When Keyfactor Command is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.
Table 113: Keyfactor Command Containerized Installation Values File Settings
|
Name |
Description |
Example | Default |
|---|---|---|---|
| additional Environment Variables |
Other environment variables that should be included for all containers. See, for example: |
||
|
appConfig analysis image name |
The name of the image for the Analysis container in the Keyfactor artifactory. | analysis | |
|
appConfig analysis path |
The URL to which traffic is directed for the Analysis application. |
KeyfactorAnalysis | |
|
appConfig analysis probeSettings |
Liveness and readiness probe settings used to identify whether the container is operating as expected. Liveness probes are health checks while the readiness probes determine when the pod is considered ready and can start serving requests. Clear this value to unset probes. No probes are set for the Analysis container by default. |
||
|
appConfig analysis resources limits cpu |
The maximum CPU the Analysis application container may use. | 500m | |
|
appConfig analysis resources limits memory |
The maximum memory the Analysis application container may use. | 2G | |
|
appConfig analysis resources requests cpu |
The baseline amount of CPU allocated for use by the Analysis application container. | 100m | |
|
appConfig analysis resources requests memory |
The baseline amount of memory allocated for use by the Analysis application container. | 600M | |
|
appConfig api image name |
The name of the image for the Keyfactor API container in the Keyfactor artifactory. | api | |
|
appConfig api path |
The URL to which traffic is directed for the Keyfactor API application. |
Keyfactor API | |
|
appConfig image name |
The name of the image for the CA Connector API container in the Keyfactor artifactory. | ca- connector- api | |
|
appConfig path |
The URL to which traffic is directed for the CA Connector API application. |
Keyfactor CA Connectors | |
|
appConfig image name |
The name of the image for the Claims Proxy container in the Keyfactor artifactory. | claims-proxy | |
|
appConfig path |
The URL to which traffic is directed for the Claims Proxy application. |
Keyfactor Proxy | |
|
appConfig image name |
The name of the image for the Orchestrator API container in the Keyfactor artifactory. | orchestrator- api | |
|
appConfig path |
The URL to which traffic is directed for the Orchestrator API application. |
Keyfactor Agents | |
|
appConfig portal image name |
The name of the image for the Management Portal container in the Keyfactor artifactory. | console | |
|
appConfig portal image path |
The URL to which traffic is directed for the Management Portal application. |
Keyfactor Portal | |
|
appConfig image name |
The name of the image for the Keyfactor Command Service (timer service) container in the Keyfactor artifactory. | timer- service | |
|
appConfig |
The number of failures allowed in a liveness health check before an unhealthy state is declared for the container. If the liveness probe fails, Kubernetes assumes the container is stuck or crashed and will restart it. Clear this value to unset probes. |
6 | |
|
appConfig |
The number of seconds to wait before firing the first health check probe. Clear this value to unset probes. |
10 | |
|
appConfig |
The number of seconds in between runs of the health check probe. Clear this value to unset probes. |
5 | |
|
appConfig port |
The port to which Kubernetes should attempt to establish a TCP connection for health checks. If the connection is successful, the probe is considered a success. Clear this value to unset probes. |
connection-port | |
|
appConfig |
The number of failures allowed in a readiness check before the container is declared unready. If the readiness probe fails, Kubernetes removes the pod from the service’s load balancer until it becomes available again. It does not restart it. Clear this value to unset probes. |
6 | |
|
appConfig |
The number of seconds to wait before firing the first readiness probe. Clear this value to unset probes. |
10 | |
|
appConfig |
The number of seconds in between runs of the readiness probe. Clear this value to unset probes. |
5 | |
|
appConfig port |
The port to which Kubernetes should attempt to establish a TCP connection for readiness checks. If the connection is successful, the probe is considered a success. Clear this value to unset probes. |
connection-port | |
|
appConfig resources limits cpu |
The maximum CPU the Keyfactor Command Service (timer service) application container may use. | 500m | |
|
appConfig resources limits memory |
The maximum memory the Keyfactor Command Service (timer service) application container may use. | 2G | |
|
appConfig timer service service enabled |
The Keyfactor Command Service controls CA synchronization jobs, alert generation, reporting, and database cleanup tasks, among other jobs. The parameter enables the service (true) or not (false). | false | |
|
database |
The plain text name of the database in SQL server for Keyfactor Command. The database will be created if it does not already exist. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
The template for generating entity framework connection strings using plain text values. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see:
|
metadata= res://*/EFModels.csdl \\|res://*/EFModels.ssdl \\|res://*/EFModels.msl; provider= Microsoft. Data. SqlClient; provider connection string= 'Data Source=%s; Initial Catalog=%s; Integrated Security=False; User ID=%s; Password=%s; Persist Security Info=True; Command Timeout=360; Multiple Active Result Sets=True; Application Name=EntityFramework' |
