When Keyfactor Command is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.
Table 112: Keyfactor Command Containerized Installation Values File Settings
|
Name |
Description |
Example | Default |
|---|---|---|---|
| additional Environment Variables |
Other environment variables that should be included for all containers. See, for example: |
||
|
appConfig analysis image name |
The name of the image for the Analysis container in the Keyfactor artifactory. | analysis | |
|
appConfig api image name |
The name of the image for the Keyfactor API container in the Keyfactor artifactory. | api | |
|
appConfig api image path |
The URL to which traffic is directed for the Keyfactor API application. If you opt to change this, these values must match:
|
/Keyfactor API | |
|
appConfig image name |
The name of the image for the CA Connector API container in the Keyfactor artifactory. | ca- connector- api | |
|
appConfig image path |
The URL to which traffic is directed for the Keyfactor API application. If you opt to change this, these values must match:
|
/Keyfactor CA Connectors | |
|
appConfig image name |
The name of the image for the Claims Proxy container in the Keyfactor artifactory. | claims-proxy | |
|
appConfig image path |
The URL to which traffic is directed for the Keyfactor API application. If you opt to change this, these values must match:
|
/Keyfactor Proxy | |
|
appConfig image name |
The name of the image for the Orchestrator API container in the Keyfactor artifactory. | orchestrator- api | |
|
appConfig image path |
The URL to which traffic is directed for the Keyfactor API application. If you opt to change this, these values must match:
|
/Keyfactor Agents | |
|
appConfig portal image name |
The name of the image for the Management Portal container in the Keyfactor artifactory. | console | |
|
appConfig portal image path |
The URL to which traffic is directed for the Keyfactor API application. If you opt to change this, these values must match:
|
/Keyfactor Portal | |
|
appConfig image name |
The name of the image for the Keyfactor Command Service (timer service) container in the Keyfactor artifactory. | timer- service | |
|
appConfig limits cpu |
The maximum CPU the Keyfactor Command Service container may use. |
500m | |
|
appConfig timer service service enabled |
The Keyfactor Command Service controls CA synchronization jobs, alert generation, reporting, and database cleanup tasks, among other jobs. The parameter enables the service (true) or not (false). | false | |
|
appConfig limits memory |
The maximum memory the Keyfactor Command Service container may use. |
2G | |
|
database |
The plain text name of the database in SQL server for Keyfactor Command. The database will be created if it does not already exist. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
The template for generating entity framework connection strings using plain text values. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see:
|
metadata= res://*/EFModels.csdl \\|res://*/EFModels.ssdl \\|res://*/EFModels.msl; provider= Microsoft. Data. SqlClient; provider connection string= ’Data Source=%s; Initial Catalog=%s; Integrated Security=False; User ID=%s; Password=%s; Encrypt=true;Persist Security Info=True; Command Timeout=360; Multiple Active Result Sets=True; Application Name= Entity Framework' | ||
|
The Kubernetes secret key name given to the secret for the entity framework connection string. This parameter is required if plain text values are not provided. |
ef | ||
|
The Kubernetes secret name that contains the connection string values. This parameter is required if plain text values are not provided. |
connection- strings | ||
|
The Kubernetes secret key name given to the secret for the SQL connection string. This parameter is required if plain text values are not provided. |
sqlDirect | ||
|
hostname |
The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL server. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
password |
The plain text password for the SQL user (see connection Strings > username). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
The template for generating SQL connection strings using plain text values for the connection string. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see:
|
Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; Command Timeout=360; User ID=%s; Password=%s; Encrypt=true; | ||
|
username |
The plain text username for a SQL user with sufficient permissions to complete the install (see Grant Permissions in SQL). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
| The container security context to use for all containers. | false | ||
|
dbPoller |
Retrieve a fresh copy of the Keyfactor Command images from the Keyfactor artifactory on start? | Always | |
|
dbPoller |
The interval of time between checks to the SQL database to confirm that it’s online and not in maintenance mode before the application containers are allowed to start. | 5 | |
|
dbPoller resources limits cpu |
The maximum CPU the database polling container may use. |
