charts/rstudio-workbench/values.yaml

# -- the name of the chart deployment (can be overridden)
nameOverride: ""
# -- the full name of the release (can be overridden)
fullnameOverride: ""

# -- A Workbench version to override the "tag" for the RStudio Workbench image and the session images. Necessary until https://github.com/helm/helm/issues/8194
versionOverride: ""

# -- Settings for enabling server diagnostics
diagnostics:
  enabled: false
  directory: /var/log/rstudio

session:
  # -- Whether to automatically mount the config.session configuration into session pods. If launcher.namespace is
  # different from Release Namespace, then the chart will duplicate the session configmap in both namespaces to
  # facilitate this
  defaultConfigMount: true
  # -- Whether to automatically add the homeStorage PVC to the session (i.e. via the `launcher-mounts` file)
  defaultHomeMount: true
  # -- The path to mount the sessionSecret (from `config.sessionSecret`) onto the server and session pods
  defaultSecretMountPath: /mnt/session-secret/
  image:
    # -- A tag prefix for session images (common selections: ubuntu2204-, centos7-). Only used if tag is not defined
    tagPrefix: ubuntu2204-
    # -- The repository to use for the session image
    repository: "rstudio/r-session-complete"
    # -- A tag override for the session image. Overrides the "tagPrefix" above, if set. Default tag is `{{ tagPrefix }}{{ version }}`
    tag: ""

sharedStorage:
  # -- whether to create the persistentVolumeClaim for shared storage
  create: false
  # -- The name of the pvc. By default, computes a value from the release name
  name: ""
  # -- Whether the persistentVolumeClaim should be mounted (even if not created)
  mount: false
  # -- the path to mount the sharedStorage claim within the pod
  path: /var/lib/rstudio-server
  # -- storageClassName - the type of storage to use. Must allow ReadWriteMany
  storageClassName: false
  # -- accessModes defined for the storage PVC (represented as YAML)
  accessModes:
    - ReadWriteMany
  requests:
    # -- the volume of storage to request for this persistent volume claim
    storage: "10Gi"
  # -- selector for PVC definition
  selector: {}
  # -- the volumeName passed along to the persistentVolumeClaim. Optional
  volumeName: ""
  # -- Define the annotations for the Persistent Volume Claim resource
  annotations:
    helm.sh/resource-policy: keep

# -- How to handle updates to the service. RollingUpdate (the default) minimizes downtime, but
# will not work well if your license only allows a single activation.
strategy:
  type: "RollingUpdate"
  rollingUpdate:
    maxSurge: "100%"
    maxUnavailable: 0

launcher:
  # -- determines whether the launcher should be started in the container
  enabled: true
  # -- allow customizing the namespace that sessions are launched into. Note RBAC and some config issues today
  namespace: ""
  # -- configuration for the "Kubernetes Health Check" that the launcher entrypoint runs at startup
  kubernetesHealthCheck:
    enabled: true
    extraCurlArgs: ["-fsSL"]
  # -- whether to render and use templates in the job launching process
  useTemplates: false
  # -- extra templates to render in the template directory.
  extraTemplates: {}
  # -- whether to include the default `job.tpl` and `service.tpl` files included with the chart
  includeDefaultTemplates: true
  # -- whether to include the templateValues rendering process
  includeTemplateValues: true
  # -- values that are passed along to the launcher job rendering process as a data object (in JSON). These values are then used within session templates.
  templateValues:
    service:
      type: ClusterIP
      annotations: {}
      labels: {}
    pod:
      annotations: {}
      labels: {}
      serviceAccountName: ""
      volumes: []
      volumeMounts: []
      env: []
      imagePullPolicy: ""
      imagePullSecrets: []
      initContainers: []
      extraContainers: []
      containerSecurityContext: {}
      defaultSecurityContext: {}
      securityContext: {}
      tolerations: []
      affinity: {}
      nodeSelector: {}
      # -- command for all pods. This is really not something we should expose and will be removed once we have a better option
      command: []
    job:
      annotations: {}
      labels: {}
      ttlSecondsAfterFinished: null

homeStorage:
  # -- whether to create the persistentVolumeClaim for homeStorage
  create: false
  # -- The name of the pvc. By default, computes a value from the release name
  name: ""
  # -- Whether the persistentVolumeClaim should be mounted (even if not created)
  mount: false
  # -- the path to mount the homeStorage claim within the pod
  path: /home
  # -- storageClassName - the type of storage to use. Must allow ReadWriteMany
  storageClassName: false
  # -- accessModes defined for the storage PVC (represented as YAML)
  accessModes:
    - ReadWriteMany
  requests:
    # -- the volume of storage to request for this persistent volume claim
    storage: "10Gi"
  # -- selector for PVC definition
  selector: {}
  # -- the volumeName passed along to the persistentVolumeClaim. Optional
  volumeName: ""
  # -- an optional subPath for the volume mount
  subPath: ""