||
|
The Kubernetes secret key name given to the secret for the entity framework connection string. This parameter is required if plain text values are not provided. |
ef | ||
|
The Kubernetes secret name that contains the connection string values. This parameter is required if plain text values are not provided. |
connection- strings | ||
|
The Kubernetes secret key name given to the secret for the SQL connection string. This parameter is required if plain text values are not provided. |
sqlDirect | ||
|
hostname |
The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL server. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
password |
The plain text password for the SQL user (see connection Strings > username). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
The template for generating SQL connection strings using plain text values for the connection string. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see:
|
Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; Command Timeout=360; User ID=%s; Password=%s; |
||
|
username |
The plain text username for a SQL user with sufficient permissions to complete the install (see Grant Permissions in SQL). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see:
|
||
|
dbPoller |
The interval of time between checks to the SQL database to confirm that it’s online and not in maintenance mode before the application containers are allowed to start. | 5 | |
|
The claim type for the initial administrative user or group to be created in Keyfactor Command. The supported values are:
This parameter is required. |
|||
|
The value for the for the initial administrative user or group to be created in Keyfactor Command. For example, a GUID for a user account sub, a role name for a role, or a client ID for a client (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation for more information). This parameter is required. |
|||
|
admin User
description |
A description for the initial administrative user or group to be created in Keyfactor Command to override the default, if desired. | Default Administrator | |
|
The name set by dbupgrade tool > idp > display Name for the initial administrative user or group to be created in Keyfactor Command. This parameter is required. |
Command OIDC | ||
|
agents |
Use SSL for connections to the Orchestrator API application. | true | |
|
api |
Use SSL for connections to the Keyfactor API application. | true | |
|
console general |
The cookieExpiration value determines the length of time the authentication cookie |
||
|
console general |
The Note: For Keyfactor Identity Provider, the cookieExpiration and sessionExpiration values should match those configured for the SSO Session Max and Access Token Lifespan in Keyfactor Identity Provider
|
||
| The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating. | 5 | ||
|
basicAuth clientId |
The plain text ID for the RabbitMQ user. |
||
|
basicAuth clientIdSecretKey |
The key within the Kubernetes secret named by secretName referencing the ID for the RabbitMQ user. |
client-id | |
|
basicAuth secretName |
The name of the Kubernetes secret containing the ID of the RabbitMQ user. |
rabbit- basic- auth | |
|
basicAuth source |
The source for the RabbitMQ user. Supported options are:
Note: PAM is not supported for client IDs.
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required if a CA connector with Basic authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector. |
SecretRef | |
|
basicAuth |
The key within the Kubernetes secret named by secretName referencing the secret value for the RabbitMQ user. |
client-secret | |
|
basicAuth clientSecret |
The plain text secret value for the RabbitMQ user. |
||
|
basicAuth secretName |
The name of the Kubernetes secret containing the secret value for the RabbitMQ user. |
rabbit- basic- auth | |
|
basicAuth source |
The source for the secret for the RabbitMQ user. Supported options are:
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required if a CA connector with Basic authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector. |
SecretRef | |
| Enable the CA connector option (true) or not (false). | true | ||
|
An audience value to be included in token requests delivered to your identity provider. This is not required when using Keyfactor Identity Provider. |
|||
|
One or more scopes that should be included in token requests delivered to your identity provider. This is not required when using Keyfactor Identity Provider. |
|||
|
The URL of the token endpoint for your identity provider. |
https:// my-keyidp-server .keyexample .com / realms/ Keyfactor/ protocol/ openid- connect/ token | ||
| The amqp or amqps URL to the RabbitMQ instance. | amqps:// appsrvr12. keyexample .com | ||
|
If set to true, uses OAuth client credentials to authenticate to RabbitMQ. If set to false, uses basic authentication (username/password) to authenticate to RabbitMQ. Keyfactor strongly recommends that if you choose basic authentication, you connect to RabbitMQ over a secure channel (amqps). |
true | ||
| Validate the job queue connection and credentials before saving to the database during configuration (true) or not (false). | true | ||
|
oAuth clientId |
The plain text ID for the RabbitMQ client. |
||
|
oAuth clientIdSecretKey |
The key within the Kubernetes secret named by secretName referencing the ID for the RabbitMQ client. |
client-id | |
|
oAuth secretName |
The name of the Kubernetes secret containing the ID of the RabbitMQ client. |
rabbit-oauth | |
|
oAuth source |
The source for the RabbitMQ client. Supported options are:
Note: PAM is not supported for client IDs.
