When Keyfactor Command is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.
Table 1127: Keyfactor Command Containerized Installation Values File Settings
| Name | Description | Example | Default | 
|---|---|---|---|
| additionalEnvironmentVariables
                                                                             | Other environment variables that should be included for all containers. For example: 
 | ||
| appConfig analysis image name
                                                                             | The name of the image for the Analysis container in the Keyfactor artifactory. | analysis | |
| appConfig analysis path
                                                                             | The URL to which traffic is directed for the Analysis application. | KeyfactorAnalysis | |
| appConfig analysis probeSettings
                                                                             | Liveness and readiness probe settings used to identify whether the container is operating as expected. Liveness probes are health checks while the readiness probes determine when the pod is considered ready and can start serving requests. Clear this value to unset probes. No probes are set for the Analysis container by default. | ||
| appConfig analysis resources limits cpu
                                                                             | The maximum CPU the Analysis application container may use. | 500m | |
| appConfig analysis resources limits memory
                                                                             | The maximum memory the Analysis application container may use. | 2G | |
| appConfig analysis resources requests cpu
                                                                             | The baseline amount of CPU allocated for use by the Analysis application container. | 100m | |
| appConfig analysis resources requests memory
                                                                             | The baseline amount of memory allocated for use by the Analysis application container. | 600M | |
| appConfig api image name
                                                                             | The name of the image for the Keyfactor API container in the Keyfactor artifactory. | api | |
| appConfig api path
                                                                             | The URL to which traffic is directed for the Keyfactor API application. | Keyfactor API | |
| appConfig caconnectorapi image name
                                                                             | The name of the image for the CA Connector API container in the Keyfactor artifactory. | ca- connector- api | |
| appConfig caconnectorapi path
                                                                             | The URL to which traffic is directed for the CA Connector API application. | Keyfactor CA Connectors | |
| appConfig claimsproxy image name
                                                                             | The name of the image for the Claims Proxy container in the Keyfactor artifactory. | claims-proxy | |
| appConfig claimsproxy path
                                                                             | The URL to which traffic is directed for the Claims Proxy application. | Keyfactor Proxy | |
| appConfig orchestratorapi image name
                                                                             | The name of the image for the Orchestrator API container in the Keyfactor artifactory. | orchestrator- api | |
| appConfig orchestratorapi path
                                                                             | The URL to which traffic is directed for the Orchestrator API application. | Keyfactor Agents | |
| appConfig portal image name
                                                                             | The name of the image for the Management Portal container in the Keyfactor artifactory. | console | |
| appConfig portal image path
                                                                             | The URL to which traffic is directed for the Management Portal application. | Keyfactor Portal | |
| appConfig timerservice image name
                                                                             | The name of the image for the Keyfactor Command Service (timer service) container in the Keyfactor artifactory. | timer- service | |
| appConfig timerservice probeSettings livenessProbe failureThreshold
                                                                             | The number of failures allowed in a liveness health check before an unhealthy state is declared for the container. If the liveness probe fails, Kubernetes assumes the container is stuck or crashed and will restart it. Clear this value to unset probes. | 6 | |
| appConfig timerservice probeSettings livenessProbe initialDelaySeconds
                                                                             | The number of seconds to wait before firing the first health check probe. Clear this value to unset probes. | 10 | |
| appConfig timerservice probeSettings livenessProbe periodSeconds
                                                                             | The number of seconds in between runs of the health check probe. Clear this value to unset probes. | 5 | |
| appConfig timerservice probeSettings livenessProbe tcpSocket port
                                                                             | The port to which Kubernetes should attempt to establish a TCP connection for health checks. If the connection is successful, the probe is considered a success. Clear this value to unset probes. | connection-port | |
| appConfig timerservice probeSettings readinessProbe failureThreshold
                                                                             | The number of failures allowed in a readiness check before the container is declared unready. If the readiness probe fails, Kubernetes removes the pod from the service’s load balancer until it becomes available again. It does not restart it. Clear this value to unset probes. | 6 | |
| appConfig timerservice probeSettings readinessProbe initialDelaySeconds
                                                                             | The number of seconds to wait before firing the first readiness probe. Clear this value to unset probes. | 10 | |
| appConfig timerservice probeSettings readinessProbe periodSeconds
                                                                             | The number of seconds in between runs of the readiness probe. Clear this value to unset probes. | 5 | |
| appConfig timerservice probeSettings readinessProbe tcpSocket port
                                                                             | The port to which Kubernetes should attempt to establish a TCP connection for readiness checks. If the connection is successful, the probe is considered a success. Clear this value to unset probes. | connection-port | |
| appConfig timerservice resources limits cpu
                                                                             | The maximum CPU the Keyfactor Command Service (timer service) application container may use. | 500m | |
| appConfig timerservice resources limits memory
                                                                             | The maximum memory the Keyfactor Command Service (timer service) application container may use. | 2G | |
| appConfig timerservice service enabled
                                                                             | The Keyfactor Command Service controls CA synchronization jobs, alert generation, reporting, and database cleanup tasks, among other jobs. The parameter enables the service (true) or not (false). | false | |
| connectionStrings database
                                                                             | The plain text name of the database in SQL server for Keyfactor Command. The database will be created if it does not already exist. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see: 
 | ||
| connectionStrings efTemplate
                                                                             | The template for generating entity framework connection strings using plain text values. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see: 
 | metadata= res://*/EFModels.csdl \\|res://*/EFModels.ssdl \\|res://*/EFModels.msl; provider= Microsoft. Data. SqlClient; provider connection string= 'Data Source=%s; Initial Catalog=%s; Integrated Security=False; User ID=%s; Password=%s; Persist Security Info=True; Command Timeout=360; Multiple Active Result Sets=True; Application Name=EntityFramework' | |
| connectionStrings existingSecretEFKey
                                                                             | The Kubernetes secret key name given to the secret for the entity framework connection string. This parameter is required if plain text values are not provided. | ef | |
| connectionStrings existingSecretName
                                                                             | The Kubernetes secret name that contains the connection string values. This parameter is required if plain text values are not provided. | connection- strings | |
| connectionStrings existingSqlDirectKey
                                                                             | The Kubernetes secret key name given to the secret for the SQL connection string. This parameter is required if plain text values are not provided. | sqlDirect | |
| connectionStrings hostname
                                                                             | The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL server. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see: 
 | ||
| connectionStrings password
                                                                             | The plain text password for the SQL user (see connection Strings > username). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see: 
 | ||
| connectionStrings sqlDirectTemplate
                                                                             | The template for generating SQL connection strings using plain text values for the connection string. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see: 
 | Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; Command Timeout=360; User ID=%s; Password=%s; | |
| connectionStrings username
                                                                             | The plain text username for a SQL user with sufficient permissions to complete the install (see Grant Permissions in SQL). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see: 
 | ||
| dbPoller pollingInterval
                                                                             | The interval of time between checks to the SQL database to confirm that it’s online and not in maintenance mode before the application containers are allowed to start. | 5 | |
| dbupgradetool adminUser claimType
                                                                             | The claim type for the initial administrative user or group to be created in Keyfactor Command. The supported values are: 
 This parameter is required. | ||
| dbupgradetool adminUser claimValue
                                                                             | The value for the for the initial administrative user or group to be created in Keyfactor Command. For example, a GUID for a user account sub, a role name for a role, or a client ID for a client (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation for more information). This parameter is required. | ||
| dbupgradetool adminUser description
                                                                             | A description for the initial administrative user or group to be created in Keyfactor Command to override the default, if desired. | Default Administrator | |
| dbupgradetool adminUser identityProvider
                                                                             | The name set by dbupgrade tool > idp > display Name for the initial administrative user or group to be created in Keyfactor Command. This parameter is required. | Command OIDC | |
| dbupgradetool agents useSSL
                                                                             | Use SSL for connections to the Orchestrator API application. | true | |
| dbupgradetool api useSSL
                                                                             | Use SSL for connections to the Keyfactor API application. | true | |
| dbupgradetool appSettings console general cookieExpiration
                                                                             | The cookieExpiration value determines the length of time the authentication cookie | ||
| dbupgradetool appSettings console general sessionExpiration
                                                                             |  The  Note:  For Keycloak, the cookieExpiration and sessionExpiration values should match those configured for the SSO Session Max and Access Token Lifespan in Keycloak. If you’ve opted not to issue refresh tokens in Keycloak, the cookieExpiration value should match the sessionExpiration value. | ||
| dbupgradetool backoffLimit
                                                                             | The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating. | 5 | |
| dbupgradetool caConnector basicAuth credentials password pamProviderName
                                                                             | The name of the PAM provider to use to store the password for the RabbitMQ user. | ||
| dbupgradetool caConnector basicAuth credentials password pamProviderParameters
                                                                             | Parameters for the PAM provider specified as name/value pairs. These will vary depending on the PAM provider. For example, a secret stored as a Delinea PAM secret might look like (where the SecretId and SecretFieldName are the parameter names from the PAM parameter type and the values contain the information created in the Delinea secret server for this purpose): pamProviderParameters:
  - name: SecretId
    value: MyID
  - name: SecretFieldName
    value: MyReferenceName | ||
| dbupgradetool caConnector basicAuth credentials password password
                                                                             | The plain text password for the RabbitMQ user. | ||
| dbupgradetool caConnector basicAuth credentials password passwordSecretKey
                                                                             | The key within the Kubernetes secret named by secretName referencing the password for the RabbitMQ user. | password | |
| dbupgradetool caConnector basicAuth credentials password secretName
                                                                             | The name of the Kubernetes secret containing the password for the RabbitMQ user. | rabbit- basic- auth | |
| dbupgradetool caConnector basicAuth credentials password source
                                                                             | The source for the secret for the RabbitMQ user’s password. Supported options are: 
 For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required if a CA connector with Basic authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector. | SecretRef | |
| dbupgradetool caConnector basicAuth credentials username secretName
                                                                             | The name of the Kubernetes secret containing the username of the RabbitMQ user. | rabbit- basic- auth | |
| dbupgradetool caConnector basicAuth credentials username source
                                                                             | The source for the RabbitMQ user’s username. Supported options are: 
 Note:  PAM is not supported for usernames. For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required if a CA connector with Basic authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector. | SecretRef | |
| dbupgradetool caConnector basicAuth credentials username username
                                                                             | The plain text username for the RabbitMQ user. | ||
| dbupgradetool caConnector basicAuth credentials username usernameSecretKey
                                                                             | The key within the Kubernetes secret named by secretName referencing the username for the RabbitMQ user. | username | |
| dbupgradetool caConnector configureCAConnector
                                                                             | Enable the CA connector option (true) or not (false). | true | |
| dbupgradetool caConnector jobQueueAudience
                                                                             | An audience value to be included in token requests delivered to your identity provider. This is not required when using Keycloak. | ||
| dbupgradetool caConnector jobQueueScope
                                                                             | One or more scopes that should be included in token requests delivered to your identity provider. This is not required when using Keycloak. | ||
| dbupgradetool caConnector jobQueueTokenURL
                                                                             | The URL of the token endpoint for your identity provider. | https:// my-keyidp-server .keyexample .com / realms/ Keyfactor/ protocol/ openid- connect/ token | |
| dbupgradetool caConnector jobQueueUrl
                                                                             | The amqp or amqps URL to the RabbitMQ instance. | amqps:// appsrvr12. keyexample .com | |
| dbupgradetool caConnector jobQueueUseOAuth
                                                                             | If set to true, uses OAuth client credentials to authenticate to RabbitMQ. If set to false, uses basic authentication (username/password) to authenticate to RabbitMQ. Keyfactor strongly recommends that if you choose basic authentication, you connect to RabbitMQ over a secure channel (amqps). | true | |
| dbupgradetool caConnector jobQueueValidateOnSave
                                                                             | Validate the job queue connection and credentials before saving to the database during configuration (true) or not (false). | true | |
| dbupgradetool caConnector oAuth clientCredentials clientId clientId
                                                                             | The plain text ID for the RabbitMQ client. | ||
| dbupgradetool caConnector oAuth clientCredentials clientId clientIdSecretKey
                                                                             | The key within the Kubernetes secret named by secretName referencing the ID for the RabbitMQ client. | client-id | |
| dbupgradetool caConnector oAuth clientCredentials clientId secretName
                                                                             | The name of the Kubernetes secret containing the ID of the RabbitMQ client. | rabbit-oauth | |
| dbupgradetool caConnector oAuth clientCredentials clientId source
                                                                             | The source for the RabbitMQ client. Supported options are: 
 Note:  PAM is not supported for client IDs. For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required if a CA connector with OAuth authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector. | SecretRef | |
| dbupgradetool caConnector oAuth clientCredentials clientSecret clientSecret
                                                                             | The plain text secret value for the RabbitMQ client. | ||
| dbupgradetool caConnector oAuth clientCredentials clientSecret clientSecretSecretKey
                                                                             | The key within the Kubernetes secret named by secretName referencing the secret value for the RabbitMQ client. | client-secret | |
| dbupgradetool caConnector oAuth clientCredentials clientSecret pamProviderName
                                                                             | The name of the PAM provider to use to store the client secret for the RabbitMQ user. | ||
| dbupgradetool caConnector oAuth clientCredentials clientSecret pamProviderParameters
                                                                             | Parameters for the PAM provider specified as name/value pairs. These will vary depending on the PAM provider. For example, a secret stored as a Delinea PAM secret might look like (where the SecretId and SecretFieldName are the parameter names from the PAM parameter type and the values contain the information created in the Delinea secret server for this purpose): pamProviderParameters:
  - name: SecretId
    value: MyID
  - name: SecretFieldName
    value: MyReferenceName | ||
| dbupgradetool caConnector oAuth clientCredentials clientSecret secretName
                                                                             | The name of the Kubernetes secret containing the secret value for the RabbitMQ client. | rabbit-oauth | |
| dbupgradetool caConnector oAuth clientCredentials clientSecret source
                                                                             | The source for the secret for the RabbitMQ client. Supported options are: 
 For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required if a CA connector with OAuth authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector. | SecretRef | |
| dbupgradetool caConnector overwrite
                                                                             | Overwrite any existing CA connector configuration settings (true) or not (false). | false | |
| dbupgradetool caConnector useSSL
                                                                             | Use SSL for connections to the Keyfactor Command CA Connector API application. | true | |
| dbupgradetool dbCommandTimeout
                                                                             | Custom timeout for the database connection during the database setup and configuration process. | ||
| dbupgradetool forceSecretReencryption
                                                                             | Rotate the application-level encryption keys and re-encrypt the data identified for application-level encryption in the Keyfactor Command database (true) or not (false). Application-level encryption is used to encrypt select sensitive data stored in the Keyfactor Command database using a separate encryption methodology on top of standard SQL server encryption. This additional layer of encryption protects the data in cases where the SQL Server master keys cannot be adequately protected. If you enable application-level encryption, you must configure an encryption methodology (see Application-Level Encryption). | false | |
| dbupgradetool idp api clientCredentials clientId clientId
                                                                             | The plain text ID for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. | ||
| dbupgradetool idp api clientCredentials clientId clientIdSecretKey
                                                                             | The key within the Kubernetes secret named by secretName referencing the ID for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. | client-id | |
| dbupgradetool idp api clientCredentials clientId secretName
                                                                             | The name of the Kubernetes secret containing the ID of the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. | idp-api-secrets | |
| dbupgradetool idp api clientCredentials clientId source
                                                                             | The source for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. Supported options are: 
 Note:  PAM is not supported for client IDs. For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required. | SecretRef | |
| dbupgradetool idp api clientCredentials clientSecret clientSecret
                                                                             | The plain text secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. | ||
| dbupgradetool idp api clientCredentials clientSecret clientSecretSecretKey
                                                                             | The key within the Kubernetes secret named by secretName referencing the secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. | client-secret | |
| dbupgradetool idp api clientCredentials clientSecret pamProviderName
                                                                             | The name of the PAM provider to use to store the client secret for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. | ||
| dbupgradetool idp api clientCredentials clientSecret pamProviderParameters
                                                                             | Parameters for the PAM provider specified as name/value pairs. These will vary depending on the PAM provider. For example, a secret stored as a Delinea PAM secret might look like (where the SecretId and SecretFieldName are the parameter names from the PAM parameter type and the values contain the information created in the Delinea secret server for this purpose): pamProviderParameters:
  - name: SecretId
    value: MyID
  - name: SecretFieldName
    value: MyReferenceName | ||
| dbupgradetool idp api clientCredentials clientSecret secretName
                                                                             | The name of the Kubernetes secret containing the secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. | idp-api-secrets | |
| dbupgradetool idp api clientCredentials clientSecret source
                                                                             | The source for the secret for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. Supported options are: 
 For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required. | SecretRef | |
| dbupgradetool idp audience
                                                                             | The audience value for tokens issued from the identity provider. For Keycloak, this should be set to the same value as the dbupgrade tool > idp > client Id. This parameter is required. | Command- OIDC- Client | |
| dbupgradetool idp auth0ApiUrl
                                                                             | The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter is required if Auth0 is set as the type (see dbupgrade tool > idp > provider Type). This value is not used for Keycloak. | ||
| dbupgradetool idp authenticationScheme
                                                                             | A unique authentication scheme (reference name) for the identity provider in Keyfactor Command. The authentication Scheme should be entered without spaces. This is used in constructing URLs that reference the identity provider from Keyfactor Command. For Keycloak, the authentication Scheme you enter here must match the name you used when configuring the redirect URLs for Keycloak (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. Tip:  An identity provider hint can be given in the Keyfactor Command URL to indicate a specific identity provider—referenced by an  
https://keyfactor. keyexample.com/ KeyfactorPortal/ Login/ Signin? idpHint= Command-OIDC-3 Where keyfactor. keyexample.com is the fully qualified domain name of the Keyfactor Command server, KeyfactorPortal is the virtual directory for the Management Portal on that server, and Command-OIDC-3 is the authentication scheme for the identity provider to use for authentication. | Command- OIDC | |
| dbupgradetool idp authority
                                                                             | The issuer/authority endpoint URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the authority will automatically be retrieved and does not need to be provided separately. Tip:  When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:
                         
 If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged. | https:// my- keyidp- server .keyexample .com /realms /Keyfactor | |
| dbupgradetool idp authorizationEndpoint
                                                                             | The authorization endpoint URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgradetool > idp > discoveryDocumentEndpoint) is provided in the values file, the authorizationEndpoint will automatically be retrieved and does not need to be provided separately. | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/auth | |
| dbupgradetool idp clientCredentials clientId clientId
                                                                             | The plain text ID of the client application created in the identity provider for primary application use. | Command-OIDC-Client | |
| dbupgradetool idp clientCredentials clientId clientIdSecretKey
                                                                             | The key within the Kubernetes secret named by secretName referencing the ID for the client application created in the identity provider for primary application use. | client-id | |
| dbupgradetool idp clientCredentials clientId secretName
                                                                             | The name of the Kubernetes secret containing the ID of the client application created in the identity provider for primary application use. | idp-secrets | |
| dbupgradetool idp clientCredentials clientId source
                                                                             | The source for the client ID for the client application created for primary application use. Supported options are: 
 Note:  PAM is not supported for client IDs. For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required. | SecretRef | |
| dbupgradetool idp clientCredentials clientSecret source
                                                                             | The source for the secret for the client application created for primary application use. Supported options are: 
 For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation. This value and the selected option's associated settings are required. | SecretRef | |
| dbupgradetool idp clientCredentials clientSecret clientSecret
                                                                             | The plain text secret value for the client application created in the identity provider for primary application use. | ||
| dbupgradetool idp clientCredentials clientSecret clientSecretSecretKey
                                                                             | The key within the Kubernetes secret named by secretName referencing the secret value for the client application created in the identity provider for primary application use. | client-secret | |
| dbupgradetool idp clientCredentials clientSecret pamProviderName
                                                                             | The name of the PAM provider to use to store the client secret for the client application created in the identity provider for primary application use. | ||
| dbupgradetool idp clientCredentials clientSecret pamProviderParameters
                                                                             | Parameters for the PAM provider specified as name/value pairs. These will vary depending on the PAM provider. For example, a secret stored as a Delinea PAM secret might look like the following (where SecretId and SecretFieldName are the parameter names from the PAM provider type and the values contain the information created in the Delinea secret server for this purpose):
pamProviderParameters:
  - name: SecretId
    value: MyID
  - name: SecretFieldName
    value: MyReferenceName | ||
| dbupgradetool idp clientCredentials clientSecret secretName
                                                                             | The name of the Kubernetes secret containing the secret value for the client application created in the identity provider for primary application use. | idp-secrets | |
| dbupgradetool idp discoveryDocumentEndpoint
                                                                             | The discovery URL for the identity provider. For Keycloak, this is the link to the OpenID Endpoint Configuration page, which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). | https://my-keyidp-server.keyexample.com/realms/Keyfactor/.well-known/openid-configuration | |
| dbupgradetool idp displayName
                                                                             | A display name for the identity provider in Keyfactor Command. The display name may contain spaces. This parameter is required. | Command OIDC | |
| dbupgradetool idp fallbackUniqueClaimType
                                                                             | A type of user claim for the identity provider containing a backup unique name for the user. This is provided in case the primary referenced name (see dbupgradetool > idp > uniqueClaimType) does not contain a value. Some OAuth providers may provide one type of claim for users/clients of one type and another type of claim for users/clients of another type. The cid (client ID) user claim type is commonly used by OAuth providers. This parameter is required. | cid | |
| dbupgradetool idp jsonWebKeySetUri
                                                                             | The JWKS (JSON Web Key Set) URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgradetool > idp > discoveryDocumentEndpoint) is provided in the values file, the jsonWebKeySetUri will automatically be retrieved and does not need to be provided separately. | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/certs | |
| dbupgradetool idp nameClaimType
                                                                             | A type of user claim for the identity provider containing a friendly name for the user. The value of this claim is not necessarily unique within your identity provider (for example, name might resolve to John Smith while the organization has two users called John Smith). Duplicates are confusing in Keyfactor Command because the value is used as the user's display name in areas such as the requester of a certificate, actors in audit logs, and users referenced in workflow instances, so it is best to choose a claim that is unique in practice. For Okta, this might be preferred_username (e.g., john.smith@keyexample.com) or just name (e.g., John Smith). For Auth0 this might be name (e.g., johnsmith@keyexample.com). This parameter is required. Tip:  The value in this parameter is used as the first choice to populate the username in the Keyfactor Command Management Portal header, if available. This is not the value to use when logging into Keyfactor Command. For that, see dbupgradetool > idp > uniqueClaimType. | preferred_username | |
| dbupgradetool idp overwrite
                                                                             | Overwrite existing settings for the named authenticationScheme on run. | false | |
| dbupgradetool idp providerType
                                                                             | The provider type defined for the identity provider in Keyfactor Command. Supported values are: 
 Most identity providers can be supported with the Generic type. For Auth0, use the Auth0 type. | Generic | |
| dbupgradetool idp requestHeaders
                                                                             | Custom OIDC request headers for the identity provider given as name/value pairs. Parameters configured in this value are added to the headers when Keyfactor Command sends an OIDC request to the OAuth server for the following request types: 
 If this parameter is added, the name of each name/value pair is required. | ||
| dbupgradetool idp requestURLParameters
                                                                             | Custom OIDC request URL parameters for the identity provider given as name/value pairs. Parameters configured in this value are added to the URL queryString parameter when Keyfactor Command sends an OIDC request to the OAuth server for the following request types: 
 If this parameter is added, the name of each name/value pair is required. | ||
| dbupgradetool idp roleClaimType
                                                                             | The value used to reference the type of group claim for the identity provider. This parameter is required. | groups | |
| dbupgradetool idp scope
                                                                             | One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces. This value is not used for Keycloak. | ||
| dbupgradetool idp signOutUrl
                                                                             | The signout URL for the identity provider. This parameter is required if Auth0 is set as the dbupgradetool > idp > providerType. This value is not used for Keycloak. | ||
| dbupgradetool idp timeout
                                                                             | The number of seconds a request to the identity provider is allowed to process before timing out with an error. | ||
| dbupgradetool idp tokenAudience
                                                                             | An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. This value is not used for Keycloak. | ||
| dbupgradetool idp tokenEndpoint
                                                                             | The token endpoint URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgradetool > idp > discoveryDocumentEndpoint) is provided in the values file, the tokenEndpoint will automatically be retrieved and does not need to be provided separately. | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/token | |
| dbupgradetool idp tokenScope
                                                                             | One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces. This value is not used for Keycloak. | ||
| dbupgradetool idp uniqueClaimType
                                                                             | A type of user claim for the identity provider containing a unique name for the user. The sub (subject) user claim type is commonly used by OAuth providers. In Keycloak, the sub is a GUID uniquely identifying the user. See also dbupgradetool > idp > fallbackUniqueClaimType. This parameter is required. Tip:  The value in this field is used as the second choice to populate the username in the Keyfactor Command Management Portal header if the dbupgradetool > idp > nameClaimType does not contain a value in the token. The value in this field is the one to use when logging into Keyfactor Command. | sub | |
| dbupgradetool idp userInfoEndpoint
                                                                             | The user info endpoint URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgradetool > idp > discoveryDocumentEndpoint) is provided in the values file, the userInfoEndpoint will automatically be retrieved and does not need to be provided separately. Note that this is the userinfo endpoint, not the JWKS (certs) endpoint. | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/userinfo | |
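The idp rows above describe two things a practitioner ends up doing by hand: reading the authority, authorization, token, user info and JWKS values out of the identity provider's discovery document, and building the idpHint sign-in URL from the authenticationScheme. The following Python script is an added example and is not code from the Keyfactor Command documentation or product. It parses a constructed Keycloak-style discovery document, applies the checks you would want before trusting it (the issuer matches the configured authority, every endpoint is HTTPS on the issuer's host), and assembles a dbupgradetool.idp block that takes both client credentials from a Kubernetes secret via SecretRef. The mapping of discovery fields to values-file keys, the helper names, the SecretRef key names and the sample hostnames are assumptions made for illustration.

```python
"""Derive dbupgradetool.idp endpoint values from an OIDC discovery document
and build the idpHint sign-in URL from the authenticationScheme.
Added example; key names follow the values-file table and are assumed here."""
import json
from urllib.parse import urlencode, urlsplit

# Constructed discovery document in the shape Keycloak serves at
# <authority>/.well-known/openid-configuration (only the fields used here).
ISSUER = "https://my-keyidp-server.keyexample.com/realms/Keyfactor"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": ISSUER + "/protocol/openid-connect/token",
    "userinfo_endpoint": ISSUER + "/protocol/openid-connect/userinfo",
    "jwks_uri": ISSUER + "/protocol/openid-connect/certs",
})

# Values-file key under dbupgradetool.idp -> field name in the discovery document (assumed mapping).
DISCOVERY_FIELDS = {
    "authority": "issuer",
    "authorizationEndpoint": "authorization_endpoint",
    "tokenEndpoint": "token_endpoint",
    "userInfoEndpoint": "userinfo_endpoint",
    "jsonWebKeySetUri": "jwks_uri",
}


def check_discovery(discovery_json, expected_authority=None):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []
    try:
        doc = json.loads(discovery_json)
    except ValueError as exc:
        return [f"discovery document is not valid JSON: {exc}"]
    for key, field in DISCOVERY_FIELDS.items():
        if not doc.get(field):
            problems.append(f"discovery document has no {field} (needed for {key})")
    issuer = doc.get("issuer", "")
    if expected_authority and issuer.rstrip("/") != expected_authority.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match configured authority {expected_authority!r}")
    issuer_host = urlsplit(issuer).netloc
    for key, field in DISCOVERY_FIELDS.items():
        url = doc.get(field, "")
        parts = urlsplit(url)
        if url and parts.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if url and parts.netloc != issuer_host:
            problems.append(f"{key} host {parts.netloc!r} differs from issuer host {issuer_host!r}")
    return problems


def resolve_idp_endpoints(discovery_json, expected_authority=None):
    """Map the discovery document onto the idp values the discovery endpoint supplies."""
    problems = check_discovery(discovery_json, expected_authority)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(discovery_json)
    return {key: doc[field] for key, field in DISCOVERY_FIELDS.items()}


def valid_authentication_scheme(scheme):
    """The table requires a non-empty scheme with no spaces (it is embedded in URLs)."""
    return bool(scheme) and not any(ch.isspace() for ch in scheme)


def signin_url(host, authentication_scheme, virtual_directory="KeyfactorPortal"):
    """Build the Management Portal sign-in URL that pins a specific identity provider."""
    if not valid_authentication_scheme(authentication_scheme):
        raise ValueError("authenticationScheme must be non-empty and contain no spaces")
    query = urlencode({"idpHint": authentication_scheme})
    return f"https://{host}/{virtual_directory}/Login/Signin?{query}"


def build_idp_values(discovery_json, scheme, display_name, secret_name="idp-secrets"):
    """Assemble dbupgradetool.idp: endpoints from discovery, credentials via SecretRef."""
    endpoints = resolve_idp_endpoints(discovery_json)
    idp = {
        "authenticationScheme": scheme,
        "displayName": display_name,
        "providerType": "Generic",
        # Standard OIDC discovery location relative to the issuer.
        "discoveryDocumentEndpoint": endpoints["authority"].rstrip("/") + "/.well-known/openid-configuration",
        **endpoints,
        "uniqueClaimType": "sub",
        "fallbackUniqueClaimType": "cid",
        "nameClaimType": "preferred_username",
        "roleClaimType": "groups",
        "clientCredentials": {
            "clientId": {"source": "SecretRef", "secretName": secret_name, "clientIdSecretKey": "client-id"},
            "clientSecret": {"source": "SecretRef", "secretName": secret_name, "clientSecretSecretKey": "client-secret"},
        },
    }
    return {"dbupgradetool": {"idp": idp}}


if __name__ == "__main__":
    print(json.dumps(build_idp_values(SAMPLE_DISCOVERY, "Command-OIDC", "Command OIDC"), indent=2))
    print(signin_url("keyfactor.keyexample.com", "Command-OIDC-3"))
```

Dump the resulting dictionary as YAML to splice it into the values file; the point of going through the discovery document is that a typo in one of five hand-copied endpoint URLs (the table's own examples show how similar they are) is caught before the database upgrade job runs rather than during the first login.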
| dbupgradetool license plaintext
                                                                             | The plain text Keyfactor Command license. This is provided as the raw XML content of the license file. One of the following is required: 
 | <?xml version="1.0" encoding="utf-8"?><LicenseData> [data removed for display] </LicenseData> | |
| dbupgradetool license secretKey
                                                                             | The Kubernetes secret key name given to the secret for the Keyfactor Command license. One of the following is required: 
 | license-content | |
| dbupgradetool license secretName
                                                                             | The Kubernetes secret name given to the secret for the Keyfactor Command license. One of the following is required: 
 | command-license | |
| dbupgradetool logi useSSL
                                                                             | Use SSL for connections to the Analysis application. | true | |
| dbupgradetool proxy useSSL
                                                                             | Use SSL for connections to the Claims Proxy application. | true | |
| dbupgradetool resources limits cpu
                                                                             | The maximum CPU the database setup and configuration container may use. | 500m | |
| dbupgradetool resources limits memory
                                                                             | The maximum memory the database setup and configuration container may use. | 2G | |
| dbupgradetool resources requests cpu
                                                                             | The baseline amount of CPU allocated for use by the database setup and configuration container. | 50m | |
| dbupgradetool resources requests memory
                                                                             | The baseline amount of memory allocated for use by the database setup and configuration container. | 300M | |
| dbupgradetool seededConfig Overwrite
                                                                             | A Boolean indicating whether the PAM providers and provider types included in the values file should be written to the Keyfactor Command database. If set to true, new providers will be added and existing providers will be updated with the information given in PamProviderTypes and PamProviders. See the example for PamProviderTypes. | ||
| dbupgradetool seededConfig PamProviders
                                                                             | A JSON string indicating the PAM provider information to add or update in the database for each PAM provider in the format shown in the example for PamProviderTypes. | ||
| dbupgradetool seededConfig PamProviderTypes
                                                                             | A JSON string indicating the PAM provider type information to add or update in the database for each PAM provider type in the format shown in the example. Important notes: 
 Note:  The provider type for Keyfactor Command local PAM providers is defined by default and does not need to be created. Secrets cannot be seeded into a Keyfactor Command local PAM database using this method. Provider parameter values seeded this way (such as the Password in the example) sit in the values file in plain text, so protect that file as you would any other credential store. | dbupgradetool:
  seededConfig: |
    {
      "Overwrite": true,
      "PamProviderTypes": [
        {
          "Name":"DelineaExample",
          "Parameters": [
            {
              "Name": "Host",
              "DisplayName":"Secret Server URL",
              "InstanceLevel": false,
              "DataType": "1"
            },
            {
              "Name": "Username",
              "DisplayName": "Secret Server Username",
              "DataType": "2",
              "InstanceLevel": false
            },
            {
              "Name": "Password",
              "DisplayName": "Secret Server Password",
              "DataType": "2",
              "InstanceLevel": false
            },
            {
              "Name": "SecretId",
              "DisplayName": "Secret Server Secret ID",
              "DataType": "1",
              "InstanceLevel": true
            },
            {
              "Name": "SecretFieldName",
              "DisplayName": "Secret Field Name",
              "DataType": "1",
              "InstanceLevel": true
            }
          ]
        },
        { 
          // If desired, provider two type info goes here
        }
      ],
      "PamProviders": [
        {
          "Name": "DelineaProvider",
          "ProviderType":"DelineaExample",
          "Parameters": [
            {
              "Name":"Host",
              "Value":"https://MyDelineaURL"
            },
            {
              "Name":"Username",
              "Value":"MyDelineaServiceAccountUser"
            },
            {
              "Name":"Password",
              "Value":"MySuperSecretPasswordtoAccessDelinea"
            }
          ]
        },
        {
          // If desired, provider two info goes here
        }
      ]
    } | |
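The seededConfig example above defines a provider type whose parameters are split into provider-level ones (InstanceLevel false, supplied once in PamProviders) and instance-level ones (InstanceLevel true, supplied per secret in pamProviderParameters, as in the clientSecret row). The following Python script is an added example, not code from the Keyfactor Command documentation or product: it loads a constructed seededConfig string in the same shape (dropping the // comment lines the table's example uses as placeholders) and cross-checks it against a constructed client-secret reference, so that a provider that names an undefined type, a missing provider-level parameter, or a pamProviderParameters entry that does not match the type's instance-level parameters is reported before helm install. The helper names and the assumption that each secret reference must supply exactly the type's instance-level parameters are mine.

```python
"""Cross-check a dbupgradetool.seededConfig PAM seed against the pamProviderParameters
that reference it. Added example; the consistency rules below are assumed."""
import json

# Constructed seededConfig string in the shape of the table's example. A comment line is
# included deliberately to show that the loader drops it before parsing.
SEEDED_CONFIG = """
{
  "Overwrite": true,
  "PamProviderTypes": [
    {
      "Name": "DelineaExample",
      "Parameters": [
        {"Name": "Host", "DisplayName": "Secret Server URL", "InstanceLevel": false, "DataType": "1"},
        {"Name": "Username", "DisplayName": "Secret Server Username", "InstanceLevel": false, "DataType": "2"},
        {"Name": "Password", "DisplayName": "Secret Server Password", "InstanceLevel": false, "DataType": "2"},
        {"Name": "SecretId", "DisplayName": "Secret Server Secret ID", "InstanceLevel": true, "DataType": "1"},
        {"Name": "SecretFieldName", "DisplayName": "Secret Field Name", "InstanceLevel": true, "DataType": "1"}
      ]
    }
  ],
  "PamProviders": [
    {
      "Name": "DelineaProvider",
      "ProviderType": "DelineaExample",
      "Parameters": [
        {"Name": "Host", "Value": "https://MyDelineaURL"},
        {"Name": "Username", "Value": "MyDelineaServiceAccountUser"},
        {"Name": "Password", "Value": "MySuperSecretPasswordtoAccessDelinea"}
      ]
    }
    // a second provider would go here
  ]
}
"""

# Constructed client-secret reference as it would appear under
# dbupgradetool.idp.clientCredentials.clientSecret (pamProviderName + pamProviderParameters).
CLIENT_SECRET_REF = {
    "pamProviderName": "DelineaProvider",
    "pamProviderParameters": [{"name": "SecretId", "value": "MyID"},
                              {"name": "SecretFieldName", "value": "MyReferenceName"}],
}


def load_seeded_config(text):
    """Drop // comment lines (used as placeholders in the table's example) and parse the JSON."""
    kept = [ln for ln in text.splitlines() if not ln.strip().startswith("//")]
    return json.loads("\n".join(kept))


def check_seeded_config(cfg, secret_refs=()):
    """Return a list of problems; an empty list means the seed and its references agree."""
    problems = []
    if not isinstance(cfg.get("Overwrite"), bool):
        problems.append("Overwrite must be a JSON boolean")
    types = {t["Name"]: t for t in cfg.get("PamProviderTypes", [])}
    providers = {p["Name"]: p for p in cfg.get("PamProviders", [])}
    # Every provider must name a seeded type and supply exactly its provider-level parameters.
    for name, prov in providers.items():
        ptype = types.get(prov.get("ProviderType"))
        if ptype is None:
            problems.append(f"provider {name}: unknown ProviderType {prov.get('ProviderType')!r}")
            continue
        given = {p["Name"] for p in prov.get("Parameters", [])}
        provider_level = {p["Name"] for p in ptype["Parameters"] if not p["InstanceLevel"]}
        problems += [f"provider {name}: missing provider-level parameter {m}" for m in sorted(provider_level - given)]
        problems += [f"provider {name}: {x} is not a provider-level parameter of {ptype['Name']}"
                     for x in sorted(given - provider_level)]
    # Every secret reference must point at a seeded provider and supply its instance-level parameters.
    for ref in secret_refs:
        prov = providers.get(ref.get("pamProviderName"))
        ptype = types.get(prov["ProviderType"]) if prov else None
        if ptype is None:
            problems.append(f"secret reference: pamProviderName {ref.get('pamProviderName')!r} "
                            "is not a seeded provider with a known type")
            continue
        instance_level = {p["Name"] for p in ptype["Parameters"] if p["InstanceLevel"]}
        supplied = {p["name"] for p in ref.get("pamProviderParameters", [])}
        problems += [f"secret reference via {prov['Name']}: missing instance-level parameter {m}"
                     for m in sorted(instance_level - supplied)]
        problems += [f"secret reference via {prov['Name']}: {x} is not an instance-level parameter"
                     for x in sorted(supplied - instance_level)]
    return problems


if __name__ == "__main__":
    config = load_seeded_config(SEEDED_CONFIG)
    print(check_seeded_config(config, [CLIENT_SECRET_REF]) or "seededConfig and secret reference agree")
```

Run it against the real values file by reading dbupgradetool.seededConfig (a JSON string) and every clientSecret block that uses pamProviderName; a non-empty result is a seed that the database upgrade job would accept structurally but that the first PAM lookup would fail on.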
| dbupgradetool ttlSecondsAfterFinished
                                                                             | The number of seconds after the Keyfactor Command installation/upgrade job completes before it is deleted. | 60 | |
| dbupgradetool webConsole useSSL
                                                                             | Use SSL for connections to the Management Portal application. | true | |
| hostName
                                                                             | The Keyfactor Command hostname parameter. Set this to a value that resolves in DNS to your Kubernetes server/cluster. This is the hostname that will make up part of the URL you will use to reach the Keyfactor Command Management Portal and Keyfactor API. The SSL certificate to secure connections to the server needs to contain this name. This parameter is required. | command185.keyexample.com | your.k8s.cluster.hostname.here | 
| ingress annotations
                                                                             | Annotations are key-value pairs used to store arbitrary, non-identifying metadata on Kubernetes resources. They are typically used for integration with external tools, storing build information, or documenting deployment details. Annotations do not affect the resource’s behavior and are not used for selection. | annotations: 
 annotationsSticky: 
 | |
| ingress className
                                                                             | The ingress class name to use. | nginx | |
| ingress enabled
                                                                             | Creation of the ingress controller is enabled (true) or disabled (false). | true | |
| ingress tlsSecretName
                                                                             | The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to Keyfactor Command. | ingress-tls | |
| initContainers
                                                                             | For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ By default, one init container is included that polls the database to check whether it is online and in an operational state before allowing any deployments to begin. | ||
| jobConfig dbupgradetool image name
                                                                             | The name of the image for the database setup and configuration container in the Keyfactor artifactory. | database-upgrade-tool | |
| jobConfig dbupgradetool limits cpu
                                                                             | The maximum CPU the database setup and configuration container may use. | 500m | |
| jobConfig dbupgradetool limits memory
                                                                             | The maximum memory the database setup and configuration container may use. | 2G | |
| metadata annotations
                                                                             | Annotations are key-value pairs used to store arbitrary, non-identifying metadata on Kubernetes resources. They are typically used for integration with external tools, storing build information, or documenting deployment details. Annotations do not affect the resource’s behavior and are not used for selection. | ||
| metadata labels
                                                                             | Labels are key-value pairs used to categorize and identify Kubernetes resources for easy selection and management. They are often used for grouping resources by application, environment, or version, enabling efficient querying and filtering. Labels are essential for resource selection and grouping in Kubernetes operations. | ||
| serviceAccount annotations
                                                                             | ServiceAccount annotations are key-value pairs used to attach non-identifying metadata to the service account resource. These annotations are typically used for integration with external tools, documenting configurations, or adding extra information relevant to the service account's usage. Like other annotations, they don't affect the resource's functionality and aren't used for selection. | ||
| serviceAccount create
                                                                             | Create a new service account (true) or not (false). For more information on service accounts, see: https://kubernetes.io/docs/concepts/security/service-accounts/ | true | |
| serviceAccount name
                                                                             | The name of an existing service account to use, or the name to give to a service account to be created. If create is true but the name is not provided, the default name will be used. | ||
| sidecarContainers
                                                                             | Additional containers that run alongside the main application container within a pod are known as sidecarContainers. These containers typically provide supporting functionality, such as logging, monitoring, or proxying, without modifying the primary application's behavior. Sidecar containers share the pod's network namespace and can mount the same volumes as the main container, enabling close integration. For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ No sidecarContainers are included by default. | ||
| sqlRootFingerprint
                                                                             | The thumbprint of the root (not issuing) CA to which the SSL certificate on the SQL server chains. This parameter is required if Encrypt=true is set in the connection string. The thumbprint should be provided with colons between each octet. Check that the value you supply is for the self-signed certificate at the top of the chain: the issuing CA's thumbprint has the same shape but will not be accepted as the root. | fingerprint:for:sql:SSL:cert:Root:CA | |
| workloadDefaults containerSecurityContext allowPrivilegeEscalation
                                                                             | Specifies whether a process in a container can gain more privileges than its parent process. If set to true, processes in the container can escalate their privileges, potentially allowing them to gain additional system capabilities. If set to false, privilege escalation is prevented, which can improve security by limiting the container's ability to perform actions that require higher privileges than the container's default security context allows. | false | |
| workloadDefaults enabled
                                                                             | Enables or disables resources associated with the given workload. | true | |
| workloadDefaults env
                                                                             | Other environment variables that should be included for application containers. See, for example: 
 If desired, this may be set on an application container basis using appConfig and a job basis using JobConfig. | ||
| workloadDefaults image name
                                                                             | The name of the image to retrieve from the Keyfactor artifactory. Important:  Because the Keyfactor Command installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for appConfig > [application] > image > name and jobConfig > dbupgradetool > image > name. | ||
| workloadDefaults image path
                                                                             | The path in the Keyfactor artifactory from which to retrieve the Keyfactor Command images. | images/command | |
| workloadDefaults image pullPolicy
                                                                             | The pullPolicy defines when the container image | Always | |
| workloadDefaults image pullSecrets - name
                                                                             | The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the image. This parameter is required. | image-creds | |
| workloadDefaults image repo
                                                                             | The name of the Keyfactor artifactory from which to retrieve the Keyfactor Command images. | repo.keyfactor.com | |
| workloadDefaults image version
                                                                             | The version of Keyfactor Command to retrieve from the Keyfactor artifactory. | 25.3 | |
| workloadDefaults labels
                                                                             | Labels that should be applied to deployment/stateful set and pods. | ||
| workloadDefaults logLevel
                                                                             | The container logging level output. Supported values are: 
 The level set here applies to all containers. If desired, this may be set on an application container basis using appConfig. See also Editing NLog. | | INFO | 
| workloadDefaults path
                                                                             | The path to the network service. This should only have a value if workloadDefaults > service > enabled is true. | ||
| workloadDefaults podDisruptionBudget maxUnavailable
                                                                             | The maximum number of pods that can be disrupted at the same time. Either maxUnavailable or minUnavailable should be set, but not both. A Pod Disruption Budget (PDB) ensures that a certain number of pods remain available during voluntary disruptions (e.g., draining a node for maintenance). It does not protect against node failures or crashes. A PDB is only generated when the replicaCount is greater than 1. | ||
| workloadDefaults podDisruptionBudget minUnavailable
                                                                             | The minimum number of pods that must remain available at any time. Either maxUnavailable or minUnavailable should be set, but not both. | 1 | |
| workloadDefaults podEnableServiceLinks
                                                                             | Controls whether Kubernetes automatically injects environment variables for services into your pods. When set to true, Kubernetes automatically adds environment variables for all Services in the same namespace. | true | |
| workloadDefaults podSecurityContext runAsNonRoot
                                                                             | The runAsNonRoot parameter specifies whether the pod's containers should be run as a non-root user. When set to true, the containers must run as a user other than root, improving security by adhering to the principle of least privilege. If set to false (or not specified), containers may run as the root user, which could increase security risks. | true | |
| workloadDefaults podSecurityContext runAsUser
                                                                             | The runAsUser parameter specifies the user ID (UID) that the containers in the pod should run as. By setting this value, you ensure that the containers run with the specified user privileges, rather than the default root user. This enhances security by limiting the container’s access to system resources and following the principle of least privilege. This value is used if runAsNonRoot is true. | 1000 | |
| workloadDefaults probeSettings livenessProbe failureThreshold
                                                                             | The number of failures allowed in a liveness health check before an unhealthy state is declared for the container. If the liveness probe fails, Kubernetes assumes the container is stuck or crashed and will restart it. Clear this value to unset probes. | 6 | |
| workloadDefaults probeSettings livenessProbe httpGet path
                                                                             | The path which Kubernetes should use to attempt to perform an HTTP GET request to check the health of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. | /Status/HealthCheck | |
| workloadDefaults probeSettings livenessProbe httpGet port
                                                                             | The port which Kubernetes should use to attempt to perform an HTTP GET request to check the health of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. | connection-port | |
| workloadDefaults probeSettings livenessProbe initialDelaySeconds
                                                                             | The number of seconds to wait before firing the first health check probe. Clear this value to unset probes. | 10 | |
| workloadDefaults probeSettings livenessProbe periodSeconds
                                                                             | The number of seconds in between runs of the health check probe. Clear this value to unset probes. | 5 | |
| workloadDefaults probeSettings readinessProbe failureThreshold
| The number of consecutive readiness check failures allowed before the container is declared unready. If the readiness probe fails, Kubernetes removes the pod from the Service's endpoints so it receives no traffic until it passes again; unlike a failed liveness probe, this does not restart the container. Clear this value to unset probes. | 6 | |
| workloadDefaults probeSettings readinessProbe httpGet path
| The path to which Kubernetes sends an HTTP GET request to check the readiness of the container. The probe succeeds if the request returns a status code from 200 to 399. Clear this value to unset probes. | /Status/HealthCheck | |
| workloadDefaults probeSettings readinessProbe httpGet port
| The port (a number or a named container port) to which Kubernetes sends the HTTP GET readiness request. The probe succeeds if the request returns a status code from 200 to 399. Clear this value to unset probes. | connection-port | |
| workloadDefaults probeSettings readinessProbe initialDelaySeconds
| The number of seconds to wait after the container starts before the first readiness probe runs. Clear this value to unset probes. | 10 | |
| workloadDefaults probeSettings readinessProbe periodSeconds
| The number of seconds between runs of the readiness probe. Clear this value to unset probes. | 5 | |
| workloadDefaults replicaCount
| The number of pod replicas created for each Deployment or StatefulSet. | 1 | |
| workloadDefaults resources limits cpu
                                                                             | The maximum CPU each of the application containers may use. If desired, this may be set on an application container basis using appConfig. | 250m | |
| workloadDefaults resources limits memory
                                                                             | The maximum memory each of the application containers may use. If desired, this may be set on an application container basis using appConfig. | 1G | |
| workloadDefaults resources requests cpu
                                                                             | The baseline amount of CPU allocated for use by each of the application containers. If desired, this may be set on an application container basis using appConfig. | 50m | |
| workloadDefaults resources requests memory
                                                                             | The baseline amount of memory allocated for use by each of the application containers. If desired, this may be set on an application container basis using appConfig. | 300M | |
| workloadDefaults service annotations
                                                                             | Additional annotations for the network service. | ||
| workloadDefaults service enabled
                                                                             | Enable the network service for each of the application containers (true) or not (false). | true | |
| workloadDefaults service sessionAffinity
                                                                             | The setting for session affinity for the network service for each of the application containers. | None | |
| workloadDefaults service type
                                                                             | The service type to use for the network service for each of the application containers. For information about the service types, see: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | ClusterIP | |
| workloadDefaults topologySpreadConstraints
                                                                             | The topologySpreadConstraints parameter defines rules for distributing pods across nodes to ensure high availability and fault tolerance. It allows you to control how pods are spread across different failure domains, such as availability zones or regions, to prevent resource contention and ensure that the application remains functional even if one domain fails. For more information on this data structure, see: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ No topology spread constraints are included by default. | ||
| workloadDefaults volumeMounts - name
                                                                             | An array of volume mounts. This parameter specifies the name of the volume mount. The value should match the value set by volumes > -name. The example values file ( For more information on this data structure, see: The mounts specified apply to all containers. | root-cas | |
| workloadDefaults volumeMounts mountPath
| The mountPath specifies the path within the container where a volume should be mounted. It can be a directory or a specific file, depending on the mount configuration, allowing the container to access the contents of the volume at that location. | /etc/ssl/certs/ca-certificates.crt | |
| workloadDefaults volumeMounts subPath
                                                                             | The subPath specifies a subdirectory or file within the volume to mount at the mountPath. This allows you to mount only a specific part of the volume, rather than the entire volume, giving more fine-grained control over which data is exposed to the container. | ca-certificates.crt | |
| workloadDefaults volumes - name
                                                                             | An array of volumes. This parameter specifies the name of the volume. The value should match the value set by volumeMounts > -name. The example values file ( The volumes specified apply to all containers. | root-cas | |
| workloadDefaults volumes configMap items - key
                                                                             | The Kubernetes ConfigMap key name given to the referenced value in the ConfigMap. | ca-certificates.crt | |
| workloadDefaults volumes configMap items path
                                                                             | The name of the mounted file, referenced by the Kubernetes ConfigMap, as it will appear in the volume. In the example values file, the data from the ConfigMap key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume. | ca-certificates.crt | |
| workloadDefaults volumes configMap name
| The name given to the Kubernetes ConfigMap for the volume. | ca-roots | |
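The table lists the workloadDefaults settings as flattened names, which hides how they nest in the values file. The fragment below is an added example, not Keyfactor's own values file: it assembles the probe, resource, service, topology spread and root CA volume settings from the table into one workloadDefaults block. The key hierarchy is inferred from the flattened names (for example, "workloadDefaults probeSettings livenessProbe httpGet path" is read as workloadDefaults.probeSettings.livenessProbe.httpGet.path), the pod label used in the topology spread selector is assumed, and the replica count and topology spread values are chosen for illustration rather than taken from the defaults column. Check the nesting against the chart's own values.yaml before applying it.

```yaml
# Added example: values.yaml fragment built from the workloadDefaults rows above.
# Key nesting is inferred from the flattened setting names in the table and is
# an assumption; confirm it against the chart's packaged values.yaml.
workloadDefaults:
  replicaCount: 2                      # table default is 1; two replicas so a liveness restart never drops to zero pods

  probeSettings:
    livenessProbe:                     # a failing liveness probe makes the kubelet restart the container
      httpGet:
        path: /Status/HealthCheck
        port: connection-port          # named container port, as in the table default
      initialDelaySeconds: 10
      periodSeconds: 5
    readinessProbe:                    # a failing readiness probe only removes the pod from Service endpoints
      httpGet:
        path: /Status/HealthCheck
        port: connection-port
      initialDelaySeconds: 10
      periodSeconds: 5
      failureThreshold: 6              # 6 failures x 5 s period = 30 s unhealthy before traffic stops

  resources:
    requests:                          # baseline the scheduler reserves on the node
      cpu: 50m
      memory: 300M
    limits:                            # hard ceiling; exceeding the memory limit gets the container OOM-killed
      cpu: 250m
      memory: 1G

  service:
    enabled: true
    type: ClusterIP                    # cluster-internal only; publish through an ingress rather than NodePort/LoadBalancer
    sessionAffinity: None
    annotations: {}

  topologySpreadConstraints:           # none by default; this spreads replicas across availability zones
    - maxSkew: 1
      topologyKey: topology.kubernetes.io/zone
      whenUnsatisfiable: DoNotSchedule
      labelSelector:
        matchLabels:
          app.kubernetes.io/name: keyfactor-command   # assumed label; use the labels the chart puts on its pods

  # Replace the container's system CA bundle with the organisation's trusted roots.
  # Mounting a single file via subPath avoids hiding the rest of /etc/ssl/certs.
  volumeMounts:
    - name: root-cas                   # must match volumes[].name below
      mountPath: /etc/ssl/certs/ca-certificates.crt
      subPath: ca-certificates.crt
  volumes:
    - name: root-cas
      configMap:
        name: ca-roots                 # ConfigMap created in the release namespace before installing
        items:
          - key: ca-certificates.crt   # key in the ConfigMap
            path: ca-certificates.crt  # file name as it appears in the volume
```

The ca-roots ConfigMap has to exist before the release is installed, for example with kubectl create configmap ca-roots --from-file=ca-certificates.crt=./ca-certificates.crt in the release namespace. Because the mount replaces the container's whole system trust store, the file must be a complete bundle (the public roots the containers still need plus the private roots), not only the private roots. Two caveats apply to this pattern: Kubernetes does not propagate ConfigMap updates into subPath mounts, so a rotated bundle takes effect only after the pods are restarted, and the liveness probe's 10 second initial delay will repeatedly restart a container that takes longer than that to start, so raise initialDelaySeconds or add a startup probe for slow-starting deployments. Per-container overrides of these defaults go under appConfig, as the resources rows note.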