Values File Settings for Containers Under Kubernetes
When AnyCAGateway REST is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.
Table 1060: AnyCAGateway REST Containerized Installation Values File Settings
Name |
Description |
Example | Default |
---|---|---|---|
additionalEnvironmentVariables
|
Other environment variables that should be included for all containers. |
||
authentication
cookieExpirationMinutes
|
The cookie Expiration Minutes value determines the length of time the authentication cookie for the AnyCAGateway REST Portal browser session is considered valid. After half of the setting's duration, the AnyCAGateway REST will attempt to use a refresh token to update the cookie. If this fails, the user's session will be terminated. The cookie renewal is seamless from the user’s perspective (there is no prompt for credentials). |
|
5 |
authentication
defaultIdentityProviderAuthScheme
|
The authentication scheme of the default identity provider used for login. For example, Keycloak. Tip: An identity provider hint can be given in the AnyCAGateway REST URL to indicate a specific identity provider—referenced by an authentication Scheme—at login. For example:
https://restgateway. keyexample.com/ AnyGatewayREST/ Login/ Signin? idpHint= REST-Gateway-3 Where restgateway. keyexample.com is the fully qualified domain name of the AnyCAGateway REST server, AnyGatewayREST is the virtual directory for the Portal on that server, and REST-Gateway-3 is the authentication scheme for the identity provider to use for authentication. The default Identity Provider AuthScheme value is not required if only one identity provider will be used. If more than one identity provider is configured and the default Identity Provider AuthScheme is not specified, the first configured authentication Scheme will be used if no hint is provided at login. Additional identity providers can be added using the AnyCAGateway REST API endpoints (see Managing Multiple Identity Providers via API Endpoints). |
|
|
authentication
oauth
authenticationScheme
|
A unique authentication scheme (reference name) for the identity provider in the AnyCAGateway REST. The authentication Scheme should be entered without spaces. This is used in constructing URLs that reference the identity provider from AnyCAGateway REST. For Keycloak, the authentication Scheme you enter here must match the name you used when configuring the redirect URLs for Keycloak (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
||
authentication
oauth
displayName
|
A display name for the identity provider in AnyCAGateway REST. The display name may contain spaces. This parameter is required. |
||
authentication
oauth
parameters
auth0ApiUrl
|
The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter is required if Auth0 is set as the type (see authentication > oauth > provider Type). This value is not used for Keycloak. |
||
authentication
oauth
parameters
authority
|
The issuer/authority endpoint URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my- keyidp- server .keyexample .com /realms /Keyfactor | |
authentication
oauth
parameters
authorizationEndpoint
|
The authorization endpoint URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my- keyidp- server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth | |
authentication
oauth
parameters
clientIdSecretKey
|
The Kubernetes secret key name given to the ID of the client application created in the identity provider for this AnyCAGateway REST to use. |
client-id | |
authentication
oauth
parameters
clientSecretSecretKey
|
The Kubernetes secret key name given to the secret for the client application created in the identity provider for this AnyCAGateway REST to use. |
client- secret | |
authentication
oauth
parameters
disableBearerTokenScopeRequirement
|
Optional. If true, the scope will not be required when using OAuth token authentication with the AnyCAGateway REST. Tip: You will need to set this to true if your identity provider does not provide a scope. Some identity providers do not offer the option to include a scope value (e.g. Azure AD). Other identity providers offer this option but do not include the scope by default (e.g. Keyfactor Identity Provider).
Important: If you configure the Disable Bearer Token Scope Requirement option to false (no), you must either configure the client you’re using to connect from Keyfactor Command to the gateway to always include the scope keyfactor-anyca-gateway in the token or you must configure the keyfactor-anyca-gateway scope on the authentication methods tab when configuring the CA record in Keyfactor Command. Your OAuth identity provider needs to be configured to recognize keyfactor-anyca-gateway as a scope.
|
false | |
authentication
oauth
parameters
jsonWebKeySetUri
|
The JWKS (JSON Web Key Set) URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
authentication
oauth
parameters
nameClaimType
|
A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in AnyCAGateway REST, since the value is used as the user’s display name. It is best to avoid duplicates. For Okta, this might be preferred_ names (e.g. john.smith@ keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@ keyexample.com). This parameter is required. Tip: The value in this parameter is used to populate the username in the AnyCAGateway REST Portal header.
