values.yaml

# Default values for Nublado.

image:
  # -- Nublado image to use
  repository: "ghcr.io/lsst-sqre/nublado"

  # -- Pull policy for the Nublado image
  pullPolicy: "IfNotPresent"

  # -- Tag of Nublado image to use
  # @default -- The appVersion of the chart
  tag: null

controller:
  # -- Affinity rules for the Nublado controller
  affinity: {}

  # -- If Google Artifact Registry is used as the image source, the Google
  # service account that has an IAM binding to the `nublado-controller`
  # Kubernetes service account and has the Artifact Registry reader role
  # @default -- None, must be set when using Google Artifact Registry
  googleServiceAccount: null

  ingress:
    # -- Additional annotations to add for the Nublado controller ingress
    annotations: {}

  # -- Node selector rules for the Nublado controller
  nodeSelector: {}

  # -- Annotations for the Nublado controller
  podAnnotations: {}

  # -- Resource limits and requests for the Nublado controller
  # @default -- See `values.yaml`
  resources:
    limits:
      cpu: "1"
      memory: "1Gi"
    requests:
      cpu: "0.05"
      memory: "200Mi"

  # -- Whether to enable Slack alerts. If set to true, `slack_webhook` must be
  # set in the corresponding Nublado Vault secret.
  slackAlerts: false

  # -- Tolerations for the Nublado controller
  # @default -- Tolerate GKE arm64 taint
  tolerations:
    - key: "kubernetes.io/arch"
      operator: "Equal"
      value: "arm64"
      effect: "NoSchedule"

  # Passed as YAML to the lab controller.
  config:
    # -- Level of Python logging
    logLevel: "INFO"

    # -- Path prefix that will be routed to the controller
    pathPrefix: "/nublado"

    fileserver:
      # -- Enable user file servers
      enabled: false

      # -- Affinity rules for user file server pods
      affinity: {}

      # -- Argo CD application in which to collect user file servers
      application: "nublado-fileservers"

      # -- Timeout to wait for Kubernetes to create file servers, in Safir
      # `parse_timedelta` format
      creationTimeout: 3m

      # -- Timeout for deleting a user's file server from Kubernetes, in Safir
      # `parse_timedelta` format
      deleteTimeout: 2m

      # -- Timeout for idle user fileservers, in Safir `parse_timedelta`
      # format
      idleTimeout: 1d

      # -- Namespace for user file servers
      namespace: "fileservers"

      # -- Node selector rules for user file server pods
      nodeSelector: {}

      # -- Path prefix for user file servers
      pathPrefix: "/files"

      # -- How frequently to reconcile file server state against Kubernetes to
      # catch deletions from outside Nublado, in Safir `parse_timedelta`
      # format
      reconcileInterval: "1h"

      # -- Resource requests and limits for user file servers
      # @default -- See `values.yaml`
      resources:
        requests:
          cpu: 0.1
          memory: "1Gi"
        limits:
          cpu: 1
          memory: "10Gi"

      # -- Tolerations for user file server pods
      # @default -- Tolerate GKE arm64 taint
      tolerations:
        - key: "kubernetes.io/arch"
          operator: "Equal"
          value: "arm64"
          effect: "NoSchedule"

      # -- Volumes that should be made available via WebDAV
      volumeMounts: []
      # volumeMounts:
      # - containerPath: "/project"
      #   readOnly: true
      #   volumeName: "project"

    fsadmin:
      # -- Affinity rules for fsadmin pods
      affinity: {}

      # -- Argo CD application in which to collect fsadmins
      application: "nublado-fileservers"

      # -- Extra volumes that should be made available to fsadmin
      extraVolumes: []

      # -- Extra volumes that should be mounted to fsadmin
      extraVolumeMounts: []

      # -- Mount prefix, to be prepended to mountpoints in order to
      # collect them in one place
      mountPrefix: null

      # -- Node selector rules for fsadmin pods
      nodeSelector: {}

      # -- Resource requests and limits for fsadmin
      # @default -- See `values.yaml`
      resources:
        requests:
          cpu: 0.1
          memory: "250Mi"
        limits:
          cpu: 1
          memory: "10Gi"

      # -- Timeout to wait for Kubernetes to create/destroy fsadmin, in Safir
      # `parse_timedelta` format
      timeout: 2m

