Configurable parameters
You can also specify each parameter using the --set or --set-file argument to helm install.
Global parameters
Global values are used to define common parameters for the chart and all its sub-charts by exactly the same name.
| Parameter | Default value | Description |
|---|---|---|
| global.replicaCount | 1 | Number of replicas for the application |
| global.config.enabled | true | Enables global configuration |
| global.image.registry | "" | Global docker registry name |
| global.image.repository | "" | Global docker image repository name |
| global.image.pullSecrets | [] | Global array of secret names for image pull |
| global.volumes.ephemeral.type | "" | Global ephemeral volume type to be used |
| global.volumes.ephemeral.sizeLimit | "" | Global ephemeral volume size limit |
| global.volumes.ephemeral.storageClassName | "" | Global ephemeral volume storage class name for storage type |
| global.volumes.ephemeral.custom | {} | Global custom definition of the ephemeral volume for custom type |
| global.database.type | "" | Type of the database, currently only postgresql is supported |
| global.database.host | "" | Host where the database is located |
| global.database.port | "" | Port on which the database is listening |
| global.database.name | "" | Database name |
| global.database.username | "" | Username to access the database |
| global.database.password | "" | Password to access the database |
| global.database.pgBouncer.enabled | true | Enable pgBouncer for database connection pooling and management |
| global.database.pgBouncer.host | "pg-bouncer-service" | Host where pgBouncer is located |
| global.database.pgBouncer.port | 5432 | Port on which pgBouncer is listening |
| global.trusted.certificates | "" | List of additional CA certificates that should be trusted |
| global.httpProxy | "" | Proxy to be used to access external resources through http |
| global.httpsProxy | "" | Proxy to be used to access external resources through https |
| global.noProxy | "" | Defines the list of external resources that should not use the proxy settings |
| global.hostName | "" | Global hostname of the running instance |
| global.keycloak.enabled | false | Enables internal Keycloak for authentication |
| global.keycloak.clientSecret | "" | Keycloak OIDC client secret to be used internally |
| global.messaging.external.enabled | false | Enable external messaging |
| global.messaging.external.host | "" | Host where the external messaging is located |
| global.messaging.external.amqp.port | "" | Port on which the external messaging is listening |
| global.messaging.remoteAccess | false | Enable remote access to messaging service |
| global.messaging.username | "" | Username to access the messaging |
| global.messaging.password | "" | Password to access the messaging |
| global.utils.enabled | false | Enables external access to Utils Service |
| global.admin.username | "" | Initial administrator username |
| global.admin.password | "" | Initial administrator password |
| global.admin.name | "" | Initial administrator first name |
| global.admin.surname | "" | Initial administrator last name |
| global.admin.email | "" | Initial administrator email |
| global.initContainers | [] | Global init containers |
| global.sidecarContainers | [] | Global sidecar containers |
| global.additionalVolumes | [] | Global additional volumes |
| global.additionalVolumeMounts | [] | Global additional volume mounts |
| global.additionalPorts | [] | Global additional ports |
| global.additionalEnv.variables | [] | Global additional environment variables |
| global.additionalEnv.secrets | [] | Global additional environment secrets |
| global.additionalEnv.configMaps | [] | Global additional environment config maps |
Local parameters
The following values may be configured for the CZERTAINLY core service:
| Parameter | Default value | Description |
|---|---|---|
| database.type | "postgresql" | Type of the database, currently only postgresql is supported |
| database.host | "host.docker.internal" | Host where the database is located |
| database.port | 5432 | Port on which the database is listening |
| database.name | "czertainlydb" | Database name |
| database.username | "czertainlyuser" | Username to access the database |
| database.password | "your-strong-password" | Password to access the database |
| trusted.certificates | "CZERTAINLY Dummy Root CA" | List of additional CA certificates that should be trusted |
| image.registry | docker.io | Docker registry name for the image |
| image.repository | czertainly | Docker image repository name |
| image.name | czertainly-core | Docker image name |
| image.tag | 2.16.1 | Docker image tag |
| image.digest | "" | Docker image digest, will override tag if specified |
| image.pullPolicy | IfNotPresent | Image pull policy |
| image.pullSecrets | [] | Array of secret names for image pull |
| image.command | [] | Override the default command |
| image.args | [] | Override the default args |
| image.securityContext.runAsNonRoot | true | Run the container as non-root user |
| image.securityContext.readOnlyRootFilesystem | true | Run the container with read-only root filesystem |
| image.resources | {} | The resources for the container |
| podLabels | {} | Additional labels for the pod |
| podAnnotations | {} | Additional annotations for the pod |
| podSecurityContext | {} | Pod security context |
| volumes.ephemeral.type | memory | Ephemeral volume type to be used |
| volumes.ephemeral.sizeLimit | "1Mi" | Ephemeral volume size limit |
| volumes.ephemeral.storageClassName | "" | Ephemeral volume storage class name for storage type |
| volumes.ephemeral.custom | {} | Custom definition of the ephemeral volume for custom type |
| registerAdmin.enabled | true | Whether the administrator should be registered |
| registerAdmin.source | external | Source of the administrator certificate |
| registerAdmin.admin.certificate | "CZERTAINLY Administrator" | Administrator certificate in PEM format |
| registerAdmin.admin.description | "First Administrator" | Description for the administrator |
| registerAdmin.admin.username | "czertainly-admin" | Initial administrator username |
| registerAdmin.admin.password | "your-strong-password" | Initial administrator password |
| registerAdmin.admin.name | "admin" | Initial administrator first name |
| registerAdmin.admin.surname | "admin" | Initial administrator last name |
| registerAdmin.admin.email | "admin@czertainly.local" | Initial administrator email |
| logging.level | "INFO" | Allowed values are "INFO", "DEBUG", "WARN", "TRACE" |
| hostname | czertainly.local | Hostname (FQDN) for the platform |
| ingress.enabled | false | Install ingress resource |
| ingress.certificate.source | internal | Source for the ingress TLS certificate |
| ingress.class | nginx | Class name of ingress |
| ingress.annotations | { nginx.ingress.kubernetes.io/backend-protocol: "HTTP", nginx.ingress.kubernetes.io/auth-tls-verify-client: "optional", nginx.ingress.kubernetes.io/auth-tls-secret: "{{ .Release.Namespace }}/trusted-certificates", nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3", nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" } | Additional annotations to customize the ingress |
| ingress.tls.secretName | czertainly-ingress-tls | Ingress TLS certificate and private key secret name |
| messaging.external.enabled | false | Enable external messaging |
| messaging.external.host | "" | Host where the external messaging is located |
| messaging.external.amqp.port | "" | Port on which the external messaging is listening |
| messaging.remoteAccess | false | Enable remote access to messaging service |
| messaging.username | "admin" | Username to access the messaging |
| messaging.password | "admin" | Password to access the messaging |
| messaging.host | "messaging-service" | Host where the messaging is located when using internal messaging. Change only if you know what you are doing! |
| registerConnectors | true | Whether the connector should be auto-registered in the platform |
| commonCredentialProvider.enabled | true | Whether the Common Credential Provider should be enabled |
| ejbcaNgConnector.enabled | false | Whether the EJBCA NG Connector should be enabled |
| pyAdcsConnector.enabled | false | Whether the PyADCS Connector should be enabled |
| hashicorpVaultConnector.enabled | false | Whether the HashiCorp Vault Connector should be enabled |
| x509ComplianceProvider.enabled | false | Whether the X.509 Compliance Provider should be enabled |
| cryptosenseDiscoveryProvider.enabled | false | Whether the Cryptosense Discovery Provider should be enabled |
| ctLogsDiscoveryProvider.enabled | false | Whether the CT Logs Discovery Provider should be enabled |
| networkDiscoveryProvider.enabled | false | Whether the Network Discovery Provider should be enabled |
| keystoreEntityProvider.enabled | false | Whether the Keystore Entity Provider should be enabled |
| softwareCryptographyProvider.enabled | false | Whether the Software Cryptography Provider should be enabled |
| emailNotificationProvider.enabled | false | Whether the Email Notification Provider should be enabled |
| webhookNotificationProvider.enabled | false | Whether the Webhook Notification Provider should be enabled |
| auth.header.certificate | "ssl-client-cert" | Name of the header containing client certificate |
| javaOpts | "" | Customize Java system properties |
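A pre-install check for the --set overrides mentioned at the top of this page, written as an added example (not part of the chart or its tooling): it parses the override strings and flags the weak defaults documented in the table above, relaxed security-context settings and a missing image digest. The parameter names and default values are those in the table; the rule set and the sample overrides are assumptions.

```python
"""Audit `helm install --set ...` overrides for the CZERTAINLY core chart.

Added example, not chart code. Parameter names and the weak defaults come
from the chart's documented values; which rules to enforce is an assumption.
"""
from __future__ import annotations

import re

# Documented defaults that must never reach a real deployment.
WEAK_DEFAULTS = {
    "database.password": "your-strong-password",
    "registerAdmin.admin.password": "your-strong-password",
    "messaging.username": "admin",
    "messaging.password": "admin",
}
# Hardening the chart enables by default; an override must not switch it off.
MUST_STAY_TRUE = (
    "image.securityContext.runAsNonRoot",
    "image.securityContext.readOnlyRootFilesystem",
)


def parse_set_args(args: list[str]) -> dict[str, str]:
    """Flatten `--set a.b=1,c=2` strings into {"a.b": "1", "c": "2"}.

    Supports the comma-separated form and `\\,` escapes; the `{a,b}` list
    syntax is not needed for the parameters checked here.
    """
    values: dict[str, str] = {}
    for arg in args:
        for pair in re.split(r"(?<!\\),", arg):
            key, _, value = pair.partition("=")
            values[key.strip()] = value.replace("\\,", ",")
    return values


def audit_overrides(args: list[str]) -> list[str]:
    """Return findings for a list of --set strings; an empty list means clean."""
    values = parse_set_args(args)
    findings: list[str] = []
    for key, weak in WEAK_DEFAULTS.items():
        if values.get(key, weak) == weak:  # unset means the documented default applies
            findings.append(f"{key} still uses the documented default {weak!r}")
    for key in MUST_STAY_TRUE:
        if values.get(key, "true").lower() != "true":
            findings.append(f"{key} relaxed to {values[key]!r}")
    if not values.get("image.digest", "").startswith("sha256:"):
        findings.append("image.digest not set; image is pulled by mutable tag only")
    return findings


if __name__ == "__main__":
    # Constructed sample: the DB password is changed, but the rest is forgotten.
    sample = ["database.password=s3cr3t-example,messaging.username=czertainly",
              "image.securityContext.runAsNonRoot=false"]
    for finding in audit_overrides(sample):
        print("WARN:", finding)
```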
Customization parameters
| Parameter | Default value | Description |
|---|---|---|
| initContainers | [] | Init containers |
| sidecarContainers | [] | Sidecar containers |
| additionalVolumes | [] | Additional volumes |
| additionalVolumeMounts | [] | Additional volume mounts |
| additionalPorts | [] | Additional ports |
| additionalEnv.variables | [] | Additional environment variables |
| additionalEnv.secrets | [] | Additional environment secrets |
| additionalEnv.configMaps | [] | Additional environment config maps |
Parameters for associated containers
Open Policy Agent
| Parameter | Default value | Description |
|---|---|---|
| opa.image.registry | docker.io | Docker registry name for the image |
| opa.image.repository | czertainly | Docker image repository name |
| opa.image.name | czertainly-opa | Docker image name |
| opa.image.tag | 1.10.0-static | Docker image tag |
| opa.image.digest | "" | Docker image digest, will override tag if specified |
| opa.image.pullPolicy | IfNotPresent | Image pull policy |
| opa.image.pullSecrets | [] | Array of secret names for image pull |
| opa.image.command | [] | Override the default command |
| opa.image.args | [] | Override the default args |
| opa.image.securityContext.runAsNonRoot | true | Run the container as non-root user |
| opa.image.securityContext.readOnlyRootFilesystem | true | Run the container with read-only root filesystem |
| opa.image.resources | {} | The resources for the container |
cURL
| Parameter | Default value | Description |
|---|---|---|
| curl.image.registry | docker.io | Docker registry name for the image |
| curl.image.repository | czertainly | Docker image repository name |
| curl.image.name | czertainly-curl | Docker image name |
| curl.image.tag | 8.16.0 | Docker image tag |
| curl.image.digest | "" | Docker image digest, will override tag if specified |
| curl.image.pullPolicy | IfNotPresent | Image pull policy |
| curl.image.pullSecrets | [] | Array of secret names for image pull |
| curl.image.command | [] | Override the default command |
| curl.image.args | [] | Override the default args |
| curl.image.securityContext.runAsNonRoot | true | Run the container as non-root user |
| curl.image.securityContext.readOnlyRootFilesystem | true | Run the container with read-only root filesystem |
| curl.image.resources | {} | The resources for the container |
kubectl
| Parameter | Default value | Description |
|---|---|---|
| kubectl.image.registry | docker.io | Docker registry name for the image |
| kubectl.image.repository | czertainly | Docker image repository name |
| kubectl.image.name | czertainly-kubectl | Docker image name |
| kubectl.image.tag | 2.16.1 | Docker image tag |
| kubectl.image.digest | "" | Docker image digest, will override tag if specified |
| kubectl.image.pullPolicy | IfNotPresent | Image pull policy |
| kubectl.image.pullSecrets | [] | Array of secret names for image pull |
| kubectl.image.command | [] | Override the default command |
| kubectl.image.args | [] | Override the default args |
| kubectl.image.securityContext.runAsNonRoot | true | Run the container as non-root user |
| kubectl.image.securityContext.readOnlyRootFilesystem | true | Run the container with read-only root filesystem |
Probes parameters
For more details about probes, see the Kubernetes documentation.
| Parameter | Default value | Description |
|---|---|---|
| image.probes.liveness.enabled | false | Enable/disable liveness probe |
| image.probes.liveness.custom | {} | Custom liveness probe command. When defined, it will override the default command |
| image.probes.liveness.initialDelaySeconds | 60 | Initial delay seconds for liveness probe |
| image.probes.liveness.timeoutSeconds | 5 | Timeout seconds for liveness probe |
| image.probes.liveness.periodSeconds | 10 | Period seconds for liveness probe |
| image.probes.liveness.successThreshold | 1 | Success threshold for liveness probe |
| image.probes.liveness.failureThreshold | 3 | Failure threshold for liveness probe |
| image.probes.readiness.enabled | true | Enable/disable readiness probe |
| image.probes.readiness.custom | {} | Custom readiness probe command. When defined, it will override the default command |
| image.probes.readiness.initialDelaySeconds | 15 | Initial delay seconds for readiness probe |
| image.probes.readiness.timeoutSeconds | 5 | Timeout seconds for readiness probe |
| image.probes.readiness.periodSeconds | 10 | Period seconds for readiness probe |
| image.probes.readiness.successThreshold | 1 | Success threshold for readiness probe |
| image.probes.readiness.failureThreshold | 3 | Failure threshold for readiness probe |
| image.probes.startup.enabled | true | Enable/disable startup probe |
| image.probes.startup.custom | {} | Custom startup probe command. When defined, it will override the default command |
| image.probes.startup.initialDelaySeconds | 15 | Initial delay seconds for startup probe |
| image.probes.startup.timeoutSeconds | 5 | Timeout seconds for startup probe |
| image.probes.startup.periodSeconds | 10 | Period seconds for startup probe |
| image.probes.startup.successThreshold | 1 | Success threshold for startup probe |
| image.probes.startup.failureThreshold | 45 | Failure threshold for startup probe |
Open Policy Agent
| Parameter | Default value | Description |
|---|---|---|
| opa.image.probes.liveness.enabled | false | Enable/disable liveness probe |
| opa.image.probes.liveness.custom | {} | Custom liveness probe command. When defined, it will override the default command |
| opa.image.probes.liveness.initialDelaySeconds | 5 | Initial delay seconds for liveness probe |
| opa.image.probes.liveness.timeoutSeconds | 5 | Timeout seconds for liveness probe |
| opa.image.probes.liveness.periodSeconds | 10 | Period seconds for liveness probe |
| opa.image.probes.liveness.successThreshold | 1 | Success threshold for liveness probe |
| opa.image.probes.liveness.failureThreshold | 3 | Failure threshold for liveness probe |
| opa.image.probes.readiness.enabled | true | Enable/disable readiness probe |
| opa.image.probes.readiness.custom | {} | Custom readiness probe command. When defined, it will override the default command |
| opa.image.probes.readiness.initialDelaySeconds | 5 | Initial delay seconds for readiness probe |
| opa.image.probes.readiness.timeoutSeconds | 5 | Timeout seconds for readiness probe |
| opa.image.probes.readiness.periodSeconds | 10 | Period seconds for readiness probe |
| opa.image.probes.readiness.successThreshold | 1 | Success threshold for readiness probe |
| opa.image.probes.readiness.failureThreshold | 3 | Failure threshold for readiness probe |
| opa.image.probes.startup.enabled | false | Enable/disable startup probe |
| opa.image.probes.startup.custom | {} | Custom startup probe command. When defined, it will override the default command |
| opa.image.probes.startup.initialDelaySeconds | 5 | Initial delay seconds for startup probe |
| opa.image.probes.startup.timeoutSeconds | 5 | Timeout seconds for startup probe |
| opa.image.probes.startup.periodSeconds | 10 | Period seconds for startup probe |
| opa.image.probes.startup.successThreshold | 1 | Success threshold for startup probe |
| opa.image.probes.startup.failureThreshold | 3 | Failure threshold for startup probe |
Additional parameters
Additional parameters may be found in the respective values.yaml and dependencies.
See dependent charts for the description of available parameters.