When AnyCAGateway REST is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.
Table 1056: AnyCAGateway REST Containerized Installation Values File Settings
|
Name |
Description |
Example | Default |
|---|---|---|---|
|
additionalEnvironmentVariables
|
Other environment variables that should be included for all containers. |
||
|
authentication
cookieExpirationMinutes
|
The cookie Expiration Minutes value determines the length of time the authentication cookie for the AnyCAGateway REST Portal browser session is considered valid. After half of the setting's duration, the AnyCAGateway REST will attempt to use a refresh token to update the cookie. If this fails, the user's session will be terminated. The cookie renewal is seamless from the user’s perspective (there is no prompt for credentials). |
|
5 |
|
authentication
defaultIdentityProviderAuthScheme
|
The authentication scheme of the default identity provider used for login. For example, Keycloak. Tip: An identity provider hint can be given in the AnyCAGateway REST URL to indicate a specific identity provider—referenced by an authentication Scheme—at login. For example:
https://restgateway. keyexample.com/ AnyGatewayREST/ Login/ Signin? idpHint= REST-Gateway-3 Where restgateway. keyexample.com is the fully qualified domain name of the AnyCAGateway REST server, AnyGatewayREST is the virtual directory for the Portal on that server, and REST-Gateway-3 is the authentication scheme for the identity provider to use for authentication. The default Identity Provider AuthScheme value is not required if only one identity provider will be used. If more than one identity provider is configured and the default Identity Provider AuthScheme is not specified, the first configured authentication Scheme will be used if no hint is provided at login. Additional identity providers can be added using the AnyCAGateway REST API endpoints (see Managing Multiple Identity Providers via API Endpoints). |
|
|
|
authentication
oauth
authenticationScheme
|
A unique authentication scheme (reference name) for the identity provider in the AnyCAGateway REST. The authentication Scheme should be entered without spaces. This is used in constructing URLs that reference the identity provider from AnyCAGateway REST. For Keyfactor Identity Provider, the authentication Scheme you enter here must match the name you used when configuring the redirect URLs for Keyfactor Identity Provider (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
||
|
authentication
oauth
displayName
|
A display name for the identity provider in AnyCAGateway REST. The display name may contain spaces. This parameter is required. |
||
|
authentication
oauth
parameters
auth0ApiUrl
|
The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter is required if Auth0 is set as the type (see authentication > oauth > provider Type). This value is not used for Keyfactor Identity Provider. |
||
|
authentication
oauth
parameters
authority
|
The issuer/authority endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my- keyidp- server .keyexample .com /realms /Keyfactor | |
|
authentication
oauth
parameters
authorizationEndpoint
|
The authorization endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my- keyidp- server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth | |
|
authentication
oauth
parameters
clientIdSecretKey
|
The Kubernetes secret key name given to the ID of the client application created in the identity provider for this AnyCAGateway REST to use. |
client-id | |
|
authentication
oauth
parameters
clientSecretSecretKey
|
The Kubernetes secret key name given to the secret for the client application created in the identity provider for this AnyCAGateway REST to use. |
client- secret | |
|
authentication
oauth
parameters
disableBearerTokenScopeRequirement
|
Optional. If true, the scope will not be required when using OAuth token authentication with the AnyCAGateway REST. Tip: You will need to set this to true if your identity provider does not provide a scope. Some identity providers do not offer the option to include a scope value (e.g. Azure AD). Other identity providers offer this option but do not include the scope by default (e.g. Keyfactor Identity Provider).