|
preferred_ username | |
authentication
oauth
parameters
oidcAudience
|
The audience value for tokens issued from the identity provider. This parameter is required. |
||
authentication
oauth
parameters
secretName
|
The Kubernetes secret name that contains the credential values for the client application created in the identity provider for this AnyCAGateway REST to use. |
idp- secrets | |
authentication
oauth
parameters
signOutUrl
|
The signout URL for the identity provider. This parameter is required if Auth0 is set as the authentication > oauth > provider Type. This value is not used for Keycloak. |
||
authentication
oauth
parameters
timeout
|
The number of seconds a request to the OAuth identity provider is allowed to process before timing out with an error. |
60 | |
authentication
oauth
parameters
tokenEndpoint
|
The token endpoint URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token | |
authentication
oauth
parameters
userInfoEndpoint
|
The user info endpoint URL for the identity provider. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
authentication
oauth
providerType
|
The provider type defined for the identity provider in the AnyCAGateway REST. Supported values are:
Most identity providers can be supported with the Generic type. For Auth0, use the Auth0 type. This parameter is required. |
Generic | |
authentication
overwrite
|
Overwrite existing settings for the named authentication Scheme on run. |
|
false |
authentication
sessionExpirationMinutes
|
The sessionExpirationMinutes value determines the length of time a AnyCAGateway REST browser session in the Portal will remain logged in before the user is prompted to re-authenticate regardless of whether the session is idle or in active use. Note: For Keycloak, the cookieExpiration and sessionExpiration values should match those configured for the SSO Session Max and Access Token Lifespan in Keycloak
|
|
60 |
authentication
superAdmin
description
|
A description for the initial administrative user to be created in the AnyCAGateway REST to override the default, if desired. | SuperAdmin | |
authentication
superAdmin
provider
|
The name set by authentication > oauth > display Name for the initial administrative user to be created in the AnyCAGateway REST. This parameter is required. |
yourProvider | |
authentication
superAdmin
type
|
The claim type for the initial administrative user to be created in AnyCAGateway REST. Values are provided as OAuth_ followed by the claim type. For example:
|
OAuth_sub | |
authentication
superAdmin
value
|
The value for the for the initial administrative user to be created in the AnyCAGateway REST. For example, a GUID for a user account sub, a role name for a role, or a client ID for a client This parameter is required. |
yourSubClaim | |
connectionStrings
database
|
The plain text name of the database in SQL server for AnyCAGateway REST. The database will be created if it does not already exist. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
connectionStrings
existingSecretKey
|
The Kubernetes secret key name given to the secret for the SQL connection string. This parameter is required if plain text values are not provided. |
connection- key | |
connectionStrings
existingSecretName
|
The Kubernetes secret name that contains the connection string values. This parameter is required if plain text values are not provided. |
connection- strings | |
connectionStrings
hostname
|
The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL server. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
connectionStrings
password
|
The plain text password for the SQL user (see connection Strings > username). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
connectionStrings
template
|
The template for generating SQL connection strings using plain text values for the connection string. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see:
|
Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; User ID=%s; Password=%s; | |
connectionStrings
username
|
The plain text username for a SQL user with sufficient permissions to complete the install. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
containerSecurityContext
allowPrivilegeEscalation
|
Specifies whether a process in a container can gain more privileges than its parent process. If set to true, processes in the container can escalate their privileges, potentially allowing them to gain additional system capabilities. If set to false, privilege escalation is prevented, which can improve security by limiting the container's ability to perform actions that require higher privileges than the container's default security context allows. |
false | |
dbmanagement
backoffLimit
|
The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating. | 5 | |
dbmanagement
image
name
|
The name of the image for the dbmanagement container in the Keyfactor artifactory. | anygateway- dbmanagement | |
dbmanagement
resources
limits
cpu
|
The maximum CPU the database management container may use. |
500m | |
dbmanagement
resources
limits
memory
|
The maximum memory the database management container may use. |
2G | |
dbmanagement
servicePasswordSecretKey
|
The Kubernetes secret key name given to the secret for the password for the SQL user that will create or update the database for the gateway in SQL. | service- password | |
dbmanagement
servicePasswordSecretName
|
The Kubernetes secret name that contains the password for the SQL user that will create or update the database for the gateway in SQL. |
