Values File Settings for Keyfactor Command Containers Under Kubernetes

When Keyfactor Command is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.

Table 111: Keyfactor Command Containerized Installation Values File Settings

Name

Description

Example Default
additionalEnvironmentVariables

Other environment variables that should be included for all containers.

See, for example:

   
appConfig
analysis
image
name
The name of the image for the Analysis container in the Keyfactor artifactory.   analysis
appConfig
analysis
path

The URL to which traffic is directed for the Analysis application.

  KeyfactorAnalysis
appConfig
analysis
probeSettings

Liveness and readiness probe settings used to identify whether the container is operating as expected. Liveness probes are health checks while the readiness probes determine when the pod is considered ready and can start serving requests.

Clear this value to unset probes.

No probes are set for the Analysis container by default.

   
appConfig
analysis
resources
limits
cpu
The maximum CPU the Analysis application container may use.   500m
appConfig
analysis
resources
limits
memory
The maximum memory the Analysis application container may use.   2G
appConfig
analysis
resources
requests
cpu
The baseline amount of CPU allocated for use by the Analysis application container.   100m
appConfig
analysis
resources
requests
memory
The baseline amount of memory allocated for use by the Analysis application container.   600M
appConfig
api
image
name
The name of the image for the Keyfactor API container in the Keyfactor artifactory.   api
appConfig
api
path

The URL to which traffic is directed for the Keyfactor API application.

  Keyfactor API
appConfig
caconnectorapi
image
name
The name of the image for the CA Connector API container in the Keyfactor artifactory.   ca- connector- api
appConfig
caconnectorapi
path

The URL to which traffic is directed for the CA Connector API application.

  Keyfactor CA Connectors
appConfig
claimsproxy
image
name
The name of the image for the Claims Proxy container in the Keyfactor artifactory.   claims-proxy
appConfig
claimsproxy
path

The URL to which traffic is directed for the Claims Proxy application.

  Keyfactor Proxy
appConfig
orchestratorapi
image
name
The name of the image for the Orchestrator API container in the Keyfactor artifactory.   orchestrator- api
appConfig
orchestratorapi
path

The URL to which traffic is directed for the Orchestrator API application.

  Keyfactor Agents
appConfig
portal
image
name
The name of the image for the Management Portal container in the Keyfactor artifactory.   console
appConfig
portal
image
path

The URL to which traffic is directed for the Management Portal application.

  Keyfactor Portal
appConfig
timerservice
image
name
The name of the image for the Keyfactor Command Service (timer service) container in the Keyfactor artifactory.   timer- service
appConfig
timerservice
probeSettings
livenessProbe
failureThreshold

The number of failures allowed in a liveness health check before an unhealthy state is declared for the container. If the liveness probe fails, Kubernetes assumes the container is stuck or crashed and will restart it.

Clear this value to unset probes.

  6
appConfig
timerservice
probeSettings
livenessProbe
initialDelaySeconds

The number of seconds to wait before firing the first health check probe.

Clear this value to unset probes.

  10
appConfig
timerservice
probeSettings
livenessProbe
periodSeconds

The number of seconds in between runs of the health check probe.

Clear this value to unset probes.

  5
appConfig
timerservice
probeSettings
livenessProbe
tcpSocket
port

The port to which Kubernetes should attempt to establish a TCP connection for health checks. If the connection is successful, the probe is considered a success.

Clear this value to unset probes.

  connection-port
appConfig
timerservice
probeSettings
readinessProbe
failureThreshold

The number of failures allowed in a readiness check before the container is declared unready. If the readiness probe fails, Kubernetes removes the pod from the service’s load balancer until it becomes available again. It does not restart it.

Clear this value to unset probes.

  6
appConfig
timerservice
probeSettings
readinessProbe
initialDelaySeconds

The number of seconds to wait before firing the first readiness probe.

Clear this value to unset probes.

  10
appConfig
timerservice
probeSettings
readinessProbe
periodSeconds

The number of seconds in between runs of the readiness probe.

Clear this value to unset probes.

  5
appConfig
timerservice
probeSettings
readinessProbe
tcpSocket
port

The port to which Kubernetes should attempt to establish a TCP connection for readiness checks. If the connection is successful, the probe is considered a success.

Clear this value to unset probes.

  connection-port
appConfig
timerservice
resources
limits
cpu
The maximum CPU the Keyfactor Command Service (timer service) application container may use.   500m
appConfig
timerservice
resources
limits
memory
The maximum memory the Keyfactor Command Service (timer service) application container may use.   2G
appConfig
timerservice
service
enabled
The Keyfactor Command Service controls CA synchronization jobs, alert generation, reporting, and database cleanup tasks, among other jobs. The parameter enables the service (true) or not (false).   false
connectionStrings
database

The plain text name of the database in SQL server for Keyfactor Command.

The database will be created if it does not already exist.

This value is required if a Kubernetes secret is not used to provide this information as part of a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret EFKey

  • connection Strings > existing Sql DirectKey

   
connectionStrings
efTemplate

The template for generating entity framework connection strings using plain text values.