image:
  # -- the repository to use for the main pod image
  repository: rstudio/rstudio-workbench
  # -- A tag prefix for the server image (common selection: ubuntu2204-). Only used if tag is not defined
  tagPrefix: ubuntu2204-
  # -- Overrides the image tag whose default is the chart appVersion.
  tag: ""
  # -- the imagePullPolicy for the main pod image
  imagePullPolicy: IfNotPresent
  # -- an array of kubernetes secrets for pulling the main pod image from private registries
  imagePullSecrets: []

# -- the initContainer spec that will be used verbatim
initContainers: false

ingress:
  enabled: false
  # -- The ingressClassName for the ingress resource. Only used for clusters that support
  # networking.k8s.io/v1 Ingress resources
  ingressClassName: ""
  annotations: {}
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"
  hosts:
  # - host: chart-example.local
  #   paths: []
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

# -- whether to provide `shareProcessNamespace` to the pod.
shareProcessNamespace: false

sealedSecret:
  # -- use SealedSecret instead of Secret to deploy secrets
  enabled: false
  # -- annotations for SealedSecret resources
  annotations: {}

service:
  # -- Annotations for the service, for example to specify [an internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer)
  annotations: {}
  # -- The service type, usually ClusterIP (in-cluster only) or LoadBalancer (to
  # expose the service using your cloud provider's load balancer)
  type: ClusterIP
  # -- The cluster-internal IP to use with `service.type` ClusterIP
  clusterIP: ""
  # -- The external IP to use with `service.type` LoadBalancer, when supported
  # by the cloud provider
  loadBalancerIP: ""
  # -- The explicit nodePort to use for `service.type` NodePort. If not
  # provided, Kubernetes will choose one automatically
  nodePort: false
  # -- The Service port. This is the port your service will run under.
  port: 80

# -- resources define requests and limits for the rstudio-server pod
resources:
  requests:
    enabled: false
    memory: "2Gi"
    cpu: "100m"
    ephemeralStorage: "100Mi"
  limits:
    enabled: false
    memory: "4Gi"
    cpu: "2000m"
    ephemeralStorage: "200Mi"

# -- livenessProbe is used to configure the container's livenessProbe
livenessProbe:
  enabled: false
  httpGet:
    path: /health-check
    port: 8787
  initialDelaySeconds: 10
  periodSeconds: 5
  timeoutSeconds: 2
  failureThreshold: 10
# -- startupProbe is used to configure the container's startupProbe
startupProbe:
  enabled: false
  httpGet:
    path: /health-check
    port: 8787
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 1
  # -- failureThreshold * periodSeconds should be strictly > worst case startup time
  failureThreshold: 30
# -- readinessProbe is used to configure the container's readinessProbe
readinessProbe:
  enabled: true
  httpGet:
    path: /health-check
    port: 8787
  initialDelaySeconds: 10
  periodSeconds: 3
  timeoutSeconds: 1
  successThreshold: 1
  failureThreshold: 3

loadBalancer:
  # -- whether to force the loadBalancer to be enabled. Otherwise requires replicas > 1. Worth setting if you are HA but may only have one node
  forceEnabled: false

# -- command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup
command: []
# -- args is the pod container's run arguments.
args: []

license:
  # -- key is the license to use
  key: null
  # -- server is the <hostname>:<port> for a license server
  server: false
  # -- the file section is used for licensing with a license file
  file:
    # -- contents is an in-line license file
    contents: false
    # -- mountPath is the place the license file will be mounted into the container
    mountPath: "/etc/rstudio-licensing"
    # -- mountSubPath is whether to mount the subPath for the file secret.
    # -- It can be preferable _not_ to enable this, because then updates propagate automatically
    mountSubPath: false
    # -- secretKey is the key for the secret to use for the license file
    secretKey: "license.lic"
    # -- secret is an existing secret with a license file in it
    secret: false

# -- replicas is the number of replica pods to maintain for this service. Use 2 or more to enable HA
replicas: 1

# -- userCreate determines whether a user should be created at startup (if true)
userCreate: false
# -- userName determines the username of the created user
userName: "rstudio"
# -- userUid determines the UID of the created user
userUid: "10000"
# -- userPassword determines the password of the created user
userPassword: "rstudio"

# -- The XDG config dirs (directories where configuration will be read from). Do not change without good reason.
xdgConfigDirs: "/mnt/dynamic:/mnt/session-configmap:/mnt/secret-configmap:/mnt/configmap:/mnt/load-balancer/"