service- password | |
dbmanagement
serviceUsername
|
The plain text name of the SQL user that will create or update the database for the gateway in SQL. This user must already exist in SQL and have sufficient permissions for the create/ update/ populate task. | sa | |
dbmanagement
ttlSecondsAfterFinished
|
The number of seconds after the database management tasks are complete before the database management container shuts down. | 60 | |
ingress
className
|
The ingress class name to use. | nginx | |
ingress
enabled
|
Creation of the ingress controller is enabled (true) or disabled (false). | true | |
ingress
hostname
|
The hostname to use for the ingress controller. This will be the name you use to access your AnyCAGateway REST portal. This parameter is required. |
your .k8s .cluster .hostname .here | |
ingress
tlsSecretName
|
The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to the AnyCAGateway REST. | ingress-tls | |
initContainers
|
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ |
||
metadata
annotations
|
Annotations are key-value pairs used to store arbitrary, non-identifying metadata on Kubernetes resources. They are typically used for integration with external tools, storing build information, or documenting deployment details. Annotations do not affect the resource’s behavior and are not used for selection. |
||
metadata
labels
|
Labels are key-value pairs used to categorize and identify Kubernetes resources for easy selection and management. They are often used for grouping resources by application, environment, or version, enabling efficient querying and filtering. Labels are essential for resource selection and grouping in Kubernetes operations. |
||
podSecurityContext
runAsNonRoot
|
The runAsNonRoot parameter specifies whether the pod's containers should be run as a non-root user. When set to true, the containers must run as a user other than root, improving security by adhering to the principle of least privilege. If set to false (or not specified), containers may run as the root user, which could increase security risks. |
true | |
podSecurityContext
runAsUser
|
The runAsUser parameter specifies the user ID (UID) that the containers in the pod should run as. By setting this value, you ensure that the containers run with the specified user privileges, rather than the default root user. This enhances security by limiting the container’s access to system resources and following the principle of least privilege. This value is used if runAsNonRoot is true. |
1000 | |
portal
allowedHosts
|
Set this value to something other than “*” to enable host filtering, which acts as a whitelist for hosts that can make requests to the AnyCAGateway REST server. | “*” | |
portal
cache
caConfigurationCacheExpirationMinutes
|
An integer that sets the time between which modifications or additions to the CA configuration (in minutes) will be available to the AnyCAGateway REST portal. Any changes to the CA configuration will not appear in the portal for this amount of time, but caching may improve performance during CA sync and enrollment. |
10 | |
portal
cache
roleClaimsCacheExpirationMinutes
|
An integer that sets the time between when modification to Roles on the Claims page will be available on the AnyCAGateway REST portal. |
10 | |
portal
extensionsDirectory
|
The name of the directory where third-party integration artifacts will be installed. | “Extensions” | |
portal
image
name
|
The name of the image for the portal container in the Keyfactor artifactory. | anygateway- rest | |
portal
lockHeartbeatIntervalMilliseconds
|
In the case of a High Availability implementation, the three Lock settings will set the lockout intervals (in milliseconds) during CA sync so multiple CA syncs are not running at the same time. It is unlikely these would need to be modified. The lock heartbeat interval. |
60000 | |
portal
lockTimeoutMilliseconds
|
The lock timeout. | 5000 | |
portal
lockHoldTimeoutMilliseconds
|
The lock hold timeout. | 900000 | |
portal
path
|
The URL to which traffic is directed for the AnyCAGateway REST application. |
/AnyGateway REST | |
portal
podDisruptionBudget
maxUnavailable
|
The maximum number of pods that can be unavailable simultaneously. | ||
portal
podDisruptionBudget
minAvailable
|
The minimum number of pods that must remain available during disruptions. | 1 | |
portal
replicaCount
|
The number of replicas created for deployment/stateful set. | 1 | |
portal
service
enabled
|
Enable the network service for the portal container (true) or not (false). | true | |
portal
service
sessionAffinity
|
The setting for session affinity for the network service for the portal container. | None | |
portal
service
type
|
The service type to use for the network service for the portal container. For information about the service types, see: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
ClusterIP | |
portal
sqlRetryConfiguration
deltaTime
|
The preferred gap time to delay before the next attempt to connect to SQL will be made. | “00:00:00.5” | |
portal
sqlRetryConfiguration
maxTimeInterval
|
The maximum time interval before the next attempt to connect to SQL will be made. | “00:02:00” | |
portal
sqlRetryConfiguration
numberOfTries
|
The number of times a connection attempt will be made to SQL before an exception is thrown. | 5 | |
serviceAccount
annotations
|