This value is used if a Kubernetes secret is not used to provide a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret EFKey

  • connection Strings > existing Sql DirectKey

 

metadata= res://*/EFModels.csdl \\|res://*/EFModels.ssdl \\|res://*/EFModels.msl; provider= Microsoft. Data. SqlClient; provider connection string= 'Data Source=%s; Initial Catalog=%s; Integrated Security=False; User ID=%s; Password=%s; Persist Security Info=True; Command Timeout=360; Multiple Active Result Sets=True; Application Name=EntityFramework'

connectionStrings
existingSecretEFKey

The Kubernetes secret key name given to the secret for the entity framework connection string.

This parameter is required if plain text values are not provided.

ef  
connectionStrings
existingSecretName

The Kubernetes secret name that contains the connection string values.

This parameter is required if plain text values are not provided.

connection- strings  
connectionStrings
existingSqlDirectKey

The Kubernetes secret key name given to the secret for the SQL connection string.

This parameter is required if plain text values are not provided.

sqlDirect  
connectionStrings
hostname

The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL server.

This value is required if a Kubernetes secret is not used to provide this information as part of a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret EFKey

  • connection Strings > existing Sql DirectKey

   
connectionStrings
password

The plain text password for the SQL user (see connection Strings > username).

This value is required if a Kubernetes secret is not used to provide this information as part of a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret EFKey

  • connection Strings > existing Sql DirectKey

   
connectionStrings
sqlDirectTemplate

The template for generating SQL connection strings using plain text values for the connection string.

This value is used if a Kubernetes secret is not used to provide a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret EFKey

  • connection Strings > existing Sql DirectKey

 

Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; Command Timeout=360; User ID=%s; Password=%s;

connectionStrings
username

The plain text username for a SQL user with sufficient permissions to complete the install (see Grant Permissions in SQL).

This value is required if a Kubernetes secret is not used to provide this information as part of a connection string.

To provide the connection strings as a secret, see:

  • connection Strings > existing Secret Name

  • connection Strings > existing Secret EFKey

  • connection Strings > existing Sql DirectKey

   
dbPoller
pollingInterval
The interval of time between checks to the SQL database to confirm that it’s online and not in maintenance mode before the application containers are allowed to start.   5
dbupgradetool
adminUser
claimType

The claim type for the initial administrative user or group to be created in Keyfactor Command. The supported values are:

  • OAuthOid

    An open authorization claim of a type not covered by client, role or subject.

  • OAuthRole

    An open authorization group claim.

  • OAuthSubject

    An open authorization user claim.

  • OAuthClientId

    An open authorization client application claim.

This parameter is required.

   
dbupgradetool
adminUser
claimValue

The value for the for the initial administrative user or group to be created in Keyfactor Command.

For example, a GUID for a user account sub, a role name for a role, or a client ID for a client (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation for more information).

This parameter is required.

   
dbupgradetool
adminUser
description
A description for the initial administrative user or group to be created in Keyfactor Command to override the default, if desired.   Default Administrator
dbupgradetool
adminUser
identityProvider

The name set by dbupgrade tool > idp > display Name for the initial administrative user or group to be created in Keyfactor Command.

This parameter is required.

Command OIDC  
dbupgradetool
agents
useSSL
Use SSL for connections to the Orchestrator API application.   true
dbupgradetool
api
useSSL
Use SSL for connections to the Keyfactor API application.   true
dbupgradetool
appSettings
console
general
cookieExpiration
The cookieExpiration value determines the length of time the authentication cookie for the Keyfactor Command Management Portal browser session is considered valid. After half of the setting's duration, Keyfactor Command will attempt to use a refresh token to update the cookie. If this fails, the user's session will be terminated. The cookie renewal is seamless from the user’s perspective (there is no prompt for credentials).    
dbupgradetool
appSettings
console
general
sessionExpiration

The sessionExpiration value determines the length of time a Keyfactor Command browser session in the Management Portal will remain logged in before the user is prompted to re-authenticate regardless of whether the session is idle or in active use.

Note:  For Keycloak, the cookieExpiration and sessionExpiration values should match those configured for the SSO Session Max and Access Token Lifespan in Keycloak (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation). If you’ve opted not to issue refresh tokens in Keycloak, the cookieExpiration value should match the sessionExpiration value.
   
dbupgradetool
backoffLimit
The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating.   5
dbupgradetool
caConnector
basicAuth
clientCredentials
clientId
clientId

The plain text ID for the RabbitMQ user.

   
dbupgradetool
caConnector
basicAuth
clientCredentials
clientId
clientIdSecretKey

The key within the Kubernetes secret named by secretName referencing the ID for the RabbitMQ user.

  client-id
dbupgradetool
caConnector
basicAuth
clientCredentials
clientId
secretName

The name of the Kubernetes secret containing the ID of the RabbitMQ user.

  rabbit- basic- auth
dbupgradetool
caConnector
basicAuth
clientCredentials
clientId
source

The source for the RabbitMQ user. Supported options are:

  • SecretRef: A Kubernetes secret will be referenced in the SecretName and ClientIdSecretKey fields.

  • Plaintext: A plain text value will be specified in the clientId field.

Note:  PAM is not supported for client IDs.

For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation.

This value and the selected option’s associated settings are required if a CA connector with Basic authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector.

