Venafi Kubernetes Agent Helm values¶

metrics.enabled¶

true

Enable the metrics server.
If false, the metrics server will be disabled and the other metrics fields below will be ignored.

metrics.podmonitor.enabled¶

false

Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator. See the Prometheus documentation.

metrics.podmonitor.namespace¶

The namespace that the pod monitor should live in. Defaults to the venafi-kubernetes-agent namespace.

metrics.podmonitor.prometheusInstance¶

default

Specifies the prometheus label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.

metrics.podmonitor.interval¶

60s

The interval to scrape metrics.

metrics.podmonitor.scrapeTimeout¶

30s

The timeout before a metrics scrape fails.

metrics.podmonitor.labels¶

{}

Additional labels to add to the PodMonitor.

metrics.podmonitor.annotations¶

{}

Additional annotations to add to the PodMonitor.

metrics.podmonitor.honorLabels¶

false

Keep labels from scraped data, overriding server-side labels.

metrics.podmonitor.endpointAdditionalProperties¶

{}

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

endpointAdditionalProperties:
 relabelings:
 - action: replace
   sourceLabels:
   - __meta_kubernetes_pod_node_name
   targetLabel: instance

replicaCount¶

1

Default replicas, do not scale up.

image.repository¶

registry.venafi.cloud/venafi-agent/venafi-agent

The container image for the Venafi Enhanced Issuer manager.

image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

image.tag¶

v0.0.0

Overrides the image tag whose default is the chart appVersion.

imagePullSecrets¶

[]

Specify image pull credentials if using a private registry. Example:
- name: my-pull-secret

nameOverride¶

""

Helm default setting to override release name, usually leave blank.

fullnameOverride¶

""

Helm default setting, use this to shorten the full install name.

serviceAccount.create¶

true

Specifies whether a service account should be created.

serviceAccount.annotations¶

{}

Annotations YAML to add to the service account.

serviceAccount.name¶

""

The name of the service account to use. If blank and serviceAccount.create is true, a name is generated using the fullname template of the release.

podAnnotations¶

{}

Additional YAML annotations to add the the pod.

podSecurityContext¶

{}

Optional Pod (all containers) SecurityContext options, see the Kubernetes documentation.

Example:

podSecurityContext

runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000

http_proxy¶

Configures the HTTP_PROXY environment variable where a HTTP proxy is required.

https_proxy¶

Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.

no_proxy¶

Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.

securityContext¶

allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Add Container specific SecurityContext settings to the container. Takes precedence over podSecurityContext when set. See the Kubernetes documentation.

resources¶

limits:
  memory: 500Mi
requests:
  cpu: 200m
  memory: 200Mi

Set resource requests and limits for the pod.

Read Venafi Kubernetes components deployment best practices to learn how to choose suitable CPU and memory resource requests and limits.

nodeSelector¶

{}

Embed YAML for nodeSelector settings, see the Kubernetes documentation/

tolerations¶

[]

Embed YAML for toleration settings, see the Kubernetes documentation.

affinity¶

{}

Embed YAML for Node affinity settings, see the Kubernetes documentation.

command¶

[]

Specify the command to run overriding default binary.

extraArgs¶

[]

Specify additional arguments to pass to the agent binary. For example, to enable JSON logging use --logging-format, or to increase the logging verbosity use --log-level.
The log levels are: 0=Info, 1=Debug, 2=Trace.
Use 6-9 for increasingly verbose HTTP request logging.
The default log level is 0.

Example:

extraArgs:
- --logging-format=json
- --log-level=6 # To enable HTTP request logging

volumes¶

[]

Additional volumes to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. For example:

volumes:
  - name: cabundle
    configMap:
      name: cabundle
      optional: false
      defaultMode: 0644

In order to create the ConfigMap, you can use the following command:

kubectl create configmap cabundle \  
  --from-file=cabundle=./your/custom/ca/bundle.pem

volumeMounts¶

[]

Additional volume mounts to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. Any PEM certificate mounted under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For

example:

volumeMounts:
  - name: cabundle
    mountPath: /etc/ssl/certs/cabundle
    subPath: cabundle
    readOnly: true

authentication.secretName¶

agent-credentials

The name of the secret containing the private key.

authentication.secretKey¶

privatekey.pem

The key name in the referenced secret.

Venafi Connection¶

Configure VenafiConnection authentication

authentication.venafiConnection.enabled¶

false

When set to true, the Venafi Kubernetes Agent will authenticate to. Venafi using the configuration in a VenafiConnection resource. Use venafiConnection.enabled=true for secretless authentication{:target="blank"}. When set to true, the authentication.secret values will be ignored and the. Secret with authentication.secretName will _not be mounted into the
Venafi Kubernetes Agent Pod.

authentication.venafiConnection.name¶

venafi-components

The name of a VenafiConnection resource which contains the configuration for authenticating to Venafi.

authentication.venafiConnection.namespace¶

venafi

The namespace of a VenafiConnection resource which contains the configuration for authenticating to Venafi.

config.server¶

https://api.venafi.cloud/

API URL of the Venafi Control Plane API. For EU tenants, set this value to https://api.eu.venafi.cloud. For Australia tenants, set this value to https://api.au.venafi.cloud. If you are using the VenafiConnection authentication method, you must set the API URL using the field spec.vcp.url on the VenafiConnection resource instead.

config.clientId¶

""

The client-id to be used for authenticating with the Venafi Control Plane. Only useful when using a Key Pair Service Account in the Venafi Control Plane. You can obtain the cliend ID by creating a Key Pair Service Account in the Venafi Control Plane.

config.period¶

0h1m0s

Send data back to the platform every minute unless changed.

config.clusterName¶

""

Name for the cluster resource if it needs to be created in Venafi Control
Plane.

config.clusterDescription¶

""

Description for the cluster resource if it needs to be created in Venafi Control Plane.

config.ignoredSecretTypes[0]¶

kubernetes.io/service-account-token

config.ignoredSecretTypes[1]¶

kubernetes.io/dockercfg

config.ignoredSecretTypes[2]¶

kubernetes.io/dockerconfigjson

config.ignoredSecretTypes[3]¶

kubernetes.io/basic-auth

config.ignoredSecretTypes[4]¶

kubernetes.io/ssh-auth

config.ignoredSecretTypes[5]¶

bootstrap.kubernetes.io/token

config.ignoredSecretTypes[6]¶

helm.sh/release.v1

config.excludeAnnotationKeysRegex¶

[]

You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.

Dots is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with \..

Example: excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']

config.excludeLabelKeysRegex¶

[]

config.configmap.name¶

null

config.configmap.key¶

null

podDisruptionBudget.enabled¶

false

Enable or disable the PodDisruptionBudget resource, which helps prevent downtime during voluntary disruptions such as during a Node upgrade.

podDisruptionBudget.minAvailable¶

Configure the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if maxUnavailable is set.

podDisruptionBudget.maxUnavailable¶

Configure the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if minAvailable is set.

CRDs¶

The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep", this prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to manually remove the remaining CRDs.

crds.forceRemoveValidationAnnotations¶

false

The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 and below. This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option allows to force the 'x-kubernetes-validations' annotation to be excluded, even on Kubernetes 1.25+ clusters.

crds.keep¶

false

This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled.

crds.venafiConnection.include¶

false

When set to false, the rendered output does not contain the. VenafiConnection CRDs and RBAC. This is useful for when the. Venafi Connection resources are already installed separately.