Important: If you configure the Disable Bearer Token Scope Requirement option to false (no), you must either configure the client you’re using to connect from Keyfactor Command to the gateway to always include the scope keyfactor-anyca-gateway in the token or you must configure the keyfactor-anyca-gateway scope on the authentication methods tab when configuring the CA record in Keyfactor Command. Your OAuth identity provider needs to be configured to recognize keyfactor-anyca-gateway as a scope.
|
false | |
|
authentication
oauth
parameters
jsonWebKeySetUri
|
The JWKS (JSON Web Key Set) URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
|
authentication
oauth
parameters
nameClaimType
|
A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in AnyCAGateway REST, since the value is used as the user’s display name. It is best to avoid duplicates. For Okta, this might be preferred_ names (e.g. john.smith@ keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@ keyexample.com). This parameter is required. Tip: The value in this parameter is used to populate the username in the AnyCAGateway REST Portal header.
|
preferred_ username | |
|
authentication
oauth
parameters
oidcAudience
|
The audience value for tokens issued from the identity provider. This parameter is required. |
||
|
authentication
oauth
parameters
secretName
|
The Kubernetes secret name that contains the credential values for the client application created in the identity provider for this AnyCAGateway REST to use. |
idp- secrets | |
|
authentication
oauth
parameters
signOutUrl
|
The signout URL for the identity provider. This parameter is required if Auth0 is set as the authentication > oauth > provider Type. This value is not used for Keyfactor Identity Provider. |
||
|
authentication
oauth
parameters
timeout
|
The number of seconds a request to the OAuth identity provider is allowed to process before timing out with an error. |
60 | |
|
authentication
oauth
parameters
tokenEndpoint
|
The token endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token | |
|
authentication
oauth
parameters
userInfoEndpoint
|
The user info endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
|
authentication
oauth
providerType
|
The provider type defined for the identity provider in the AnyCAGateway REST. Supported values are:
Most identity providers can be supported with the Generic type. For Auth0, use the Auth0 type. This parameter is required. |
Generic | |
|
authentication
overwrite
|
Overwrite existing settings for the named authentication Scheme on run. |
|
false |
|
authentication
sessionExpirationMinutes
|
The sessionExpirationMinutes value determines the length of time a AnyCAGateway REST browser session in the Portal will remain logged in before the user is prompted to re-authenticate regardless of whether the session is idle or in active use. Note: For Keyfactor Identity Provider, the cookieExpiration and sessionExpiration values should match those configured for the SSO Session Max and Access Token Lifespan in Keyfactor Identity Provider
|
|
60 |
|
authentication
superAdmin
description
|
A description for the initial administrative user to be created in the AnyCAGateway REST to override the default, if desired. | SuperAdmin | |
|
authentication
superAdmin
provider
|
The name set by authentication > oauth > display Name for the initial administrative user to be created in the AnyCAGateway REST. This parameter is required. |
yourProvider | |
|
authentication
superAdmin
type
|
The claim type for the initial administrative user to be created in AnyCAGateway REST. Values are provided as OAuth_ followed by the claim type. For example:
|
OAuth_sub | |
|
authentication
superAdmin
value
|
The value for the for the initial administrative user to be created in the AnyCAGateway REST. For example, a GUID for a user account sub, a role name for a role, or a client ID for a client This parameter is required. |
yourSubClaim | |
|
connectionStrings
database
|
The plain text name of the database in SQL server for AnyCAGateway REST. The database will be created if it does not already exist. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
connectionStrings
existingSecretKey
|
The Kubernetes secret key name given to the secret for the SQL connection string. This parameter is required if plain text values are not provided. |
connection- key | |
|
connectionStrings
existingSecretName
|
The Kubernetes secret name that contains the connection string values. This parameter is required if plain text values are not provided. |
connection- strings | |
|
connectionStrings
hostname
|
The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL server. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
connectionStrings
password
|
The plain text password for the SQL user (see connection Strings > username). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
connectionStrings
template
|
The template for generating SQL connection strings using plain text values for the connection string. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see:
|
Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; User ID=%s; Password=%s; | |
|
connectionStrings
username
|
The plain text username for a SQL user with sufficient permissions to complete the install. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
containerSecurityContext
allowPrivilegeEscalation
|
The container security context to use for all containers. | false | |
|
dbmanagement
backoffLimit
|
The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating. | 5 | |
|
dbmanagement
image
name
|
The name of the image for the dbmanagement container in the Keyfactor artifactory. | anygateway- dbmanagement | |
|
dbmanagement
resources
limits
cpu
|
The maximum CPU the database management container may use. |
500m | |
|
dbmanagement
resources
limits
memory
|
The maximum memory the database management container may use. |
2G | |
|
dbmanagement
servicePasswordSecretKey
|
The Kubernetes secret key name given to the secret for the password for the SQL user that will create or update the database for the gateway in SQL. | service- password | |
|
dbmanagement
servicePasswordSecretName
|
The Kubernetes secret name that contains the password for the SQL user that will create or update the database for the gateway in SQL. |
service- password | |
|
dbmanagement
serviceUsername
|
The plain text name of the SQL user that will create or update the database for the gateway in SQL. This user must already exist in SQL and have sufficient permissions for the create/ update/ populate task. | sa | |
|
dbmanagement
ttlSecondsAfterFinished
|
The number of seconds after the database management tasks are complete before the database management container shuts down. | 60 | |
|
ingress
className
|
The ingress class name to use. | nginx | |
|
ingress
enabled
|
Creation of the ingress controller is enabled (true) or disabled (false). | true | |
|
ingress
hostname
|
The hostname to use for the ingress controller. This will be the name you use to access your AnyCAGateway REST portal. This parameter is required. |
your .k8s .cluster .hostname .here | |
|
ingress
tlsSecretName
|
The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to Keyfactor Command. | ingress-tls | |
|
initContainers
|
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ By default, one init container is included that polls the database to check whether it is online and in an operational state before allowing any deployments to begin. |
||
|
metadata
annotations
|
Additional annotations to add to all resources deployed by the helm chart. | ||
|
metadata
labels
|
Additional labels to add to all resources deployed by the helm chart. | ||
|
podSecurityContext
runAsNonRoot
|
The security context to use for all pods in all deployments—run as root (false) or not (true). | true | |
|
podSecurityContext
runAsUser
|
The security context to use for all pods in all deployments—run as the specified user, if runAsNonRoot is true. | 1000 | |
|
portal
allowedHosts
|
Set this value to something other than “*” to enable host filtering, which acts as a whitelist for hosts that can make requests to the AnyCAGateway REST server. | “*” | |
|
portal
cache
caConfigurationCacheExpirationMinutes
|
An integer that sets the time between which modifications or additions to the CA configuration (in minutes) will be available to the AnyCAGateway REST portal. Any changes to the CA configuration will not appear in the portal for this amount of time, but caching may improve performance during CA sync and enrollment. |
10 | |
|
portal
cache
roleClaimsCacheExpirationMinutes
|
An integer that sets the time between when modification to Roles on the Claims page will be available on the AnyCAGateway REST portal. |
10 | |
|
portal
extensionsDirectory
|
The name of the directory where third-party integration artifacts will be installed. | “Extensions” | |
|
portal
image
name
|
The name of the image for the portal container in the Keyfactor artifactory. | anygateway- rest | |
|
portal
lockHeartbeatIntervalMilliseconds
|
In the case of a High Availability implementation, the three Lock settings will set the lockout intervals (in milliseconds) during CA sync so multiple CA syncs are not running at the same time. It is unlikely these would need to be modified. The lock heartbeat interval. |
60000 | |
|
portal
lockTimeoutMilliseconds
|
The lock timeout. | 5000 | |
|
portal
lockHoldTimeoutMilliseconds
|
The lock hold timeout. | 900000 | |
|
portal
path
|
The URL to which traffic is directed for the AnyCAGateway REST application. |
/AnyGateway REST | |
|
portal
podDisruptionBudget
maxUnavailable
|
The maximum number of pods that can be unavailable simultaneously. | ||
|
portal
podDisruptionBudget
minAvailable
|
The minimum number of pods that must remain available during disruptions. | 1 | |
|
portal
replicaCount
|
The number of replicas created for deployment/stateful set. | 1 | |
|
portal
service
enabled
|
Enable the network service for the portal container (true) or not (false). | true | |
|