  SecretRef
dbupgradetool
caConnector
basicAuth
clientCredentials
clientSecret
clientSecretSecretKey

The key within the Kubernetes secret named by secretName referencing the secret value for the RabbitMQ user.

  client-secret
dbupgradetool
caConnector
basicAuth
clientCredentials
clientSecret
clientSecret

The plain text secret value for the RabbitMQ user.

   
dbupgradetool
caConnector
basicAuth
clientCredentials
clientSecret
secretName

The name of the Kubernetes secret containing the secret value for the RabbitMQ user.

  rabbit- basic- auth
dbupgradetool
caConnector
basicAuth
clientCredentials
clientSecret
source

The source for the secret for the RabbitMQ user. Supported options are:

  • SecretRef: A Kubernetes secret will be referenced in the SecretName and ClientSecretSecretKey fields.

  • PAM: A PAM secret will be referenced in the pamProviderName and pamProviderParameters fields.

  • Plaintext: A plain text value will be specified in the clientSecret field.

For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation.

This value and the selected option’s associated settings are required if a CA connector with Basic authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector.

  SecretRef
dbupgradetool
caConnector
configureCAConnector
Enable the CA connector option (true) or not (false).   true
dbupgradetool
caConnector
jobQueueAudience

An audience value to be included in token requests delivered to your identity provider.

This is not required when using Keycloak.

   
dbupgradetool
caConnector
jobQueueScope

One or more scopes that should be included in token requests delivered to your identity provider.

This is not required when using Keycloak.

   
dbupgradetool
caConnector
jobQueueTokenURL

The URL of the token endpoint for your identity provider.

https:// my-keyidp-server .keyexample .com / realms/ Keyfactor/ protocol/ openid- connect/ token  
dbupgradetool
caConnector
jobQueueUrl
The amqp or amqps URL to the RabbitMQ instance. amqps:// appsrvr12. keyexample .com  
dbupgradetool
caConnector
jobQueueUseOAuth

If set to true, uses OAuth client credentials to authenticate to RabbitMQ. If set to false, uses basic authentication (username/password) to authenticate to RabbitMQ.

Keyfactor strongly recommends that if you choose basic authentication, you connect to RabbitMQ over a secure channel (amqps).

  true
dbupgradetool
caConnector
jobQueueValidateOnSave
Validate the job queue connection and credentials before saving to the database during configuration (true) or not (false).   true
dbupgradetool
caConnector
oAuth
clientCredentials
clientId
clientId

The plain text ID for the RabbitMQ client.

   
dbupgradetool
caConnector
oAuth
clientCredentials
clientId
clientIdSecretKey

The key within the Kubernetes secret named by secretName referencing the ID for the RabbitMQ client.

  client-id
dbupgradetool
caConnector
oAuth
clientCredentials
clientId
secretName

The name of the Kubernetes secret containing the ID of the RabbitMQ client.

  rabbit-oauth
dbupgradetool
caConnector
oAuth
clientCredentials
clientId
source

The source for the RabbitMQ client. Supported options are:

  • SecretRef: A Kubernetes secret will be referenced in the SecretName and ClientIdSecretKey fields.

  • Plaintext: A plain text value will be specified in the clientId field.

Note:  PAM is not supported for client IDs.

For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation.

This value and the selected option’s associated settings are required if a CA connector with OAuth authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector.

  SecretRef
dbupgradetool
caConnector
oAuth
clientCredentials
clientSecret
clientSecretSecretKey

The key within the Kubernetes secret named by secretName referencing the secret value for the RabbitMQ client.

  client-secret
dbupgradetool
caConnector
oAuth
clientCredentials
clientSecret
clientSecret

The plain text secret value for the RabbitMQ client.

   
dbupgradetool
caConnector
oAuth
clientCredentials
clientSecret
secretName

The name of the Kubernetes secret containing the secret value for the RabbitMQ client.

  rabbit-oauth
dbupgradetool
caConnector
oAuth
clientCredentials
clientSecret
source

The source for the secret for the RabbitMQ client. Supported options are:

  • SecretRef: A Kubernetes secret will be referenced in the SecretName and ClientSecretSecretKey fields.

  • PAM: A PAM secret will be referenced in the pamProviderName and pamProviderParameters fields.

  • Plaintext: A plain text value will be specified in the clientSecret field.

For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation.

This value and the selected option’s associated settings are required if a CA connector with OAuth authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector.

  SecretRef
dbupgradetool
caConnector
overwrite
Overwrite any existing CA connector configuration settings (true) or not (false).   false
dbupgradetool
caConnector
useSSL
Use SSL for connections to the Keyfactor Command CA Connector API application.   true
dbupgradetool
dbCommandTimeout
Custom timeout for the database connection during the database setup and configuration process.    
dbupgradetool
forceSecretReencryption

Rotate the application-level encryption keys and re-encrypt the data identified for application-level encryption in the Keyfactor Command database (true) or not (false).

Application-level encryption is used to encrypt select sensitive data stored in the Keyfactor Command database using a separate encryption methodology on top of standard SQL server encryption. This additional layer of encryption protects the data in cases where the SQL Server master keys cannot be adequately protected.

