When AnyCAGateway REST is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.
Table 957: AnyCAGateway REST Containerized Installation Values File Settings
|
Name |
Description |
Example | Default |
|---|---|---|---|
| additional Environment Variables |
Other environment variables that should be included for all containers. |
||
|
authentication |
The cookie Expiration Minutes value determines the length of time the authentication cookie for the AnyCAGateway REST Portal browser session is considered valid. After half of the setting's duration, the AnyCAGateway REST will attempt to use a refresh token to update the cookie. If this fails, the user's session will be terminated. The cookie renewal is seamless from the user’s perspective (there is no prompt for credentials). |
|
5 |
|
authentication |
The authentication scheme of the default identity provider used for login. For example, Keycloak. Tip: An identity provider hint can be given in the AnyCAGateway REST URL to indicate a specific identity provider—referenced by an authentication Scheme—at login. For example:
https://restgateway. keyexample.com/ AnyGatewayREST/ Login/ Signin? idpHint= REST-Gateway-3 Where restgateway. keyexample.com is the fully qualified domain name of the AnyCAGateway REST server, AnyGatewayREST is the virtual directory for the Portal on that server, and REST-Gateway-3 is the authentication scheme for the identity provider to use for authentication. The default Identity Provider AuthScheme value is not required if only one identity provider will be used. If more than one identity provider is configured and the default Identity Provider AuthScheme is not specified, the first configured authentication Scheme will be used if no hint is provided at login. Additional identity providers can be added using the AnyCAGateway REST API endpoints (see Managing Multiple Identity Providers via API Endpoints). |
|
|
|
authentication oauth |
A unique authentication scheme (reference name) for the identity provider in the AnyCAGateway REST. The authentication Scheme should be entered without spaces. This is used in constructing URLs that reference the identity provider from AnyCAGateway REST. For Keyfactor Identity Provider, the authentication Scheme you enter here must match the name you used when configuring the redirect URLs for Keyfactor Identity Provider (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
||
|
authentication oauth |
A display name for the identity provider in AnyCAGateway REST. The display name may contain spaces. This parameter is required. |
||
|
authentication oauth parameters |
The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter is required if Auth0 is set as the type (see authentication > oauth > provider Type). This value is not used for Keyfactor Identity Provider. |
||
|
authentication oauth parameters authority |
The issuer/authority endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my- keyidp- server .keyexample .com /realms /Keyfactor | |
|
authentication oauth parameters |
The authorization endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my- keyidp- server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth | |
|
authentication oauth parameters |
The Kubernetes secret key name given to the ID of the client application created in the identity provider for this AnyCAGateway REST to use. |
client-id | |
|
authentication oauth parameters |
The Kubernetes secret key name given to the secret for the client application created in the identity provider for this AnyCAGateway REST to use. |
client- secret | |
|
authentication oauth parameters |
Optional. If true, the scope will not be required when using OAuth token authentication with the AnyCAGateway REST. Tip: You will need to set this to true if your identity provider does not provide a scope. Some identity providers do not offer the option to include a scope value (e.g. Azure AD). Other identity providers offer this option but do not include the scope by default (e.g. Keyfactor Identity Provider).
Important: If you configure the Disable Bearer Token Scope Requirement option to false, you must either configure the client you’re using to connect from Keyfactor Command to the gateway to always include the scope keyfactor-anyca-gateway in the token or you must configure the keyfactor-anyca-gateway scope on the authentication methods tab when configuring the CA record in Keyfactor Command. Your OAuth identity provider needs to be configured to recognize keyfactor-anyca-gateway as a scope.
|
false | |
|
authentication oauth parameters |
The JWKS (JSON Web Key Set) URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
|
authentication oauth parameters |
A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in AnyCAGateway REST, since the value is used as the user’s display name. It is best to avoid duplicates. For Okta, this might be preferred_ names (e.g. john.smith@ keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@ keyexample.com). This parameter is required. Tip: The value in this parameter is used to populate the username in the AnyCAGateway REST Portal header.
