Values File Settings for Containers Under Kubernetes

When AnyCAGateway REST is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.

Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

Table 1060: AnyCAGateway REST Containerized Installation Values File Settings

Name

Description

Example Default
additionalEnvironmentVariables

Other environment variables that should be included for all containers.

   
authentication
cookieExpirationMinutes

The cookie Expiration Minutes value determines the length of time the authentication cookie for the AnyCAGateway REST Portal browser session is considered valid. After half of the setting's duration, the AnyCAGateway REST will attempt to use a refresh token to update the cookie. If this fails, the user's session will be terminated. The cookie renewal is seamless from the user’s perspective (there is no prompt for credentials).

 

5
authentication
defaultIdentityProviderAuthScheme

The authentication scheme of the default identity provider used for login. For example, Keycloak.

Tip:  An identity provider hint can be given in the AnyCAGateway REST URL to indicate a specific identity provider—referenced by an authentication Scheme—at login. For example:
https://restgateway. keyexample.com/ AnyGatewayREST/ Login/ Signin? idpHint= REST-Gateway-3

Where restgateway. keyexample.com is the fully qualified domain name of the AnyCAGateway REST server, AnyGatewayREST is the virtual directory for the Portal on that server, and REST-Gateway-3 is the authentication scheme for the identity provider to use for authentication.

The default Identity Provider AuthScheme value is not required if only one identity provider will be used. If more than one identity provider is configured and the default Identity Provider AuthScheme is not specified, the first configured authentication Scheme will be used if no hint is provided at login. Additional identity providers can be added using the AnyCAGateway REST API endpoints (see Managing Multiple Identity Providers via API Endpoints).

 

 
authentication
oauth
authenticationScheme

A unique authentication scheme (reference name) for the identity provider in the AnyCAGateway REST. The authentication Scheme should be entered without spaces. This is used in constructing URLs that reference the identity provider from AnyCAGateway REST.

For Keycloak, the authentication Scheme you enter here must match the name you used when configuring the redirect URLs for Keycloak (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

   
authentication
oauth
displayName

A display name for the identity provider in AnyCAGateway REST. The display name may contain spaces.

This parameter is required.

   
authentication
oauth
parameters
auth0ApiUrl

The unique identifier defined in Auth0 or a similar identity provider for the API.

This parameter is required if Auth0 is set as the type (see authentication > oauth > provider Type).

This value is not used for Keycloak.

   
authentication
oauth
parameters
authority

The issuer/authority endpoint URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

https:// my- keyidp- server .keyexample .com /realms /Keyfactor  
authentication
oauth
parameters
authorizationEndpoint

The authorization endpoint URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

https:// my- keyidp- server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth  
authentication
oauth
parameters
clientIdSecretKey

The Kubernetes secret key name given to the ID of the client application created in the identity provider for this AnyCAGateway REST to use.

  client-id
authentication
oauth
parameters
clientSecretSecretKey

The Kubernetes secret key name given to the secret for the client application created in the identity provider for this AnyCAGateway REST to use.

  client- secret
authentication
oauth
parameters
disableBearerTokenScopeRequirement

Optional. If true, the scope will not be required when using OAuth token authentication with the AnyCAGateway REST.

Tip:  You will need to set this to true if your identity provider does not provide a scope. Some identity providers do not offer the option to include a scope value (e.g. Azure AD). Other identity providers offer this option but do not include the scope by default (e.g. Keyfactor Identity Provider).
Important:  If you configure the Disable Bearer Token Scope Requirement option to false (no), you must either configure the client you’re using to connect from Keyfactor Command to the gateway to always include the scope keyfactor-anyca-gateway in the token or you must configure the keyfactor-anyca-gateway scope on the authentication methods tab when configuring the CA record in Keyfactor Command. Your OAuth identity provider needs to be configured to recognize keyfactor-anyca-gateway as a scope.
  false
authentication
oauth
parameters
jsonWebKeySetUri

The JWKS (JSON Web Key Set) URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs  
authentication
oauth
parameters
nameClaimType

A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in AnyCAGateway REST, since the value is used as the user’s display name. It is best to avoid duplicates.

For Okta, this might be preferred_ names (e.g. john.smith@ keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@ keyexample.com).

This parameter is required.

Tip:  The value in this parameter is used to populate the username in the AnyCAGateway REST Portal header.
preferred_ username  
authentication
oauth
parameters
oidcAudience

The audience value for tokens issued from the identity provider.

This parameter is required.

   
authentication
oauth
parameters
secretName

The Kubernetes secret name that contains the credential values for the client application created in the identity provider for this AnyCAGateway REST to use.

  idp- secrets
authentication
oauth
parameters
signOutUrl

The signout URL for the identity provider.