If you enable application-level encryption, you must configure an encryption methodology (see Application-Level Encryption).

  false
dbupgradetool
idp
api
clientCredentials
clientId
clientId

The plain text ID for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself.

   
dbupgradetool
idp
api
clientCredentials
clientId
clientIdSecretKey

The key within the Kubernetes secret named by secretName referencing the ID for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself.

  client-id
dbupgradetool
idp
api
clientCredentials
clientId
secretName

The name of the Kubernetes secret containing the ID of the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself.

  idp-api-secrets
dbupgradetool
idp
api
clientCredentials
clientId
source

The source for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. Supported options are:

  • SecretRef: A Kubernetes secret will be referenced in the SecretName and ClientIdSecretKey fields.

  • Plaintext: A plain text value will be specified in the clientId field.

Note:  PAM is not supported for client IDs.

For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation.

This value and the selected option’s associated settings are required.

  SecretRef
dbupgradetool
idp
api
clientCredentials
clientSecret
clientSecretSecretKey

The key within the Kubernetes secret named by secretName referencing the secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself.

  client-secret
dbupgradetool
idp
api
clientCredentials
clientSecret
clientSecret

The plain text secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself.

   
dbupgradetool
idp
api
clientCredentials
clientSecret
secretName

The name of the Kubernetes secret containing the secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself.

  idp-api-secrets
dbupgradetool
idp
api
clientCredentials
clientSecret
source

The source for the secret for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. Supported options are:

  • SecretRef: A Kubernetes secret will be referenced in the SecretName and ClientSecretSecretKey fields.

  • PAM: A PAM secret will be referenced in the pamProviderName and pamProviderParameters fields.

  • Plaintext: A plain text value will be specified in the clientSecret field.

For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation.

This value and the selected option’s associated settings are required.

  SecretRef
dbupgradetool
idp
audience

The audience value for tokens issued from the identity provider.

For Keycloak, this should be set to the same value as the dbupgrade tool > idp > client Id.

This parameter is required.

Command- OIDC- Client  
dbupgradetool
idp
auth0ApiUrl

The unique identifier defined in Auth0 or a similar identity provider for the API.

This parameter is required if Auth0 is set as the type (see dbupgrade tool > idp > provider Type).

This value is not used for Keycloak.

   
dbupgradetool
idp
authenticationScheme

A unique authentication scheme (reference name) for the identity provider in Keyfactor Command. The authentication Scheme should be entered without spaces. This is used in constructing URLs that reference the identity provider from Keyfactor Command.

For Keycloak, the authentication Scheme you enter here must match the name you used when configuring the redirect URLs for Keycloak (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required.

Tip:  An identity provider hint can be given in the Keyfactor Command URL to indicate a specific identity provider—referenced by an authentication Scheme—at login. For example:
https://keyfactor. keyexample.com/ KeyfactorPortal/ Login/ Signin? idpHint= Command-OIDC-3

Where keyfactor. keyexample.com is the fully qualified domain name of the Keyfactor Command server, KeyfactorPortal is the virtual directory for the Management Portal on that server, and Command-OIDC-3 is the authentication scheme for the identity provider to use for authentication.

Command- OIDC  
dbupgradetool
idp
authority

The issuer/authority endpoint URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the authority will automatically be retrieved and does not need to be provided separately.

Tip:  When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:
  • That the discovery document is reachable using the Authority value provided and can be parsed into a valid discovery document.

  • That the Authority URL matches the Issuer returned in the discovery document.

  • That all the URLs on the discovery document are using HTTPS.

  • That the JSONWebKeySetUri value is included on the discovery document.

  • That any endpoint configuration values (Authorization Endpoint, Token Endpoint, UserInfo Endpoint, JSONWebKeySetUri) that have been saved or are being saved match—including case—the values returned in the discovery document. The UserInfo Endpoint is not a required configuration field, but if a value is provided, it must match what’s in the discovery document.

If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged.

https:// my- keyidp- server .keyexample .com /realms /Keyfactor  
dbupgradetool
idp
authorizationEndpoint

The authorization endpoint URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the authorization Endpoint will automatically be retrieved and does not need to be provided separately.

https:// my- keyidp- server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth  
dbupgradetool
idp
clientCredentials
clientId
clientId

The plain text ID of the client application created in the identity provider for primary application use.

Command- OIDC- Client  
dbupgradetool
idp
clientCredentials
clientId
clientIdSecretKey

The key within the Kubernetes secret named by secretName referencing the ID for the client application created in the identity provider for primary application use.

  client-id
dbupgradetool
idp
clientCredentials
clientId
secretName

The name of the Kubernetes secret containing the ID of the client application created in the identity provider for primary application use.

  idp-secrets
dbupgradetool
idp
clientCredentials
clientId
source

The source for the client ID for the client application created for primary application use. Supported options are:

  • SecretRef: A Kubernetes secret will be referenced in the SecretName and ClientIdSecretKey fields.

  • Plaintext: A plain text value will be specified in the clientId field.

Note:  PAM is not supported for client IDs.

For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation.

This value and the selected option’s associated settings are required.

  SecretRef
dbupgradetool
idp
clientCredentials
clientSecret
clientSecretSecretKey

The key within the Kubernetes secret named by secretName referencing the secret value for the client application created in the identity provider for primary application use.

  client-secret
dbupgradetool
idp
clientCredentials
clientSecret
clientSecret

The plain text secret value for the client application created in the identity provider for primary application use.

   
dbupgradetool
idp
clientCredentials
clientSecret
secretName

The name of the Kubernetes secret containing the secret value for the client application created in the identity provider for primary application use.

  idp-secrets
dbupgradetool
idp
clientCredentials
clientId
source

The source for the secret for the client application created for primary application use. Supported options are:

  • SecretRef: A Kubernetes secret will be referenced in the SecretName and ClientSecretSecretKey fields.

