Bitnami package for Chainloop
Chainloop is an open-source Software Supply Chain control plane, a single source of truth for metadata and artifacts, plus a declarative attestation process.
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
TL;DR
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop
Note: You need to substitute the placeholders
REGISTRY_NAMEandREPOSITORY_NAMEwith a reference to your Helm chart registry and repository.
Introduction
This chart bootstraps a Chainloop deployment on a Kubernetes cluster using the Helm package manager.
Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
- PV provisioner support in the underlying infrastructure (If built-in PostgreSQL is enabled)
Compatibility with the following Ingress Controllers has been verified, other controllers might or might not work.
Installing the Chart
This chart comes in two flavors, standard and development.
Standard (default)
The default deployment mode relies on external dependencies to be available in advance.
The Helm Chart in this mode includes
- Chainloop Controlplane
- Chainloop Artifact proxy
- A PostgreSQL dependency enabled by default
During installation, youโll need to provide
- Open ID Connect Identity Provider (IDp) settings i.e Auth0 settings
- Connection settings for a secrets storage backend, either Hashicorp Vault or AWS Secrets Manager
- ECDSA (ES512) key-pair used for Controlplane to CAS Authentication
Instructions on how to create the ECDSA keypair can be found here.
Installation examples for standard mode
NOTE: We do not recommend passing nor storing sensitive data in plain text. For production, please consider having your overrides encrypted with tools such as Sops, Helm Secrets or Sealed Secrets.
Deploy Chainloop configured to talk to the bundled PostgreSQL an external OIDC IDp and a Vault instance.
helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
# Open ID Connect (OIDC)
--set controlplane.auth.oidc.url=[OIDC URL] \
--set controlplane.auth.oidc.clientID=[clientID] \
--set controlplane.auth.oidc.clientSecret=[clientSecret] \
# Secrets backend
--set secretsBackend.vault.address="https://[vault address]:8200" \
--set secretsBackend.vault.token=[token] \
# Server Auth KeyPair
--set casJWTPrivateKey="$(cat private.ec.key)" \
--set casJWTPublicKey="$(cat public.pem)"
Deploy using AWS Secrets Manager instead of Vault
helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
# Open ID Connect (OIDC)
# ...
# Secrets backend
--set secretsBackend.backend=awsSecretManager \
--set secretsBackend.awsSecretManager.accessKey=[AWS ACCESS KEY ID] \
--set secretsBackend.awsSecretManager.secretKey=[AWS SECRET KEY] \
--set secretsBackend.awsSecretManager.region=[AWS region]\
# Server Auth KeyPair
# ...
or using GCP Secret Manager
helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
# Open ID Connect (OIDC)
# ...
# Secrets backend
--set secretsBackend.backend=gcpSecretManager \
--set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \
--set secretsBackend.gcpSecretManager.serviceAccountKey=[GCP Auth KEY] \
# Server Auth KeyPair
# ...
or Azure KeyVault
helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
# Open ID Connect (OIDC)
# ...
# Secrets backend
--set secretsBackend.backend=azureKeyVault \
--set secretsBackend.azureKeyVault.tenantID=[AD tenant ID] \
--set secretsBackend.azureKeyVault.clientID=[Service Principal ID] \
--set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret] \
--set secretsBackend.azureKeyVault.vaultURI=[Azure KeyVault URI]
# Server Auth KeyPair
# ...
Connect to an external PostgreSQL database instead
helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop \
# Open ID Connect (OIDC)
# ...
# Secrets backend
# ...
# Server Auth KeyPair
# ...
# External DB setup
--set postgresql.enabled=false \
--set controlplane.externalDatabase.host=[DB_HOST] \
--set controlplane.externalDatabase.user=[DB_USER] \
--set controlplane.externalDatabase.password=[DB_PASSWORD] \
--set controlplane.externalDatabase.database=[DB_NAME]
Development
To provide an easy way to give Chainloop a try, this Helm Chart has an opt-in development mode that can be enabled with the flag development=true
IMPORTANT: DO NOT USE THIS MODE IN PRODUCTION
The Helm Chart in this mode includes
- Chainloop Controlplane
- Chainloop Artifact proxy
- A PostgreSQL dependency enabled by default
- A pre-configured Hashicorp Vault instance running in development mode (unsealed, in-memory, insecure)
- A pre-configured Dex OIDC instance.
The pre-setup users configuration on the Chart include two users, the information is as follows:
username: [email protected]
password: password
username: [email protected]
password: password
The overall OIDC configuration can be found at the values.yaml file.
CAUTION: Do not use this mode in production, for that, use the standard mode instead.
Installation examples for development mode
Deploy by leveraging built-in Vault and PostgreSQL instances
helm install [RELEASE_NAME] oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop --set development=true
AirGap and Relocation Support
This chart is compatible with relocation processes performed by the Helm Relocation Plugin
This is a two-step process (wrap -> unwrap)
- Pull all the container images and Helm chart and wrap them in an intermediate tarball.
- Unwrap the tarball and push container images, update the Helm Chart with new image references and push it to the target registry.
For example: to relocate to an Azure Container Registry
helm dt wrap oci://REGISTRY_NAME/REPOSITORY_NAME/chainloop
# ๐ Helm chart wrapped into "chainloop-1.77.0.wrap.tgz"
# Now you can take the tarball to an air-gapped environment and unwrap it like this
helm dt unwrap chainloop-1.77.0.wrap.tgz oci://chainloop.azurecr.io --yes
# Unwrapping Helm chart "chainloop-1.77.0.wrap.tgz"
# โ All images pushed successfully
# โ Helm chart successfully pushed
#
# ๐ Helm chart unwrapped successfully: You can use it now by running "helm install oci://chainloop.azurecr.io/chart/chainloop --generate-name"
How to guides
CAS upload speeds are slow, what can I do?
Chainloop uses gRPC streaming to perform artifact uploads. This method is susceptible to being very slow on high latency scenarios. #375
To improve upload speeds, you need to increase http2 flow control buffer. This can be done in NGINX by setting the following annotation in the ingress resource.
# Improve upload speed by adding client buffering used by http2 control-flows
nginx.ingress.kubernetes.io/client-body-buffer-size: "3M"
Note: For other reverse proxies, youโll need to find the equivalent configuration.
Generate a ECDSA key-pair
An ECDSA key-pair is required to perform authentication between the control-plane and the Artifact CAS
You can generate both the private and public keys by running
# Private Key (private.ec.key)
openssl ecparam -name secp521r1 -genkey -noout -out private.ec.key
# Public Key (public.pem)
openssl ec -in private.ec.key -pubout -out public.pem
Then, you can either provide it in a custom values.yaml file override
casJWTPrivateKey: |-
-----BEGIN EC PRIVATE KEY-----
REDACTED
-----END EC PRIVATE KEY-----
casJWTPublicKey: |
-----BEGIN PUBLIC KEY-----
REDACTED
-----END PUBLIC KEY-----
or as shown before, provide them as imperative inputs during Helm Install/Upgrade --set casJWTPrivateKey="$(cat private.ec.key)"--set casJWTPublicKey="$(cat public.pem)"
Enable a custom domain with TLS
Chainloop uses three endpoints so weโll need to enable the ingress resource for each one of them.