This parameter is required if Auth0 is set as the authentication > oauth > provider Type.

This value is not used for Keycloak.

   
authentication
oauth
parameters
timeout

The number of seconds a request to the OAuth identity provider is allowed to process before timing out with an error.

  60
authentication
oauth
parameters
tokenEndpoint

The token endpoint URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token  
authentication
oauth
parameters
userInfoEndpoint

The user info endpoint URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs  
authentication
oauth
providerType

The provider type defined for the identity provider in the AnyCAGateway REST. Supported values are:

  • Generic

  • Auth0

Most identity providers can be supported with the Generic type. For Auth0, use the Auth0 type.

This parameter is required.

Generic  
authentication
overwrite

Overwrite existing settings for the named authentication Scheme on run.

 

false
authentication
sessionExpirationMinutes

The sessionExpirationMinutes value determines the length of time a AnyCAGateway REST browser session in the Portal will remain logged in before the user is prompted to re-authenticate regardless of whether the session is idle or in active use.

Note:  For Keycloak, the cookieExpiration and sessionExpiration values should match those configured for the SSO Session Max and Access Token Lifespan in Keycloak (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). If you’ve opted not to issue refresh tokens in Keycloak, the cookieExpiration value should match the sessionExpiration value.

 

60
authentication
superAdmin
description
A description for the initial administrative user to be created in the AnyCAGateway REST to override the default, if desired.   SuperAdmin
authentication
superAdmin
provider

The name set by authentication > oauth > display Name for the initial administrative user to be created in the AnyCAGateway REST.

This parameter is required.

  yourProvider
authentication
superAdmin
type

The claim type for the initial administrative user to be created in AnyCAGateway REST. Values are provided as OAuth_ followed by the claim type. For example:

  • OAuth_aud

    An open authorization audience claim.

  • OAuth_azp

    An open authorization authorized party claim.

  • OAuth_client_id

    An open authorization client application claim.

  • OAuth_sub

    An open authorization user claim.

  OAuth_sub
authentication
superAdmin
value

The value for the for the initial administrative user to be created in the AnyCAGateway REST.

For example, a GUID for a user account sub, a role name for a role, or a client ID for a client (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation for more information).

This parameter is required.

  yourSubClaim
connectionStrings
database

The plain text name of the database in SQL server for AnyCAGateway REST.

The database will be created if it does not already exist.

This value is required if a Kubernetes secret is not used to provide this information as part of a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret Key

   
connectionStrings
existingSecretKey

The Kubernetes secret key name given to the secret for the SQL connection string.

This parameter is required if plain text values are not provided.

connection- key  
connectionStrings
existingSecretName

The Kubernetes secret name that contains the connection string values.

This parameter is required if plain text values are not provided.

connection- strings  
connectionStrings
hostname

The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL server.

This value is required if a Kubernetes secret is not used to provide this information as part of a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret Key

   
connectionStrings
password

The plain text password for the SQL user (see connection Strings > username).

This value is required if a Kubernetes secret is not used to provide this information as part of a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret Key

   
connectionStrings
template

The template for generating SQL connection strings using plain text values for the connection string.

This value is used if a Kubernetes secret is not used to provide a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret Key

  Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; User ID=%s; Password=%s;
connectionStrings
username

The plain text username for a SQL user with sufficient permissions to complete the install.

This value is required if a Kubernetes secret is not used to provide this information as part of a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing SecretKey

   
containerSecurityContext
allowPrivilegeEscalation

Specifies whether a process in a container can gain more privileges than its parent process. If set to true, processes in the container can escalate their privileges, potentially allowing them to gain additional system capabilities. If set to false, privilege escalation is prevented, which can improve security by limiting the container's ability to perform actions that require higher privileges than the container's default security context allows.

  false
dbmanagement
backoffLimit
The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating.   5
dbmanagement
image
name
The name of the image for the dbmanagement container in the Keyfactor artifactory.   anygateway- dbmanagement
dbmanagement
resources
limits
cpu

The maximum CPU the database management container may use.

  500m
dbmanagement
resources
limits
memory

The maximum memory the database management container may use.