      # -- Tolerations for fsadmin pod
      # @default -- Tolerate GKE arm64 taint
      tolerations:
        - key: "kubernetes.io/arch"
          operator: "Equal"
          value: "arm64"
          effect: "NoSchedule"

    images:
      # -- How long to wait for a prepull of a pod to finish before deciding
      # it has failed, in Safir `parse_timedelta` format.
      prepullTimeout: "10m"

      # -- How frequently to refresh the list of available images and compare
      # it to the cached images on nodes to prepull new images, in Safir
      # `parse_timedelta` format. Newly-available images will not appear in
      # the menu for up to this interval.
      refreshInterval: "5m"

      # -- Source for prepulled images. For Docker, set `type` to `docker`,
      # `registry` to the hostname and `repository` to the name of the
      # repository. For Google Artifact Repository, set `type` to `google`,
      # `location` to the region, `projectId` to the Google project,
      # `repository` to the name of the repository, and `image` to the name of
      # the image.
      # @default -- None, must be specified
      source: {}

      # -- Tag marking the recommended image (shown first in the menu)
      recommendedTag: "recommended"

      # -- Number of most-recent releases to prepull.
      numReleases: 1

      # -- Number of most-recent weeklies to prepull.
      numWeeklies: 2

      # -- Number of most-recent dailies to prepull.
      numDailies: 3

      # -- Restrict images to this SAL cycle, if given.
      cycle: null

      # -- List of additional image tags to prepull. Listing the image tagged
      # as recommended here is recommended when using a Docker image source to
      # ensure its name can be expanded properly in the menu.
      pin: []

      # -- Additional tags besides `recommendedTag` that should be recognized
      # as aliases.
      aliasTags: []

    lab:
      # -- How frequently the lab should report activity to JupyterHub in
      # Safir `parse_timedelta` format
      activityInterval: 1h

      # -- Affinity rules for user lab pods
      affinity: {}

      # -- Argo CD application in which to collect user lab objects
      application: "nublado-users"

      # -- Default size selected on the spawner form. This must be either
      # `null` or the name of one of the sizes listed in `sizes`. If `null`,
      # the first listed size will be the default.
      defaultSize: "large"

      # -- Timeout for deleting a user's lab resources from Kubernetes in
      # Safir `parse_timedelta` format
      deleteTimeout: 1m

      # -- Select where `/tmp` and `/lab_startup` in the lab will come
      # from. Choose between `disk` (node-local ephemeral storage) and
      # `memory` (tmpfs capped at 25% of the available memory for `/tmp`).
      emptyDirSource: "memory"

      # -- Environment variables to set for every user lab
      # @default -- See `values.yaml`
      env:
        API_ROUTE: "/api"
        ARROW_DEFAULT_MEMORY_POOL: "jemalloc"  # Arrow >17 memory leak hack
        AUTO_REPO_SPECS: "https://github.com/lsst-sqre/system-test@prod"
        FIREFLY_ROUTE: "/portal/app"
        HUB_ROUTE: "/nb/hub"
        RSP_SITE_TYPE: "science"
        TAP_ROUTE: "/api/tap"
        TUTORIAL_NOTEBOOKS_URL: "https://github.com/lsst/tutorial-notebooks@main"
        TUTORIAL_NOTEBOOKS_DIR: "/opt/lsst/software/notebooks-at-build-time/tutorial-notebooks"

      # -- Extra annotations to add to user lab pods
      extraAnnotations: {}

      # -- Files to be mounted as ConfigMaps inside the user lab pod.
      # `contents` contains the file contents. Set `modify` to true to make
      # the file writable in the pod.
      # @default -- See `values.yaml`
      files:
        /opt/lsst/software/jupyterlab/lsst_dask.yml: |
          # No longer used, but preserves compatibility with runlab.sh
          dask_worker.yml: |
            enabled: false
        /opt/lsst/software/jupyterlab/panda/idds.cfg.client.template: |
          # Licensed under the Apache License, Version 2.0 (the "License");
          # You may not use this file except in compliance with the License.
          # You may obtain a copy of the License at
          # http://www.apache.org/licenses/LICENSE-2.0
          #
          # Authors:
          # - Wen Guan, <wen.guan@cern.ch>, 2020
          [common]
          # if logdir is configured, idds will write to idds.log in this
          # directory, else idds will go to stdout/stderr. With supervisord,
          # it's good to write to stdout/stderr, then supervisord can manage
          # and rotate logs.
          # logdir = /var/log/idds
          loglevel = INFO
          [rest]
          host = https://iddsserver.cern.ch:443/idds
          #url_prefix = /idds
          #cacher_dir = /tmp
          cacher_dir = /data/idds