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required if a CA connector with OAuth authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector. |
SecretRef | |
|
oAuth |
The key within the Kubernetes secret named by secretName referencing the secret value for the RabbitMQ client. |
client-secret | |
|
oAuth clientSecret |
The plain text secret value for the RabbitMQ client. |
||
|
oAuth secretName |
The name of the Kubernetes secret containing the secret value for the RabbitMQ client. |
rabbit-oauth | |
|
oAuth source |
The source for the secret for the RabbitMQ client. Supported options are:
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required if a CA connector with OAuth authentication will be used. See dbupgradetool > caConnector > jobQueueUseOAuth is and dbupgradetool > caConnector > configureCAConnector. |
SecretRef | |
|
overwrite |
Overwrite any existing CA connector configuration settings (true) or not (false). | false | |
| Use SSL for connections to the Keyfactor Command CA Connector API application. | true | ||
| Custom timeout for the database connection during the database setup and configuration process. | |||
|
Rotate the application-level encryption keys and re-encrypt the data identified for application-level encryption in the Keyfactor Command database (true) or not (false). Application-level encryption is used to encrypt select sensitive data stored in the Keyfactor Command database using a separate encryption methodology on top of standard SQL server encryption. This additional layer of encryption protects the data in cases where the SQL Server master keys cannot be adequately protected. If you enable application-level encryption, you must configure an encryption methodology (see Application-Level Encryption). |
false | ||
|
idp api clientId |
The plain text ID for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. |
||
|
idp api clientIdSecretKey |
The key within the Kubernetes secret named by secretName referencing the ID for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. |
client-id | |
|
idp api secretName |
The name of the Kubernetes secret containing the ID of the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. |
idp-api-secrets | |
|
idp api source |
The source for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. Supported options are:
Note: PAM is not supported for client IDs.
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required. |
SecretRef | |
|
idp api |
The key within the Kubernetes secret named by secretName referencing the secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. |
client-secret | |
|
idp api clientSecret |
The plain text secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. |
||
|
idp api secretName |
The name of the Kubernetes secret containing the secret value for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. |
idp-api-secrets | |
|
idp api source |
The source for the secret for the service account (client) you have created in one of your identity providers to allow Keyfactor Command to make API requests to itself. Supported options are:
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required. |
SecretRef | |
|
idp audience |
The audience value for tokens issued from the identity provider. For Keyfactor Identity Provider, this should be set to the same value as the dbupgrade tool > idp > client Id. This parameter is required. |
Command- OIDC- Client | |
|
idp |
The unique identifier defined in Auth0 or a similar identity provider for the API. This parameter is required if Auth0 is set as the type (see dbupgrade tool > idp > provider Type). This value is not used for Keyfactor Identity Provider. |
||
|
idp |
A unique authentication scheme (reference name) for the identity provider in Keyfactor Command. The authentication Scheme should be entered without spaces. This is used in constructing URLs that reference the identity provider from Keyfactor Command. For Keyfactor Identity Provider, the authentication Scheme you enter here must match the name you used when configuring the redirect URLs for Keyfactor Identity Provider (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. Tip: An identity provider hint can be given in the Keyfactor Command URL to indicate a specific identity provider—referenced by an
https://keyfactor. keyexample.com/ KeyfactorPortal/ Login/ Signin? idpHint= Command-OIDC-3 Where keyfactor. keyexample.com is the fully qualified domain name of the Keyfactor Command server, KeyfactorPortal is the virtual directory for the Management Portal on that server, and Command-OIDC-3 is the authentication scheme for the identity provider to use for authentication. |
Command- OIDC | |
|