  2G
dbmanagement
servicePasswordSecretKey
The Kubernetes secret key name given to the secret for the password for the SQL user that will create or update the database for the gateway in SQL.   service- password
dbmanagement
servicePasswordSecretName

The Kubernetes secret name that contains the password for the SQL user that will create or update the database for the gateway in SQL.

  service- password
dbmanagement
serviceUsername
The plain text name of the SQL user that will create or update the database for the gateway in SQL. This user must already exist in SQL and have sufficient permissions for the create/ update/ populate task.   sa
dbmanagement
ttlSecondsAfterFinished
The number of seconds after the database management tasks are complete before the database management container shuts down.   60
ingress
className
The ingress class name to use.   nginx
ingress
enabled
Creation of the ingress controller is enabled (true) or disabled (false).   true
ingress
hostname

The hostname to use for the ingress controller. This will be the name you use to access your AnyCAGateway REST portal.

This parameter is required.

  your .k8s .cluster .hostname .here
ingress
tlsSecretName
The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to the AnyCAGateway REST.   ingress-tls
initContainers

For more information on this data structure, see:

https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

   
metadata
annotations

Annotations are key-value pairs used to store arbitrary, non-identifying metadata on Kubernetes resources. They are typically used for integration with external tools, storing build information, or documenting deployment details. Annotations do not affect the resource’s behavior and are not used for selection.

   
metadata
labels

Labels are key-value pairs used to categorize and identify Kubernetes resources for easy selection and management. They are often used for grouping resources by application, environment, or version, enabling efficient querying and filtering. Labels are essential for resource selection and grouping in Kubernetes operations.

   
podSecurityContext
runAsNonRoot

The runAsNonRoot parameter specifies whether the pod's containers should be run as a non-root user. When set to true, the containers must run as a user other than root, improving security by adhering to the principle of least privilege. If set to false (or not specified), containers may run as the root user, which could increase security risks.

  true
podSecurityContext
runAsUser

The runAsUser parameter specifies the user ID (UID) that the containers in the pod should run as. By setting this value, you ensure that the containers run with the specified user privileges, rather than the default root user. This enhances security by limiting the container’s access to system resources and following the principle of least privilege. This value is used if runAsNonRoot is true.

  1000
portal
allowedHosts
Set this value to something other than “*” to enable host filtering, which acts as a whitelist for hosts that can make requests to the AnyCAGateway REST server.   “*”
portal
cache
caConfigurationCacheExpirationMinutes

An integer that sets the time between which modifications or additions to the CA configuration (in minutes) will be available to the AnyCAGateway REST portal. Any changes to the CA configuration will not appear in the portal for this amount of time, but caching may improve performance during CA sync and enrollment.

  10
portal
cache
roleClaimsCacheExpirationMinutes

An integer that sets the time between when modification to Roles on the Claims page will be available on the AnyCAGateway REST portal.

  10
portal
extensionsDirectory
The name of the directory where third-party integration artifacts will be installed.   “Extensions”
portal
image
name
The name of the image for the portal container in the Keyfactor artifactory.   anygateway- rest
portal
lockHeartbeatIntervalMilliseconds

In the case of a High Availability implementation, the three Lock settings will set the lockout intervals (in milliseconds) during CA sync so multiple CA syncs are not running at the same time. It is unlikely these would need to be modified.

The lock heartbeat interval.

  60000
portal
lockTimeoutMilliseconds
The lock timeout.   5000
portal
lockHoldTimeoutMilliseconds
The lock hold timeout.   900000
portal
path

The URL to which traffic is directed for the AnyCAGateway REST application.

  /AnyGateway REST
portal
podDisruptionBudget
maxUnavailable
The maximum number of pods that can be unavailable simultaneously.    
portal
podDisruptionBudget
minAvailable
The minimum number of pods that must remain available during disruptions.   1
portal
replicaCount
The number of replicas created for deployment/stateful set.   1
portal
service
enabled
Enable the network service for the portal container (true) or not (false).   true
portal
service
sessionAffinity
The setting for session affinity for the network service for the portal container.   None
portal
service
type

The service type to use for the network service for the portal container.

For information about the service types, see:

https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types

  ClusterIP
portal
sqlRetryConfiguration
deltaTime
The preferred gap time to delay before the next attempt to connect to SQL will be made.   “00:00:00.5”
portal
sqlRetryConfiguration
maxTimeInterval
The maximum time interval before the next attempt to connect to SQL will be made.   “00:02:00”
portal
sqlRetryConfiguration
numberOfTries
The number of times a connection attempt will be made to SQL before an exception is thrown.   5
serviceAccount
annotations

ServiceAccount annotations are key-value pairs used to attach non-identifying metadata to the service account resource. These annotations are typically used for integration with external tools, documenting configurations, or adding extra information relevant to the service account's usage. Like other annotations, they don't affect the resource's functionality and aren't used for selection.

   
serviceAccount
create

Create a new service account (true) or not (false).