      # -- Path inside the lab container where custom JupyterLab configuration
      # is stored
      jupyterlabConfigDir: "/opt/lsst/software/jupyterlab"

      # -- Prefix of home directory path to add before the username. This is
      # the path inside the container, not the path of the volume.
      homedirPrefix: "/home"

      # -- Schema for home directory construction. Choose between `username`
      # (paths like `/home/rachel`) and `initialThenUsername` (paths like
      # `/home/r/rachel`).
      homedirSchema: "username"

      # -- Portion of the home directory path after the username. This is
      # intended for environments that want the JupyterLab home directory to
      # be a subdirectory of the user's home directory in some external
      # environment.
      homedirSuffix: ""

      # -- Home volume name.  The controller needs to know which volume
      # contains user homes.
      homeVolumeName: "home"

      # -- Containers run as init containers with each user pod. Each should
      # set `name`, `image` (a Docker image and pull policy specification),
      # and `privileged`, and may contain `volumeMounts` (similar to the main
      # `volumeMountss` configuration). If `privileged` is true, the container
      # will run as root with all capabilities. Otherwise it will run as the
      # user.
      initContainers: []

      # -- Command executed in the container to start the lab
      labStartCommand:
        - "/opt/lsst/software/jupyterlab/runlab.sh"

      # -- Prefix for namespaces for user labs. To this will be added a dash
      # (`-`) and the user's username.
      namespacePrefix: "nublado"

      # -- Node selector rules for user lab pods
      nodeSelector: {}

      nss:
        # -- Base `/etc/passwd` file for lab containers
        # @default -- See `values.yaml`
        basePasswd: |
          root:x:0:0:root:/root:/bin/bash
          daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
          bin:x:2:2:bin:/bin:/usr/sbin/nologin
          sys:x:3:3:sys:/dev:/usr/sbin/nologin
          sync:x:4:65534:sync:/bin:/bin/sync
          games:x:5:60:games:/usr/games:/usr/sbin/nologin
          man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
          lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
          mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
          news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
          uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
          proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
          www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
          backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
          list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
          irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
          _apt:x:42:65534::/nonexistent:/usr/sbin/nologin
          nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

        # -- Base `/etc/group` file for lab containers
        # @default -- See `values.yaml`
        baseGroup: |
          root:x:0:
          daemon:x:1:
          bin:x:2:
          sys:x:3:
          adm:x:4:
          tty:x:5:
          disk:x:6:
          lp:x:7:
          mail:x:8:
          news:x:9:
          uucp:x:10:
          man:x:12:
          proxy:x:13:
          kmem:x:15:
          dialout:x:20:
          fax:x:21:
          voice:x:22:
          cdrom:x:24:
          floppy:x:25:
          tape:x:26:
          sudo:x:27:
          audio:x:29:
          dip:x:30:
          www-data:x:33:
          backup:x:34:
          operator:x:37:
          list:x:38:
          irc:x:39:
          src:x:40:
          shadow:x:42:
          utmp:x:43:
          video:x:44:
          sasl:x:45:
          plugdev:x:46:
          staff:x:50:
          games:x:60:
          users:x:100:
          _ssh:x:101:
          nogroup:x:65534:

      # -- Pull secret to use for labs. Set to the string `pull-secret` to use
      # the normal pull secret from Vault.
      # @default -- Do not use a pull secret
      pullSecret: null

      # -- How frequently to reconcile lab state against Kubernetes to catch
      # deletions from outside Nublado, in Safir `parse_timedelta` format. If
      # a lab is deleted by a node replacement or upgrade, or manually with
      # `kubectl`, that deletion will not be noticed, and the user will not be
      # able to spawn a new lab, for up to this interval.
      reconcileInterval: "5m"

      # -- Directory in the lab under which runtime information such as
      # tokens, environment variables, and container information will be
      # mounted
      runtimeMountsDir: "/opt/lsst/software/jupyterlab"

      # -- Secrets to set in the user pods. Each should have a `secretKey` key
      # pointing to a secret in the same namespace as the controller
      # (generally `nublado-secret`) and `secretRef` pointing to a field in
      # that key.
      secrets: []

