When Universal Orchestrator
Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.
Table 1007: Universal Orchestrator Containerized Installation Values File Settings
|
Name |
Description |
Example | Default |
|---|---|---|---|
|
containerSecurityContext
allowPrivilegeEscalation
|
The container security context to use for application containers. | false | |
|
fullnameOverride
|
Provide the deployment with a completely custom name, overriding both the default name of the Helm release defined in the chart.yaml file and the name of the Helm deployment provided in the Helm install command. | ||
|
image
pullPolicy
|
Retrieve a fresh copy of the Universal Orchestrator image from the Keyfactor artifactory on start? | IfNotPresent | |
|
imagePullSecrets
- name
|
The name of the secret created to authenticate to the Keyfactor artifactory. | ||
|
image
repository
|
The Universal Orchestrator image to retrieve from the Keyfactor artifactory, including the artifactory path.
|
repo.keyfactor.com/images/command/universal-orchestrator-ssl | |
|
image
tag
|
The version of the Universal Orchestrator image to deploy. This allows you to control which specific release of the Universal Orchestrator should be deployed. | The chart appVersion | |
|
initContainers
|
This structure is used to add extensions. Examples of use are shown with the example values file (see Kubernetes with Helm). For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
||
|
metadata
annotations
|
Additional annotations to add to all resources deployed by the helm chart. | ||
|
metadata
labels
|
Additional labels to add to all resources deployed by the helm chart. | ||
|
nameOverride
|
Override the default name of the Helm release defined in the chart.yaml file. For the Universal Orchestrator this value is: universal-orchestrator
This setting does not override the name of the Helm deployment provided in the Helm install command. For example, if you set this value to my-uo and execute the following Helm install command: sudo helm install univ-orch-one --namespace keyfactor-orchestrators --values values.yaml oci://repo.keyfactor.com/charts/command/universal-orchestrator --version 1.0.0
The resulting deployment name would be: univ-orch-one-my-uo
|
||
|
orchestrator
auth
ad
SecretName
|
The name of the Kubernetes secret containing the secret values for the service account created in Active Directory to allow the orchestrator to make requests to Keyfactor Command. | basic-credentials | |
|
orchestrator
auth
ad
secretPasswordKey
|
The key within the Kubernetes secret named by secretName referencing the secret value for the service account created in Active Directory to allow the orchestrator to make requests to Keyfactor Command. | password | |
|
orchestrator
auth
ad
secretUsernameKey
|
The key within the Kubernetes secret named by secretName referencing the username for the service account created in Active Directory to allow the orchestrator to make requests to Keyfactor Command. | username | |
|
orchestrator
auth
oauth
audience
|
The audience value for tokens issued from the OAuth identity provider. | ||
|
orchestrator
auth
oauth
scope
|
One or more scopes that should be included in token requests delivered to the OAuth identity provider when making a token request. Multiple scopes should be separated by spaces. | ||
|
orchestrator
auth
oauth
secretClientIdKey
|
The key within the Kubernetes secret named by secretName referencing the ID for the client application created in the OAuth identity provider to allow the orchestrator to make requests to Keyfactor Command. | client-id | |
|
orchestrator
auth
oauth
secretClientSecretKey
|
The key within the Kubernetes secret named by secretName referencing the secret value for the client application created in the OAuth identity provider to allow the orchestrator to make requests to Keyfactor Command. | client-secret | |
|
orchestrator
auth
oauth
SecretName
|
The name of the Kubernetes secret containing the secret values for the client application created in the OAuth identity provider to allow the orchestrator to make requests to Keyfactor Command. | client-credentials | |
|
orchestrator
auth
oauth
tokenUrl
|
The URL of the token endpoint for your OAuth identity provider. | ||
|
orchestrator
auth
useAD
|
Authenticate the orchestrator to Keyfactor Command using Active Directory (true) or OAuth (false). | false | |
|
orchestrator
checkCrl
|
A Boolean that indicates whether the revocation status (CRL) of the SSL certificate on the Keyfactor Command server should be checked when connecting to Keyfactor Command. | true | |
|
orchestrator
commandUrl
|
The URL of the orchestrator API on the Keyfactor Command server. | https://keyfactor.keyexample.com/KeyfactorAgents | |
|
orchestrator
env
|
Other environment variables that should be included. | ||
|
orchestrator
logLevel
|
The level of logging output for all containers. Supported values are:
|
Info | |
|
orchestrator
name
|
The name the orchestrator uses to register itself in Keyfactor Command. | By default, the Kubernetes pod name is used if this value is not specified. | |
|
podSecurityContext
runAsNonRoot
|
The security context to use for all pods in all deployments—run as root (false) or not (true). | true | |
|
podSecurityContext
runAsUser
|
The security context to use for all pods in all deployments—run as the specified user, if runAsNonRoot is true. | 1000 | |
|
serviceAccount
annotations
|
Additional annotations for a created service account. | ||
|
serviceAccount
create
|
Create a new service account (true) or not (false). For more information on service accounts, see: https://kubernetes.io/docs/concepts/security/service-accounts/ |
true | |
|
serviceAccount
name
|
The name of an existing service account to use, or the name to give to a service account to be created. |
If create is true but the name is not provided, the default name will be used. | |
|
sidecarContainers
|
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ No sidecar containers are included by default. A PKCS#11 container may be utilized as a sidecar container. |
||
|
topologySpreadConstraints
|
For more information on this data structure, see: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ No topology spread constraints are included by default. |
||
|
volumeMounts
- name
|
An array of volume mounts. This parameter specifies the name of the volume mount. This value should match the value set by volumes > -name. The example values file (see Kubernetes with Helm) includes a volume mount for the config map ca-roots to mount trusted CA certificates. For more information on this data structure, see: |
root-cas | |
|
volumeMounts
mountPath
|
The path, and file name for a single file, in the container to which to mount the file or directory. | /etc /ssl /certs /ca-certificates .crt | |
|
volumeMounts
subPath
|
The file or subdirectory within the container volume to mount to the container. | ca-certificates.crt | |
|
volumes
- name
|
An array of volumes. This parameter specifies the name of the volume. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. |
root-cas | |
|
volumes
configMap
items
- key
|
The Kubernetes config map key name given to the referenced value in the config map. |
ca-certificates.crt | |
|
volumes
configMap
items
path
|
The name of the mounted file, referenced by the Kubernetes config map, as it will appear in the volume. In the example values file, the data from the config map key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume. |
ca-certificates.crt | |
|
volumes
configMap
name
|
The name given to the Kubernetes config map for the volume. | ca-roots |
Was this page helpful? Provide Feedback