
Firefly Helm values

acceptTerms

Property acceptTerms
Type unknown
Default
null

REQUIRED: Set to true to indicate acceptance of Venafi's End User License Agreement.

fullnameOverride

Property fullnameOverride
Type string
Default

Override the "firefly.fullname" value. This value is used as part of most of the names of the resources created by this Helm chart.

nameOverride

Property nameOverride
Type string
Default

Override the "firefly.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name").

CRDs

The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep". This prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to remove the remaining CRDs manually.

crds.forceRemoveValidationAnnotations

Property crds.forceRemoveValidationAnnotations
Type bool
Default
false

The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 or earlier. This annotation is used by CEL, a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option forces the 'x-kubernetes-validations' annotation to be excluded, even on Kubernetes 1.25+ clusters.

Venafi Connection

venafiConnection.include

Property venafiConnection.include
Type bool
Default
false

When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful when the VenafiConnection CRDs are already installed separately. When true, you must set deployment.config.bootstrap.tpp.connection.create: false, because you cannot install the VenafiConnection CRD and a VenafiConnection resource in the same chart.

deployment.enabled

Property deployment.enabled
Type bool
Default
true

Toggle for running the Firefly controller inside the Kubernetes cluster as an in-cluster Certificate Authority (CA).

deployment.venafiClientID

Property deployment.venafiClientID
Type unknown
Default
null

DEPRECATED: Use deployment.config.bootstrap.vaas.clientID instead.

deployment.venafiURL

Property deployment.venafiURL
Type string
Default

DEPRECATED: Use deployment.config.bootstrap.vaas.url instead.

deployment.venafiCredentialsSecretName

Property deployment.venafiCredentialsSecretName
Type string
Default

DEPRECATED: Use deployment.config.bootstrap.vaas.credentialsSecretName instead.

deployment.venafiCredentialsSecretEnabled

Property deployment.venafiCredentialsSecretEnabled
Type bool
Default

DEPRECATED: Use deployment.config.bootstrap.vaas.credentialsSecretEnabled instead.

deployment.config.bootstrap.selfSigned.enabled

Property deployment.config.bootstrap.selfSigned.enabled
Type bool
Default
false

Set to true to bootstrap using a self-signed certificate.

deployment.config.bootstrap.selfSigned.csr.commonName

Property deployment.config.bootstrap.selfSigned.csr.commonName
Type string
Default
""

Set the common name of the self-signed certificate.

deployment.config.bootstrap.tpp.enabled

Property deployment.config.bootstrap.tpp.enabled
Type bool
Default
false

Set to true to bootstrap from TLS Protect Datacenter.

deployment.config.bootstrap.tpp.configurationDN

Property deployment.config.bootstrap.tpp.configurationDN
Type string
Default
""

The DN of the Firefly configuration in TLS Protect Datacenter.
For example:
firefly\us-west-1\service-mesh\firefly

deployment.config.bootstrap.tpp.connection.create

Property deployment.config.bootstrap.tpp.connection.create
Type bool
Default
false

When set to true, the rendered output will include a VenafiConnection resource and some associated RBAC. These will be installed in the same namespace as Firefly. This is useful when the VenafiConnection CRDs have already been installed by another Venafi component.
When true, you must set venafiConnection.include: false because the VenafiConnection CRD cannot be installed in the same Helm chart as a VenafiConnection resource. When true, you must also supply url, and one of:
usernamePassword.enabled: true or serviceAccountToken.enabled: true.
When false, you only need to fill in the name field. In this case you must manually create the VenafiConnection with the given name and the associated RBAC. See https://docs.venafi.cloud/vaas/k8s-components/c-cfg-vc-auth/
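The include/create rules above, together with the url, name and authentication requirements, are easy to get wrong in a values file and only surface as a failed install. The following pre-install lint is an added example and not part of the Firefly chart: it encodes exactly the constraints stated on this page over a values structure modelled as nested dicts (the shape PyYAML would produce from values.yaml). The sample values, the release name "firefly" and the fallback used for the default username-password Secret name (fullnameOverride, else the release name, standing in for the chart's "firefly.fullname" template) are assumptions of the example; "one of" the two authentication methods is read here as exactly one.

```python
from __future__ import annotations

from typing import Any

# Dotted path of the TPP connection block, as named on this page.
CONN = "deployment.config.bootstrap.tpp.connection"


def _get(values: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted values path, returning default when any segment is missing."""
    node: Any = values
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def check_venafi_connection(values: dict) -> list[str]:
    """Return the violations of the VenafiConnection rules documented for this chart.

    Rules encoded:
      * venafiConnection.include and tpp.connection.create cannot both be true
        (CRD and resource cannot ship in the same chart).
      * create: true requires tpp.connection.url and exactly one enabled auth method.
      * create: false requires tpp.connection.name (the resource is created out of band).
    Nothing is checked unless TPP bootstrap is enabled.
    """
    errors: list[str] = []
    if not _get(values, "deployment.config.bootstrap.tpp.enabled", False):
        return errors

    include = _get(values, "venafiConnection.include", False)
    create = _get(values, f"{CONN}.create", False)
    if include and create:
        errors.append("venafiConnection.include and tpp.connection.create are both true; "
                      "the VenafiConnection CRD and a VenafiConnection cannot be in one chart")

    if create:
        if not _get(values, f"{CONN}.url", ""):
            errors.append("tpp.connection.create is true but tpp.connection.url is empty")
        enabled_auth = [
            method for method in ("usernamePassword", "serviceAccountToken")
            if _get(values, f"{CONN}.{method}.enabled", False)
        ]
        if len(enabled_auth) != 1:
            errors.append(f"tpp.connection.create is true but {len(enabled_auth)} auth methods "
                          "are enabled; enable exactly one of usernamePassword or serviceAccountToken")
    elif not _get(values, f"{CONN}.name", ""):
        errors.append("tpp.connection.create is false but tpp.connection.name is empty; "
                      "name the VenafiConnection you created manually")
    return errors


def username_password_secret_name(values: dict, release_name: str) -> str:
    """Name of the Secret that must hold the 'username' and 'password' keys.

    usernamePassword.name wins when set; otherwise the chart assumes the full chart
    name. Assumption of this example: fullnameOverride if set, else the release name.
    """
    override = _get(values, f"{CONN}.usernamePassword.name", "")
    return override or _get(values, "fullnameOverride", "") or release_name


# Constructed sample values: TPP bootstrap with the chart creating the connection.
SAMPLE_VALUES = {
    "venafiConnection": {"include": False},
    "deployment": {"config": {"bootstrap": {"tpp": {
        "enabled": True,
        "configurationDN": r"firefly\us-west-1\service-mesh\firefly",
        "connection": {
            "create": True,
            "url": "https://tpp.example.internal",
            "usernamePassword": {"enabled": True, "name": "firefly-credentials"},
        },
    }}}},
}

if __name__ == "__main__":
    for problem in check_venafi_connection(SAMPLE_VALUES) or ["values are consistent"]:
        print(problem)
    print("credentials Secret:", username_password_secret_name(SAMPLE_VALUES, "firefly"))
```

Run it against your real values (load them with PyYAML into a dict) before helm install; an empty list means the connection wiring satisfies the rules on this page, not that the credentials themselves are valid.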

deployment.config.bootstrap.tpp.connection.name

Property deployment.config.bootstrap.tpp.connection.name
Type string
Default
""

The name of a VenafiConnection resource in the same namespace as Firefly. If create: true this name can be omitted and by default the chart name will be used. If create: false this name is a required field and you are responsible for creating the VenafiConnection resource and the associated RBAC.

deployment.config.bootstrap.tpp.connection.url

Property deployment.config.bootstrap.tpp.connection.url
Type string
Default
""

The base URL of your Venafi TLS Protect Datacenter server.
For example:
https://tpp.example.internal

deployment.config.bootstrap.tpp.connection.clientID

Property deployment.config.bootstrap.tpp.connection.clientID
Type string
Default
firefly

The OAuth clientID (application integration) to authenticate with.

deployment.config.bootstrap.tpp.connection.usernamePassword.enabled

Property deployment.config.bootstrap.tpp.connection.usernamePassword.enabled
Type bool
Default
false

Enable username-password authentication.
You must put the credentials in a Secret with the name given by usernamePassword.name, in the same namespace as Firefly, with the following keys: username, password.

deployment.config.bootstrap.tpp.connection.usernamePassword.name

Property deployment.config.bootstrap.tpp.connection.usernamePassword.name
Type string
Default
""

Override the name of the username-password Secret. By default a Secret with the full chart name is assumed.
For example:
firefly-credentials

deployment.config.bootstrap.tpp.connection.serviceAccountToken.enabled

Property deployment.config.bootstrap.tpp.connection.serviceAccountToken.enabled
Type bool
Default
false

Enable JWT authentication using a Kubernetes ServiceAccount token.

deployment.config.bootstrap.tpp.connection.serviceAccountToken.audiences

Property deployment.config.bootstrap.tpp.connection.serviceAccountToken.audiences
Type array
Default
- tpp

Audiences are the intended audiences of the token. A recipient of a token must identify themselves with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed, but implies a high degree of trust between the target audiences.

deployment.config.bootstrap.tpp.csr.instanceNaming

Property deployment.config.bootstrap.tpp.csr.instanceNaming
Type string
Default
""

A name for the Firefly instance (should be unique). This, plus a suffix defined by the Control Plane SubCA provider, will be the common name of the Firefly CA certificate. Supports environment variable substitution using {ENV_VAR_NAME} syntax. If the specified environment variable is set (has a value), that value will be substituted.
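The {ENV_VAR_NAME} substitution described above decides what ends up in the CA certificate's common name, so it is worth seeing the edge case: a placeholder whose variable is absent. The function below is an added example, not the chart's or Firefly's own code; it reads "is set (has a value)" as set and non-empty, and leaves an unresolved placeholder verbatim rather than collapsing it to an empty segment, so the mistake stays visible in the resulting name. The env dict parameter exists only so the example runs deterministically; with it omitted the process environment is used.

```python
from __future__ import annotations

import os
import re

# Placeholder syntax from this page: {ENV_VAR_NAME}, restricted to valid variable names.
_PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def substitute_instance_name(template: str, env: dict[str, str] | None = None) -> str:
    """Expand {ENV_VAR_NAME} placeholders in an instanceNaming value.

    A placeholder is replaced only when the variable is set to a non-empty value
    (assumed reading of "is set (has a value)"); otherwise it is left untouched.
    """
    source = os.environ if env is None else env

    def _expand(match: re.Match) -> str:
        value = source.get(match.group(1), "")
        return value if value else match.group(0)

    return _PLACEHOLDER.sub(_expand, template)


def unresolved_placeholders(name: str) -> list[str]:
    """Variable names still present after substitution; non-empty means the
    pod lacked an environment variable the instance name depends on."""
    return _PLACEHOLDER.findall(name)


if __name__ == "__main__":
    # Constructed environment standing in for the Firefly pod's env.
    pod_env = {"CLUSTER_NAME": "prod-eu1", "POD_NAME": "firefly-0"}
    name = substitute_instance_name("firefly-{CLUSTER_NAME}-{POD_NAME}", pod_env)
    print(name, unresolved_placeholders(name))
```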

deployment.config.bootstrap.vaas.enabled

Property deployment.config.bootstrap.vaas.enabled
Type bool
Default
true

Set to true to bootstrap from VaaS.

deployment.config.bootstrap.vaas.clientID

Property deployment.config.bootstrap.vaas.clientID
Type unknown
Default
null

The client ID of your TLS Protect Cloud service account associated with the desired configuration.

deployment.config.bootstrap.vaas.url

Property deployment.config.bootstrap.vaas.url
Type string
Default
https://api.venafi.cloud

The Venafi TLS Protect Cloud API endpoint. Change this if your TLS Protect Cloud tenant is not in the United States.
For the EU use: https://api.venafi.eu

deployment.config.bootstrap.vaas.credentialsSecretName

Property deployment.config.bootstrap.vaas.credentialsSecretName
Type string
Default
venafi-credentials

Provide the name of the Secret containing the credentials of your TLS Protect Cloud service account. This is used when credentialsSecretEnabled is true.

deployment.config.bootstrap.vaas.credentialsSecretEnabled

Property deployment.config.bootstrap.vaas.credentialsSecretEnabled
Type bool
Default
true

By default a Secret is used to store the credentials for access to Venafi Cloud, but you can also use the CSI Secret Store Driver and disable the Kubernetes Secret. Setting this to false disables the use and mounting of the Kubernetes Secret in the Firefly Deployment.

deployment.config.policies

Property deployment.config.policies
Type array
Default

DevMode: Policies to be included in the config.
Only allowed when using a DevMode bootstrap method.

For example:

policies:
- name: Sample Policy
  validityPeriod: P7D
  keyAlgorithm:
    defaultValue: EC_P256
    allowedValues:
    - EC_P256
  keyUsages:
  - digitalSignature
  extendedKeyUsages:
  - ANY

deployment.config.controller.enabled

Property deployment.config.controller.enabled
Type bool
Default
true

Enable the Kubernetes Controller of Firefly to listen for cert-manager Certificates

deployment.config.controller.certManager.caRootChainPopulation

Property deployment.config.controller.certManager.caRootChainPopulation
Type bool
Default
false

Automatically populate the status.ca field with the CA information when set to true

deployment.config.controller.certManager.checkApproval

Property deployment.config.controller.certManager.checkApproval
Type bool
Default
true

Set to false if you want Firefly to issue CertificateRequest resources without waiting for them to be approved.

deployment.config.server.grpc.enabled

Property deployment.config.server.grpc.enabled
Type bool
Default
false

Enable the GRPC server of Firefly

deployment.config.server.grpc.port

Property deployment.config.server.grpc.port
Type number
Default
8081

Port of the GRPC server

deployment.config.server.grpc.ipAddress

Property deployment.config.server.grpc.ipAddress
Type string
Default
0.0.0.0

Interface that the GRPC Server will listen on

deployment.config.server.grpc.dnsNames

Property deployment.config.server.grpc.dnsNames
Type array
Default
[]

DNS Names that the GRPC Server will listen on

deployment.config.server.graphql.enabled

Property deployment.config.server.graphql.enabled
Type bool
Default
false

Enable the GraphQL server of Firefly.
DEPRECATED: GraphQL support will be removed in a future release of Firefly. We strongly recommend against enabling or relying on Firefly's GraphQL API; the REST and gRPC APIs provide the same functionality.

deployment.config.server.graphql.port

Property deployment.config.server.graphql.port
Type number
Default
8123

Port of the GraphQL server

deployment.config.server.graphql.ipAddress

Property deployment.config.server.graphql.ipAddress
Type string
Default
0.0.0.0

Interface that the GraphQL Server will listen on

deployment.config.server.graphql.dnsNames

Property deployment.config.server.graphql.dnsNames
Type array
Default
[]

DNS Names that the GraphQL Server will listen on

deployment.config.server.rest.enabled

Property deployment.config.server.rest.enabled
Type bool
Default
false

Enable the Rest server of Firefly

deployment.config.server.rest.port

Property deployment.config.server.rest.port
Type number
Default
8281

Port of the Rest server

deployment.config.server.rest.ipAddress

Property deployment.config.server.rest.ipAddress
Type string
Default
0.0.0.0

Interface that the Rest Server will listen on

deployment.config.server.rest.dnsNames

Property deployment.config.server.rest.dnsNames
Type array
Default
[]

DNS Names that the Rest Server will listen on

deployment.replicaCount

Property deployment.replicaCount
Type number
Default
2

A minimum of 2 is needed to achieve active-passive standby HA.

deployment.image

Property deployment.image
Type string
Default
registry.venafi.cloud/public/venafi-images/firefly

The Docker image repo.
Override image if you are using an on-prem image registry. Do not include a tag. Set deployment.imageDigest instead.

deployment.imageDigest

Property deployment.imageDigest
Type string
Default
REPLACE_WITH_IMAGE_DIGEST

The digest of the image.
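Because deployment.image must carry no tag and deployment.imageDigest ships as a placeholder, a values file can look complete while still not pinning the image. The helper below is an added example and not part of the chart: it composes the immutable repo@sha256:... reference the two values describe and rejects a tag or digest in deployment.image, the untouched REPLACE_WITH_IMAGE_DIGEST placeholder, and a malformed digest. The registry host "registry.internal:5000" and the digest values in the sample are constructed for the example.

```python
from __future__ import annotations

import re

# Placeholder shipped as the chart default, as shown on this page.
DIGEST_PLACEHOLDER = "REPLACE_WITH_IMAGE_DIGEST"
_SHA256_DIGEST = re.compile(r"sha256:[0-9a-f]{64}")


def image_reference(image: str, image_digest: str) -> str:
    """Return '<repo>@sha256:<hex>' for the given values, or raise ValueError.

    Only the last path segment is inspected for ':' so a registry port such as
    registry.internal:5000 is not mistaken for a tag.
    """
    repo = image.strip()
    if not repo:
        raise ValueError("deployment.image is empty")
    last_segment = repo.rsplit("/", 1)[-1]
    if ":" in last_segment or "@" in last_segment:
        raise ValueError(f"deployment.image must not include a tag or digest: {image!r}")
    if not image_digest or image_digest == DIGEST_PLACEHOLDER:
        raise ValueError("deployment.imageDigest is unset or still the placeholder")
    if not _SHA256_DIGEST.fullmatch(image_digest):
        raise ValueError(f"deployment.imageDigest is not a sha256 digest: {image_digest!r}")
    return f"{repo}@{image_digest}"


def is_pinned(image: str, image_digest: str) -> bool:
    """True when the pair yields a digest-pinned reference."""
    try:
        image_reference(image, image_digest)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed digest; a real one comes from the registry or the vendor's release notes.
    sample_digest = "sha256:" + "ab" * 32
    print(image_reference("registry.venafi.cloud/public/venafi-images/firefly", sample_digest))
    print(is_pinned("registry.venafi.cloud/public/venafi-images/firefly", DIGEST_PLACEHOLDER))
```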

deployment.imagePullPolicy

Property deployment.imagePullPolicy
Type string
Default
IfNotPresent

Override the image pullPolicy.

deployment.mlock

Property deployment.mlock
Type bool
Default
true

It is not recommended to disable mlock except for development or testing!

deployment.logLevel

Property deployment.logLevel
Type number
Default
2

Log level, from 1 to 5 (highest).

deployment.imagePullSecrets

Property deployment.imagePullSecrets
Type array
Default
[]

Set a list of image pull secrets

For example:
- name: jss-pull-secret

deployment.nodeSelector

Property deployment.nodeSelector
Type object
Default
{}

It is recommended to set a nodeSelector for resource isolation.

For example:

firefly-runner: "true"

deployment.securityContext

Property deployment.securityContext
Type object
Default
allowPrivilegeEscalation: false
capabilities:
  add:
    - IPC_LOCK
  drop:
    - ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

The default is the minimum security context to allow for the mlock operation.

deployment.resources

Property deployment.resources
Type object
Default
{}

We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'.

For example:

limits:
  cpu: 100m
  memory: 512Mi
requests:
  cpu: 100m
  memory: 512Mi

deployment.tolerations

Property deployment.tolerations
Type array
Default
[]

deployment.affinity

Property deployment.affinity
Type object
Default
{}

deployment.extraVolumes

Property deployment.extraVolumes
Type array
Default
[]

For example:

- name: ca-bundle-cert
  secret:
    secretName: <secret-name>

deployment.extraVolumeMounts

Property deployment.extraVolumeMounts
Type array
Default
[]

For example:

- mountPath: /etc/ssl/certs/
  name: ca-bundle-cert

deployment.metrics.enabled

Property deployment.metrics.enabled
Type bool
Default
true

Enable the metrics server.
If false, the metrics server will be disabled and the other metrics fields below will be ignored.

deployment.metrics.port

Property deployment.metrics.port
Type number
Default
9402

The TCP port for exposing Prometheus metrics on 0.0.0.0 on the HTTP path '/metrics'.

deployment.metrics.podmonitor.enabled

Property deployment.metrics.podmonitor.enabled
Type bool
Default
false

Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator. See https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor

deployment.metrics.podmonitor.namespace

Property deployment.metrics.podmonitor.namespace
Type string
Default

The namespace that the pod monitor should live in.
Defaults to the firefly namespace.

deployment.metrics.podmonitor.prometheusInstance

Property deployment.metrics.podmonitor.prometheusInstance
Type string
Default
default

Specifies the prometheus label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.

deployment.metrics.podmonitor.interval

Property deployment.metrics.podmonitor.interval
Type string
Default
60s

The interval to scrape metrics.

deployment.metrics.podmonitor.scrapeTimeout

Property deployment.metrics.podmonitor.scrapeTimeout
Type string
Default
30s

The timeout before a metrics scrape fails.

deployment.metrics.podmonitor.labels

Property deployment.metrics.podmonitor.labels
Type object
Default
{}

Additional labels to add to the PodMonitor.

deployment.metrics.podmonitor.annotations

Property deployment.metrics.podmonitor.annotations
Type object
Default
{}

Additional annotations to add to the PodMonitor.

deployment.metrics.podmonitor.honorLabels

Property deployment.metrics.podmonitor.honorLabels
Type bool
Default
false

Keep labels from scraped data, overriding server-side labels.

deployment.metrics.podmonitor.endpointAdditionalProperties

Property deployment.metrics.podmonitor.endpointAdditionalProperties
Type object
Default
{}

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

endpointAdditionalProperties:
 relabelings:
 - action: replace
   sourceLabels:
   - __meta_kubernetes_pod_node_name
   targetLabel: instance

serviceAccount.annotations

Property serviceAccount.annotations
Type object
Default
{}

Set annotations on the Firefly Service Account.

service.type

Property service.type
Type string
Default
ClusterIP

Type of the Service

crd.enabled

Property crd.enabled
Type bool
Default
true

Installs the CRD in the cluster. Required to enable Firefly with the given group.

crd.groupName

Property crd.groupName
Type string
Default
firefly.venafi.com

Group name of the issuer.

crd.approver.enabled

Property crd.approver.enabled
Type bool
Default
true

Enable or disable the creation of a ClusterRole and ClusterRoleBinding to allow an approver to approve CertificateRequest resources which use the Firefly issuer group name.

crd.approver.subject.kind

Property crd.approver.subject.kind
Type string
Default
ServiceAccount

crd.approver.subject.namespace

Property crd.approver.subject.namespace
Type string
Default
cert-manager

crd.approver.subject.name

Property crd.approver.subject.name
Type string
Default
cert-manager-approver-policy

overrideSignerSubject

Property overrideSignerSubject
Type object
Default
{}

Optional subject to assign permissions to sign Firefly CertificateRequests. This should be used when Firefly is running outside the cluster, and likely takes the identity of a Kubernetes User.

For example:

apiGroup: rbac.authorization.k8s.io
kind: User
name: firefly

openshift.securityContextConstraint.enabled

Property openshift.securityContextConstraint.enabled
Type string
Default
detect

Include RBAC to allow the DaemonSet to "use" the specified
SecurityContextConstraints.

This value can either be a boolean true or false, or the string "detect". If set to "detect" then the securityContextConstraint is automatically enabled for openshift installs.

openshift.securityContextConstraint.name

Property openshift.securityContextConstraint.name
Type string
Default
privileged

Name of the SecurityContextConstraints to create RBAC for.