  • PAM: A PAM secret will be referenced in the pamProviderName and pamProviderParameters fields.

  • Plaintext: A plain text value will be specified in the clientSecret field.

For more information, see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation.

This value and the selected option’s associated settings are required.

  SecretRef
dbupgradetool
idp
discoveryDocumentEndpoint

The discovery URL for the identity provider.

For Keycloak, this is the link to the OpenID Endpoint Configuration page, which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /.well-known /openid-configuration  
dbupgradetool
idp
displayName

A display name for the identity provider in Keyfactor Command. The display name may contain spaces.

This parameter is required.

Command OIDC  
dbupgradetool
idp
fallbackUniqueClaimType

A type of user claim for the identity provider containing a backup unique name for the user. This is provided in case the primary referenced name (see dbupgrade tool > idp > unique Claim Type) does not contain a value. Some OAuth providers may provide one type of claim for users/clients of one type and another type of claim for users/clients of another type.

The cid (client ID) user claim type is commonly used by OAuth providers.

This parameter is required.

cid  
dbupgradetool
idp
jsonWebKeySetUri

The JWKS (JSON Web Key Set) URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the json Web Key Set Uri will automatically be retrieved and does not need to be provided separately.

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs  
dbupgradetool
idp
nameClaimType

A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in Keyfactor Command, since the value is used as the user’s display name in areas such as the requester of a certificate, actors in audit logs, and users referenced in workflow instances. It is best to avoid duplicates.

For Okta, this might be preferred_ names (e.g. john.smith@ keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@ keyexample.com).

This parameter is required.

Tip:  The value in this parameter is used as the first choice to populate the username in the Keyfactor Command Management Portal header, if available. This is not the value to use when logging into Keyfactor Command. For that, see dbupgrade tool > idp > unique Claim Type.
preferred_ username  
dbupgradetool
idp
overwrite
Overwrite existing settings for the named authentication Scheme on run.   false
dbupgradetool
idp
providerType

The provider type defined for the identity provider in Keyfactor Command. Supported values are:

  • Generic

  • Auth0

Most identity providers can be supported with the Generic type. For Auth0, use the Auth0 type.

Generic  
dbupgradetool
idp
roleClaimType

The value used to reference the type of group claim for the identity provider.

This parameter is required.

groups  
dbupgradetool
idp
scope

One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces.

This value is not used for Keycloak.

   
dbupgradetool
idp
signOutUrl

The signout URL for the identity provider.

This parameter is required if Auth0 is set as the dbupgradetool > idp > providerType.

This value is not used for Keycloak.

   
dbupgradetool
idp
timeout
The number of seconds a request to the identity provider is allowed to process before timing out with an error.    
dbupgradetool
idp
tokenAudience

An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client.

This value is not used for Keycloak.

   
dbupgradetool
idp
tokenEndpoint

The token endpoint URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the tokenEndpoint will automatically be retrieved and does not need to be provided separately.

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token  
dbupgradetool
idp
tokenScope

One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces.

This value is not used for Keycloak.

   
dbupgradetool
idp
uniqueClaimType

A type of user claim for the identity provider containing a unique name for the user.

The sub (subject) user claim type is commonly used by OAuth providers.

In Keycloak, the sub is a GUID uniquely identifying the user.

See also dbupgradetool > idp > fallbackUniqueClaimType.

This parameter is required.

Tip:  The value in this field is used as the second choice to populate the username in the Keyfactor CommandManagement Portal header if the dbupgradetool > idp > nameClaimType does not contain a value in the token.

The value in this field is the one to use when logging into Keyfactor Command.

sub  
dbupgradetool
idp
userInfoEndpoint

The user info endpoint URL for the identity provider.

For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keycloak and Collecting Data for the Keyfactor Command Installation).

This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the userInfoEndpoint will automatically be retrieved and does not need to be provided separately.

https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs  
dbupgradetool
license
plaintext

The plain text Keyfactor Command license. This is provided as the raw XML content of the license file

One of the following is required:

  • dbupgrade tool > license > plaintext

  • dbupgrade tool > license > secretName and dbupgrade tool > license > secretKey

<?xml version="1.0" encoding="utf-8"?><LicenseData> [data removed for display] </LicenseData>  
dbupgradetool
license
secretKey

The Kubernetes secret key name given to the secret for the Keyfactor Command license.

One of the following is required:

  • dbupgrade tool > license > plaintext

  • dbupgrade tool > license > secretName and dbupgrade tool > license > secretKey

  license- content
dbupgradetool
license
secretName

The Kubernetes secret name given to the secret for the Keyfactor Command license.

One of the following is required:

  • dbupgrade tool > license > plaintext

  • dbupgrade tool > license > secretName and dbupgrade tool > license > secretKey

  command- license
dbupgradetool
logi
useSSL
Use SSL for connections to the Analysis application.   true
dbupgradetool
proxy
useSSL
Use SSL for connections to the Claims Proxy application.   true
dbupgradetool
resources
limits
cpu

The maximum CPU the database setup and configuration container may use.