For more information on service accounts, see:

https://kubernetes.io/docs/concepts/security/service-accounts/

  true
serviceAccount
name

The name of an existing service account to use, or the name to give to a service account to be created.

If create is true but the name is not provided, the default name will be used.

   
sidecarContainers

Additional containers that run alongside the main application container within a pod are known as sidecarContainers. These containers typically provide supporting functionality, such as logging, monitoring, or proxying, without modifying the primary application's behavior. These sidecarContainers share the same network namespace and storage volumes as the main container, enabling close integration.

For more information on this data structure, see:

https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/

No sidecarContainers are included by default.

   
topologySpreadConstraints

The topologySpreadConstraints parameter defines rules for distributing pods across nodes to ensure high availability and fault tolerance. It allows you to control how pods are spread across different failure domains, such as availability zones or regions, to prevent resource contention and ensure that the application remains functional even if one domain fails.

For more information on this data structure, see:

https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/

No topology spread constraints are included by default.

   
volumeMounts
- name

An array of volume mounts. This parameter specifies the name of the volume mount. The value should match the value set by volumes > -name.

The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates.

For more information on this data structure, see:

root-cas  
volumeMounts
mountPath

The mountPath specifies the path within the container where a volume should be mounted. It can be a directory or a specific file, depending on the mount configuration, allowing the container to access the contents of the volume at that location.

/etc /ssl /certs /ca-certificates .crt  
volumeMounts
subPath

The subPath specifies a subdirectory or file within the volume to mount at the mountPath. This allows you to mount only a specific part of the volume, rather than the entire volume, giving more fine-grained control over which data is exposed to the container.

ca-certificates.crt  
volumes
- name

An array of volumes. This parameter specifies the name of the volume. The value should match the value set by volumeMounts > -name.

The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates.

root-cas  
volumes
configMap
items
- key

The Kubernetes ConfigMap key name given to the referenced value in the ConfigMap.

ca-certificates.crt  
volumes
configMap
items
path

The name of the mounted file, referenced by the Kubernetes ConfigMap, as it will appear in the volume.

In the example values file, the data from the ConfigMap key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume.

ca-certificates.crt  
volumes
configMap
name

The name given to the Kubernetes ConfigMap for the volume.

ca-roots  
workloadDefaults
image
name

The name of the image to retrieve from the Keyfactor artifactory.

Important:  Because the AnyCAGateway REST installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for portal > image > name and dbmanagement > image > name.
   
workloadDefaults
image
path
The path in the Keyfactor artifactory from which to retrieve the AnyCAGateway REST images.   charts/ command
workloadDefaults
image
pullPolicy

The pullPolicy defines when the container image should be pulled from the Keyfactor artifactory. It can be set to Always (pull the image every time the container starts), IfNotPresent (pull only if the image is not already present locally), or Never (never pull the image, only use the locally available version). This helps control image pulling behavior and optimize deployments.

  Always
workloadDefaults
image
pullSecrets
- name

The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the image.

This parameter is required.

image-creds  
workloadDefaults
image
repo
The name of the Keyfactor artifactory from which to retrieve the AnyCAGateway REST images.   repo .keyfactor .com
workloadDefaults
image
version
The version of AnyCAGateway REST to retrieve from the Keyfactor artifactory.   25.2
workloadDefaults
labels
Labels that should be applied to deployment/stateful set and pods.    
workloadDefaults
logLevel

The container logging level output. Supported values are:

  • OFF

    No logging

  • FATAL

    Log severe errors that cause early termination

  • ERROR

    Log severe errors and other runtime errors or unexpected conditions that may not cause early termination

  • WARN

    Log errors and use of deprecated APIs, poor use of APIs, almost errors, and other runtime situations that are undesirable or unexpected but not necessarily wrong

  • INFO

    Log all of the above plus runtime events (startup/shutdown)

  • DEBUG

    Log all of the above plus detailed information on the flow through the system

  • TRACE

    Maximum log information—this option can generate VERY large log files

If desired, this may be set on an application container basis using appConfig.

 

INFO
workloadDefaults
resources
limits
cpu

The maximum CPU each of the application containers may use.

If desired, this may be set uniquely on the database management container basis using dbmanagement.

  250m
workloadDefaults
resources
limits
memory

The maximum memory each of the application containers may use.

If desired, this may be set uniquely on the database management container basis using dbmanagement.

  1G
workloadDefaults
resources
requests
cpu

The baseline amount of CPU allocated for use by each of the application containers.

  50m
workloadDefaults
resources
requests
memory

The baseline amount of memory allocated for use by each of the application containers.

  300M