Configuration

Every chart depends on one library chart, quench-common, so the operational knobs look the same whichever datastore you run. App-specific settings live under a config: (and where relevant auth:) block documented on each chart page; everything below is shared.

Image (pinned by digest)

The image is referenced by sha256 digest, never a tag. quench-common refuses a tag-only reference on purpose, so a chart can never deploy something unpinned. CI rewrites this to the latest signed digest on each image build, so you normally leave it alone.

1
image:
2
  repository: ghcr.io/quenchworks/images/postgresql
3
  digest: "sha256:..."   # set by CI; override to pin a specific build
4
  pullPolicy: IfNotPresent

Persistence

Stateful charts provision a PVC. Turn it off for ephemeral use, size it, choose a class, or bind an existing claim.

1
persistence:
2
  enabled: true
3
  size: 8Gi
4
  storageClass: ""          # default class if empty
5
  accessModes: ["ReadWriteOnce"]
6
  existingClaim: ""         # bind an existing PVC instead

Resources

1
resources:
2
  requests: { cpu: 250m, memory: 256Mi }
3
  limits:   { cpu: "1",  memory: 1Gi }

A few engines size their heap or memory from these (or from a dedicated value); their chart pages call that out.

Scheduling and placement

The usual Kubernetes controls are passed straight through: nodeSelector, affinity, tolerations, topologySpreadConstraints, priorityClassName, schedulerName, terminationGracePeriodSeconds, and updateStrategy.

Extra environment and volumes

Inject configuration without forking the chart:

1
extraEnvVars:
2
  - name: MY_FLAG
3
    value: "1"
4
extraEnvVarsCM: ""          # name of a ConfigMap to envFrom
5
extraEnvVarsSecret: ""      # name of a Secret to envFrom
6
extraVolumes: []
7
extraVolumeMounts: []
8
initContainers: []
9
sidecars: []

Security context

The hardened defaults come from quench-common: runAsNonRoot (uid/gid/fsGroup 1001), seccomp RuntimeDefault, read-only root filesystem, no privilege escalation, all capabilities dropped. Anything you set merges over the defaults, so you only override what you need.

1
podSecurityContext: {}        # your keys win over the hardened defaults
2
containerSecurityContext: {}

Probes

Each chart ships sensible liveness and readiness probes. Tune the timing, or replace a probe outright.

1
livenessProbe:  { initialDelaySeconds: 30 }   # merge timing overrides
2
readinessProbe: { periodSeconds: 10 }
3
customLivenessProbe:  {}   # set to replace the probe entirely
4
customReadinessProbe: {}
5
customStartupProbe:   {}

Networking and availability

A NetworkPolicy is on by default and is the trust boundary for charts that ship without app-level auth. A PodDisruptionBudget guards voluntary disruptions.

1
networkPolicy:
2
  enabled: true
3
  allowExternal: false      # restrict ingress to same-namespace pods
4
podDisruptionBudget:
5
  enabled: true
6
  minAvailable: 1
7
serviceAccount: { create: true, name: "", annotations: {} }
8
rbac: { create: false }

See the schema

Every chart ships a values.schema.json, so Helm validates what you pass and your editor can autocomplete it. Read a chart’s full values inline:

helm show values oci://ghcr.io/quenchworks/charts/postgresql
helm show readme  oci://ghcr.io/quenchworks/charts/postgresql

Edit this page on GitHub