See below an example of a values.yaml override
controlplane:
ingress:
enabled: true
hostname: cp.chainloop.dev
ingressAPI:
enabled: true
hostname: api.cp.chainloop.dev
cas:
ingressAPI:
enabled: true
hostname: api.cas.chainloop.dev
A complete setup that uses
- NGINX as ingress Controller
- cert-manager as TLS provider
would look like
controlplane:
ingress:
enabled: true
tls: true
ingressClassName: nginx
hostname: cp.chainloop.dev
annotations:
# This depends on your configured issuer
cert-manager.io/cluster-issuer: "letsencrypt-prod"
ingressAPI:
enabled: true
tls: true
ingressClassName: nginx
hostname: api.cp.chainloop.dev
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
cas:
ingressAPI:
enabled: true
tls: true
ingressClassName: nginx
hostname: api.cas.chainloop.dev
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
# limit the size of the files that go through the proxy
# 0 means to not check the size of the request so we do not get 413 error.
# For now we are going to set a limit on 100MB files
# Even though we send data in chunks of 1MB, this size refers to all the data sent in the streaming connection
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
Remember, once you have set up your domain, make sure you use the CLI pointing to it instead of the defaults.
Connect to an external PostgreSQL database
# Disable built-in DB
postgresql:
enabled: false
# Provide with external connection
controlplane:
externalDatabase:
host: 1.2.3.4
port: 5432
user: chainloop
password: [REDACTED]
database: chainloop-controlplane-prod
Alternatively, if you are using Google Cloud SQL and you are running Chainloop in Google Kubernetes Engine. You can connect instead via a proxy
This method can also be easily enabled in this chart by doing
# Disable built-in DB
postgresql:
enabled: false
# Provide with external connection
controlplane:
sqlProxy:
# Inject the proxy sidecar
enabled: true
## @param controlplane.sqlProxy.connectionName Google Cloud SQL connection name
connectionName: "my-sql-instance"
# Then you'll need to configure your DB settings to use the proxy IP address
externalDatabase:
host: [proxy-sidecar-ip-address]
port: 5432
user: chainloop
password: [REDACTED]
database: chainloop-controlplane-prod
Use AWS secrets manager
Instead of using Hashicorp Vault (default), you can use AWS Secrets Manager by adding these settings in your values.yaml file
secretsBackend:
backend: awsSecretManager
awsSecretManager:
accessKey: [KEY]
secretKey: [SECRET]
region: [REGION]
Use GCP secret manager
Or Google Cloud Secret Manager with the following settings
secretsBackend:
backend: gcpSecretManager
gcpSecretManager:
projectId: [PROJECT_ID]
serviceAccountKey: [KEY]
Use Azure KeyVault
Azure KeyVault is also supported
secretsBackend:
backend: azureKeyVault
azureKeyVault:
tenantID: [TENANT_ID] # Active Directory Tenant ID
clientID: [CLIENT_ID] # Registered application / service principal client ID
clientSecret: [CLIENT_SECRET] # Service principal client secret
vaultURI: [VAULT URI] # Azure Key Vault URL
Deploy in keyless mode with file-based CA
This feature is experimental, as it doesnโt yet support verification.
You can enable keyless signing mode by providing a custom Certificate Authority. For example, these commands generate a self-signed certificate with an RSA private key of length 4096 and AES256 encryption with a validity of 365 days:
> openssl genrsa -aes256 -out ca.key 4096
...
> openssl req -new -x509 -sha256 -key ca.key -out ca.crt -days 365
...
Then you can configure your deployment values with:
controlplane:
keylessSigning:
enabled: true
backend: fileCA
fileCA:
cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key: |
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
keyPass: "REDACTED"
Insert custom Certificate Authorities (CAs)
In some scenarios, you might want to add custom Certificate Authorities to the Chainloop deployment. Like in the instance where your OIDC provider uses a self-signed certificate. To do so, add the PEM-encoded CA certificate to the customCAs list in either controlplane or cas sections, in your values.yaml file like in the example below.
customCAs:
- |-
-----BEGIN CERTIFICATE-----
MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
REDACTED
5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
-----END CERTIFICATE-----
Send exceptions to Sentry
You can configure different sentry projects for both the controlplane and the artifact CAS
# for controlplane
controlplane:
...
sentry:
enabled: true
dsn: [your secret sentry project DSN URL]
environment: production
# Artifact CAS
cas:
...
sentry:
enabled: true
dsn: [your secret sentry project DSN URL]
environment: production
Enable Prometheus Monitoring in GKE
Chainloop exposes Prometheus compatible /metrics endpoints that can be easily scraped by a Prometheus data collector Server.
Google Cloud has a managed Prometheus offering that could be easily enabled by setting --set GKEMonitoring.enabled=true. This will inject the required PodMonitoring custom resources.
Configure Chainloop CLI to point to your instance
Once you have your instance of Chainloop deployed, you need to configure the CLI to point to both the CAS and the Control plane gRPC APIs like this.