      # -- Available lab sizes. Sizes must be chosen from `fine`,
      # `diminutive`, `tiny`, `small`, `medium`, `large`, `huge`,
      # `gargantuan`, and `colossal` in that order. Each should specify the
      # maximum CPU equivalents and memory. SI suffixes for memory are
      # supported. Sizes will be shown in the order defined here, and the
      # first defined size will be the default.
      # @default -- See `values.yaml`
      sizes:
        - size: "small"
          resources:
            limits:
              cpu: 1.0
              memory: "4Gi"
            requests:
              cpu: 0.25
              memory: "0.75Gi"
        - size: "large"
          resources:
            limits:
              cpu: 4.0
              memory: "16Gi"
            requests:
              cpu: 1.0
              memory: "4Gi"

      # -- How long to wait for Kubernetes to spawn a lab in seconds. This
      # should generally be shorter than the spawn timeout set in JupyterHub.
      spawnTimeout: 600

      # -- Whether to use standard inithome container (requires
      # administrative access to home volume) or not.
      standardInithome: true

      # -- Tolerations for user lab pods
      # @default -- Tolerate GKE arm64 taint
      tolerations:
        - key: "kubernetes.io/arch"
          operator: "Equal"
          value: "arm64"
          effect: "NoSchedule"

      # -- Volumes that will be in lab pods or init containers. This supports
      # NFS, HostPath, and PVC volume types (differentiated in source.type).
      volumes: []
      # volumes:
      # - name: "project"
      #   source:
      #     type: nfs
      #     readOnly: true
      #     serverPath: "/share1/project"
      #     server: "10.87.86.26"

      # -- Volumes that should be mounted in lab pods.
      volumeMounts: []
      # volumeMounts:
      # - containerPath: "/project"
      #   readOnly: true
      #   volumeName: "project"

    # -- How frequently to restart a Kubernetes watch request. These
    # connections can be dropped and throw a 400 error, or even be silently
    # dropped in different Kubernetes enviroments. Setting this value can
    # help prevent those things from happening.
    watchReconnectTimeout: 3m

    metrics:
      # -- Whether to enable sending metrics
      enabled: false

      # -- Name under which to log metrics. Generally there is no reason to
      # change this.
      application: "nublado"

      events:
        # -- Topic prefix for events. It may sometimes be useful to change this
        # in development environments.
        topicPrefix: "lsst.square.metrics.events"

      schemaManager:
        # -- URL of the Confluent-compatible schema registry server
        # @default -- Sasquatch in the local cluster
        registryUrl: "http://sasquatch-schema-registry.sasquatch.svc.cluster.local:8081"

        # -- Suffix to add to all registered subjects. This is sometimes useful
        # for experimentation during development.
        suffix: ""

# JupyterHub configuration handled directly by this chart rather than by Zero
# to JupyterHub.
hub:
  # -- Whether to use the cluster-internal PostgreSQL server instead of an
  # external server. This is not used directly by the Nublado chart, but
  # controls how the database password is managed.
  internalDatabase: false

  # -- Default spawn page.  Usually '/lab', but can be overridden in order
  # to specify a custom landing page.
  landingPage: "/lab"

  # -- Minimum remaining token lifetime when spawning a lab. The token cannot
  # be renewed, so it should ideally live as long as the lab does. If the
  # token has less remaining lifetime, the user will be redirected to
  # reauthenticate before spawning a lab.
  # @default -- `jupyterhub.cull.maxAge` if lab culling is enabled, else none
  minimumTokenLifetime: null

  # -- Resource limits and requests for the Hub
  # @default -- See `values.yaml`
  resources:
    limits:
      cpu: "1"
      memory: "512Mi"
    requests:
      cpu: "6m"
      memory: "130Mi"

  timeout:
    # -- Timeout for JupyterLab to start in seconds. Currently this sometimes
    # takes over 60 seconds for reasons we don't understand.
    startup: 90

  # -- Whether to put each user's lab in a separate domain. This is strongly
  # recommended for security, but requires wildcard DNS and cert-manager
  # support and requires subdomain support be enabled in Gafaelfawr.
  useSubdomains: false

# Configuration for the Zero to JupyterHub subchart.
jupyterhub:
  cull:
    # -- Enable the lab culler.
    enabled: true

    # -- Default idle timeout before the lab is automatically deleted in
    # seconds
    # @default -- 432000 (5 days)
    timeout: 432000

