR Data Source container | |
`datasource.config.extra.envVars` | Extra environment variables for the JFR Data Source container. See: Define Environment Variables | `[]` |
`datasource.config.extra.envSources` | Sources for extra variables for the JFR Data Source container. See: Define Environment Variables From ConfigMap | `[]` |
`datasource.nodeSelector` | Node Selector for the JFR Data Source Pod. See: NodeSelector | `{}` |
`datasource.tolerations` | Tolerations for the JFR Data Source Pod. See: Tolerations | `[]` |
Name | Description | Value |
---|---|---|
`authentication.cookieSecretName` | Name of the Secret containing the authenticating proxy's cookie encryption key. This Secret must contain a `COOKIE_SECRET` key, which is the cookie encryption key. It must not be updated across chart upgrades, or else existing user login sessions will be invalidated. It is recommended that the Secret be marked as immutable to avoid accidental changes to its data. More details: https://kubernetes.io/docs/concepts/configuration/secret/#secret-immutable | `""` |
`authentication.openshift.enabled` | Whether the OAuth Proxy deployed for securing Cryostat's Pods should be one that integrates with OpenShift-specific features, or a generic one | `false` |
`authentication.openshift.clusterRole.name` | The name of the ClusterRole to bind for the OpenShift OAuth Proxy | `system:auth-delegator` |
`authentication.basicAuth.enabled` | Whether Cryostat should use basic authentication for users. When `false`, Cryostat will not perform any form of authentication | `false` |
`authentication.basicAuth.secretName` | Name of the Secret within Cryostat's namespace that contains the credentials (required if basicAuth is enabled) | `""` |
`authentication.basicAuth.filename` | Key within the Secret containing the htpasswd file. The file should contain one user definition entry per line, with the syntax `user:passHash`, where `user` is the username and `passHash` is the bcrypt hash of the desired password. Such an entry can be generated with, e.g., `htpasswd -nbB username password` (required if basicAuth is enabled) | `""` |
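The `databaseSecretName`, `reportsSecretName`, `storageSecretName` and `cookieSecretName` values above all point at pre-created Secrets that must carry specific keys and that the chart recommends marking immutable, and `basicAuth.filename` must name a key holding bcrypt htpasswd lines. The following is an added example, not part of the chart, that checks operator-created Secret manifests against those requirements before `helm install`; the values and Secrets are constructed here as plain dicts rather than parsed from YAML, and the helper names are the example's own.

```python
# Added example, not chart code: check the Secrets a Cryostat chart install references
# (values given as a dict, Secret manifests as dicts) against what the README requires.
import base64
import re

# values path -> keys the referenced Secret must carry (from the chart's value descriptions)
REQUIRED_SECRET_KEYS = {
    "core.databaseSecretName": ("CONNECTION_KEY", "ENCRYPTION_KEY"),
    "reports.reportsSecretName": ("REPORTS_PASS",),
    "storage.storageSecretName": ("STORAGE_ACCESS_KEY",),
    "authentication.cookieSecretName": ("COOKIE_SECRET",),
}
# bcrypt as emitted by `htpasswd -B`: $2y$ (or $2a$/$2b$), two-digit cost, 53 chars of salt+hash
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

def lookup(values, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def secret_contents(secret):
    """Merge base64 `data` and plain `stringData` into one {key: str} mapping."""
    out = {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}
    out.update(secret.get("stringData", {}))
    return out

def check_htpasswd(content):
    """Each non-empty line must be user:passHash with a bcrypt hash."""
    problems = []
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip():
            continue
        user, sep, pw_hash = line.partition(":")
        if not sep or not user:
            problems.append(f"htpasswd line {lineno}: expected 'user:passHash'")
        elif not BCRYPT_RE.match(pw_hash):
            problems.append(f"htpasswd line {lineno}: hash for {user!r} is not bcrypt")
    return problems

def check_values(values, secrets):
    """Return findings as strings; an empty list means the referenced Secrets are consistent."""
    findings = []
    for path, keys in REQUIRED_SECRET_KEYS.items():
        name = lookup(values, path)
        if not name:
            continue  # empty: the chart generates this Secret itself
        secret = secrets.get(name)
        if secret is None:
            findings.append(f"{path}: Secret {name!r} does not exist")
            continue
        data = secret_contents(secret)
        findings += [f"{path}: Secret {name!r} lacks key {k}" for k in keys if k not in data]
        if secret.get("immutable") is not True:
            findings.append(f"{path}: Secret {name!r} should be immutable")
    auth = lookup(values, "authentication.basicAuth") or {}
    if auth.get("enabled"):
        name, filename = auth.get("secretName"), auth.get("filename")
        secret = secrets.get(name) if name else None
        if secret is None:
            findings.append("authentication.basicAuth: secretName must name an existing Secret")
        elif filename not in secret_contents(secret):
            findings.append(f"authentication.basicAuth: key {filename!r} missing from {name!r}")
        else:
            findings += check_htpasswd(secret_contents(secret)[filename])
    return findings

# Constructed sample input: a values fragment and the Secrets an operator pre-created.
SAMPLE_VALUES = {
    "core": {"databaseSecretName": "cryostat-db"},
    "storage": {"storageSecretName": "cryostat-storage"},
    "authentication": {"cookieSecretName": "", "basicAuth": {
        "enabled": True, "secretName": "cryostat-users", "filename": "htpasswd"}},
}
SAMPLE_SECRETS = {
    "cryostat-db": {"immutable": True, "data": {"CONNECTION_KEY": "cGFzcw==", "ENCRYPTION_KEY": "a2V5"}},
    "cryostat-storage": {"data": {"STORAGE_ACCESS_KEY": "c2VjcmV0"}},  # immutable flag forgotten
    "cryostat-users": {"immutable": True, "stringData": {
        "htpasswd": "alice:$2y$05$" + "a" * 53 + "\nbob:plaintext\n"}},
}
```

Running `check_values(SAMPLE_VALUES, SAMPLE_SECRETS)` on the constructed input reports the storage Secret that is not immutable and the htpasswd entry whose password is not a bcrypt hash.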
Name | Description | Value |
---|---|---|
`oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` |
`oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` |
`oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` |
`oauth2Proxy.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used | `false` |
`oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container | `25m` |
`oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container | `64Mi` |
`oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet the "restricted" Pod Security Standard. See: SecurityContext | `{}` |
`oauth2Proxy.config.extra` | Extra configurations for the OAuth2 Proxy container | |
`oauth2Proxy.config.extra.envVars` | Extra environment variables for the OAuth2 Proxy container. See: Define Environment Variables | `[]` |
`oauth2Proxy.config.extra.envSources` | Sources for extra variables for the OAuth2 Proxy container. See: Define Environment Variables From ConfigMap | `[]` |
`oauth2Proxy.config.extra.inPod.main.envVars` | Extra environment variables for the OAuth2 Proxy container only in the Cryostat main Pod | `[]` |
`oauth2Proxy.config.extra.inPod.main.envSources` | Sources for extra variables for the OAuth2 Proxy container only in the Cryostat main Pod | `[]` |
`oauth2Proxy.config.extra.inPod.reports.envVars` | Extra environment variables for the OAuth2 Proxy container only in the report generator Pods | `[]` |
`oauth2Proxy.config.extra.inPod.reports.envSources` | Sources for extra variables for the OAuth2 Proxy container only in the report generator Pods | `[]` |
Name | Description | Value |
---|---|---|
`openshiftOauthProxy.image.repository` | Repository for the OpenShift OAuth Proxy container image | `quay.io/cryostat/openshift-oauth-proxy` |
`openshiftOauthProxy.image.pullPolicy` | Image pull policy for the OpenShift OAuth Proxy container image | `Always` |
`openshiftOauthProxy.image.tag` | Tag for the OpenShift OAuth Proxy container image | `cryostat-v3.0` |
`openshiftOauthProxy.resources.requests.cpu` | CPU resource request for the OpenShift OAuth Proxy container | `25m` |
`openshiftOauthProxy.resources.requests.memory` | Memory resource request for the OpenShift OAuth Proxy container | `64Mi` |
`openshiftOauthProxy.accessReview.enabled` | Whether the SubjectAccessReview/TokenAccessReview role checks for users and clients are enabled. If this is disabled then the proxy will only check that the user has valid credentials or holds a valid token; it will not check what the user is authorized to do | `true` |
`openshiftOauthProxy.accessReview.group` | The OpenShift resource group that the SubjectAccessReview/TokenAccessReview will be performed for. See https://github.com/openshift/oauth-proxy/?tab=readme-ov-file#delegate-authentication-and-authorization-to-openshift-for-infrastructure | `""` |
`openshiftOauthProxy.accessReview.resource` | The OpenShift resource that the SubjectAccessReview/TokenAccessReview will be performed for | `pods` |
`openshiftOauthProxy.accessReview.subresource` | The OpenShift subresource that the SubjectAccessReview/TokenAccessReview will be performed for | `exec` |
`openshiftOauthProxy.accessReview.name` | The OpenShift resource name that the SubjectAccessReview/TokenAccessReview will be performed for | `""` |
`openshiftOauthProxy.accessReview.namespace` | The OpenShift namespace that the SubjectAccessReview/TokenAccessReview will be performed for | `{{ .Release.Namespace }}` |
`openshiftOauthProxy.accessReview.verb` | The OpenShift verb that the SubjectAccessReview/TokenAccessReview will be performed for | `create` |
`openshiftOauthProxy.accessReview.version` | The OpenShift resource version that the SubjectAccessReview/TokenAccessReview will be performed for | `""` |
`openshiftOauthProxy.securityContext` | Security Context for the OpenShift OAuth Proxy container. Defaults to meet the "restricted" Pod Security Standard. See: SecurityContext | `{}` |
`openshiftOauthProxy.config.extra` | Extra configurations for the OpenShift OAuth Proxy | |
`openshiftOauthProxy.config.extra.envVars` | Extra environment variables for the OpenShift OAuth Proxy. See: Define Environment Variables | `[]` |
`openshiftOauthProxy.config.extra.envSources` | Sources for extra variables for the OpenShift OAuth Proxy. See: Define Environment Variables From ConfigMap | `[]` |
`openshiftOauthProxy.config.extra.inPod.main.envVars` | Extra environment variables for the OpenShift OAuth Proxy only in the Cryostat main Pod | `[]` |
`openshiftOauthProxy.config.extra.inPod.main.envSources` | Sources for extra variables for the OpenShift OAuth Proxy only in the Cryostat main Pod | `[]` |
`openshiftOauthProxy.config.extra.inPod.reports.envVars` | Extra environment variables for the OpenShift OAuth Proxy only in the report generator Pods | `[]` |
`openshiftOauthProxy.config.extra.inPod.reports.envSources` | Sources for extra variables for the OpenShift OAuth Proxy only in the report generator Pods | `[]` |
Name | Description | Value |
---|---|---|
`imagePullSecrets` | Image pull secrets to be used for the Cryostat deployment | `[]` |
`nameOverride` | Overrides the name of this Chart | `""` |
`fullnameOverride` | Overrides the fully qualified application name of `[release name]-[chart name]` | `""` |
`rbac.create` | Specifies whether RBAC resources should be created | `true` |
`serviceAccount.create` | Specifies whether a service account should be created | `true` |
`serviceAccount.annotations` | Annotations to add to the service account | `{}` |
`serviceAccount.name` | The name of the service account to use. If not set and `create` is `true`, a name is generated using the fullname template | `""` |
`podAnnotations` | Annotations to be applied to the various Pods | `{}` |
`podSecurityContext` | Security Context for the Cryostat Pod. Defaults to meet the "restricted" Pod Security Standard. See: PodSecurityContext | `{}` |
`networkPolicy.ingress.enabled` | Whether a NetworkPolicy restricting traffic to the Cryostat component Pods is installed. This prevents other Pods from sending unwanted traffic to Cryostat's Pods. Traffic should flow via the Service (or Route, or other Ingress) only, not by directly targeting Pods | `true` |
`nodeSelector` | Default Node Selector for the various Pods. Any Pod which does not have an individual `nodeSelector` setting will default to this. See: NodeSelector | `{}` |
`tolerations` | Default Tolerations for the various Pods. See: Tolerations | `[]` |
`affinity` | Default Affinity for the various Pods. See: Affinity | `{}` |