chainloop config save \
--control-plane my-controlplane.acme.com:443 \
--artifact-cas cas.acme.com:443
Parameters
Global parameters
| Name | Description | Value |
|---|---|---|
global.imageRegistry |
Global Docker image registry | "" |
global.imagePullSecrets |
Global Docker registry secret names as an array | [] |
global.compatibility.openshift.adaptSecurityContext |
Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | auto |
development |
Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases | true |
Common parameters
| Name | Description | Value |
|---|---|---|
kubeVersion |
Override Kubernetes version | "" |
commonAnnotations |
Annotations to add to all deployed objects | {} |
commonLabels |
Labels to add to all deployed objects | {} |
extraDeploy |
Array of extra objects to deploy with the release | [] |
rbac.create |
Specifies whether RBAC resources should be created | false |
rbac.rules |
Custom RBAC rules to set | [] |
Secrets Backend
| Name | Description | Value |
|---|---|---|
secretsBackend.backend |
Secrets backend type (โvaultโ, โawsSecretManagerโ or โgcpSecretManagerโ, โazureKeyVaultโ) | vault |
secretsBackend.secretPrefix |
Prefix that will be pre-pended to all secrets in the storage backend | chainloop |
secretsBackend.vault.address |
Vault address | "" |
secretsBackend.vault.token |
Vault authentication token | "" |
secretsBackend.awsSecretManager.accessKey |
AWS Access KEY ID | "" |
secretsBackend.awsSecretManager.secretKey |
AWS Secret Key | "" |
secretsBackend.awsSecretManager.region |
AWS Secrets Manager Region | "" |
secretsBackend.gcpSecretManager.projectId |
GCP Project ID | "" |
secretsBackend.gcpSecretManager.serviceAccountKey |
GCP Auth Key | "" |
secretsBackend.azureKeyVault.tenantID |
Active Directory Tenant ID | "" |
secretsBackend.azureKeyVault.clientID |
Registered application / service principal client ID | "" |
secretsBackend.azureKeyVault.clientSecret |
Service principal client secret | "" |
secretsBackend.azureKeyVault.vaultURI |
Azure Key Vault URL | "" |
Authentication
| Name | Description | Value |
|---|---|---|
casJWTPrivateKey |
ECDSA (ES512) private key used for Controlplane to CAS Authentication | "" |
casJWTPublicKey |
ECDSA (ES512) public key | "" |
Control Plane
| Name | Description | Value |
|---|---|---|
controlplane.replicaCount |
Number of replicas | 2 |
controlplane.image.registry |
image registry | REGISTRY_NAME |
controlplane.image.repository |
image repository | REPOSITORY_NAME/chainloop-control-plane |
controlplane.image.digest |
image digest in the way sha256:aaโฆ. Please note this parameter, if set, will override the tag | "" |
controlplane.image.pullPolicy |
image pull policy | IfNotPresent |
controlplane.image.pullSecrets |
image pull secrets | [] |
controlplane.containerPorts.http |
controlplane HTTP container port | 8000 |
controlplane.containerPorts.grpc |
controlplane gRPC container port | 9000 |
controlplane.containerPorts.metrics |
controlplane prometheus metrics container port | 5000 |
controlplane.tls.existingSecret |
Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. | "" |
controlplane.existingConfigMap |
"" |
|
controlplane.pluginsDir |
Directory where to look for plugins | /plugins |
controlplane.referrerSharedIndex |
Configure the shared, public index API endpoint that can be used to discover metadata referrers | |
controlplane.referrerSharedIndex.enabled |
Enable index API endpoint | false |
controlplane.referrerSharedIndex.allowedOrgs |
List of UUIDs of organizations that are allowed to publish to the shared index | [] |
controlplane.onboarding |
List of organizations to automatically onboard when a user logs in | [] |
controlplane.prometheus_org_metrics |
List of organizations to expose metrics for using Prometheus | [] |
controlplane.migration.ssl |
Connect to the database using SSL (required fro AWS RDS, etc) | false |
controlplane.migration.image.registry |
image registry | REGISTRY_NAME |
controlplane.migration.image.repository |
image repository | REPOSITORY_NAME/chainloop-control-plane-migrations |
controlplane.migration.image.digest |
image digest in the way sha256:aaโฆ. Please note this parameter, if set, will override the tag | "" |
controlplane.migration.image.pullPolicy |
image pull policy | IfNotPresent |
controlplane.migration.image.pullSecrets |
image pull secrets | [] |
controlplane.serviceAccount.create |
Specifies whether a ServiceAccount should be created | true |
controlplane.serviceAccount.annotations |
Annotations for service account. Evaluated as a template. Only used if create is true. |
{} |
controlplane.serviceAccount.name |
Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | "" |
controlplane.serviceAccount.automountServiceAccountToken |
Mount Service Account token in controlplane pods | false |
Control Plane Database
| Name | Description | Value |
|---|---|---|
controlplane.externalDatabase |
External PostgreSQL configuration. These values are only used when postgresql.enabled is set to false | |
controlplane.externalDatabase.host |
Database host | "" |
controlplane.externalDatabase.port |
Database port number | 5432 |
controlplane.externalDatabase.user |
Non-root username | "" |
controlplane.externalDatabase.database |
Database name | "" |
controlplane.externalDatabase.password |
Password for the non-root username | "" |
Control Plane Authentication
| Name | Description | Value |
|---|---|---|
controlplane.auth.passphrase |
Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation | "" |
controlplane.auth.oidc.url |
Full authentication path, it should match the issuer URL of the Identity provider (IDp) | "" |
controlplane.auth.oidc.clientID |
OIDC IDp clientID | "" |
controlplane.auth.oidc.clientSecret |
OIDC IDp clientSecret | "" |
controlplane.auth.oidc.loginURLOverride |
Optional OIDC login URL override, useful to point to custom login pages | "" |
controlplane.auth.oidc.externalURL |
Optional External URL for the controlplane to the outside world | "" |
controlplane.auth.allowList |
Content of the allow_list.yaml config file | {} |
controlplane.auth.allowList.rules |
List of domains or emails to allow | |
controlplane.auth.allowList.selectedRoutes |
List of selected routes to allow. If not set it applies to all routes | |
controlplane.auth.allowList.customMessage |
Custom message to display when a user is not allowed |
Control Plane Networking
| Name | Description | Value |
|---|---|---|
controlplane.service.type |
Service type | ClusterIP |
controlplane.service.ports.http |
controlplane service HTTP port | 80 |
controlplane.service.nodePorts.http |
Node port for HTTP | "" |
controlplane.service.nodePorts.https |
Node port for HTTPS | "" |
controlplane.service.clusterIP |
controlplane service Cluster IP | "" |
controlplane.service.loadBalancerIP |
controlplane service Load Balancer IP | "" |
controlplane.service.loadBalancerSourceRanges |
controlplane service Load Balancer sources | [] |
controlplane.service.externalTrafficPolicy |
controlplane service external traffic policy | Cluster |
controlplane.service.annotations |
Additional custom annotations for controlplane service | {} |