idp authority |
The issuer/authority endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the authority will automatically be retrieved and does not need to be provided separately. Tip: When you add or update an identity provider, the provider’s discovery document is validated based on this authority URL. The discovery document is also validated periodically in the background. The following are validated:
If any of these validation tests fail, any identity provider changes in process will not be saved and an error will be displayed or logged. |
https:// my- keyidp- server .keyexample .com /realms /Keyfactor | |
|
idp |
The authorization endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the authorization Endpoint will automatically be retrieved and does not need to be provided separately. |
https:// my- keyidp- server .keyexample.com /realms /Keyfactor /protocol /openid-connect /auth | |
| dbupgrade tool idp clientId |
The plain text ID of the client application created in the identity provider for primary application use. |
Command- OIDC- Client | |
| dbupgrade tool idp clientIdSecretKey |
The key within the Kubernetes secret named by secretName referencing the ID for the client application created in the identity provider for primary application use. |
client-id | |
| dbupgrade tool idp secretName |
The name of the Kubernetes secret containing the ID of the client application created in the identity provider for primary application use. |
idp-secrets | |
|
idp source |
The source for the client ID for the client application created for primary application use. Supported options are:
Note: PAM is not supported for client IDs.
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required. |
SecretRef | |
| dbupgrade tool idp |
The key within the Kubernetes secret named by secretName referencing the secret value for the client application created in the identity provider for primary application use. |
client-secret | |
| dbupgrade tool idp clientSecret |
The plain text secret value for the client application created in the identity provider for primary application use. |
||
| dbupgrade tool idp secretName |
The name of the Kubernetes secret containing the secret value for the client application created in the identity provider for primary application use. |
idp-secrets | |
|
idp source |
The source for the secret for the client application created for primary application use. Supported options are:
For more information, see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation. This value and the selected option’s associated settings are required. |
SecretRef | |
|
idp |
The discovery URL for the identity provider. For Keyfactor Identity Provider, this is the link to the OpenID Endpoint Configuration page, which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /.well-known /openid-configuration | |
|
idp |
A display name for the identity provider in Keyfactor Command. The display name may contain spaces. This parameter is required. |
Command OIDC | |
|
idp |
A type of user claim for the identity provider containing a backup unique name for the user. This is provided in case the primary referenced name (see dbupgrade tool > idp > unique Claim Type) does not contain a value. Some OAuth providers may provide one type of claim for users/clients of one type and another type of claim for users/clients of another type. The cid (client ID) user claim type is commonly used by OAuth providers. This parameter is required. |
cid | |
|
idp |
The JWKS (JSON Web Key Set) URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the json Web Key Set Uri will automatically be retrieved and does not need to be provided separately. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
|
idp |
A type of user claim for the identity provider containing a friendly name for the user. Although the value for this field may not necessarily be unique within your identity provider (so might resolve to John Smith and the organization might have two users called John Smith), this can be confusing in Keyfactor Command, since the value is used as the user’s display name in areas such as the requester of a certificate, actors in audit logs, and users referenced in workflow instances. It is best to avoid duplicates. For Okta, this might be preferred_ names (e.g. john.smith@ keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@ keyexample.com). This parameter is required. Tip: The value in this parameter is used as the first choice to populate the username in the Keyfactor Command Management Portal header, if available. This is not the value to use when logging into Keyfactor Command. For that, see dbupgrade tool > idp > unique Claim Type.