    # -- How frequently to check for idle labs in seconds
    # @default -- 3600 (1 hour)
    every: 3600

    # -- Whether to log out the user (from JupyterHub) when culling their lab
    users: false

    # -- Whether to remove named servers when culling their lab
    removeNamedServers: true

    # -- Maximum age of a lab regardless of activity
    # @default -- 864000 (10 days)
    maxAge: 864000

  hub:
    # -- Whether to require metrics requests to be authenticated
    authenticatePrometheus: false

    image:
      # -- Image to use for JupyterHub
      name: "ghcr.io/lsst-sqre/nublado-jupyterhub"

      # -- Tag of image to use for JupyterHub
      tag: "12.1.0"

    # -- Resource limits and requests
    # @default -- See `values.yaml`
    resources:
      limits:
        cpu: "900m"
        memory: "1Gi"  # Should support about 200 users
      requests:
        cpu: "100m"
        memory: "128Mi"

    # -- Tolerations for Hub pod
    # @default -- Tolerate GKE arm64 taint
    tolerations:
      - key: "kubernetes.io/arch"
        operator: "Equal"
        value: "arm64"
        effect: "NoSchedule"

    db:
      # -- Type of database to use
      type: "postgres"

      # -- Database password (not used)
      # @default -- Comes from nublado-secret
      password: "true"

      # -- Whether to automatically update DB schema at Hub start
      upgrade: false

      # -- URL of PostgreSQL server
      # @default -- Use the in-cluster PostgreSQL installed by Phalanx
      url: "postgresql://nublado3@postgres.postgres/jupyterhub"

    # -- Security context for JupyterHub container
    # @default -- See `values.yaml`
    containerSecurityContext:
      runAsUser: 1000
      runAsGroup: 1000
      allowPrivilegeEscalation: false

    # -- Base URL on which JupyterHub listens
    baseUrl: "/nb"

    # -- Existing secret to use for private keys
    existingSecret: "nublado-secret"

    # -- Additional environment variables to set
    # @default -- Gets `JUPYTERHUB_CRYPT_KEY` from `nublado-secret`
    extraEnv:
      JUPYTERHUB_CRYPT_KEY:
        valueFrom:
          secretKeyRef:
            name: "nublado-secret"
            key: "hub.config.CryptKeeper.keys"

    # -- Additional volumes to make available to JupyterHub
    # @default -- The `hub-config` `ConfigMap` and the Gafaelfawr token
    extraVolumes:
      - name: "hub-config"
        configMap:
          name: "hub-config"
      - name: "hub-gafaelfawr-token"
        secret:
          secretName: "hub-gafaelfawr-token"

    # -- Additional volume mounts for JupyterHub
    # @default -- `hub-config` and the Gafaelfawr token
    extraVolumeMounts:
      - name: "hub-config"
        mountPath: "/usr/local/etc/jupyterhub/jupyterhub_config.d"
      - name: "hub-gafaelfawr-token"
        mountPath: "/etc/gafaelfawr"

    networkPolicy:
      # -- Whether to enable the default `NetworkPolicy` (currently, the
      # upstream one does not work correctly)
      enabled: false

    loadRoles:
      server:
        # -- Default scopes for the user's lab, overridden to allow the lab to
        # delete itself (which we use for our added menu items)
        # @default -- See `values.yaml`
        scopes:
          - "access:servers!user"
          - "delete:servers!user"
          - "users:activity!user"

  ingress:
    # -- Whether to enable the default ingress. Should always be disabled
    # since we install our own `GafaelfawrIngress` to avoid repeating the
    # global hostname and manually configuring authentication
    enabled: false

  prePuller:
    continuous:
      # -- Whether to run the JupyterHub continuous prepuller (the Nublado
      # controller does its own prepulling)
      enabled: false

    hook:
      # -- Whether to run the JupyterHub hook prepuller (the Nublado
      # controller does its own prepulling)
      enabled: false

  proxy:
    service:
      # -- Only expose the proxy to the cluster, overriding the default of
      # exposing the proxy directly to the Internet
      type: "ClusterIP"

    chp:
      networkPolicy:
        # -- Enable access to the proxy from other namespaces, since we put
        # each user's lab environment in its own namespace
        interNamespaceAccessLabels: "accept"

        # -- Enable the proxy to send traffic to any pod in any namespace with
        # the `nublado.lsst.io/category: lab` label.
        egress:
          - to:
              - namespaceSelector: {}
                podSelector:
                  matchLabels:
                    nublado.lsst.io/category: lab


