Workload Identity Manager Helm values¶

acceptTerms¶

null

REQUIRED: Set to true to indicate acceptance of CyberArk's
End User License Agreement.

fullnameOverride¶

Override the "firefly.fullname" value. This value is used as part of most of the names of the resources created by this Helm chart.

nameOverride¶

Override the "firefly.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name").

CRDs¶

The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep". This prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to remove the remaining CRDs manually.

crds.forceRemoveValidationAnnotations¶

false

The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 or earlier. This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option allows to force the 'x-kubernetes-validations' annotation to be excluded, even on Kubernetes 1.25+ clusters.

venafiConnection¶

venafiConnection.include¶

false

When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful for when the VenafiConnection CRDs are already installed separately. When true, you must set deployment.config.bootstrap.tpp.connection.create: false, because you can not install the VenafiConnection CRD and a VenafiConnection resource in the same chart.

venafiConnection.serviceAccountNamespace¶

The namespace in which the 'venafi-connection' service account lives. This is the service account that is used to create JWT tokens for SAs or read credential secrets. (defaults to the namespace in which the controller is running)

deployment.enabled¶

true

Toggle for running the Workload Identity Manager controller inside the kubernetes cluster as an in-cluster Certificate Authority (CA).

deployment.venafiClientID¶

DEPRECATED Use deployment.config.bootstrap.vaas.clientID instead.

deployment.venafiURL¶

DEPRECATED Use deployment.config.bootstrap.vaas.url instead.

deployment.venafiCredentialsSecretName¶

DEPRECATED Use deployment.config.bootstrap.vaas.credentialsSecretName instead

deployment.venafiCredentialsSecretEnabled¶

DEPRECATED Use deployment.config.bootstrap.vaas.credentialsSecretEnabled instead

deployment.config.bootstrap.selfSigned.enabled¶

false

Set to true, to bootstrap using a self-signed certificate.

deployment.config.bootstrap.selfSigned.csr.commonName¶

""

Set the common name of the self-signed certificate

deployment.config.bootstrap.tpp.enabled¶

false

Set to true, to bootstrap from Certificate Manager Self-Hosted server (formerly TPP).

deployment.config.bootstrap.tpp.configurationDN¶

""

The DN of the Workload Identity Manager configuration in Certificate Manager Self-Hosted server (formerly TPP).
For example:
firefly\us-west-1\service-mesh\firefly

deployment.config.bootstrap.tpp.connection.create¶

false

When set to true, the rendered output will include a VenafiConnection resource and some associated RBAC. These will be installed in the same namespace as Workload Identity Manager. This is useful for when the VenafiConnection CRDs have already been installed by another CyberArk component.
When true, you must set venafiConnection.include: false because the VenafiConnection CRD can not be installed in the same Helm chart as a VenafiConnection resource. When true, you must also supply url, and one of:
usernamePassword.enabled: true or serviceAccountToken.enabled: true.
When false, you only need fill in the name field. In this case you must manually create the VenafiConnection with the given name and associated RBAC. See https://docs.venafi.cloud/vaas/k8s-components/c-cfg-vc-auth/

deployment.config.bootstrap.tpp.connection.name¶

""

The name of a VenafiConnection resource in the same namespace as Workload Identity Manager. If create: true this name can be omitted and by default the chart name will be used. If create: false this name is a required field and you are responsible for creating the VenafiConnection resource and the associated RBAC.

deployment.config.bootstrap.tpp.connection.url¶

The base URL of your Certificate Manager Self-Hosted server (formerly TPP) server
For example:
https://tpp.example.internal

deployment.config.bootstrap.tpp.connection.clientID¶

The OAuth clientID (application integration) to authenticate with.

deployment.config.bootstrap.tpp.connection.usernamePassword.enabled¶

Enable username-password authentication.
You must put the credentials in a Secret called name, in the same namespace as Workload Identity Manager, with the following keys: username, password.

deployment.config.bootstrap.tpp.connection.usernamePassword.name¶

Override the name of the username-password Secret. By default a Secret with the full chart name is assumed.
For example:
firefly-credentials

deployment.config.bootstrap.tpp.connection.serviceAccountToken.enabled¶

Enable JWT authentication using a Kubernetes ServiceAcccount token.

deployment.config.bootstrap.tpp.connection.serviceAccountToken.audiences¶

Audiences are the intendend audiences of the token. A recipient of a token must identify themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.

deployment.config.bootstrap.tpp.csr.instanceNaming¶

A name for the Workload Identity Manager instance (should be unique). This, plus a suffix defined by the Certificate Manager SubCA provider, will be the common name of the Workload Identity Manager CA certificate. Supports environment variable substitution using {ENV_VAR_NAME} syntax. If the specified environment variable is set (has a value), that value will be substituted.

deployment.config.bootstrap.vaas.enabled¶

Set to true, to bootstrap from VaaS.

deployment.config.bootstrap.vaas.clientID¶

The ClientID of a your Certificate Manager, SaaS service account associated with the desired configuration.

deployment.config.bootstrap.vaas.url¶

The Certificate Manager, SaaS API endpoint. Change this if your Certificate Manager, SaaS tenant is not in the United States.
For the EU use: https://api.venafi.eu

deployment.config.bootstrap.vaas.credentialsSecretName¶

Provide the name of the Secret containing the credentials of your Certificate Manager, SaaS service account. This will be used when enableCredentialsSecret is true.

deployment.config.bootstrap.vaas.credentialsSecretEnabled¶

By default a secret is used to store the credentials for access to CyberArk Cloud, but you can also use the CSI Secret Store Driver and disable the Kubernetes Secret. This disables the usage and mounting of the Kubernetes Secret in the Workload Identity Manager deployment.

deployment.config.policies¶

DevMode: Policies to be included in the config.
Only allowed when using a DevMode bootstrap method.