# -- A list of additional XDG config dir paths
xdgConfigDirsExtra: []

securityContext: {}

# -- The pod's priorityClassName
priorityClassName: ""
# -- A map used verbatim as the pod's "affinity" definition
affinity: {}
# -- A map used verbatim as the pod's "nodeSelector" definition
nodeSelector: {}
# -- An array used verbatim as the pod's "topologySpreadConstraints" definition
topologySpreadConstraints: []
# -- An array used verbatim as the pod's "tolerations" definition
tolerations: []
# -- Pod disruption budget
podDisruptionBudget: {}

# -- The revisionHistoryLimit to use for the pod deployment. Do not set to 0
revisionHistoryLimit: 10

pod:
  # -- env is an array of maps that is injected as-is into the "env:" component of the pod.container spec
  env: []
  # -- volumes is injected as-is into the "volumes:" component of the pod.container spec
  volumes: []
  # -- volumeMounts is injected as-is into the "volumeMounts:" component of the pod.container spec
  volumeMounts: []
  # -- Additional annotations to add to the rstudio-workbench pods
  annotations: {}
  # -- Additional labels to add to the rstudio-workbench pods
  labels: {}
  # -- sidecar is an array of containers that will be run alongside the main container
  sidecar: []
  # -- Values to set the `securityContext` for the service pod
  securityContext: {}
  # -- The containerPort used by the main pod container
  port: 8787
  # -- container lifecycle hooks
  lifecycle: {}
  # -- The termination grace period seconds allowed for the pod before shutdown
  terminationGracePeriodSeconds: 120

prometheus:
  # -- The parent setting for whether to enable prometheus metrics. Default is to use the built-in product exporter
  enabled: true
  # -- The port that prometheus will listen on. If legacy=true, then this will be hard-coded to 9108
  port: 8989
  # -- Whether to enable the legacy prometheusExporter INSTEAD OF the built-in product exporter. If you change this to
  # `true`, please let us know why! Requires prometheusExporter.enabled=true too
  legacy: false

prometheusExporter:
  # -- DEPRECATED. Whether the prometheus exporter sidecar should be enabled. See prometheus.enabled instead.
  enabled: true
  # -- Yaml that defines the graphite exporter mapping. null by default, which uses the embedded / default mapping yaml file
  mappingYaml: null
  # -- securityContext for the prometheus exporter sidecar
  securityContext: {}
  # -- resource specification for the prometheus exporter sidecar
  resources: {}
  image:
    repository: "prom/graphite-exporter"
    tag: "v0.9.0"
    imagePullPolicy: IfNotPresent

serviceMonitor:
  # -- Whether to create a ServiceMonitor CRD for use with a Prometheus Operator
  enabled: false
  # -- Namespace to create the ServiceMonitor in (usually the same as the one in
  # which the Prometheus Operator is running). Defaults to the release namespace
  namespace: ""
  # -- additionalLabels normally includes the release name of the Prometheus
  # Operator
  additionalLabels: {}
  #   release: kube-prometheus-stack

rbac:
  # -- Whether to create rbac. (also depends on launcher.enabled = true)
  create: true
  # -- The serviceAccount to be associated with rbac (also depends on launcher.enabled = true)
  serviceAccount:
    create: true
    name: ""
    annotations: {}
    labels: {}
  # -- Whether to create the ClusterRole that grants access to the Kubernetes nodes API. This is used by the Launcher
  # to get all of the IP addresses associated with the node that is running a particular job. In most cases, this can
  # be disabled as the node's internal address is sufficient to allow proper functionality.
  clusterRoleCreate: false

# -- Extra objects to deploy (value evaluated as a template)
extraObjects: []

# -- jobJsonOverridesFiles is a map of maps. Each item in the map will become a file (named by the key), and the underlying object will be converted to JSON as the file's contents
jobJsonOverridesFiles: {}

# -- An inline launcher.pem key. If not provided, one will be auto-generated. See README for more details.
launcherPem: ""
# -- An inline launcher.pub key to pair with launcher.pem. If `false` (the default), we will try to generate a `launcher.pub` from the provided `launcher.pem`
launcherPub: false

secureCookieKey: ""

dangerRegenerateAutomatedValues: false

global:
  secureCookieKey: ""

config:
  defaultMode:
    # -- default mode for session files
    # @default -- 0644
    session: 0644
    # -- default mode for session secrets
    # @default -- 0420
    sessionSecret: 0420
    # -- default mode for secrets
    # @default -- 0600
    secret: 0600
    # -- default mode for userProvisioning config
    # @default -- 0600
    userProvisioning: 0600
    # -- default mode for server config
    # @default -- 0644
    server: 0644
    # -- default mode for jobJsonOverrides config
    # @default -- 0644
    jobJsonOverrides: 0644
    # -- default mode for startup config
    # @default -- 0755
    startup: 0755
    # -- default mode for prestart config
    # @default -- 0755
    prestart: 0755
    # -- default mode for pam scripts
    # @default -- 0644
    pam: 0644