      # -- Extra CLI options to pass to the proxy. The most up-to-date list is
      # [here](https://github.com/jupyterhub/configurable-http-proxy/blob/main/bin/configurable-http-proxy)
      # (not the docs, unfortunately)
      extraCommandLineFlags:
        # Keepalive timeout, in milliseconds. This should be longer than any
        # keepalive timeouts on any downstream proxies. The keepalive timeout
        # for ingress-nginx connections is 60s.
        - --keep-alive-timeout=61000

      # -- Resource limits and requests for proxy pod
      # @default -- See `values.yaml`
      resources:
        limits:
          cpu: "1"
          memory: "3Gi"
        requests:
          cpu: "250m"
          memory: "200Mi"

      # -- Tolerations for proxy pod
      # @default -- Tolerate GKE arm64 taint
      tolerations:
        - key: "kubernetes.io/arch"
          operator: "Equal"
          value: "arm64"
          effect: "NoSchedule"


  scheduling:
    userScheduler:
      # -- Whether the user scheduler should be enabled
      enabled: false

    userPlaceholder:
      # -- Whether to spawn placeholder pods representing fake users to force
      # autoscaling in advance of running out of resources
      enabled: false

cloudsql:
  # -- Enable the Cloud SQL Auth Proxy, used with Cloud SQL databases on
  # Google Cloud
  enabled: false

  # -- Affinity rules for the Cloud SQL Auth Proxy pod
  affinity: {}

  image:
    # -- Cloud SQL Auth Proxy image to use
    repository: "gcr.io/cloudsql-docker/gce-proxy"

    # -- Pull policy for Cloud SQL Auth Proxy images
    pullPolicy: "IfNotPresent"

    # -- Cloud SQL Auth Proxy tag to use
    tag: "1.37.14"

  # -- Instance connection name for a Cloud SQL PostgreSQL instance
  # @default -- None, must be set if Cloud SQL Auth Proxy is enabled
  instanceConnectionName: ""

  # -- Resource limits and requests for the Cloud SQL Proxy pod
  # @default -- See `values.yaml`
  resources:
    limits:
      cpu: "100m"
      memory: "30Mi"
    requests:
      cpu: "5m"
      memory: "15Mi"

  # -- Annotations for the Cloud SQL Auth Proxy pod
  podAnnotations: {}

  # -- Node selection rules for the Cloud SQL Auth Proxy pod
  nodeSelector: {}

  # -- The Google service account that has an IAM binding to the
  # `cloud-sql-proxy` Kubernetes service account and has the `cloudsql.client`
  # role
  # @default -- None, must be set if Cloud SQL Auth Proxy is enabled
  serviceAccount: null

  # -- Tolerations for the Cloud SQL Auth Proxy pod
  # @default -- Tolerate GKE arm64 taint
  tolerations:
    - key: "kubernetes.io/arch"
      operator: "Equal"
      value: "arm64"
      effect: "NoSchedule"

# JupyterHub proxy configuration handled directly by this chart rather than by
# Zero to JupyterHub.
proxy:
  ingress:
    # -- Additional annotations to add to the proxy ingress (also used to talk
    # to JupyterHub and all user labs)
    # @default -- See `values.yaml`
    annotations:
      nginx.ingress.kubernetes.io/proxy-read-timeout: "300"  # 5 minutes
      nginx.ingress.kubernetes.io/proxy-send-timeout: "300"  # 5 minutes

# Configuration for Nublado secrets management.
secrets:
  # -- Whether to use the new secrets management mechanism. If enabled, the
  # Vault nublado secret will be split into a nublado secret for JupyterHub
  # and a nublado-lab-secret secret used as a source for secret values for the
  # user's lab.
  templateSecrets: true

purger:
  # -- Purge scratch space?
  enabled: false

  # -- Affinity rules for purger
  affinity: {}

  # -- Node selector rules for purger
  nodeSelector: {}

  # -- Annotations for the purger pod
  podAnnotations: {}

  # -- Tolerations for purger
  # @default -- Tolerate GKE arm64 taint
  tolerations:
    - key: "kubernetes.io/arch"
      operator: "Equal"
      value: "arm64"
      effect: "NoSchedule"

  # -- Resource limits and requests for the filesystem purger
  # @default -- See `values.yaml`
  resources:
    limits:
      cpu: "1"
      memory: "1Gi"
    requests:
      cpu: "0.05"
      memory: "120Mi"