|
preferred_ username | |
|
idp overwrite |
Overwrite existing settings for the named authentication Scheme on run. | false | |
|
idp |
The provider type defined for the identity provider in Keyfactor Command. Supported values are:
Most identity providers can be supported with the Generic type. For Auth0, use the Auth0 type. |
Generic | |
|
idp |
The value used to reference the type of group claim for the identity provider. This parameter is required. |
groups | |
|
idp scope |
One or more scopes that are requested during the OIDC protocol when Keyfactor Command is the relying party. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider. |
||
|
idp |
The signout URL for the identity provider. This parameter is required if Auth0 is set as the dbupgradetool > idp > providerType. This value is not used for Keyfactor Identity Provider. |
||
|
idp timeout |
The number of seconds a request to the identity provider is allowed to process before timing out with an error. | ||
|
idp |
An audience value to be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. This value is not used for Keyfactor Identity Provider. |
||
|
idp |
The token endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the tokenEndpoint will automatically be retrieved and does not need to be provided separately. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /token | |
|
idp |
One or more scopes that should be included in token requests delivered to the identity provider when making a token request where Keyfactor Command is acting as the OAuth client. Multiple scopes should be separated by spaces. This value is not used for Keyfactor Identity Provider. |
||
|
idp |
A type of user claim for the identity provider containing a unique name for the user. The sub (subject) user claim type is commonly used by OAuth providers. In Keyfactor Identity Provider, the sub is a GUID uniquely identifying the user. See also dbupgradetool > idp > fallbackUniqueClaimType. This parameter is required. Tip: The value in this field is used as the second choice to populate the username in the Keyfactor CommandManagement Portal header if the dbupgradetool > idp > nameClaimType does not contain a value in the token.
The value in this field is the one to use when logging into Keyfactor Command. |
sub | |
|
idp |
The user info endpoint URL for the identity provider. For Keyfactor Identity Provider, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). This parameter is required. If the discovery document endpoint (see dbupgrade tool > idp > discovery Document Endpoint) is provided in the values file, the userInfoEndpoint will automatically be retrieved and does not need to be provided separately. |
https:// my-keyidp-server .keyexample.com /realms /Keyfactor /protocol /openid-connect /certs | |
|
license |
The plain text Keyfactor Command license. This is provided as the raw XML content of the license file One of the following is required:
|
<?xml version="1.0" encoding="utf-8"?><LicenseData> [data removed for display] </LicenseData> | |
|
license |
The Kubernetes secret key name given to the secret for the Keyfactor Command license. One of the following is required:
|
license- content | |
|
license |
The Kubernetes secret name given to the secret for the Keyfactor Command license. One of the following is required:
|
command- license | |
|
logi |
Use SSL for connections to the Analysis application. | true | |
|
proxy |
Use SSL for connections to the Claims Proxy application. | true | |
|
resources limits cpu |
The maximum CPU the database setup and configuration container may use. |
500m | |
|
resources limits memory |
The maximum memory the database setup and configuration container may use. |
2G | |
|
resources requests cpu |
The baseline amount of CPU allocated for use by the database setup and configuration container. |
50m | |
|
resources requests memory |
The baseline amount of memory allocated for use by the database setup and configuration container. |
300M | |
| dbupgrade tool Overwrite |
A Boolean indicating whether PAM providers and provider types included in the values file should update to the Keyfactor Command database. If set to true, new providers will be added and existing providers will be updated with the information given in PamProviderTypes and PamProviders. See example for PamProviderTypes. | ||
| dbupgrade tool |
A JSON string indicating the PAM provider type information to add or update in the database for each PAM provider type in the format shown in the example. Important notes:
Note: The provider type for Keyfactor Command local PAM providers is defined by default and does not need to be created. Secrets cannot be seeded into a Keyfactor Command local PAM database using this method.