controlplane.service.extraPorts |
Extra ports to expose in controlplane service (normally used with the sidecars value) |
[] |
controlplane.service.sessionAffinity |
Control where client requests go, to the same pod or round-robin | None |
controlplane.service.sessionAffinityConfig |
Additional settings for the sessionAffinity | {} |
controlplane.serviceAPI.type |
Service type | ClusterIP |
controlplane.serviceAPI.ports.http |
controlplane service HTTP port | 80 |
controlplane.serviceAPI.ports.https |
controlplane service HTTPS port | 443 |
controlplane.serviceAPI.nodePorts.http |
Node port for HTTP | "" |
controlplane.serviceAPI.nodePorts.https |
Node port for HTTPS | "" |
controlplane.serviceAPI.clusterIP |
controlplane service Cluster IP | "" |
controlplane.serviceAPI.loadBalancerIP |
controlplane service Load Balancer IP | "" |
controlplane.serviceAPI.loadBalancerSourceRanges |
controlplane service Load Balancer sources | [] |
controlplane.serviceAPI.externalTrafficPolicy |
controlplane service external traffic policy | Cluster |
controlplane.serviceAPI.annotations |
Additional custom annotations for controlplane service | |
controlplane.serviceAPI.extraPorts |
Extra ports to expose in controlplane service (normally used with the sidecars value) |
[] |
controlplane.serviceAPI.sessionAffinity |
Control where client requests go, to the same pod or round-robin | None |
controlplane.serviceAPI.sessionAffinityConfig |
Additional settings for the sessionAffinity | {} |
controlplane.ingress.enabled |
Enable ingress record generation for controlplane | false |
controlplane.ingress.pathType |
Ingress path type | ImplementationSpecific |
controlplane.ingress.hostname |
Default host for the ingress record | cp.dev.local |
controlplane.ingress.ingressClassName |
IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
controlplane.ingress.path |
Default path for the ingress record | / |
controlplane.ingress.annotations |
Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
controlplane.ingress.tls |
Enable TLS configuration for the host defined at controlplane.ingress.hostname parameter |
false |
controlplane.ingress.selfSigned |
Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
controlplane.ingress.extraHosts |
An array with additional hostname(s) to be covered with the ingress record | [] |
controlplane.ingress.extraPaths |
An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
controlplane.ingress.extraTls |
TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
controlplane.ingress.secrets |
Custom TLS certificates as secrets | [] |
controlplane.ingress.extraRules |
Additional rules to be covered with this ingress record | [] |
controlplane.ingressAPI.enabled |
Enable ingress record generation for controlplane | false |
controlplane.ingressAPI.pathType |
Ingress path type | ImplementationSpecific |
controlplane.ingressAPI.hostname |
Default host for the ingress record | api.cp.dev.local |
controlplane.ingressAPI.ingressClassName |
IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
controlplane.ingressAPI.path |
Default path for the ingress record | / |
controlplane.ingressAPI.annotations |
Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | |
controlplane.ingressAPI.tls |
Enable TLS configuration for the host defined at controlplane.ingress.hostname parameter |
false |
controlplane.ingressAPI.selfSigned |
Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
controlplane.ingressAPI.extraHosts |
An array with additional hostname(s) to be covered with the ingress record | [] |
controlplane.ingressAPI.extraPaths |
An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
controlplane.ingressAPI.extraTls |
TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
controlplane.ingressAPI.secrets |
Custom TLS certificates as secrets | [] |
controlplane.ingressAPI.extraRules |
Additional rules to be covered with this ingress record | [] |
Controlplane Misc
| Name | Description | Value |
|---|---|---|
controlplane.resourcesPreset |
Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | micro |
controlplane.resources |
Set controlplane container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
controlplane.podSecurityContext.enabled |
Enable controlplane podsโ Security Context | true |
controlplane.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy for controlplane pods | Always |
controlplane.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface for controlplane pods | [] |
controlplane.podSecurityContext.supplementalGroups |
Set filesystem extra groups for controlplane pods | [] |
controlplane.podSecurityContext.fsGroup |
Set fsGroup in controlplane podsโ Security Context | 1001 |
controlplane.containerSecurityContext.enabled |
Enabled controlplane containerโ Security Context | true |
controlplane.containerSecurityContext.seLinuxOptions |
Set SELinux options in controlplane container | {} |
controlplane.containerSecurityContext.runAsUser |
Set runAsUser in controlplane containerโ Security Context | 1001 |
controlplane.containerSecurityContext.runAsGroup |
Set runAsGroup in controlplane containerโ Security Context | 1001 |
controlplane.containerSecurityContext.runAsNonRoot |
Set runAsNonRoot in controlplane containerโ Security Context | true |
controlplane.containerSecurityContext.readOnlyRootFilesystem |
Set readOnlyRootFilesystem in controlplane containerโ Security Context | true |
controlplane.containerSecurityContext.privileged |
Set privileged in controlplane containerโ Security Context | false |
controlplane.containerSecurityContext.allowPrivilegeEscalation |
Set allowPrivilegeEscalation in controlplane containerโ Security Context | false |
controlplane.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped in controlplane container | ["ALL"] |
controlplane.containerSecurityContext.seccompProfile.type |
Set seccomp profile in controlplane container | RuntimeDefault |
controlplane.sentry.enabled |
Enable sentry.io alerting | false |
controlplane.sentry.dsn |
DSN endpoint | "" |
controlplane.sentry.environment |
Environment tag | production |
Keyless signing configuration
| Name | Description | Value |
|---|---|---|
controlplane.keylessSigning.enabled |
Activates or deactivates the feature | false |
controlplane.keylessSigning.backend |
The backend to use. Currently only โfileCAโ and โejbcaCAโ are supported | fileCA |
controlplane.keylessSigning.fileCA.cert |
The PEM-encoded certificate of the file based CA | "" |
controlplane.keylessSigning.fileCA.key |
The PEM-encoded private key of the file based CA | "" |
controlplane.keylessSigning.fileCA.keyPass |
The secret key pass | "" |
controlplane.keylessSigning.ejbcaCA.serverURL |
The url of the EJBCA service (โhttps://host/ejbcaโ) | "" |
controlplane.keylessSigning.ejbcaCA.clientKey |
PEM-encoded the private key for EJBCA cert authentication | "" |
controlplane.keylessSigning.ejbcaCA.clientCert |
PEM-encoded certificate for EJBCA cert authentication | "" |
controlplane.keylessSigning.ejbcaCA.certProfileName |
Name of the certificate profile to use in EJBCA | "" |
controlplane.keylessSigning.ejbcaCA.endEntityProfileName |