  500m
dbupgradetool
resources
limits
memory

The maximum memory the database setup and configuration container may use.

  2G
dbupgradetool
resources
requests
cpu

The baseline amount of CPU allocated for use by the database setup and configuration container.

  50m
dbupgradetool
resources
requests
memory

The baseline amount of memory allocated for use by the database setup and configuration container.

  300M
dbupgradetool
seededConfig
Overwrite
A Boolean indicating whether PAM providers and provider types included in the values file should update to the Keyfactor Command database. If set to true, new providers will be added and existing providers will be updated with the information given in PamProviderTypes and PamProviders. See example for PamProviderTypes.    
dbupgradetool
seededConfig
PamProviderTypes

A JSON string indicating the PAM provider type information to add or update in the database for each PAM provider type in the format shown in the example.

Important notes:

  • The Name in the PamProviderTypes section must match the ProviderType in the PamProviders section.

  • The parameters you define in the PamProviderTypes section with an InstanceLevel of false are used to define the underlying PAM provider.

  • The parameters you define in the PamProviderTypes section with an InstanceLevel of true are fields that need to be set to a value when configuring a record (e.g. a certificate store) to use the PAM provider.

  • When configuring the PamProviders section, the Name for the parameters should match the Name given to the parameters in the PamProviderTypes section.

  • Only parameters with an InstanceLevel of false should be configured in the PamProviders section.

  • The | given after seededConfig defines the following information as a multi-line string preserving line breaks exactly as they appear, which allows the JSON string to be interpreted in the YAML file.

Note:  The provider type for Keyfactor Command local PAM providers is defined by default and does not need to be created. Secrets cannot be seeded into a Keyfactor Command local PAM database using this method.
dbupgradetool:
  seededConfig: |
    {
      "Overwrite": true,
      "PamProviderTypes": [
        {
          "Name":"DelineaExample",
          "Parameters": [
            {
              "Name": "Host",
              "DisplayName":"Secret Server URL",
              "InstanceLevel": false,
              "DataType": "1"
            },
            {
              "Name": "Username",
              "DisplayName": "Secret Server Username",
              "DataType": "2",
              "InstanceLevel": false
            },
            {
              "Name": "Password",
              "DisplayName": "Secret Server Password",
              "DataType": "2",
              "InstanceLevel": false
            },
            {
              "Name": "SecretId",
              "DisplayName": "Secret Server Secret ID",
              "DataType": "1",
              "InstanceLevel": true
            },
            {
              "Name": "SecretFieldName",
              "DisplayName": "Secret Field Name",
              "DataType": "1",
              "InstanceLevel": true
            }
          ]
        },
        { 
          // If desired, provider two type info goes here
        }
      ],
      "PamProviders": [
        {
          "Name": "DelineaProvider",
          "ProviderType":"DelineaExample",
          "Parameters": [
            {
              "Name":"Host",
              "Value":"https://MyDelineaURL"
            },
            {
              "Name":"Username",
              "Value":"MyDelineaServiceAccountUser"
            },
            {
              "Name":"Password",
              "Value":"MySuperSecretPasswordtoAccessDelinea"
            }
          ]
        },
        {
          // If desired, provider two info goes here
        }
      ]
    }
 
dbupgradetool
seededConfig
PamProviders
A JSON string indicating the PAM provider information to add or update in the database for each PAM provider in the format shown in the example for PamProviderTypes.    
dbupgradetool
ttlSecondsAfterFinished
The number of seconds after the Keyfactor Command installation/upgrade job completes before it is deleted.   60
dbupgradetool
webConsole
useSSL
Use SSL for connections to the Management Portal application.   true
hostName

The Keyfactor Command hostname parameter. Set this to a value that resolves in DNS to your Kubernetes server/cluster. This is the hostname that will make up part of the URL you will use to reach the Keyfactor Command Management Portal and Keyfactor API. The SSL certificate to secure connections to the server needs to contain this name.

This parameter is required.

“command185 .keyexample .com” your .k8s .cluster .hostname .here
ingress
className
The ingress class name to use.   nginx
ingress
enabled
Creation of the ingress controller is enabled (true) or disabled (false).   true
ingress
tlsSecretName
The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to Keyfactor Command.   ingress-tls
initContainers

For more information on this data structure, see:

https://kubernetes.io/docs/concepts/workloads/pods/init-containers/

By default, one init container is included that polls the database to check whether it is online and in an operational state before allowing any deployments to begin.

   
jobConfig
dbupgradetool
image
name
The name of the image for the database setup and configuration container in the Keyfactor artifactory.   database- upgrade- tool
jobConfig
dbupgradetool
limits
cpu

The maximum CPU the database setup and configuration container may use.

  500m
jobConfig
dbupgradetool
limits
memory

The maximum memory the database setup and configuration container may use.

