Values File Settings for Containers Under Kubernetes
When Keyfactor ACME is installed in a containerized implementation, there are a number of settings that can be configured in the values file to pass to the helm chart to provide customization. These are provided in the following table.
Table 14: Keyfactor ACME Containerized Installation Values File Settings

| Name | Description | Example | Default |
|---|---|---|---|
| acme > allowedHosts | Set this value to something other than "*" to enable host filtering, which acts as a whitelist for hosts that can make requests to the Keyfactor ACME server. | "*" | |
| acme > image > name | The name of the image for Keyfactor ACME in the Keyfactor artifactory. | acme | |
| acme > path | The URL path to which traffic is directed for the Keyfactor ACME application. | /acme | |
| acme > podDisruptionBudget > maxUnavailable | The maximum number of pods that can be unavailable simultaneously. | | |
| acme > podDisruptionBudget > minAvailable | The minimum number of pods that must remain available during disruptions. | 1 | |
| acme > powershell > scriptLocations > - name | The name of the custom PowerShell script used to generate metadata to deliver to Keyfactor Command with the request. More than one script name and location may be provided. | YourScriptName | |
| acme > powershell > scriptLocations > location | The path, in the container, and filename of the custom PowerShell script used to generate metadata to deliver to Keyfactor Command with the request. More than one script name and location may be provided. The script will need to be loaded into the container. There are a number of approaches to this. For an example using a ConfigMap, see Container Installations (Kubernetes). | /app/powershell/scriptname.ps1 | |
| acme > probeSettings > livenessProbe > failureThreshold | The number of failures allowed in a liveness health check before an unhealthy state is declared for the container. If the liveness probe fails, Kubernetes assumes the container is stuck or crashed and will restart it. Clear this value to unset probes. | 6 | |
| acme > probeSettings > livenessProbe > httpGet > path | The path which Kubernetes should use to attempt to perform an HTTP GET request to check the health of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. | /Status | |
| acme > probeSettings > livenessProbe > httpGet > port | The port which Kubernetes should use to attempt to perform an HTTP GET request to check the health of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. | connection-port | |
| acme > probeSettings > livenessProbe > initialDelaySeconds | The number of seconds to wait before firing the first health check probe. Clear this value to unset probes. | 10 | |
| acme > probeSettings > livenessProbe > periodSeconds | The number of seconds between runs of the health check probe. Clear this value to unset probes. | 5 | |
| acme > probeSettings > readinessProbe > failureThreshold | The number of failures allowed in a readiness check before the container is declared unready. If the readiness probe fails, Kubernetes removes the pod from the service's load balancer until it becomes available again. It does not restart it. Clear this value to unset probes. | 3 | |
| acme > probeSettings > readinessProbe > httpGet > path | The path which Kubernetes should use to attempt to perform an HTTP GET request to check the readiness of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. | /Status | |
| acme > probeSettings > readinessProbe > httpGet > port | The port which Kubernetes should use to attempt to perform an HTTP GET request to check the readiness of the container. If the connection is successful, the probe is considered a success. Clear this value to unset probes. | connection-port | |
| acme > probeSettings > readinessProbe > initialDelaySeconds | The number of seconds to wait before firing the first readiness probe. Clear this value to unset probes. | 10 | |
| acme > probeSettings > readinessProbe > periodSeconds | The number of seconds between runs of the readiness probe. Clear this value to unset probes. | 5 | |
| acme > replicaCount | The number of replicas created for the deployment/stateful set. | 1 | |
| acme > service > enabled | Enable the network service for the Keyfactor ACME container (true) or not (false). | true | |
| acme > service > externalTrafficPolicy | The external traffic policy setting for the network service for the Keyfactor ACME container. | null | |
| acme > service > internalTrafficPolicy | The internal traffic policy setting for the network service for the Keyfactor ACME container. | Cluster | |
| acme > service > sessionAffinity | The session affinity setting for the network service for the Keyfactor ACME container. | None | |
| acme > service > type | The service type to use for the network service for the Keyfactor ACME container. For information about the service types, see: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types | ClusterIP | |
| acme > validators > enableDNS01 | Enable the DNS01Validator (true) or not (false). This validator handles DNS-01 challenges by verifying a DNS record associated with the domain. For more information about validators, see Validators and the Identifiers Command. | false | |
| acme > validators > enableDNSRegex | Enable the Keyfactor custom DNSRegexValidator (true) or not (false). This validator validates domain names based on specific regular expressions. For more information about validators, see Validators and the Identifiers Command. | true | |
| acme > validators > enableHttp01 | Enable the Http01ACMEValidator (true) or not (false). This validator supports HTTP-01 challenges by having the ACME client (e.g. Certbot) place a file on the server containing validation information. With Certbot, this is specified by the -d DOMAINS parameter. For more information about validators, see Validators and the Identifiers Command. | false | |
| acme > validators > enableIPSubnet | Enable the Keyfactor custom IPSubnetValidator (true) or not (false). This validator validates domain ownership based on IP subnet restrictions. For more information about validators, see Validators and the Identifiers Command. | true | |
| config > acmeConnection > authority | The issuer/authority endpoint URL for the identity provider that is used to authenticate entities connecting to the Keyfactor ACME server. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page. This parameter is required. | https://my-keyidp-server.keyexample.com/realms/Keyfactor | |
| config > acmeConnection > jsonWebKeySetUri | The JWKS (JSON Web Key Set) URL for the identity provider that is used to authenticate entities connecting to the Keyfactor ACME server. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page. This parameter is required. | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/certs | |
| config > acmeConnection > nameClaimType | A type of user claim for the identity provider containing a friendly name for the user. The value for this field is not necessarily unique within your identity provider (it might resolve to John Smith when the organization has two users called John Smith), which can be confusing in Keyfactor ACME, so it is best to avoid duplicates. For Okta, this might be preferred_names (e.g. john.smith@keyexample.com) or just name (e.g. John Smith). For Auth0 this might be name (e.g. johnsmith@keyexample.com). This parameter is required. Tip: Claims to grant permissions and map templates are configured using the Claims API endpoints (see Keyfactor ACME API). | preferred_username | |
| config > acmeConnection > roleClaimType | The value used to reference the type of group claim for the identity provider that is used to authenticate entities connecting to the Keyfactor ACME server. This parameter is required. | groups | |
| config > acmeConnection > uniqueClaimType | A type of user claim for the identity provider containing a unique name for the user. The sub (subject) user claim type is commonly used by OAuth providers. In Keycloak, the sub is a GUID uniquely identifying the user. This parameter is required. | sub | |
| config > backoffLimit | The number of attempts the database setup and configuration tool will make to run, if a failure occurs, before terminating. | 5 | |
| config > commandConnection > basicAuth > password > secretKey | The key within the Kubernetes secret named by secretName referencing the password for the Keyfactor ACME user. This parameter is required if useOAuth is false. | client-secret | |
| config > commandConnection > basicAuth > password > secretName | The name of the Kubernetes secret containing the password of the Keyfactor ACME user. This parameter is required if useOAuth is false. | basic-secret | |
| config > commandConnection > basicAuth > username | The plain text ID for the Keyfactor ACME user. This parameter is required if useOAuth is false. | | |
| config > commandConnection > oAuth > audience | The audience value for tokens issued from the identity provider that is used when authenticating the Keyfactor ACME server to Keyfactor Command. This parameter is required if useOAuth is true. | | |
| config > commandConnection > oAuth > authority | The issuer/authority endpoint URL for the identity provider that is used when authenticating the Keyfactor ACME server to Keyfactor Command. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page. This parameter is required if useOAuth is true. | https://my-keyidp-server.keyexample.com/realms/Keyfactor | |
| config > commandConnection > oAuth > clientId | The plaintext ID of the client application for the Keyfactor ACME user created in the identity provider that is used when authenticating the Keyfactor ACME server to Keyfactor Command. This parameter is required if useOAuth is true. | | |
| config > commandConnection > oAuth > clientSecret > secretKey | The Kubernetes secret key name given to the secret for the client application created for the Keyfactor ACME user in the identity provider that is used when authenticating the Keyfactor ACME server to Keyfactor Command. This parameter is required if useOAuth is true. | client-secret | your-secret-key |
| config > commandConnection > oAuth > clientSecret > secretName | The Kubernetes secret name that contains the secret for the client application created for the Keyfactor ACME user in the identity provider that is used when authenticating the Keyfactor ACME server to Keyfactor Command. This parameter is required if useOAuth is true. | oauth-secret | your-secret-name |
| config > commandConnection > oAuth > scope | One or more scopes that are requested during the OIDC protocol when Keyfactor ACME is the relying party. Multiple scopes should be separated by spaces. This value is not used for Keycloak. | | |
| config > commandConnection > oAuth > tokenUrl | The token endpoint URL for the identity provider that is used when authenticating the Keyfactor ACME server to Keyfactor Command. For Keycloak, this is included among the information that can be found on the OpenID Endpoint Configuration page, a link to which can be found on the Realm Settings page. This parameter is required if useOAuth is true. | https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/token | |
| config > commandConnection > useOAuth | If set to true, uses OAuth client credentials to authenticate to Keyfactor Command. If set to false, uses basic authentication (username/password) to authenticate to Keyfactor Command. Note: The IIS virtual directory for the Keyfactor API must be configured to support basic authentication and not Windows authentication if this value is set to true. | true | |
| config > dbcommandtimeout | Custom timeout for the database connection during the database setup and configuration process. | | |
| config > enrollmentUrl | The full URL to the Keyfactor API. This parameter is required. | https://command.keyexample.com/KeyfactorAPI | |
| config > forceSecretReencryption | Rotate the application-level encryption keys and re-encrypt the data identified for application-level encryption in the Keyfactor ACME database (true) or not (false). Application-level encryption is used to encrypt select sensitive data stored in the Keyfactor ACME database using a separate encryption methodology on top of standard SQL Server encryption. This additional layer of encryption protects the data in cases where the SQL Server master keys cannot be adequately protected. If you enable application-level encryption, you must configure an encryption methodology (see Application-Level Encryption). | false | |
| config > forceUpgrade | Forces an existing SQL database that is not a Keyfactor ACME database to be used as a Keyfactor ACME database. | false | |
| config > image > name | The name of the image for the configuration container in the Keyfactor artifactory. | acme-config | |
| config > resources > limits > cpu | The maximum CPU the configuration container may use. | 500m | |
| config > resources > limits > memory | The maximum memory the configuration container may use. | 2G | |
| config > superUsers > - claimType | The claim type for the initial SuperAdmin administrative user(s) to be created in Keyfactor ACME. For example: This parameter is required. | | |
| config > superUsers > claimValue | The value for the initial SuperAdmin administrative user(s) to be created in Keyfactor ACME. For example, a GUID for a user account sub, a role name for a role, or a client ID for a client. This parameter is required. | | |
| config > ttlSecondsAfterFinished | The number of seconds after the configuration tasks are complete before the configuration container shuts down. | 60 | |
| connectionStrings > database | The plain text name of the database in SQL Server for Keyfactor ACME. The database will be created if it does not already exist. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see: | | |
| connectionStrings > existingSecretKey | The Kubernetes secret key name given to the secret for the SQL connection string. This parameter is required if plain text values are not provided. | connection-key | |
| connectionStrings > existingSecretName | The Kubernetes secret name that contains the connection string values. This parameter is required if plain text values are not provided. | connection-strings | |
| connectionStrings > hostname | The plain text name, IP address, or fully qualified domain name (FQDN) of the Microsoft SQL Server. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see: | | |
| connectionStrings > password | The plain text password for the SQL user (see connectionStrings > username). This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see: | | |
| connectionStrings > template | The template for generating SQL connection strings using plain text values for the connection string. This value is used if a Kubernetes secret is not used to provide a connection string. To provide the connection strings as a secret, see: | Data Source=%s; Initial Catalog=%s; Integrated Security=False; Persist Security Info=True; User ID=%s; Password=%s; | |
| connectionStrings > username | The plain text username for a SQL user with sufficient permissions to complete the install. This value is required if a Kubernetes secret is not used to provide this information as part of a connection string. To provide the connection strings as a secret, see: | | |
| ingress > className | The ingress class name to use. | nginx | |
| ingress > enabled | Creation of the ingress controller is enabled (true) or disabled (false). | true | |
| ingress > hostname | The hostname to use for the ingress controller. This will be the name you use to access your Keyfactor ACME portal. This parameter is required. | your.k8s.cluster.hostname.here | |
| ingress > tlsSecretName | The Kubernetes secret name given to the TLS certificate used to secure HTTPS connections to Keyfactor ACME. | ingress-tls | |
| metadata > annotations | Additional annotations to apply to the connection string secret that is created if the connectionStrings > existingSecret settings are not set. | | |
| metadata > labels | Additional labels to add to all resources deployed by the helm chart. | | |
| serviceAccount > annotations | Additional annotations for a created service account. | | |
| serviceAccount > create | Create a new service account (true) or not (false). For more information on service accounts, see: https://kubernetes.io/docs/concepts/security/service-accounts/ | true | |
| serviceAccount > name | The name of an existing service account to use, or the name to give to a service account to be created. If create is true but the name is not provided, the default name will be used. | | |
| workloadDefaults > additionalEnvironmentVariables | Other environment variables that should be included for all containers. | | |
| workloadDefaults > containerSecurityContext > allowPrivilegeEscalation | The container security context to use for all containers. | false | |
| workloadDefaults > image > name | The name of the image to retrieve from the Keyfactor artifactory. Important: Because the Keyfactor ACME installation consists of multiple containers supported by multiple images, the name cannot be set at this level. See the parameters for acme > image > name and config > image > name. | | |
| workloadDefaults > image > path | The path in the Keyfactor artifactory from which to retrieve the Keyfactor ACME images. | charts/command | |
| workloadDefaults > image > pullPolicy | Retrieve a fresh copy of the Keyfactor ACME images from the Keyfactor artifactory on start? | Always | |
| workloadDefaults > image > pullSecrets > - name | The Kubernetes secret name given to the credentials used to authenticate to the Keyfactor artifactory to retrieve the Keyfactor ACME components. This parameter is required. | image-creds | |
| workloadDefaults > image > repo | The name of the Keyfactor artifactory from which to retrieve the Keyfactor ACME images. | repo.keyfactor.com | |
| workloadDefaults > image > version | The version of Keyfactor ACME to retrieve from the Keyfactor artifactory. | | |
| workloadDefaults > initContainers | For more information on this data structure, see: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ | | |
| workloadDefaults > labels | Labels that should be applied to the deployment/stateful set and pods. | | |
| workloadDefaults > logLevel | The level of logging output for all containers. Supported values are: If desired, this may be set on an application container basis using appConfig. | | INFO |
| workloadDefaults > metadata > annotations | Additional annotations to add to configuration and server pods deployed by the helm chart. | | |
| workloadDefaults > podDisruptionBudget > maxUnavailable | The maximum number of pods that can be disrupted at the same time. Either maxUnavailable or minUnavailable should be set, but not both. A Pod Disruption Budget (PDB) ensures that a certain number of pods remain available during voluntary disruptions (e.g., draining a node for maintenance). It does not protect against node failures or crashes. A PDB is only generated when the replicaCount is greater than 1. | | |
| workloadDefaults > podDisruptionBudget > minUnavailable | The minimum number of pods that must remain available at any time. Either maxUnavailable or minUnavailable should be set, but not both. | 1 | |
| workloadDefaults > replicaCount | The number of replicas created for the deployment/stateful set. | 1 | |
| workloadDefaults > resources > limits > cpu | The maximum CPU each of the application containers may use. If desired, this may be set uniquely for the database management container using config. | 250m | |
| workloadDefaults > resources > limits > memory | The maximum memory each of the application containers may use. If desired, this may be set uniquely for the database management container using config. | 1G | |
| workloadDefaults > resources > requests > cpu | The baseline amount of CPU allocated for use by each of the application containers. If desired, this may be set uniquely for the database management container using config. | 50m | |
| workloadDefaults > resources > requests > memory | The baseline amount of memory allocated for use by each of the application containers. If desired, this may be set uniquely for the database management container using config. | 300M | |
| workloadDefaults > sidecarContainers | For more information on this data structure, see https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/. No sidecar containers are included by default. A PKCS#11 container may be utilized as a sidecar container. | | |
| workloadDefaults > sqlRetryConfiguration > deltaTime | The preferred gap time to delay before the next attempt to connect to SQL will be made. | "00:00:00.5" | |
| workloadDefaults > sqlRetryConfiguration > maxTimeInterval | The maximum time interval before the next attempt to connect to SQL will be made. | "00:02:00" | |
| workloadDefaults > sqlRetryConfiguration > numberOfTries | The number of times a connection attempt will be made to SQL before an exception is thrown. | 5 | |
| workloadDefaults > topologySpreadConstraints | For more information on this data structure, see https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/. No topology spread constraints are included by default. | | |
| workloadDefaults > volumeMounts > - name | An array of volume mounts to use on all deployments. This parameter specifies the name of the volume mount. This value should match the value set by volumes > - name. The example values file (see Helm Chart Customization) includes a volume mount for the ConfigMap ca-roots to mount trusted CA certificates. For more information on this data structure, see: | root-cas | |
| workloadDefaults > volumeMounts > mountPath | The path, and file name for a single file, in the container to which to mount the file or directory. | /etc/ssl/certs/ca-certificates.crt | |
| workloadDefaults > volumeMounts > subPath | The file or subdirectory within the container volume to mount to the container. | ca-certificates.crt | |
| workloadDefaults > volumes > - name | An array of volumes to use on all deployments. This parameter specifies the name of the volume. The example values file (see Helm Chart Customization) includes a volume mount for the ConfigMap ca-roots to mount trusted CA certificates. | root-cas | |
| workloadDefaults > volumes > configMap > items > - key | The Kubernetes ConfigMap key name given to the reference value in the ConfigMap. | ca-certificates.crt | |
| workloadDefaults > volumes > configMap > items > path | The name of the mounted file, referenced by the Kubernetes ConfigMap, as it will appear in the volume. In the example values file, the data from the ConfigMap key ca-certificates.crt will be written to a file called ca-certificates.crt in the container volume. | ca-certificates.crt | |
| workloadDefaults > volumes > configMap > name | The name given to the Kubernetes ConfigMap for the volume. | ca-roots | |
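The following values file fragment is an added, constructed example (not the chart's own values.yaml or a Keyfactor-supplied file) that combines the settings in the table with the choices that reduce exposure: host filtering enabled instead of "*", the SQL connection string and the OAuth client secret supplied from Kubernetes secrets rather than plain text, OAuth client credentials to Keyfactor Command, and privilege escalation disabled. The hostnames, Keycloak realm, client ID, audience, superuser GUID and image version are placeholders.

```yaml
# Constructed example values for the Keyfactor ACME helm chart (added here; not the chart's own file).
# Hostnames, realm, client ID, audience, GUID and version are placeholders.
acme:
  # Anything other than "*" turns on host filtering for requests to the ACME server.
  allowedHosts: "acme.keyexample.com"
  path: /acme
  replicaCount: 2                          # PDB below only applies when replicaCount > 1
  podDisruptionBudget:
    minAvailable: 1
  probeSettings:
    livenessProbe:
      httpGet: { path: /Status, port: connection-port }
      initialDelaySeconds: 10
      periodSeconds: 5
      failureThreshold: 6                  # failed liveness probe restarts the container
    readinessProbe:
      httpGet: { path: /Status, port: connection-port }
      initialDelaySeconds: 10
      periodSeconds: 5
      failureThreshold: 3                  # failed readiness probe only removes the pod from the service
  validators:
    enableDNS01: false
    enableHttp01: false
    enableDNSRegex: true
    enableIPSubnet: true

config:
  acmeConnection:                          # identity provider for clients of the ACME server
    authority: https://my-keyidp-server.keyexample.com/realms/Keyfactor
    jsonWebKeySetUri: https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/certs
    nameClaimType: preferred_username
    roleClaimType: groups
    uniqueClaimType: sub
  commandConnection:                       # how the ACME server authenticates to Keyfactor Command
    useOAuth: true
    oAuth:
      authority: https://my-keyidp-server.keyexample.com/realms/Keyfactor
      tokenUrl: https://my-keyidp-server.keyexample.com/realms/Keyfactor/protocol/openid-connect/token
      clientId: keyfactor-acme             # placeholder client registered in the IdP
      audience: keyfactor-command          # placeholder audience expected by Command
      clientSecret:                        # secret value lives in a Kubernetes secret, not in this file
        secretName: oauth-secret
        secretKey: client-secret
  enrollmentUrl: https://command.keyexample.com/KeyfactorAPI
  superUsers:
    - claimType: sub
      claimValue: 00000000-0000-0000-0000-000000000000   # placeholder user GUID from the IdP

connectionStrings:
  # Whole connection string from a Kubernetes secret; no plain text SQL credentials in values.
  existingSecretName: connection-strings
  existingSecretKey: connection-key

ingress:
  enabled: true
  className: nginx
  hostname: acme.keyexample.com
  tlsSecretName: ingress-tls               # Kubernetes TLS secret for the HTTPS listener

workloadDefaults:
  containerSecurityContext:
    allowPrivilegeEscalation: false
  image:
    repo: repo.keyfactor.com
    path: charts/command
    pullSecrets:
      - name: image-creds
    version: "x.y.z"                       # placeholder; set the release you deploy
```

The secrets referenced above (connection-strings, oauth-secret, ingress-tls, image-creds) must exist in the target namespace before the chart is installed.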