|
dbupgradetool:
seededConfig: |
{
"Overwrite": true,
"PamProviderTypes": [
{
"Name":"DelineaExample",
"Parameters": [
{
"Name": "Host",
"DisplayName":"Secret Server URL",
"InstanceLevel": false,
"DataType": "1"
},
{
"Name": "Username",
"DisplayName": "Secret Server Username",
"DataType": "2",
"InstanceLevel": false
},
{
"Name": "Password",
"DisplayName": "Secret Server Password",
"DataType": "2",
"InstanceLevel": false
},
{
"Name": "SecretId",
"DisplayName": "Secret Server Secret ID",
"DataType": "1",
"InstanceLevel": true
},
{
"Name": "SecretFieldName",
"DisplayName": "Secret Field Name",
"DataType": "1",
"InstanceLevel": true
}
]
},
{
// If desired, provider two type info goes here
}
],
"PamProviders": [
{
"Name": "DelineaProvider",
"ProviderType":"DelineaExample",
"Parameters": [
{
"Name":"Host",
"Value":"https://MyDelineaURL"
},
{
"Name":"Username",
"Value":"MyDelineaServiceAccountUser"
},
{
"Name":"Password",
"Value":"MySuperSecretPasswordtoAccessDelinea"
}
]
},
{
// If desired, provider two info goes here
}
]
}
|
|
| dbupgrade tool | A JSON string indicating the PAM provider information to add or update in the database for each PAM provider in the format shown in the example for PamProviderTypes. | ||
|
ttlSecondsAfterFinished |
The number of seconds after the Keyfactor Command installation/upgrade job completes before it is deleted. | 60 | |
| Use SSL for connections to the Management Portal application. | true | ||
|
hostName |
The Keyfactor Command hostname parameter. Set this to a value that resolves in DNS to your Kubernetes server/cluster. This is the hostname that will make up part of the URL you will use to reach the Keyfactor Command Management Portal and Keyfactor API. The SSL certificate to secure connections to the server needs to contain this name. This parameter is required. |
“command185 .keyexample .com” | your .k8s .cluster .hostname .here |
|
ingress |
The ingress class name to use. | nginx | |
|
ingress enabled |
Creation of the ingress controller is enabled (true) or disabled (false). | true | |
|
ingress |
The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to Keyfactor Command. | ingress-tls | |
| init Containers |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ By default, one init container is included that polls the database to check whether it is online and in an operational state before allowing any deployments to begin. |
||
|
jobConfig image name |
The name of the image for the database setup and configuration container in the Keyfactor artifactory. | database- upgrade- tool | |
|
jobConfig limits cpu |
The maximum CPU the database setup and configuration container may use. |
500m | |
|
jobConfig limits memory |
The maximum memory the database setup and configuration container may use. |
2G | |
|
metadata annotations |
Additional annotations to add to all resources deployed by the helm chart. | ||
|
metadata labels |
Additional labels to add to all resources deployed by the helm chart. | ||
|
annotations |
Additional annotations for a created service account. | ||
|
create |
Create a new service account (true) or not (false). For more information on service accounts, see: https://kubernetes.io/docs/concepts/security/service-accounts/ |
true | |
|
name |
The name of an existing service account to use, or the name to give to a service account to be created. If create is true but the name is not provided, the default name will be used. |
||
| sidecar Containers |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/ No sidecar containers are included by default. A PKCS#11 container may be utilized as a sidecar container. |
||
| sql Root Fingerprint |
The thumbprint for the root (not issuing) CA to which the SSL certificate on the SQL certificate chains. This parameter is required if Encrypt=true is set in the connection string. The thumbprint should be provided with colons between each octet. |
fingerprint:for:sql:SSL:cert:Root:CA | |
| topology Spread Constraints |
For more information on this data structure, see: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ No topology spread constraints are included by default. |
||
|
- name |
An array of volume mounts to use on all deployments. This parameter specifies the name of the volume mount. This value should match the value set by volumes > -name. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. For more information on this data structure, see: |
root-cas | |
| The path, and file name for a single file, in the container to which to mount the file or directory. | /etc /ssl /certs /ca-certificates .crt | ||
| The file or subdirectory within the container volume to mount to the container. | ca-certificates.crt | ||
|
volumes - name |
An array of volumes to use on all deployments. This parameter specifies the name of the volume. The example values file (see Helm Chart Customization) includes a volume mount for the config map ca-roots to mount trusted CA certificates. |
root-cas | |
|
volumes items - key |
The Kubernetes config map key name given to the reference value in the config map. |
ca-certificates.crt | |
|
volumes items path |
The name of the mounted file, referenced by the Kubernetes config map, as it will appear in the volume. In the example values file, the data from the config map key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume. |
ca-certificates.crt | |
|
volumes name |
The name given to the Kubernetes config map for the volume. | ca-roots | |
| The container security context to use for application containers. | false | ||
|
enabled |
Enables or disables resources associated with the given workload. | true | |
| workload Defaults env |
Other environment variables that should be included for application containers. See, for example: If desired, this may be set on an application container basis using appConfig and a job basis using JobConfig. |
||
|
image name |
The name of the image to retrieve from the Keyfactor artifactory. Important: Because the Keyfactor Command installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for appConfig > [application] > image > name and jobConfig > dbupgradetool > image > name.