portal
service
sessionAffinity
|
The setting for session affinity for the network service for the portal container. | None | |
|
portal
service
type
|
The service type to use for the network service for the portal container. For information about the service types, see: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
ClusterIP | |
|
portal
sqlRetryConfiguration
deltaTime
|
The preferred gap time to delay before the next attempt to connect to SQL will be made. | “00:00:00.5” | |
|
portal
sqlRetryConfiguration
maxTimeInterval
|
The maximum time interval before the next attempt to connect to SQL will be made. | “00:02:00” | |
|
portal
sqlRetryConfiguration
numberOfTries
|
The number of times a connection attempt will be made to SQL before an exception is thrown. | 5 | |
|
serviceAccount
annotations
|
Additional annotations for a created service account. | ||
|
serviceAccount
create
|
Create a new service account (true) or not (false). For more information on service accounts, see: https://kubernetes.io/docs/concepts/security/service-accounts/ |
true | |
|
serviceAccount
name
|
The name of an existing service account to use, or the name to give to a service account to be created. If create is true but the name is not provided, the default name will be used. |
||
|
sidecarContainers
|
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ No sidecar containers are included by default. A PKCS#11 container may be utilized as a sidecar container. |
||
|
topologySpreadConstraints
|
For more information on this data structure, see: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ No topology spread constraints are included by default. |
||
|
volumeMounts
- name
|
An array of volume mounts to use on all deployments. This parameter specifies the name of the volume mount. This value should match the value set by volumes > -name. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. For more information on this data structure, see: |
root-cas | |
|
volumeMounts
mountPath
|
The path, and file name for a single file, in the container to which to mount the file or directory. | /etc /ssl /certs /ca-certificates .crt | |
|
volumeMounts
subPath
|
The file or subdirectory within the container volume to mount to the container. | ca-certificates.crt | |
|
volumes
- name
|
An array of volumes to use on all deployments. This parameter specifies the name of the volume. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. |
root-cas | |
|
volumes
configMap
items
- key
|
The Kubernetes config map key name given to the reference value in the config map. |
ca-certificates.crt | |
|
volumes
configMap
items
path
|
The name of the mounted file, referenced by the Kubernetes config map, as it will appear in the volume. In the example values file, the data from the config map key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume. |
ca-certificates.crt | |
|
volumes
configMap
name
|
The name given to the Kubernetes config map for the volume. | ca-roots | |
|
workloadDefaults
image
name
|
The name of the image to retrieve from the Keyfactor artifactory. Important: Because the AnyCAGateway REST installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for portal > image > name and dbmanagement > image > name.
|
||
|
workloadDefaults
image
path
|
The path in the Keyfactor artifactory from which to retrieve the AnyCAGateway REST images. | charts/ command | |
|
workloadDefaults
image
pullPolicy
|
Retrieve a fresh copy of the AnyCAGateway REST images from the Keyfactor artifactory on start? | Always | |
|
workloadDefaults
image
pullSecrets
- name
|
The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the AnyCAGateway REST components. This parameter is required. |
image-creds | |
|
workloadDefaults
image
repo
|
The name of the Keyfactor artifactory from which to retrieve the AnyCAGateway REST images. | repo .keyfactor .com | |
|
workloadDefaults
image
version
|
The version of AnyCAGateway REST to retrieve from the Keyfactor artifactory. | 25.1.2 | |
|
workloadDefaults
labels
|
Labels that should be applied to deployment/stateful set and pods. | ||
|
workloadDefaults
logLevel
|
The level of logging output for all containers. Supported values are:
If desired, this may be set on an application container basis using appConfig. |
|
INFO |
|
workloadDefaults
resources
limits
cpu
|
The maximum CPU each of the application containers may use. If desired, this may be set uniquely on the database management container basis using dbmanagement. |
250m | |
|
workloadDefaults
resources
limits
memory
|
The maximum memory each of the application containers may use. If desired, this may be set uniquely on the database management container basis using dbmanagement. |
1G | |
|
workloadDefaults
resources
requests
cpu
|
The baseline amount of CPU allocated for use by each of the application containers. |
50m | |
|
workloadDefaults
resources
requests
memory
|
The baseline amount of memory allocated for use by each of the application containers. |
300M |
Was this page helpful? Provide Feedback