Name of the Entity Profile to use in EJBCA | "" |
controlplane.keylessSigning.ejbcaCA.caName |
Name of the CA issuer to use in EJBCA | "" |
controlplane.customCAs |
List of custom CA certificates content | [] |
controlplane.automountServiceAccountToken |
Mount Service Account token in controlplane pods | false |
controlplane.hostAliases |
controlplane pods host aliases | [] |
controlplane.deploymentAnnotations |
Annotations for controlplane deployment | {} |
controlplane.podLabels |
Extra labels for controlplane pods | {} |
controlplane.podAffinityPreset |
Pod affinity preset. Ignored if controlplane.affinity is set. Allowed values: soft or hard |
"" |
controlplane.podAntiAffinityPreset |
Pod anti-affinity preset. Ignored if controlplane.affinity is set. Allowed values: soft or hard |
soft |
controlplane.nodeAffinityPreset.type |
Node affinity preset type. Ignored if controlplane.affinity is set. Allowed values: soft or hard |
"" |
controlplane.nodeAffinityPreset.key |
Node label key to match. Ignored if controlplane.affinity is set |
"" |
controlplane.nodeAffinityPreset.values |
Node label values to match. Ignored if controlplane.affinity is set |
[] |
controlplane.affinity |
Affinity for controlplane pods assignment | {} |
controlplane.nodeSelector |
Node labels for controlplane pods assignment | {} |
controlplane.tolerations |
Tolerations for controlplane pods assignment | [] |
controlplane.updateStrategy.type |
controlplane deployment strategy type | RollingUpdate |
controlplane.priorityClassName |
controlplane podsโ priorityClassName | "" |
controlplane.topologySpreadConstraints |
Topology Spread Constraints for controlplane pod assignment spread across your cluster among failure-domains | [] |
controlplane.schedulerName |
Name of the k8s scheduler (other than default) for controlplane pods | "" |
controlplane.terminationGracePeriodSeconds |
Seconds controlplane pods need to terminate gracefully | "" |
controlplane.lifecycleHooks |
for controlplane containers to automate configuration before or after startup | {} |
controlplane.extraEnvVars |
Array with extra environment variables to add to controlplane containers | [] |
controlplane.extraEnvVarsCM |
Name of existing ConfigMap containing extra env vars for controlplane containers | "" |
controlplane.extraEnvVarsSecret |
Name of existing Secret containing extra env vars for controlplane containers | "" |
controlplane.extraVolumes |
Optionally specify extra list of additional volumes for the controlplane pods | [] |
controlplane.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the controlplane containers | [] |
controlplane.sidecars |
Add additional sidecar containers to the controlplane pods | [] |
controlplane.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
controlplane.networkPolicy.allowExternal |
Donโt require client label for connections | true |
controlplane.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
controlplane.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
controlplane.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
controlplane.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
controlplane.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
controlplane.initContainers |
Add additional init containers to the controlplane pods | [] |
controlplane.autoscaling.vpa.enabled |
Enable VPA for %%MAIN_CONTAINER_NAME%% pods | false |
controlplane.autoscaling.vpa.annotations |
Annotations for VPA resource | {} |
controlplane.autoscaling.vpa.controlledResources |
VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | [] |
controlplane.autoscaling.vpa.maxAllowed |
VPA Max allowed resources for the pod | {} |
controlplane.autoscaling.vpa.minAllowed |
VPA Min allowed resources for the pod | {} |
controlplane.autoscaling.vpa.updatePolicy.updateMode |
Autoscaling update policy | Auto |
controlplane.autoscaling.hpa.enabled |
Enable HPA for controlplane pods | false |
controlplane.autoscaling.hpa.minReplicas |
Minimum number of replicas | "" |
controlplane.autoscaling.hpa.maxReplicas |
Maximum number of replicas | "" |
controlplane.autoscaling.hpa.targetCPU |
Target CPU utilization percentage | "" |
controlplane.autoscaling.hpa.targetMemory |
Target Memory utilization percentage | "" |
controlplane.pdb.enabled |
Create Pod Disruption Budget for the controlplane component | false |
controlplane.pdb.minAvailable |
Sets the min number of pods availables for the Pod Disruption Budget | "" |
controlplane.pdb.maxUnavailable |
Sets the max number of pods unavailable for the Pod Disruption Budget | "" |
Artifact Content Addressable (CAS) API
| Name | Description | Value |
|---|---|---|
cas.replicaCount |
Number of replicas | 2 |
cas.image.registry |
image registry | REGISTRY_NAME |
cas.image.repository |
image repository | REPOSITORY_NAME/chainloop-artifact-cas |
cas.image.digest |
image digest in the way sha256:aaโฆ. Please note this parameter, if set, will override the tag | "" |
cas.image.pullPolicy |
image pull policy | IfNotPresent |
cas.image.pullSecrets |
image pull secrets | [] |
cas.containerPorts.http |
controlplane HTTP container port | 8000 |
cas.containerPorts.grpc |
controlplane gRPC container port | 9000 |
cas.containerPorts.metrics |
controlplane prometheus metrics container port | 5000 |
cas.tls.existingSecret |
Existing secret with TLS certificates. The secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key. | "" |
cas.existingConfigMap |
"" |
|
cas.serviceAccount.create |
Specifies whether a ServiceAccount should be created | true |
cas.serviceAccount.annotations |
Annotations for service account. Evaluated as a template. Only used if create is true. |
{} |
cas.serviceAccount.name |
Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | "" |
cas.serviceAccount.automountServiceAccountToken |
Mount Service Account token in controlplane pods | false |
CAS Networking
| Name | Description | Value |
|---|---|---|
cas.service.type |
Service type | ClusterIP |
cas.service.ports.http |
cas service HTTP port | 80 |
cas.service.ports.https |
cas service HTTPS port | 443 |
cas.service.nodePorts.http |
Node port for HTTP | "" |
cas.service.nodePorts.https |
Node port for HTTPS | "" |
cas.service.clusterIP |
cas service Cluster IP | "" |
cas.service.loadBalancerIP |
cas service Load Balancer IP | "" |
cas.service.loadBalancerSourceRanges |
cas service Load Balancer sources | [] |
cas.service.externalTrafficPolicy |
cas service external traffic policy | Cluster |
cas.service.annotations |
Additional custom annotations for cas service | {} |
cas.service.extraPorts |
Extra ports to expose in cas service (normally used with the sidecars value) |
[] |
cas.service.sessionAffinity |
Control where client requests go, to the same pod or round-robin | None |
cas.service.sessionAffinityConfig |
Additional settings for the sessionAffinity | {} |
cas.serviceAPI.type |
Service type | ClusterIP |
cas.serviceAPI.ports.http |
cas service HTTP port | 80 |
cas.serviceAPI.ports.https |
cas service HTTPS port | 443 |
cas.serviceAPI.nodePorts.http |
Node port for HTTP | "" |
cas.serviceAPI.nodePorts.https |