200m | |
|
dbPoller resources limits memory |
The maximum memory the database polling container may use. |
500M | |
|
dbPoller resources requests cpu |
The baseline amount of CPU allocated for use by the database polling container. |
5m | |
|
dbPoller resources requests memory |
The baseline amount of memory allocated for use by the database polling container. |
300M | |
|
The claim type for the initial administrative user or group to be created in Keyfactor Command. The supported values are:
This parameter is required. |
|||
|
The value for the for the initial administrative user or group to be created in Keyfactor Command. For example, a GUID for a user account sub, a role name for a role, or a client ID for a client (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation for more information). This parameter is required. |
|||
|
admin User
description |
A description for the initial administrative user or group to be created in Keyfactor Command to override the default, if desired. | Default Administrator | |
|
The name set by dbupgrade tool > idp > display Name for the initial administrative user or group to be created in Keyfactor Command. This parameter is required. |
Command OIDC | ||
|
agents |
Use SSL for connections to the Orchestrator API application. | true | |
|
agents |
The virtual folder name for the Orchestrator API application. If you opt to change this, these values must match:
|
Keyfactor Agents | |
|
api |
Use SSL for connections to the Keyfactor API application. | true | |
|
api |
The virtual folder name for the Keyfactor API application. If you opt to change this, these values must match:
|
Keyfactor API | |
|
console general |
The cookieExpiration value determines the length of time the authentication cookie |
||
|
console general |
The Note: For Keyfactor Identity Provider, the cookieExpiration and sessionExpiration values should match those configured for the SSO Session Max and Access Token Lifespan in Keyfactor Identity Provider
|
||
| The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating. | 5 | ||
|
password |
The plain text password for the RabbitMQ user (see also dbupgradetool > caConnector > basicAuth > username). One of the following is required if dbupgradetool > caConnector > jobQueueUseOAuth is false and dbupgradetool > caConnector > configureCAConnector is true:
|
||
|
The Kubernetes secret key name given to the secret for the basic authentication RabbitMQ user’s password. One of the following is required if dbupgradetool > caConnector > jobQueueUseOAuth is false and dbupgradetool > caConnector > configureCAConnector is true:
|
password | ||
|
The Kubernetes secret name that contains the basic authentication values to authenticate to RabbitMQ. This parameter is required if dbupgradetool > caConnector > jobQueueUseOAuth is false, dbupgradetool > caConnector > configureCAConnector is true, and plain text values are not provided. |
rabbit- basic- auth | ||
|
username |
The plain text username for the RabbitMQ user (see also dbupgradetool > caConnector > basicAuth > password). One of the following is required if dbupgradetool > caConnector > jobQueueUseOAuth is false and dbupgradetool > caConnector > configureCAConnector is true:
|
||
|
The Kubernetes secret key name given to the secret for the basic authentication RabbitMQ user’s username. One of the following is required if dbupgradetool > caConnector > jobQueueUseOAuth is false and dbupgradetool > caConnector > configureCAConnector is true:
|
username | ||
| Enable the CA connector option (true) or not (false). | true | ||
|
An audience value to be included in token requests delivered to your identity provider. This is not required when using Keyfactor Identity Provider. |
|||
|
One or more scopes that should be included in token requests delivered to your identity provider. This is not required when using Keyfactor Identity Provider. |
|||
|
The URL of the token endpoint for your identity provider. |
https:// my-keyidp-server .keyexample .com / realms/ Keyfactor/ protocol/ openid- connect/ token | ||
| The amqp or amqps URL to the RabbitMQ instance. | amqps:// appsrvr12. keyexample .com | ||
|
If set to true, uses OAuth client credentials to authenticate to RabbitMQ. If set to false, uses basic authentication (username/password) to authenticate to RabbitMQ. Keyfactor strongly recommends that if you choose basic authentication, you connect to RabbitMQ over a secure channel (amqps). |
true | ||
| Validate the job queue connection and credentials before saving to the database during configuration (true) or not (false). | true | ||
|
oAuth |
The plain text ID for the RabbitMQ client (see also dbupgradetool > caConnector > oAuth > clientSecret). One of the following is required if dbupgradetool > caConnector > jobQueueUseOAuth is true and dbupgradetool > caConnector > configureCAConnector is true:
|
||
|
oAuth |
The Kubernetes secret key name given to the secret for the OAuth client credential RabbitMQ client’s ID. One of the following is required if dbupgradetool > caConnector > jobQueueUseOAuth is true and dbupgradetool > caConnector > configureCAConnector is true:
|
client-id | |
|
oAuth |
The plain text secret for the RabbitMQ client (see also dbupgradetool > caConnector > oAuth > clientId). One of the following is required if dbupgradetool > caConnector > jobQueueUseOAuth is true and dbupgradetool > caConnector > configureCAConnector is true:
|
||
|
oAuth |
The Kubernetes secret key name given to the secret for the OAuth client credential RabbitMQ client’s secret. One of the following is required if dbupgradetool > caConnector > jobQueueUseOAuth is true and dbupgradetool > caConnector > configureCAConnector is true:
|
client-secret | |
|
oAuth |
The Kubernetes secret name that contains the OAuth client credential values to authenticate to RabbitMQ. This parameter is required if dbupgradetool > caConnector > jobQueueUseOAuth is true, dbupgradetool > caConnector > configureCAConnector is true, and plain text values are not provided. |
rabbit-oauth | |
|
overwrite |
Overwrite any existing CA connector configuration settings (true) or not (false). | false | |
| Use SSL for connections to the Keyfactor Command CA Connector API application. | true | ||
|
The virtual folder name for the CA Connector API application. If you opt to change this, these values must match:
|
Keyfactor CA Connectors | ||
| Custom timeout for the database connection during the database setup and configuration process. | |||
|
Rotate the application-level encryption keys and re-encrypt the data identified for application-level encryption in the Keyfactor Command database (true) or not (false). Application-level encryption is used to encrypt select sensitive data stored in the Keyfactor Command database using a separate encryption methodology on top of standard SQL server encryption. This additional layer of encryption protects the data in cases where the SQL Server master keys cannot be adequately protected. If you enable application-level encryption, you must configure an encryption methodology (see Application-Level Encryption). |
false | ||
|
idp api |
The plain text ID for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself (see also dbupgradetool > idp > api > clientSecret). One of the following is required:
|
||
|
idp api |
The Kubernetes secret key name given to the ID for the service account (client) created to allow Keyfactor Command to make API requests to itself. One of the following is required:
|
client-id | |
|
idp api |
The Kubernetes secret key name given to the secret for the service account (client) created to allow Keyfactor Command to make API requests to itself. One of the following is required:
|
client-secret | |
|
idp api |
The plain text secret for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself (see also dbupgradetool > idp > api > clientId). One of the following is required:
|
||
|
idp api |
The Kubernetes secret name that contains the credential values for the service account (client) created to allow Keyfactor Command to make API requests to itself. This parameter is required if plain text values are not provided. |
idp- api- secrets | |
|
idp audience |
The audience value for tokens issued from the identity provider. For Keyfactor Identity Provider, this should be set to the same value as the dbupgrade tool > idp > client Id. This parameter is required. |
Command- OIDC- Client | |
|
idp |
The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter is required if Auth0 is set as the type (see dbupgrade tool > idp > provider Type). This value is not used for Keyfactor Identity Provider. |
||
|
idp |
A unique authentication scheme (reference name) for the identity provider in Keyfactor Command. The authentication Scheme should be entered without spaces. This is used in constructing URLs that reference the identity provider from Keyfactor Command. For Keyfactor Identity Provider, the authentication Scheme you enter here must match the name you used when configuring the redirect URLs for Keyfactor Identity Provider (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. Tip: An identity provider hint can be given in the Keyfactor Command URL to indicate a specific identity provider—referenced by an
https://keyfactor. keyexample.com/ KeyfactorPortal/ Login/ Signin? idpHint= Command-OIDC-3 Where keyfactor. keyexample.com is the fully qualified domain name of the Keyfactor Command server, KeyfactorPortal is the virtual directory for the Management Portal on that server, and Command-OIDC-3 is the authentication scheme for the identity provider to use for authentication. |
Command- OIDC | |
|
idp authority |
The issuer/authority endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the authority will automatically be retrieved and does not need to be provided separately. Tip: When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:
If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged. |
https:// my- keyidp- server .keyexample .com /realms /Keyfactor | |
|
idp |