  # -- Crontab entry for when to run.
  schedule: "05 03 * * *"

  config:
    # -- Add timestamps to log messages
    addTimestamp: false

    # -- File holding purge policy
    policyFile: /etc/purger/policy.yaml

    # -- Report only; do not purge
    dryRun: false

    # -- Level at which to log
    logLevel: info

    # -- "production" (JSON logs) or "development" (human-friendly)
    logProfile: production

  policy:
    # -- Per-directory pruning policy.
    # @default -- See `values.yaml`
    directories:
      - path: /scratch

        # Files this large or larger will be subject to the "large" interval
        # set
        threshold: 1GiB

        # If any of these times are older than specified, remove the file.
        # Zero means "never remove".
        intervals:
          large:
            accessInterval: 0
            modificationInterval: 0
            creationInterval: 0
          small:
            accessInterval: 0
            modificationInterval: 0
            creationInterval: 0

  # -- Name of volume to purge (from controller.lab.config.volumes)
  # @default -- None, must be set for each environment
  volumeName: null

# If we're installing tutorials and artifacts at a given site, this cronjob
# controls their refresh.
cronjob:
  tutorials:
    # -- Clone the notebooks?
    enabled: false

    # -- Source for Tutorials repository to clone
    gitSource: "https://github.com/lsst/tutorial-notebooks"

    # -- Target where Tutorials repository should land
    gitTarget: "/rubin/cst_repos/tutorial-notebooks"

    # -- Branch of repository to clone
    gitBranch: "main"

    # -- Where repository volume should be mounted
    targetVolumePath: "/rubin"

    targetVolume:
      # -- Name of volume to mount (from controller.lab.config.volumes)
      # @default -- None, must be set for each environment
      volumeName: null

      # -- Where volume will be mounted in the container
      mountPath: "/rubin"   # Conventional

    # -- Schedule for the cloning cronjob(s).
    schedule: "42 * * * *"

    # -- UID for the cloning cronjob(s)
    uid: 1000

    # -- GID for the cloning cronjob(s)
    gid: 1000

  artifacts:
    # -- Clone the artifacts?
    enabled: false

    # -- Source for Tutorials binary artifact repository to clone
    gitSource: "https://github.com/lsst/tutorial-notebooks-data"

    # -- Target where Tutorial artifacts repository should land
    gitTarget: "/rubin/cst_repos/tutorial-notebooks-data"

    # -- Branch of repository to clone
    gitBranch: "main"

    # -- Where repository volume should be mounted
    targetVolumePath: "/rubin"

    targetVolume:
      # -- Name of volume to mount (from controller.lab.config.volumes)
      # @default -- None, must be set for each environment
      volumeName: null

      # -- Where volume will be mounted in the container
      mountPath: "/rubin"   # Conventional

    # -- Schedule for the cloning cronjob(s).
    schedule: "43 * * * *"

    # -- UID for the cloning cronjob(s)
    uid: 1000

    # -- GID for the cloning cronjob(s)
    gid: 1000

  # -- Affinity rules for the cloning cronjob(s).
  affinity: {}

  # -- Resource limits and requests for the cloning cronjob(s)
  # @default -- See `values.yaml`
  resources:
    limits:
      cpu: "1"
      memory: "1Gi"
    requests:
      cpu: "50m"
      memory: "50Mi"

  # -- Tolerations for the cloning cronjob(s).
  # @default -- Tolerate GKE arm64 taint
  tolerations:
    - key: "kubernetes.io/arch"
      operator: "Equal"
      value: "arm64"
      effect: "NoSchedule"

sentry:
  # -- Whether to report errors to Sentry. Applies to all Nublado components
  # that support Sentry.
  enabled: false

# The following will be set by parameters injected by Argo CD and should not
# be set in the individual environment values files.
global:
  # -- Base URL for the environment
  # @default -- Set by Argo CD
  baseUrl: null

  # -- Name of the Phalanx environment
  # @default -- Set by Argo CD Application
  environmentName: null

  # -- Host name for ingress
  # @default -- Set by Argo CD
  host: null

  # -- Base URL for Repertoire discovery API
  # @default -- Set by Argo CD
  repertoireUrl: null

  # -- Base path for Vault secrets
  # @default -- Set by Argo CD
  vaultSecretsPath: null