Node port for HTTPS | "" |
cas.serviceAPI.clusterIP |
cas service Cluster IP | "" |
cas.serviceAPI.loadBalancerIP |
cas service Load Balancer IP | "" |
cas.serviceAPI.loadBalancerSourceRanges |
cas service Load Balancer sources | [] |
cas.serviceAPI.externalTrafficPolicy |
cas service external traffic policy | Cluster |
cas.serviceAPI.annotations |
Additional custom annotations for cas service | |
cas.serviceAPI.extraPorts |
Extra ports to expose in cas service (normally used with the sidecars value) |
[] |
cas.serviceAPI.sessionAffinity |
Control where client requests go, to the same pod or round-robin | None |
cas.serviceAPI.sessionAffinityConfig |
Additional settings for the sessionAffinity | {} |
cas.ingress.enabled |
Enable ingress record generation for controlplane | false |
cas.ingress.pathType |
Ingress path type | ImplementationSpecific |
cas.ingress.hostname |
Default host for the ingress record | cas.dev.local |
cas.ingress.ingressClassName |
IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
cas.ingress.path |
Default path for the ingress record | / |
cas.ingress.annotations |
Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
cas.ingress.tls |
Enable TLS configuration for the host defined at controlplane.ingress.hostname parameter |
false |
cas.ingress.selfSigned |
Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
cas.ingress.extraHosts |
An array with additional hostname(s) to be covered with the ingress record | [] |
cas.ingress.extraPaths |
An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
cas.ingress.extraTls |
TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
cas.ingress.secrets |
Custom TLS certificates as secrets | [] |
cas.ingress.extraRules |
Additional rules to be covered with this ingress record | [] |
cas.ingressAPI.enabled |
Enable ingress record generation for controlplane | false |
cas.ingressAPI.pathType |
Ingress path type | ImplementationSpecific |
cas.ingressAPI.hostname |
Default host for the ingress record | api.cas.dev.local |
cas.ingressAPI.ingressClassName |
IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
cas.ingressAPI.path |
Default path for the ingress record | / |
cas.ingressAPI.annotations |
Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | |
cas.ingressAPI.tls |
Enable TLS configuration for the host defined at controlplane.ingress.hostname parameter |
false |
cas.ingressAPI.selfSigned |
Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
cas.ingressAPI.extraHosts |
An array with additional hostname(s) to be covered with the ingress record | [] |
cas.ingressAPI.extraPaths |
An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
cas.ingressAPI.extraTls |
TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
cas.ingressAPI.secrets |
Custom TLS certificates as secrets | [] |
cas.ingressAPI.extraRules |
Additional rules to be covered with this ingress record | [] |
CAS Misc
| Name | Description | Value |
|---|---|---|
cas.sentry.enabled |
Enable sentry.io alerting | false |
cas.sentry.dsn |
DSN endpoint | "" |
cas.sentry.environment |
Environment tag | production |
cas.customCAs |
List of custom CA certificates content | [] |
cas.resourcesPreset |
Set init container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production). | micro |
cas.resources |
Set cas container requests and limits for different resources like CPU or memory (essential for production workloads) | {} |
cas.podSecurityContext.enabled |
Enable cas podsโ Security Context | true |
cas.podSecurityContext.fsGroupChangePolicy |
Set filesystem group change policy for cas pods | Always |
cas.podSecurityContext.sysctls |
Set kernel settings using the sysctl interface for cas pods | [] |
cas.podSecurityContext.supplementalGroups |
Set filesystem extra groups for cas pods | [] |
cas.podSecurityContext.fsGroup |
Set fsGroup in cas podsโ Security Context | 1001 |
cas.containerSecurityContext.enabled |
Enabled cas containerโ Security Context | true |
cas.containerSecurityContext.seLinuxOptions |
Set SELinux options in cas container | {} |
cas.containerSecurityContext.runAsUser |
Set runAsUser in cas containerโ Security Context | 1001 |
cas.containerSecurityContext.runAsGroup |
Set runAsGroup in cas containerโ Security Context | 1001 |
cas.containerSecurityContext.runAsNonRoot |
Set runAsNonRoot in cas containerโ Security Context | true |
cas.containerSecurityContext.readOnlyRootFilesystem |
Set readOnlyRootFilesystem in cas containerโ Security Context | true |
cas.containerSecurityContext.privileged |
Set privileged in cas containerโ Security Context | false |
cas.containerSecurityContext.allowPrivilegeEscalation |
Set allowPrivilegeEscalation in cas containerโ Security Context | false |
cas.containerSecurityContext.capabilities.drop |
List of capabilities to be dropped in cas container | ["ALL"] |
cas.containerSecurityContext.seccompProfile.type |
Set seccomp profile in cas container | RuntimeDefault |
cas.automountServiceAccountToken |
Mount Service Account token in cas pods | false |
cas.hostAliases |
cas pods host aliases | [] |
cas.deploymentAnnotations |
Annotations for cas deployment | {} |
cas.podLabels |
Extra labels for cas pods | {} |
cas.podAffinityPreset |
Pod affinity preset. Ignored if cas.affinity is set. Allowed values: soft or hard |
"" |
cas.podAntiAffinityPreset |
Pod anti-affinity preset. Ignored if cas.affinity is set. Allowed values: soft or hard |
soft |
cas.nodeAffinityPreset.type |
Node affinity preset type. Ignored if cas.affinity is set. Allowed values: soft or hard |
"" |
cas.nodeAffinityPreset.key |
Node label key to match. Ignored if cas.affinity is set |
"" |
cas.nodeAffinityPreset.values |
Node label values to match. Ignored if cas.affinity is set |
[] |
cas.affinity |
Affinity for cas pods assignment | {} |
cas.nodeSelector |
Node labels for cas pods assignment | {} |
cas.tolerations |
Tolerations for cas pods assignment | [] |
cas.updateStrategy.type |
cas deployment strategy type | RollingUpdate |
cas.priorityClassName |
cas podsโ priorityClassName | "" |
cas.topologySpreadConstraints |
Topology Spread Constraints for cas pod assignment spread across your cluster among failure-domains | [] |
cas.schedulerName |
Name of the k8s scheduler (other than default) for cas pods | "" |
cas.terminationGracePeriodSeconds |
Seconds cas pods need to terminate gracefully | "" |
cas.lifecycleHooks |
for cas containers to automate configuration before or after startup | {} |
cas.extraEnvVars |
Array with extra environment variables to add to cas containers | [] |
cas.extraEnvVarsCM |
Name of existing ConfigMap containing extra env vars for cas containers | "" |
cas.extraEnvVarsSecret |
Name of existing Secret containing extra env vars for cas containers | "" |
cas.extraVolumes |
Optionally specify extra list of additional volumes for the cas pods | [] |
cas.extraVolumeMounts |
Optionally specify extra list of additional volumeMounts for the cas containers | [] |
cas.sidecars |
Add additional sidecar containers to the cas pods | [] |
cas.networkPolicy.enabled |
Specifies whether a NetworkPolicy should be created | true |