The authorization endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the authorization Endpoint will automatically be retrieved and does not need to be provided separately. |
https:// my- keyidp- server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth | |
|
idp |
The plain text ID of the client application created in the identity provider for primary application use. For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. One of the following is required:
|
Command- OIDC- Client | |
|
idp |
The Kubernetes secret key name given to the ID of the client application created in the identity provider for primary application use. One of the following is required:
|
client-id | |
|
idp |
The plain text secret for the client application created in the identity provider for primary application use. For Keyfactor Identity Provider, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation for help locating this. One of the following is required:
|
||
|
idp |
The Kubernetes secret key name given to the secret for the client application created in the identity provider for primary application use. One of the following is required:
|
client-secret | |
|
idp |
The discovery URL for the identity provider. For Keyfactor Identity Provider, this is the link to the OpenID Endpoint Configuration page, which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /.well-known /openid-configuration | |
|
idp |
A display name for the identity provider in Keyfactor Command. The display name may contain spaces. This parameter is required. |
Command OIDC | |
|
idp |
A type of user claim for the identity provider containing a backup unique name for the user. This is provided in case the primary referenced name (see dbupgrade tool > idp > unique Claim Type) does not contain a value. Some OAuth providers may provide one type of claim for users/clients of one type and another type of claim for users/clients of another type. The cid (client ID) user claim type is commonly used by OAuth providers. This parameter is required. |
cid | |
|
idp |
The JWKS (JSON Web Key Set) URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the json Web Key Set Uri will automatically be retrieved and does not need to be provided separately. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
|
idp |
A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in Keyfactor Command, since the value is used as the user’s display name in areas such as the requester of a certificate, actors in audit logs, and users referenced in workflow instances. It is best to avoid duplicates. For Okta, this might be preferred_ names (e.g. john.smith@ keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@ keyexample.com). This parameter is required. Tip: The value in this parameter is used as the first choice to populate the username in the Keyfactor Command Management Portal header, if available. This is not the value to use when logging into Keyfactor Command. For that, see dbupgrade tool > idp > unique Claim Type.
|
preferred_ username | |
|
idp overwrite |
Overwrite existing settings for the named authentication Scheme on run. | false | |
|
idp |
The provider type defined for the identity provider in Keyfactor Command. Supported values are:
Most identity providers can be supported with the Generic type. For Auth0, use the Auth0 type. |
Generic | |
|
idp |
The value used to reference the type of group claim for the identity provider. This parameter is required. |
groups | |
|
idp scope |
One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider. |
||
|
idp |
The Kubernetes secret name that contains the credential values for the client application created in the identity provider for primary application use. This parameter is required if plain text values are not provided. |
idp-secrets | |
|
idp |
The signout URL for the identity provider. This parameter is required if Auth0 is set as the dbupgradetool > idp > providerType. This value is not used for Keyfactor Identity Provider. |
||
|
idp timeout |
The number of seconds a request to the identity provider is allowed to process before timing out with an error. | ||
|
idp |
An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. This value is not used for Keyfactor Identity Provider. |
||
|
idp |
The token endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the tokenEndpoint will automatically be retrieved and does not need to be provided separately. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token | |
|
idp |
One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider. |
||
|
idp |
A type of user claim for the identity provider containing a unique name for the user. The sub (subject) user claim type is commonly used by OAuth providers. In Keyfactor Identity Provider, the sub is a GUID uniquely identifying the user. See also dbupgradetool > idp > fallbackUniqueClaimType. This parameter is required. Tip: The value in this field is used as the second choice to populate the username in the Keyfactor CommandManagement Portal header if the dbupgradetool > idp > nameClaimType does not contain a value in the token.