ServiceAccount annotations are key-value pairs used to attach non-identifying metadata to the service account resource. These annotations are typically used for integration with external tools, documenting configurations, or adding extra information relevant to the service account's usage. Like other annotations, they don't affect the resource's functionality and aren't used for selection. |
||
serviceAccount
create
|
Create a new service account (true) or not (false). For more information on service accounts, see: https://kubernetes.io/docs/concepts/security/service-accounts/ |
true | |
serviceAccount
name
|
The name of an existing service account to use, or the name to give to a service account to be created. If create is true but the name is not provided, the default name will be used. |
||
sidecarContainers
|
Additional containers that run alongside the main application container within a pod are known as sidecarContainers. These containers typically provide supporting functionality, such as logging, monitoring, or proxying, without modifying the primary application's behavior. These sidecarContainers share the same network namespace and storage volumes as the main container, enabling close integration. For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ No sidecarContainers are included by default. |
||
topologySpreadConstraints
|
The topologySpreadConstraints parameter defines rules for distributing pods across nodes to ensure high availability and fault tolerance. It allows you to control how pods are spread across different failure domains, such as availability zones or regions, to prevent resource contention and ensure that the application remains functional even if one domain fails. For more information on this data structure, see: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ No topology spread constraints are included by default. |
||
volumeMounts
- name
|
An array of volume mounts. This parameter specifies the name of the volume mount. The value should match the value set by volumes > -name. The example values file ( For more information on this data structure, see: |
root-cas | |
volumeMounts
mountPath
|
The mountPath specifies the path within the container where a volume should be mounted. It can be a directory or a specific file, depending on the mount configuration, allowing the container to access the contents of the volume at that location. |
/etc /ssl /certs /ca-certificates .crt | |
volumeMounts
subPath
|
The subPath specifies a subdirectory or file within the volume to mount at the mountPath. This allows you to mount only a specific part of the volume, rather than the entire volume, giving more fine-grained control over which data is exposed to the container. |
ca-certificates.crt | |
volumes
- name
|
An array of volumes. This parameter specifies the name of the volume. The value should match the value set by volumeMounts > -name. The example values file ( |
root-cas | |
volumes
configMap
items
- key
|
The Kubernetes ConfigMap key name given to the referenced value in the ConfigMap. |
ca-certificates.crt | |
volumes
configMap
items
path
|
The name of the mounted file, referenced by the Kubernetes ConfigMap, as it will appear in the volume. In the example values file, the data from the ConfigMap key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume. |
ca-certificates.crt | |
volumes
configMap
name
|
The name given to the Kubernetes ConfigMap for the volume. |
ca-roots | |
workloadDefaults
image
name
|
The name of the image to retrieve from the Keyfactor artifactory. Important: Because the AnyCAGateway REST installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for portal > image > name and dbmanagement > image > name.
|
||
workloadDefaults
image
path
|
The path in the Keyfactor artifactory from which to retrieve the AnyCAGateway REST images. | charts/ command | |
workloadDefaults
image
pullPolicy
|
The pullPolicy defines when the container image should be pulled from the Keyfactor artifactory. It can be set to Always (pull the image every time the container start |
Always | |
workloadDefaults
image
pullSecrets
- name
|
The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the image. This parameter is required. |
image-creds | |
workloadDefaults
image
repo
|
The name of the Keyfactor artifactory from which to retrieve the AnyCAGateway REST images. | repo .keyfactor .com | |
workloadDefaults
image
version
|
The version of AnyCAGateway REST to retrieve from the Keyfactor artifactory. | 25.2 | |
workloadDefaults
labels
|
Labels that should be applied to deployment/stateful set and pods. | ||
workloadDefaults
logLevel
|
The container logging level output. Supported values are:
If desired, this may be set on an application container basis using appConfig. |
|
INFO |
workloadDefaults
resources
limits
cpu
|
The maximum CPU each of the application containers may use. If desired, this may be set uniquely on the database management container basis using dbmanagement. |
250m | |
workloadDefaults
resources
limits
memory
|
The maximum memory each of the application containers may use. If desired, this may be set uniquely on the database management container basis using dbmanagement. |
1G | |
workloadDefaults
resources
requests
cpu
|
The baseline amount of CPU allocated for use by each of the application containers. |
50m | |
workloadDefaults
resources
requests
memory
|
The baseline amount of memory allocated for use by each of the application containers. |
300M |
Was this page helpful? Provide Feedback