cas.networkPolicy.allowExternal |
Donโt require client label for connections | true |
cas.networkPolicy.allowExternalEgress |
Allow the pod to access any range of port and all destinations. | true |
cas.networkPolicy.extraIngress |
Add extra ingress rules to the NetworkPolicy | [] |
cas.networkPolicy.extraEgress |
Add extra ingress rules to the NetworkPolicy | [] |
cas.networkPolicy.ingressNSMatchLabels |
Labels to match to allow traffic from other namespaces | {} |
cas.networkPolicy.ingressNSPodMatchLabels |
Pod labels to match to allow traffic from other namespaces | {} |
cas.initContainers |
Add additional init containers to the cas pods | [] |
cas.autoscaling.vpa.enabled |
Enable VPA for %%MAIN_CONTAINER_NAME%% pods | false |
cas.autoscaling.vpa.annotations |
Annotations for VPA resource | {} |
cas.autoscaling.vpa.controlledResources |
VPA List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory | [] |
cas.autoscaling.vpa.maxAllowed |
VPA Max allowed resources for the pod | {} |
cas.autoscaling.vpa.minAllowed |
VPA Min allowed resources for the pod | {} |
cas.autoscaling.vpa.updatePolicy.updateMode |
Autoscaling update policy | Auto |
cas.autoscaling.hpa.enabled |
Enable HPA for cas pods | false |
cas.autoscaling.hpa.minReplicas |
Minimum number of replicas | "" |
cas.autoscaling.hpa.maxReplicas |
Maximum number of replicas | "" |
cas.autoscaling.hpa.targetCPU |
Target CPU utilization percentage | "" |
cas.autoscaling.hpa.targetMemory |
Target Memory utilization percentage | "" |
cas.pdb.enabled |
Create Pod Disruption Budget for the cas component | false |
cas.pdb.minAvailable |
Sets the min number of pods available for the Pod Disruption Budget | "" |
cas.pdb.maxUnavailable |
Sets the max number of pods unavailable for the Pod Disruption Budget | "" |
Dependencies
| Name | Description | Value |
|---|---|---|
postgresql.enabled |
Switch to enable or disable the PostgreSQL helm chart | true |
postgresql.auth.enablePostgresUser |
Assign a password to the โpostgresโ admin user. Otherwise, remote access will be blocked for this user | false |
postgresql.auth.username |
Name for a custom user to create | chainloop |
postgresql.auth.password |
Password for the custom user to create | chainlooppwd |
postgresql.auth.database |
Name for a custom database to create | chainloop-cp |
postgresql.auth.existingSecret |
Name of existing secret to use for PostgreSQL credentials | "" |
vault.server.args |
Arguments to pass to the vault server. This is useful for setting the server in development mode | ["server","-dev"] |
vault.server.config |
Configuration for the vault server. Small override of default Bitnami configuration | `storage โinmemโ {} |
disable_mlock = true ui = true service_registration โkubernetesโ {}| |vault.server.extraEnvVars[0].name| Root token for the vault server |VAULT_DEV_ROOT_TOKEN_ID| |vault.server.extraEnvVars[0].value| The value of the root token. Default: notasecret |notasecret| |vault.server.extraEnvVars[1].name| Address to listen on development mode |VAULT_DEV_LISTEN_ADDRESS| |vault.server.extraEnvVars[1].value| The address to listen on. Default: [::]:8200 |[::]:8200| |dex.image.registry| Dex image registry |REGISTRY_NAME| |dex.image.repository| Dex image repository |REPOSITORY_NAME/dex| |dex.image.pullPolicy| Dex image pull policy |IfNotPresent| |dex.image.pullSecrets| Dex image pull secrets |[]| |dex.image.debug| Enable Dex image debug mode |false| |dex.replicaCount| Number of Dex replicas to deploy |1| |dex.startupProbe.enabled| Enable startupProbe on Dex nodes |true| |dex.startupProbe.initialDelaySeconds| Initial delay seconds for startupProbe |10| |dex.startupProbe.periodSeconds| Period seconds for startupProbe |10| |dex.startupProbe.timeoutSeconds| Timeout seconds for startupProbe |1| |dex.startupProbe.failureThreshold| Failure threshold for startupProbe |3| |dex.startupProbe.successThreshold| Success threshold for startupProbe |1| |dex.livenessProbe.enabled| Enable livenessProbe on Dex nodes |true| |dex.livenessProbe.initialDelaySeconds| Initial delay seconds for livenessProbe |10| |dex.livenessProbe.periodSeconds| Period seconds for livenessProbe |10| |dex.livenessProbe.timeoutSeconds| Timeout seconds for livenessProbe |1| |dex.livenessProbe.failureThreshold| Failure threshold for livenessProbe |3| |dex.livenessProbe.successThreshold| Success threshold for livenessProbe |1| |dex.readinessProbe.enabled| Enable readinessProbe on Dex nodes |true| |dex.readinessProbe.initialDelaySeconds| Initial delay seconds for readinessProbe |10| |dex.readinessProbe.periodSeconds| Period seconds for readinessProbe |10| |dex.readinessProbe.timeoutSeconds| Timeout seconds for readinessProbe |1| |dex.readinessProbe.failureThreshold| Failure threshold for readinessProbe |3| |dex.readinessProbe.successThreshold| Success threshold for readinessProbe |1| |dex.customStartupProbe| Custom startupProbe that overrides the default one |{}| |dex.customLivenessProbe| Custom livenessProbe that overrides the default one |{}| |dex.customReadinessProbe| Custom readinessProbe that overrides the default one |{}| |dex.resourcesPreset| Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if dex.resources is set (dex.resources is recommended for production). |nano| |dex.resources| Set container requests and limits for different resources like CPU or memory (essential for production workloads) |{}| |dex.podSecurityContext.enabled| Enabled Dex pods' Security Context |true| |dex.podSecurityContext.fsGroupChangePolicy| Set filesystem group change policy |Always| |dex.podSecurityContext.sysctls| Set kernel settings using the sysctl interface |[]| |dex.podSecurityContext.supplementalGroups| Set filesystem extra groups |[]| |dex.podSecurityContext.fsGroup| Set Dex pod's Security Context fsGroup |1001| |dex.containerSecurityContext.enabled| Enabled Dex containers' Security Context |true| |dex.containerSecurityContext.seLinuxOptions| Set SELinux options in container |{}| |dex.containerSecurityContext.runAsUser| Set Dex containers' Security Context runAsUser |1001| |dex.containerSecurityContext.runAsGroup| Set Dex containers' Security Context runAsGroup |1001| |dex.containerSecurityContext.allowPrivilegeEscalation| Set Dex containers' Security Context allowPrivilegeEscalation |false| |dex.containerSecurityContext.readOnlyRootFilesystem| Set Dex containers' server Security Context readOnlyRootFilesystem |true| |dex.containerSecurityContext.runAsNonRoot| Set Dex containers' Security Context runAsNonRoot |true| |dex.containerSecurityContext.capabilities.drop| Set Chainloop containers' Security Context capabilities to be dropped |[โALLโ]| |dex.containerSecurityContext.privileged| Set dex container's Security Context privileged |false| |dex.containerSecurityContext.seccompProfile.type| Set container's Security Context seccomp profile |RuntimeDefault| |dex.service.type| Dex service type |ClusterIP| |dex.service.ports.http| Dex HTTP service port |5556| |dex.service.ports.grpc| Dex grpc service port |5557| |dex.service.nodePorts.http| HTTP node port for the Dex service |โโ| |dex.service.nodePorts.grpc| gRPC