The value in this field is the one to use when logging into Keyfactor Command. |
sub | |
|
idp |
The user info endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the userInfoEndpoint will automatically be retrieved and does not need to be provided separately. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
|
license |
The plain text Keyfactor Command license. This is provided as the raw XML content of the license file One of the following is required:
|
<?xml version="1.0" encoding="utf-8"?><LicenseData> [data removed for display] </LicenseData> | |
|
license |
The Kubernetes secret key name given to the secret for the Keyfactor Command license. One of the following is required:
|
license- content | |
|
license |
The Kubernetes secret name given to the secret for the Keyfactor Command license. One of the following is required:
|
command- license | |
|
logi |
Use SSL for connections to the Analysis application. | true | |
|
logi |
The virtual folder name for the Analysis application. If you opt to change this, these values must match:
|
Keyfactor Analysis | |
|
proxy |
Use SSL for connections to the Claims Proxy application. | true | |
|
proxy |
The virtual folder name for the Claims Proxy application. If you opt to change this, these values must match:
|
Keyfactor Proxy | |
|
resources limits cpu |
The maximum CPU the database setup and configuration container may use. |
500m | |
|
resources limits memory |
The maximum memory the database setup and configuration container may use. |
2G | |
|
resources requests cpu |
The baseline amount of CPU allocated for use by the database setup and configuration container. |
50m | |
|
resources requests memory |
The baseline amount of memory allocated for use by the database setup and configuration container. |
300M | |
| Use SSL for connections to the Management Portal application. | true | ||
|
The virtual folder name for the Management Portal application. If you opt to change this, these values must match:
|
Keyfactor Portal | ||
|
hostName |
The Keyfactor Command hostname parameter. Set this to a value that resolves in DNS to your Kubernetes server. This is the hostname that will make up part of the URL you will use to reach the Keyfactor Command Management Portal and Keyfactor API. The SSL certificate to secure connections to the server needs to contain this name. This parameter is required. |
“command185 .keyexample .com” | your .k8s .cluster .hostname .here |
|
ingress |
The inbound URL to the Analysis application. If you opt to change this, these values must match:
|
/Keyfactor Analysis | |
|
ingress |
The inbound URL to the Keyfactor API application. If you opt to change this, these values must match:
|
/Keyfactor API | |
|
ingress |
The inbound URL to the CA Connector API application. If you opt to change this, these values must match:
|
/Keyfactor CA Connectors | |
|
ingress |
The inbound URL to the Claims Proxy application. If you opt to change this, these values must match:
|
/Keyfactor Proxy | |
|
ingress |
The ingress class name to use. | nginx | |
|
ingress enabled |
Creation of the ingress controller is enabled (true) or disabled (false). | true | |
|
ingress |
The inbound URL to the Orchestrator API application. If you opt to change this, these values must match:
|
/Keyfactor Agents | |
|
ingress |
The inbound URL to the Management Portal application. If you opt to change this, these values must match:
|
/Keyfactor Portal | |
|
ingress |
The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to Keyfactor Command. | ingress-tls | |
| init Containers |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ By default, one init container is included that polls the database to check whether it is online and in an operational state before allowing any deployments to begin. |
||
|
jobConfig image name |
The name of the image for the database setup and configuration container in the Keyfactor artifactory. | database- upgrade- tool | |
|
jobConfig limits cpu |
The maximum CPU the database setup and configuration container may use. |
500m | |
|
jobConfig limits memory |
The maximum memory the database setup and configuration container may use. |
2G | |
|
metadata annotations |
Additional annotations to add to all resources deployed by the helm chart. | ||
|
metadata labels |
Additional labels to add to all resources deployed by the helm chart. | ||
| The security context to use for all pods in all deployments—run as root (false) or not (true). | true | ||
| The security context to use for all pods in all deployments—run as the specified user, if runAsNonRoot is true. | 1000 | ||
|
annotations |
Additional annotations for a created service account. | ||
|
create |