  # -- a map of session-scoped config files. Mounted to `/mnt/session-configmap/rstudio/` on both server and session, by default.
  session:
    repos.conf:
      CRAN: https://packagemanager.posit.co/cran/__linux__/jammy/latest
    rsession.conf: {}
    notifications.conf: {}
    rstudio-prefs.json: |
      {}
  # -- a map of secret, session-scoped config files (odbc.ini, etc.). Mounted to `/mnt/session-secret/` on both server and session, by default
  sessionSecret: {}
  # -- a map of secret, server-scoped config files (database.conf, databricks.conf, openid-client-secret). Mounted to `/mnt/secret-configmap/rstudio/` with 0600 permissions
  secret:
  # -- a map of sssd config files, used for user provisioning. Mounted to `/etc/sssd/conf.d/` with 0600 permissions
  userProvisioning: {}
  # -- a map of server config files. Mounted to `/mnt/configmap/rstudio/`
  # @default -- [RStudio Workbench Configuration Reference](https://docs.rstudio.com/ide/server-pro/rstudio_server_configuration/rstudio_server_configuration.html). See defaults with `helm show values`
  server:
    rserver.conf:
      server-health-check-enabled: 1
      auth-pam-sessions-enabled: 1
      admin-enabled: 1
      www-port: 8787
      server-project-sharing: 1
      launcher-address: 127.0.0.1
      launcher-port: 5559
      launcher-sessions-enabled: 1
      launcher-default-cluster: Kubernetes
    launcher.conf:
      server:
        address: 127.0.0.1
        port: 5559
        server-user: rstudio-server
        admin-group: rstudio-server
        authorization-enabled: 1
        thread-pool-size: 4
        enable-debug-logging: 0
      cluster:
        name: Kubernetes
        type: Kubernetes
    jupyter.conf:
      jupyter-exe: /usr/local/bin/jupyter
      notebooks-enabled: 1
      labs-enabled: 1
      default-session-cluster: Kubernetes
    vscode.conf:
      enabled: 1
      exe: /opt/code-server/bin/code-server
      args: --host=0.0.0.0
    vscode-user-settings.json: |
      {
            "terminal.integrated.shell.linux": "/bin/bash",
            "extensions.autoUpdate": false,
            "extensions.autoCheckUpdates": false
      }
    logging.conf:
      "*":
        log-level: info
        logger-type: stderr
    health-check: |
      # HELP active_sessions health_check metric Active RStudio sessions
      # TYPE active_sessions gauge
      active_sessions #active-sessions#
      # HELP idle_seconds health_check metric Time since active RStudio sessions
      # TYPE idle_seconds gauge
      idle_seconds #idle-seconds#
      # HELP cpu_percent health_check metric cpu (percentage)
      # TYPE cpu_percent gauge
      cpu_percent #cpu-percent#
      # HELP memory_percent health_check metric memory used (percentage)
      # TYPE memory_percent gauge
      memory_percent #memory-percent#
      # HELP swap_percent health_check metric swap used (percentage)
      # TYPE swap_percent gauge
      swap_percent #swap-percent#
      # HELP load_average health_check metric cpu load average
      # TYPE load_average gauge
      load_average #load-average#
      # HELP license_days_left the number of days left on the license
      # TYPE license_days gauge
      license_days_left #license-days-left#
  # -- a map of server-scoped config files (akin to `config.server`), but with specific behavior that supports profiles. See README for more information.
  profiles: {}
  # -- a map of server-scoped config files (akin to `config.server`), but with .dcf file formatting (i.e. `launcher-mounts`, `launcher-env`, etc.)
  serverDcf:
    launcher-mounts: []
  # -- a map of supervisord .conf files to define custom services. Mounted into the container at /startup/custom/
  startupCustom: {}
  # -- a map of supervisord .conf files to define user provisioning services. Mounted into the container at /startup/user-provisioning/
  startupUserProvisioning:
    sssd.conf: |
      [program:sssd]
      command=/usr/sbin/sssd -i -c /etc/sssd/sssd.conf --logger=stderr
      autorestart=false
      numprocs=1
      stdout_logfile=/dev/stdout
      stdout_logfile_maxbytes=0
      stdout_logfile_backups=0
      stderr_logfile=/dev/stderr
      stderr_logfile_maxbytes=0
      stderr_logfile_backups=0

  # -- a map of pam config files. Will be mounted into the container directly / per file, in order to avoid overwriting system pam files
  pam: {}