node port for the Dex service |โโ| |dex.service.clusterIP| Dex service Cluster IP |โโ| |dex.service.loadBalancerIP| Dex service Load Balancer IP |โโ| |dex.service.loadBalancerSourceRanges| Dex service Load Balancer sources |[]| |dex.service.externalTrafficPolicy| Dex service external traffic policy |Cluster| |dex.service.annotations| Additional custom annotations for Dex service |{}| |dex.service.extraPorts| Extra ports to expose (normally used with thesidecarvalue) |[]| |dex.service.sessionAffinity| Session Affinity for Kubernetes service, can be "None" or "ClientIP" |None| |dex.service.sessionAffinityConfig| Additional settings for the sessionAffinity |{}| |dex.networkPolicy.enabled| Specifies whether a NetworkPolicy should be created |true| |dex.networkPolicy.allowExternal| Don't require server label for connections |true| |dex.networkPolicy.allowExternalEgress| Allow the pod to access any range of port and all destinations. |true| |dex.networkPolicy.kubeAPIServerPorts| List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) |[]| |dex.networkPolicy.extraIngress| Add extra ingress rules to the NetworkPolicy |[]| |dex.networkPolicy.extraEgress| Add extra ingress rules to the NetworkPolicy (ignored if allowExternalEgress=true) |[]| |dex.networkPolicy.ingressNSMatchLabels| Labels to match to allow traffic from other namespaces |{}| |dex.networkPolicy.ingressNSPodMatchLabels| Pod labels to match to allow traffic from other namespaces |{}| |dex.containerPorts.http| Dex container HTTP port |5556| |dex.containerPorts.grpc| Dex gRPC port |5557| |dex.containerPorts.metrics| Dex metrics port |5558| |dex.metrics.enabled| Enable metrics service for Dex |false| |dex.metrics.service.type| Dex service type |ClusterIP| |dex.metrics.service.ports.metrics| Dex metrics service port |5558| |dex.metrics.service.nodePorts.metrics| Node port for the Dex service |โโ| |dex.metrics.service.clusterIP| Dex service metrics service Cluster IP |โโ| |dex.metrics.service.loadBalancerIP| Dex service Load Balancer IP |โโ| |dex.metrics.service.loadBalancerSourceRanges| Dex service Load Balancer sources |[]| |dex.metrics.service.externalTrafficPolicy| Dex service external traffic policy |Cluster| |dex.metrics.service.annotations| Additional custom annotations for Dex service |{}| |dex.metrics.service.sessionAffinity| Session Affinity for Kubernetes service, can be "None" or "ClientIP" |None| |dex.metrics.service.sessionAffinityConfig| Additional settings for the sessionAffinity |{}| |dex.metrics.serviceMonitor.enabled| Create ServiceMonitor Resource for scraping metrics using PrometheusOperator |false| |dex.metrics.serviceMonitor.namespace| Namespace which Prometheus is running in |โโ| |dex.metrics.serviceMonitor.jobLabel| The name of the label on the target service to use as the job name in prometheus. |โโ| |dex.metrics.serviceMonitor.interval| Interval at which metrics should be scraped |30s| |dex.metrics.serviceMonitor.scrapeTimeout| Timeout after which the scrape is ended |10s| |dex.metrics.serviceMonitor.relabelings| RelabelConfigs to apply to samples before scraping |[]| |dex.metrics.serviceMonitor.metricRelabelings| MetricRelabelConfigs to apply to samples before ingestion |[]| |dex.metrics.serviceMonitor.selector| ServiceMonitor selector labels |{}| |dex.metrics.serviceMonitor.honorLabels| honorLabels chooses the metric's labels on collisions with target labels |false| |dex.serviceAccount.create| Specifies whether a ServiceAccount should be created for Dex |true| |dex.serviceAccount.name| The name of the ServiceAccount to use. |โโ| |dex.serviceAccount.automountServiceAccountToken| Automount service account token for the Dex service account |false| |dex.serviceAccount.annotations| Annotations for service account. Evaluated as a template. Only used ifcreateistrue. |{}| |dex.command| Override default container command (useful when using custom images) |[]| |dex.args| Override default container args (useful when using custom images) |[]| |dex.extraArgs| Add extra args to the default args for Dex |[]| |dex.automountServiceAccountToken| Mount Service Account token in pod |true| |dex.hostAliases| Dex pods host aliases |[]| |dex.podLabels| Extra labels for Dex pods |{}| |dex.podAnnotations| Annotations for Dex pods |{}| |dex.podAffinityPreset| Pod affinity preset. Ignored ifdex.affinityis set. Allowed values:softorhard|โโ| |dex.podAntiAffinityPreset| Pod anti-affinity preset. Ignored ifdex.affinityis set. Allowed values:softorhard|soft| |dex.nodeAffinityPreset.type| Node affinity preset type. Ignored ifdex.affinityis set. Allowed values:softorhard|โโ| |dex.nodeAffinityPreset.key| Node label key to match. Ignored ifdex.affinityis set |โโ| |dex.nodeAffinityPreset.values| Node label values to match. Ignored ifdex.affinityis set |[]| |dex.affinity| Affinity for Dex pods assignment |{}| |dex.nodeSelector| Node labels for Dex pods assignment |{}| |dex.tolerations| Tolerations for Dex pods assignment |[]| |dex.schedulerName| Name of the k8s scheduler (other than default) |โโ| |dex.shareProcessNamespace| Enable shared process namespace in a pod. |false| |dex.topologySpreadConstraints| Topology Spread Constraints for pod assignment |[]| |dex.updateStrategy.type| Dex statefulset strategy type |RollingUpdate| |dex.priorityClassName| Dex pods' priorityClassName |โโ| |dex.runtimeClassName| Name of the runtime class to be used by pod(s) |โโ| |dex.lifecycleHooks| for the Dex container(s) to automate configuration before or after startup |{}| |dex.extraEnvVars| Array with extra environment variables to add to Dex nodes |[]| |dex.extraEnvVarsCM| Name of existing ConfigMap containing extra env vars for Dex nodes |โโ| |dex.extraEnvVarsSecret| Name of existing Secret containing extra env vars for Dex nodes |โโ| |dex.extraVolumes| Optionally specify extra list of additional volumes for the Dex pod(s) |[]| |dex.extraVolumeMounts| Optionally specify extra list of additional volumeMounts for the Dex container(s) |[]| |dex.sidecars| Add additional sidecar containers to the Dex pod(s) |[]| |dex.initContainers| Add additional init containers to the Dex pod(s) |[]| |dex.pdb.create| Enable/disable a Pod Disruption Budget creation |true| |dex.pdb.minAvailable| Minimum number/percentage of pods that should remain scheduled |โโ| |dex.pdb.maxUnavailable| Maximum number/percentage of pods that may be made unavailable. Defaults to1if bothdex.pdb.minAvailableanddex.pdb.maxUnavailableare empty. |โโ` |
Upgrading
To 2.0.0
This major updates the PostgreSQL subchart to its newest major, 16.0.0, which uses PostgreSQL 17.x. Follow the official instructions to upgrade to 17.x.
To 1.0.0
This major changes default mode from Standard mode to Development mode. This way the chart should not need any default values when running helm install, but adding the value development=false would be required if willing to use the standard mode.
License
Copyright ยฉ 2023 The Chainloop Authors
Licensed under the Apache License, Version 2.0 (the โLicenseโ); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an โAS ISโ BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