|
preferred_ username | |
|
authentication oauth parameters |
The audience value for tokens issued from the identity provider. This parameter is required. |
||
|
authentication oauth parameters |
The Kubernetes secret name that contains the credential values for the client application created in the identity provider for this AnyCAGateway REST to use. |
idp- secrets | |
|
authentication oauth parameters |
The signout URL for the identity provider. This parameter is required if Auth0 is set as the authentication > oauth > provider Type. This value is not used for Keyfactor Identity Provider. |
||
|
authentication oauth parameters timeout |
The number of seconds a request to the identity provider is allowed to process before timing out with an error. |
60 | |
|
authentication oauth parameters |
The token endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token | |
|
authentication oauth parameters |
The user info endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
|
authentication oauth |
The provider type defined for the identity provider in the AnyCAGateway REST. Supported values are:
Most identity providers can be supported with the Generic type. For Auth0, use the Auth0 type. This parameter is required. |
Generic | |
|
authentication overwrite |
Overwrite existing settings for the named authentication Scheme on run. |
|
false |
|
authentication |
The sessionExpirationMinutes value determines the length of time a AnyCAGateway REST browser session in the Portal will remain logged in before the user is prompted to re-authenticate regardless of whether the session is idle or in active use. Note: For Keyfactor Identity Provider, the cookieExpiration and sessionExpiration values should match those configured for the SSO Session Max and Access Token Lifespan in Keyfactor Identity Provider
|
|
60 |
|
authentication superAdmin description |
A description for the initial administrative user to be created in the AnyCAGateway REST to override the default, if desired. | SuperAdmin | |
|
authentication superAdmin provider |
The name set by authentication > oauth > display Name for the initial administrative user to be created in the AnyCAGateway REST. This parameter is required. |
yourProvider | |
|
authentication superAdmin type |
The claim type for the initial administrative user to be created in AnyCAGateway REST. Values are provided as OAuth_ followed by the claim type. For example:
|
OAuth_sub | |
|
authentication superAdmin value |
The value for the for the initial administrative user to be created in the AnyCAGateway REST. For example, a GUID for a user account sub, a role name for a role, or a client ID for a client This parameter is required. |
yourSubClaim | |
|
database |
The plain text name of the database in SQL server for AnyCAGateway REST. The database will be created if it does not already exist. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
The Kubernetes secret key name given to the secret for the SQL connection string. This parameter is required if plain text values are not provided. |
connection- key | ||
|
The Kubernetes secret name that contains the connection string values. This parameter is required if plain text values are not provided. |
connection- strings | ||
|
hostname |
The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL server. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
password |
The plain text password for the SQL user (see connection Strings > username). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
The template for generating SQL connection strings using plain text values for the connection string. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see:
|
Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; User ID=%s; Password=%s; | ||
|
username |
The plain text username for a SQL user with sufficient permissions to complete the install. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
Privilege Escalation |
The container security context to use for all containers. | false | |
|
dbmanagement backoffLimit |
The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating. | 5 | |
|
dbmanagement image name |
The name of the image for the dbmanagement container in the Keyfactor artifactory. | anygateway- dbmanagement | |
|
dbmanagement resources limits cpu |
The maximum CPU the database management container may use. |
500m | |
|
dbmanagement resources limits memory |
The maximum memory the database management container may use. |
2G | |
|
dbmanagement |
The Kubernetes secret key name given to the secret for the password for the SQL user that will create or update the database for the gateway in SQL. | service- password | |
|
dbmanagement |
The Kubernetes secret name that contains the password for the SQL user that will create or update the database for the gateway in SQL. |
service- password | |
|
dbmanagement |
The plain text name of the SQL user that will create or update the database for the gateway in SQL. This user must already exist in SQL and have sufficient permissions for the create/ update/ populate task. | sa | |
|
dbmanagement |
The number of seconds after the database management tasks are complete before the database management container shuts down. | 60 | |
|
ingress |
The ingress class name to use. | nginx | |
|
ingress enabled |
Creation of the ingress controller is enabled (true) or disabled (false). | true | |
|
ingress hostname |
The hostname to use for the ingress controller. This will be the name you use to access your AnyCAGateway REST portal. This parameter is required. |
your .k8s .cluster .hostname .here | |
|
ingress |
The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to Keyfactor Command. | ingress-tls | |
| init Containers |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ By default, one init container is included that polls the database to check whether it is online and in an operational state before allowing any deployments to begin. |
||
|
metadata annotations |
Additional annotations to add to all resources deployed by the helm chart. | ||
|
metadata labels |
Additional labels to add to all resources deployed by the helm chart. | ||
| The security context to use for all pods in all deployments—run as root (false) or not (true). | true | ||
| The security context to use for all pods in all deployments—run as the specified user, if runAsNonRoot is true. | 1000 | ||