Create a new service account (true) or not (false). For more information on service accounts, see: https://kubernetes.io/docs/concepts/security/service-accounts/ |
true | |
|
name |
The name of an existing service account to use, or the name to give to a service account to be created. If create is true but the name is not provided, the default name will be used. |
||
| sidecar Containers |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ No sidecar containers are included by default. A PKCS#11 container may be utilized as a sidecar container. |
||
| sql Root Fingerprint | The thumbprint for the root CA certificate that issued the certificate used to secure the connection to your SQL server. | ||
| topology Spread Constraints |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ No topology spread constraints are included by default. |
||
|
- name |
An array of volume mounts to use on all deployments. This parameter specifies the name of the volume mount. This value should match the value set by volumes > -name. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. For more information on this data structure, see: |
root-cas | |
| The path, and file name for a single file, in the container to which to mount the file or directory. | /etc /ssl /certs /ca-certificates .crt | ||
| The file or subdirectory within the container volume to mount to the container. | ca-certificates.crt | ||
|
volumes - name |
An array of volumes to use on all deployments. This parameter specifies the name of the volume. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. |
root-cas | |
|
volumes items - key |
The Kubernetes config map key name given to the reference value in the config map. |
ca-certificates.crt | |
|
volumes items path |
The name of the mounted file, referenced by the Kubernetes config map, as it will appear in the volume. In the example values file, the data from the config map key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume. |
ca-certificates.crt | |
|
volumes name |
The name given to the Kubernetes config map for the volume. | ca-roots | |
|
enabled |
Enables or disables resources associated with given workload. | true | |
|
image name |
The name of the image to retrieve from the Keyfactor artifactory. Important: Because the Keyfactor Command installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for appConfig > [application] > image > name and jobConfig > dbupgradetool > image > name.
|
||
|
image path |
The path in the Keyfactor artifactory from which to retrieve the Keyfactor Command images. | charts/ command | |
|
image |
Retrieve a fresh copy of the Keyfactor Command images from the Keyfactor artifactory on start? | Always | |
|
image - name |
The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the Keyfactor Command components. This parameter is required. |
image-creds | |
|
image repo |
The name of the Keyfactor artifactory from which to retrieve the Keyfactor Command images. | repo .keyfactor .com | |
|
image version |
The version of Keyfactor Command to retrieve from the Keyfactor artifactory. | 24.4 | |
|
labels |
Labels that should be applied to deployment/stateful set and pods. | ||
|
The level of logging output for all containers. Supported values are:
If desired, this may be set on an application container basis using appConfig. |
|
INFO | |
|
path |
The path to the network service. This should only have a value if workloadDefaults > service > enabled is true. |
||
| The number of replicas created for deployment/stateful set. | 1 | ||
|
resources limits cpu |
The maximum CPU each of the application containers may use. If desired, this may be set on an application container basis using appConfig. |
250m | |
|
resources limits memory |
The maximum memory each of the application containers may use. If desired, this may be set on an application container basis using appConfig. |
1G | |
|
resources requests cpu |
The baseline amount of CPU allocated for use by each of the application containers. If desired, this may be set on an application container basis using appConfig. |
50m | |
|
resources requests memory |
The baseline amount of memory allocated for use by each of the application containers. If desired, this may be set on an application container basis using appConfig. |
300M | |
|
service enabled |
Enable the network service for each of the application containers (true) or not (false). | true | |
|
service |
The setting for session affinity for the network service for each of the application containers. | None | |
|
service type |
The service type to use for the network service for each of the application containers. For information about the service types, see: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
ClusterIP |