  2G
metadata
annotations

Annotations are key-value pairs used to store arbitrary, non-identifying metadata on Kubernetes resources. They are typically used for integration with external tools, storing build information, or documenting deployment details. Annotations do not affect the resource’s behavior and are not used for selection.

   
metadata
labels

Labels are key-value pairs used to categorize and identify Kubernetes resources for easy selection and management. They are often used for grouping resources by application, environment, or version, enabling efficient querying and filtering. Labels are essential for resource selection and grouping in Kubernetes operations.

   
serviceAccount
annotations

ServiceAccount annotations are key-value pairs used to attach non-identifying metadata to the service account resource. These annotations are typically used for integration with external tools, documenting configurations, or adding extra information relevant to the service account's usage. Like other annotations, they don't affect the resource's functionality and aren't used for selection.

   
serviceAccount
create

Create a new service account (true) or not (false).

For more information on service accounts, see:

https://kubernetes.io/docs/concepts/security/service-accounts/

  true
serviceAccount
name

The name of an existing service account to use, or the name to give to a service account to be created.

If create is true but the name is not provided, the default name will be used.

   
sidecarContainers

Additional containers that run alongside the main application container within a pod are known as sidecarContainers. These containers typically provide supporting functionality, such as logging, monitoring, or proxying, without modifying the primary application's behavior. These sidecarContainers share the same network namespace and storage volumes as the main container, enabling close integration.

For more information on this data structure, see:

https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/

No sidecarContainers are included by default. A PKCS#11 container may be utilized as a sidecarContainer.

   
sqlRootFingerprint

The thumbprint for the root (not issuing) CA to which the SSL certificate on the SQL certificate chains.

This parameter is required if Encrypt=true is set in the connection string.

The thumbprint should be provided with colons between each octet.

  fingerprint:for:sql:SSL:cert:Root:CA
topologySpreadConstraints

The topologySpreadConstraints parameter defines rules for distributing pods across nodes to ensure high availability and fault tolerance. It allows you to control how pods are spread across different failure domains, such as availability zones or regions, to prevent resource contention and ensure that the application remains functional even if one domain fails.

For more information on this data structure, see:

https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/

No topology spread constraints are included by default.

   
volumeMounts
- name

An array of volume mounts. This parameter specifies the name of the volume mount. The value should match the value set by volumes > -name.

The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates.

For more information on this data structure, see:

The mounts specified apply to all containers.

root-cas  
volumeMounts
mountPath

The mountPath specifies the path within the container where a volume should be mounted. It can be a directory or a specific file, depending on the mount configuration, allowing the container to access the contents of the volume at that location.

/etc /ssl /certs /ca-certificates .crt  
volumeMounts
subPath

The subPath specifies a subdirectory or file within the volume to mount at the mountPath. This allows you to mount only a specific part of the volume, rather than the entire volume, giving more fine-grained control over which data is exposed to the container.

ca-certificates.crt  
volumes
- name

An array of volumes. This parameter specifies the name of the volume. The value should match the value set by volumeMounts > -name.

The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates.

The volumes specified apply to all containers.

root-cas  
volumes
configMap
items
- key

The Kubernetes ConfigMap key name given to the referenced value in the ConfigMap.

ca-certificates.crt  
volumes
configMap
items
path

The name of the mounted file, referenced by the Kubernetes ConfigMap, as it will appear in the volume.

In the example values file, the data from the ConfigMap key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume.

ca-certificates.crt  
volumes
configMap
name

The name given to the Kubernetes ConfigMap for the volume.

ca-roots  
workloadDefaults
containerSecurityContext
allowPrivilegeEscalation

Specifies whether a process in a container can gain more privileges than its parent process. If set to true, processes in the container can escalate their privileges, potentially allowing them to gain additional system capabilities. If set to false, privilege escalation is prevented, which can improve security by limiting the container's ability to perform actions that require higher privileges than the container's default security context allows.

  false
workloadDefaults
enabled
Enables or disables resources associated with the given workload.   true
workloadDefaults
env

Other environment variables that should be included for application containers.

See, for example:

If desired, this may be set on an application container basis using appConfig and a job basis using JobConfig.

   
workloadDefaults
image
name

The name of the image to retrieve from the Keyfactor artifactory.

Important:  Because the Keyfactor Command installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for appConfig > [application] > image > name and jobConfig > dbupgradetool > image > name.
   
workloadDefaults
image
path
The path in the Keyfactor artifactory from which to retrieve the Keyfactor Command images.   images/ command
workloadDefaults
image
pullPolicy

The pullPolicy defines when the container images should be pulled from the Keyfactor artifactory. It can be set to Always (pull the images every time the containers start), IfNotPresent (pull only if the images are not already present locally), or Never (never pull the images, only use the locally available version(s)). This helps control image pulling behavior and optimize deployments.

  Always
workloadDefaults
image
pullSecrets
- name

The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the images.

This parameter is required.

image-creds  
workloadDefaults
image
repo
The name of the Keyfactor artifactory from which to retrieve the Keyfactor Command images.   repo .keyfactor .com
workloadDefaults
image
version
The version of Keyfactor Command to retrieve from the Keyfactor artifactory.   25.2
workloadDefaults
labels
Labels that should be applied to deployment/stateful set and pods.    
workloadDefaults
logLevel

The container logging level output. Supported values are:

  • OFF

    No logging

  • FATAL

    Log severe errors that cause early termination

  • ERROR

    Log severe errors and other runtime errors or unexpected conditions that may not cause early termination

  • WARN

    Log errors and use of deprecated APIs, poor use of APIs, almost errors, and other runtime situations that are undesirable or unexpected but not necessarily wrong

  • INFO

    Log all of the above plus runtime events (startup/shutdown)

  • DEBUG

    Log all of the above plus detailed information on the flow through the system

  • TRACE

    Maximum log information—this option can generate VERY large log files

The level set here applies to all containers. If desired, this may be set on an application container basis using appConfig. See also Editing NLog.