|
portal allowedHosts |
Set this value to something other than “*” to enable host filtering, which acts as a whitelist for hosts that can make requests to the AnyCAGateway REST server. | “*” | |
|
portal cache |
An integer that sets the time between which modifications or additions to the CA configuration (in minutes) will be available to the AnyCAGateway REST portal. Any changes to the CA configuration will not appear in the portal for this amount of time, but caching may improve performance during CA sync and enrollment. |
10 | |
|
portal cache |
An integer that sets the time between when modification to Roles on the Claims page will be available on the AnyCAGateway REST portal. |
10 | |
|
portal |
The name of the directory where third-party integration artifacts will be installed. | “Extensions” | |
|
portal image name |
The name of the image for the portal container in the Keyfactor artifactory. | anygateway- rest | |
|
portal |
In the case of a High Availability implementation, the three Lock settings will set the lockout intervals (in milliseconds) during CA sync so multiple CA syncs are not running at the same time. It is unlikely these would need to be modified. The lock heartbeat interval. |
60000 | |
|
portal |
The lock timeout. | 5000 | |
|
portal |
The lock hold timeout. | 900000 | |
|
portal path |
The URL to which traffic is directed for the AnyCAGateway REST application. |
/AnyGateway REST | |
|
portal |
The maximum number of pods that can be unavailable simultaneously. | ||
|
portal |
The minimum number of pods that must remain available during disruptions. | 1 | |
|
portal |
The number of replicas created for deployment/stateful set. | 1 | |
|
portal service enabled |
Enable the network service for the portal container (true) or not (false). | true | |
|
portal service |
The setting for session affinity for the network service for the portal container. | None | |
|
portal service type |
The service type to use for the network service for the portal container. For information about the service types, see: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
ClusterIP | |
|
portal deltaTime |
The preferred gap time to delay before the next attempt to connect to SQL will be made. | “00:00:00.5” | |
|
portal |
The maximum time interval before the next attempt to connect to SQL will be made. | “00:02:00” | |
|
portal |
The number of times a connection attempt will be made to SQL before an exception is thrown. | 5 | |
|
annotations |
Additional annotations for a created service account. | ||
|
create |
Create a new service account (true) or not (false). For more information on service accounts, see: https://kubernetes.io/docs/concepts/security/service-accounts/ |
true | |
|
name |
The name of an existing service account to use, or the name to give to a service account to be created. If create is true but the name is not provided, the default name will be used. |
||
| sidecar Containers |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ No sidecar containers are included by default. A PKCS#11 container may be utilized as a sidecar container. |
||
| topology Spread Constraints |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ No topology spread constraints are included by default. |
||
|
- name |
An array of volume mounts to use on all deployments. This parameter specifies the name of the volume mount. This value should match the value set by volumes > -name. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. For more information on this data structure, see: |
root-cas | |
| The path, and file name for a single file, in the container to which to mount the file or directory. | /etc /ssl /certs /ca-certificates .crt | ||
| The file or subdirectory within the container volume to mount to the container. | ca-certificates.crt | ||
|
volumes - name |
An array of volumes to use on all deployments. This parameter specifies the name of the volume. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. |
root-cas | |
|
volumes items - key |
The Kubernetes config map key name given to the reference value in the config map. |
ca-certificates.crt | |
|
volumes items path |
The name of the mounted file, referenced by the Kubernetes config map, as it will appear in the volume. In the example values file, the data from the config map key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume. |
ca-certificates.crt | |
|
volumes name |
The name given to the Kubernetes config map for the volume. | ca-roots | |
|
image name |
The name of the image to retrieve from the Keyfactor artifactory. Important: Because the AnyCAGateway REST installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for portal > image > name and dbmanagement > image > name.
|
||
|
image path |
The path in the Keyfactor artifactory from which to retrieve the AnyCAGateway REST images. | charts/ command | |
|
image |
Retrieve a fresh copy of the AnyCAGateway REST images from the Keyfactor artifactory on start? | Always | |
|
image - name |
The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the AnyCAGateway REST components. This parameter is required. |
image-creds | |
|
image repo |
The name of the Keyfactor artifactory from which to retrieve the AnyCAGateway REST images. | repo .keyfactor .com | |
|
image version |
The version of AnyCAGateway REST to retrieve from the Keyfactor artifactory. | 24.4.1 | |
|
labels |
Labels that should be applied to deployment/stateful set and pods. | ||
|
The level of logging output for all containers. Supported values are:
If desired, this may be set on an application container basis using appConfig. |
|
INFO | |
|
resources limits cpu |
The maximum CPU each of the application containers may use. If desired, this may be set uniquely on the database management container basis using dbmanagement. |
250m | |
|
resources limits memory |
The maximum memory each of the application containers may use. If desired, this may be set uniquely on the database management container basis using dbmanagement. |
1G | |
|
resources requests cpu |
The baseline amount of CPU allocated for use by each of the application containers. |
50m | |
|
resources requests memory |
The baseline amount of memory allocated for use by each of the application containers. |
300M |