For example:

yaml false2

deployment.config.controller.enabled¶

Enable the Kubernetes Controller of Workload Identity Manager to listen for cert-manager Certificates

deployment.config.controller.certManager.caRootChainPopulation¶

Automatically populate the status.ca field with the CA information when set to true

deployment.config.controller.certManager.checkApproval¶

Set to False if you want Workload Identity Manager to issue CertificateRequest resources without waiting for them to be approved.

deployment.config.server.grpc.enabled¶

Enable the GRPC server of Workload Identity Manager.

deployment.config.server.grpc.port¶

Port of the GRPC server

deployment.config.server.grpc.ipAddress¶

Interface that the GRPC Server will listen on

deployment.config.server.grpc.dnsNames¶

DNS Names that the GRPC Server will listen on

deployment.config.server.rest.enabled¶

Enable the Rest server of Workload Identity Manager.

deployment.config.server.rest.port¶

Port of the Rest server

deployment.config.server.rest.ipAddress¶

Interface that the Rest Server will listen on

deployment.config.server.rest.dnsNames¶

DNS Names that the Rest Server will listen on

deployment.replicaCount¶

A Minimum of 2 is needed to achieve active-passive standby HA.

deployment.image¶

The Docker image repo.
Override image if you are using an on-prem image registry. Do not include a tag. Set deployment.imageDigest instead.

deployment.imageDigest¶

The digest of the image.

deployment.imagePullPolicy¶

Override the image pullPolicy.

deployment.mlock¶

It is not recommended to disable mlock except for development or testing!

deployment.logLevel¶

Log level. 0=Info, 1=Debug, 2=Trace. Use 6-9 for increasingly verbose HTTP request logging.

deployment.logFormat¶

Log format, either 'text' or 'json'.

deployment.imagePullSecrets¶

Set a list of image pull secrets

For example:
- name: jss-pull-secret

deployment.nodeSelector¶

It is recommended to set a nodeSelector for resource isolation.

For example:

yaml false3

deployment.resources¶

We usually recommend not to specify default resources and to leave this as a conscious choice for the user. This also increases chances charts run on environments with little resources, such as Minikube. If you do want to specify resources, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'resources:'.

For example:

yaml false5

deployment.tolerations¶

deployment.affinity¶

deployment.extraVolumes¶

For example:
- name: ca-bundle-cert

yaml false9

deployment.extraVolumeMounts¶

For example:
- mountPath: /etc/ssl/certs/

yaml ""1

deployment.extraEnv¶

Additional environment variables to add to the Pod.
For example:

yaml ""3

deployment.metrics.enabled¶

Enable the metrics server.
If false, the metrics server will be disabled and the other metrics fields below will be ignored.

deployment.metrics.port¶

The TCP port for exposing Prometheus metrics on 0.0.0.0 on the HTTP path '/metrics'.

deployment.metrics.podmonitor.enabled¶

Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator. See https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor

deployment.metrics.podmonitor.namespace¶

The namespace that the pod monitor should live in.
Defaults to the firefly namespace.

deployment.metrics.podmonitor.prometheusInstance¶

Specifies the prometheus label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.

deployment.metrics.podmonitor.interval¶

The interval to scrape metrics.

deployment.metrics.podmonitor.scrapeTimeout¶

The timeout before a metrics scrape fails.

deployment.metrics.podmonitor.labels¶

Additional labels to add to the PodMonitor.

deployment.metrics.podmonitor.annotations¶

Additional annotations to add to the PodMonitor.

deployment.metrics.podmonitor.honorLabels¶

Keep labels from scraped data, overriding server-side labels.

deployment.metrics.podmonitor.endpointAdditionalProperties¶

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

yaml false4

serviceAccount.annotations¶

Set annotations on the Workload Identity Manager Service Account.

service.type¶

Type of the Service

service.annotations¶

Optional additional annotations to add to the service.

crd.enabled¶

Installs the CRD in the cluster. Required to enable Workload Identity Manager with the given group.

crd.groupName¶

Group name of the issuer.

crd.approver.enabled¶

Enable or disable the creation of a ClusterRole and ClusterRoleBinding to allow an approver to approve CertificateRequest resources which use the Workload Identity Manager issuer group name.

crd.approver.subject.kind¶

crd.approver.subject.namespace¶

crd.approver.subject.name¶

overrideSignerSubject¶

Optional subject to assign permissions to sign Workload Identity Manager. CertificateRequests. This should be used when Workload Identity Manager is running outside the cluster, and likely takes the identity of a Kubernetes User.

For example:

yaml ""4

openshift.securityContextConstraint.enabled¶

Include RBAC to allow the DaemonSet to "use" the specified
SecurityContextConstraints.

This value can either be a boolean true or false, or the string "detect". If set to "detect" then the securityContextConstraint is automatically enabled for openshift installs.

openshift.securityContextConstraint.name¶

Name of the SecurityContextConstraints to create RBAC for.