 

INFO
workloadDefaults
path

The path to the network service.

This should only have a value if workloadDefaults > service > enabled is true.

   
workloadDefaults
podDisruptionBudget
maxUnavailable

The maximum number of pods that can be disrupted at the same time.

Either maxUnavailable or minUnavailable should be set, but not both.

A Pod Disruption Budget (PDB) ensures that a certain number of pods remain available during voluntary disruptions (e.g., draining a node for maintenance). It does not protect against node failures or crashes.

A PDB is only generated when the replicaCount is greater than 1.

   
workloadDefaults
podDisruptionBudget
minUnavailable

The minimum number of pods that must remain available at any time.

Either maxUnavailable or minUnavailable should be set, but not both.

  1
workloadDefaults
podSecurityContext
runAsNonRoot

The runAsNonRoot parameter specifies whether the pod's containers should be run as a non-root user. When set to true, the containers must run as a user other than root, improving security by adhering to the principle of least privilege. If set to false (or not specified), containers may run as the root user, which could increase security risks.

  true
workloadDefaults
podSecurityContext
runAsUser

The runAsUser parameter specifies the user ID (UID) that the containers in the pod should run as. By setting this value, you ensure that the containers run with the specified user privileges, rather than the default root user. This enhances security by limiting the container’s access to system resources and following the principle of least privilege. This value is used if runAsNonRoot is true.

  1000
workloadDefaults
podEnableServiceLinks
Controls whether Kubernetes automatically injects environment variables for services into your pods. When set to true, Kubernetes automatically adds environment variables for all Services in the same namespace.   true
workloadDefaults
probeSettings
livenessProbe
failureThreshold

The number of failures allowed in a liveness health check before an unhealthy state is declared for the container. If the liveness probe fails, Kubernetes assumes the container is stuck or crashed and will restart it.

Clear this value to unset probes.

  6
workloadDefaults
probeSettings
livenessProbe
httpGet
path

The path which Kubernetes should use to attempt to perform an HTTP GET request to check the health of the container. If the connection is successful, the probe is considered a success.

Clear this value to unset probes.

  /Status/HealthCheck
workloadDefaults
probeSettings
livenessProbe
httpGet
port

The port which Kubernetes should use to attempt to perform an HTTP GET request to check the health of the container. If the connection is successful, the probe is considered a success.

Clear this value to unset probes.

  connection-port
workloadDefaults
probeSettings
livenessProbe
initialDelaySeconds

The number of seconds to wait before firing the first health check probe.

Clear this value to unset probes.

  10
workloadDefaults
probeSettings
livenessProbe
periodSeconds

The number of seconds in between runs of the health check probe.

Clear this value to unset probes.

  5
workloadDefaults
probeSettings
readinessProbe
failureThreshold

The number of failures allowed in a readiness check before the container is declared unready. If the readiness probe fails, Kubernetes removes the pod from the service’s load balancer until it becomes available again. It does not restart it.

Clear this value to unset probes.

  6
workloadDefaults
probeSettings
readinessProbe
httpGet
path

The path which Kubernetes should use to attempt to perform an HTTP GET request to check the readiness of the container. If the connection is successful, the probe is considered a success.

Clear this value to unset probes.

  /Status/HealthCheck
workloadDefaults
probeSettings
readinessProbe
httpGet
port

The port which Kubernetes should use to attempt to perform an HTTP GET request to check the readiness of the container. If the connection is successful, the probe is considered a success.

Clear this value to unset probes.

  connection-port
workloadDefaults
probeSettings
readinessProbe
initialDelaySeconds

The number of seconds to wait before firing the first readiness probe.

Clear this value to unset probes.

  10
workloadDefaults
probeSettings
readinessProbe
periodSeconds

The number of seconds in between runs of the readiness probe.

Clear this value to unset probes.

  5
workloadDefaults
replicaCount
The number of replicas created for deployment/stateful set.   1
workloadDefaults
resources
limits
cpu

The maximum CPU each of the application containers may use.

If desired, this may be set on an application container basis using appConfig.

  250m
workloadDefaults
resources
limits
memory

The maximum memory each of the application containers may use.

If desired, this may be set on an application container basis using appConfig.

  1G
workloadDefaults
resources
requests
cpu

The baseline amount of CPU allocated for use by each of the application containers.

If desired, this may be set on an application container basis using appConfig.

  50m
workloadDefaults
resources
requests
memory

The baseline amount of memory allocated for use by each of the application containers.

If desired, this may be set on an application container basis using appConfig.

  300M
workloadDefaults
service
annotations
Additional annotations for the network service.    
workloadDefaults
service
enabled
Enable the network service for each of the application containers (true) or not (false).   true
workloadDefaults
service
sessionAffinity
The setting for session affinity for the network service for each of the application containers.   None
workloadDefaults
service
type

The service type to use for the network service for each of the application containers.

For information about the service types, see:

https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types

  ClusterIP