|
||
|
image path |
The path in the Keyfactor artifactory from which to retrieve the Keyfactor Command images. | images/ command | |
|
image |
Retrieve a fresh copy of the Keyfactor Command images from the Keyfactor artifactory on start? | Always | |
|
image - name |
The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the Keyfactor Command components. This parameter is required. |
image-creds | |
|
image repo |
The name of the Keyfactor artifactory from which to retrieve the Keyfactor Command images. | repo .keyfactor .com | |
|
image version |
The version of Keyfactor Command to retrieve from the Keyfactor artifactory. | 25.1 | |
|
labels |
Labels that should be applied to deployment/stateful set and pods. | ||
|
The level of logging output for all containers. Supported values are:
If desired, this may be set on an application container basis using appConfig. See also Editing NLog. |
|
INFO | |
|
path |
The path to the network service. This should only have a value if workloadDefaults > service > enabled is true. |
||
|
The maximum number of pads that can be disrupted at the same time. Either maxUnavailable or minUnavailable should be set, but not both. A Pod Disruption Budget (PDB) ensures that a certain number of pods remain available during voluntary disruptions (e.g., draining a node for maintenance). It does not protect against node failures or crashes. A PDB is only generated when the replicaCount is greater than 1. |
|||
|
The minimum number of pods that must remain available at any time. Either maxUnavailable or minUnavailable should be set, but not both. |
1 | ||
| The security context to use for all pods in all deployments—run as root (false) or not (true). | true | ||
| The security context to use for all pods in all deployments—run as the specified user, if runAsNonRoot is true. | 1000 | ||
| workload Defaults podEnableServiceLinks |
Controls whether Kubernetes automatically injects environment variables for services into your pods. When set to true, Kubernetes automatically adds environment variables for all Services in the same namespace. | true | |
|
The number of failures allowed in a liveness health check before an unhealthy state is declared for the container. If the liveness probe fails, Kubernetes assumes the container is stuck or crashed and will restart it. Clear this value to unset probes. |
6 | ||
|
path |
The path which Kubernetes should use to attempt to perform an HTTP GET request to check the health of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. |
/Status/HealthCheck | |
|
port |
The port which Kubernetes should use to attempt to perform an HTTP GET request to check the health of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. |
connection-port | |
|
The number of seconds to wait before firing the first health check probe. Clear this value to unset probes. |
10 | ||
|
The number of seconds in between runs of the health check probe. Clear this value to unset probes. |
5 | ||
|
The number of failures allowed in a readiness check before the container is declared unready. If the readiness probe fails, Kubernetes removes the pod from the service’s load balancer until it becomes available again. It does not restart it. Clear this value to unset probes. |
6 | ||
|
path |
The path which Kubernetes should use to attempt to perform an HTTP GET request to check the readiness of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. |
/Status/HealthCheck | |
|
port |
The port which Kubernetes should use to attempt to perform an HTTP GET request to check the readiness of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. |
connection-port | |
|
The number of seconds to wait before firing the first readiness probe. Clear this value to unset probes. |
10 | ||
|
The number of seconds in between runs of the readiness probe. Clear this value to unset probes. |
5 | ||
| The number of replicas created for deployment/stateful set. | 1 | ||
|
resources limits cpu |
The maximum CPU each of the application containers may use. If desired, this may be set on an application container basis using appConfig. |
250m | |
|
resources limits memory |
The maximum memory each of the application containers may use. If desired, this may be set on an application container basis using appConfig. |
1G | |
|
resources requests cpu |
The baseline amount of CPU allocated for use by each of the application containers. If desired, this may be set on an application container basis using appConfig. |
50m | |
|
resources requests memory |
The baseline amount of memory allocated for use by each of the application containers. If desired, this may be set on an application container basis using appConfig. |
300M | |
| workload Defaults service annotations |
Additional annotations for the network service. | ||
|
service enabled |
Enable the network service for each of the application containers (true) or not (false). | true | |
|
service |
The setting for session affinity for the network service for each of the application containers. | None | |
|
service type |
The service type to use for the network service for each of the application containers. For information about the service types, see: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
ClusterIP |