Reference: Venafi Kubernetes Agent Helm values
metrics.enabled
| Property | metrics.enabled |
| Type | bool |
| Default | |
Enable the metrics server.
If false, the metrics server will be disabled and the other metrics fields below will be ignored.
metrics.podmonitor.enabled
| Property | metrics.podmonitor.enabled |
| Type | bool |
| Default | |
Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator. See https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor
metrics.podmonitor.namespace
| Property | metrics.podmonitor.namespace |
| Type | string |
| Default | |
The namespace that the pod monitor should live in. Defaults to the venafi-kubernetes-agent namespace.
metrics.podmonitor.prometheusInstance
| Property | metrics.podmonitor.prometheusInstance |
| Type | string |
| Default | |
Specifies the prometheus label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.
metrics.podmonitor.interval
| Property | metrics.podmonitor.interval |
| Type | string |
| Default | |
The interval to scrape metrics.
metrics.podmonitor.scrapeTimeout
| Property | metrics.podmonitor.scrapeTimeout |
| Type | string |
| Default | |
The timeout before a metrics scrape fails.
metrics.podmonitor.labels
| Property | metrics.podmonitor.labels |
| Type | object |
| Default | |
Additional labels to add to the PodMonitor.
metrics.podmonitor.annotations
| Property | metrics.podmonitor.annotations |
| Type | object |
| Default | |
Additional annotations to add to the PodMonitor.
metrics.podmonitor.honorLabels
| Property | metrics.podmonitor.honorLabels |
| Type | bool |
| Default | |
Keep labels from scraped data, overriding server-side labels.
metrics.podmonitor.endpointAdditionalProperties
| Property | metrics.podmonitor.endpointAdditionalProperties |
| Type | object |
| Default | |
EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
For example:
endpointAdditionalProperties:
relabelings:
- action: replace
sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: instance
replicaCount
| Property | replicaCount |
| Type | number |
| Default | |
default replicas, do not scale up
image.repository
| Property | image.repository |
| Type | string |
| Default | registry.venafi.cloud/venafi-agent/venafi-agent
|
The container image for the Venafi Enhanced Issuer manager.
image.pullPolicy
| Property | image.pullPolicy |
| Type | string |
| Default | |
Kubernetes imagePullPolicy on Deployment.
image.tag
| Property | image.tag |
| Type | string |
| Default | |
Overrides the image tag whose default is the chart appVersion.
imagePullSecrets
| Property | imagePullSecrets |
| Type | array |
| Default | |
Specify image pull credentials if using a private registry. Example:
- name: my-pull-secret
nameOverride
| Property | nameOverride |
| Type | string |
| Default | |
Helm default setting to override release name, usually leave blank.
fullnameOverride
| Property | fullnameOverride |
| Type | string |
| Default | |
Helm default setting, use this to shorten the full install name.
serviceAccount.create
| Property | serviceAccount.create |
| Type | bool |
| Default | |
Specifies whether a service account should be created.
serviceAccount.annotations
| Property | serviceAccount.annotations |
| Type | object |
| Default | |
Annotations YAML to add to the service account.
serviceAccount.name
| Property | serviceAccount.name |
| Type | string |
| Default | |
The name of the service account to use. If blank and serviceAccount.create is true, a name is generated using the fullname template of the release.
podAnnotations
| Property | podAnnotations |
| Type | object |
| Default | |
Additional YAML annotations to add the the pod.
podSecurityContext
| Property | podSecurityContext |
| Type | object |
| Default | |
Optional Pod (all containers) SecurityContext options, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.
Example:
podSecurityContext
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
http_proxy
| Property | http_proxy |
| Type | string |
| Default | |
Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
https_proxy
| Property | https_proxy |
| Type | string |
| Default | |
Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
no_proxy
| Property | no_proxy |
| Type | string |
| Default | |
Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.
securityContext.capabilities.drop[0]
| Property | securityContext.capabilities.drop[0] |
| Type | string |
| Default | |
securityContext.readOnlyRootFilesystem
| Property | securityContext.readOnlyRootFilesystem |
| Type | bool |
| Default | |
securityContext.runAsNonRoot
| Property | securityContext.runAsNonRoot |
| Type | bool |
| Default | |
resources.requests.memory
| Property | resources.requests.memory |
| Type | string |
| Default | |
resources.requests.cpu
| Property | resources.requests.cpu |
| Type | string |
| Default | |
resources.limits.memory
| Property | resources.limits.memory |
| Type | string |
| Default | |
nodeSelector
| Property | nodeSelector |
| Type | object |
| Default | |
Embed YAML for nodeSelector settings, see
https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
tolerations
| Property | tolerations |
| Type | array |
| Default | |
Embed YAML for toleration settings, see
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
affinity
| Property | affinity |
| Type | object |
| Default | |
Embed YAML for Node affinity settings, see
https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/.
command
| Property | command |
| Type | array |
| Default | |
Specify the command to run overriding default binary.
| Property | extraArgs |
| Type | array |
| Default | |
Specify additional arguments to pass to the agent binary.
Example: ["--strict", "--oneshot"]
volumes
| Property | volumes |
| Type | array |
| Default | |
Additional volumes to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. For example:
volumes:
- name: cabundle
configMap:
name: cabundle
optional: false
defaultMode: 0644
In order to create the ConfigMap, you can use the following command:
kubectl create configmap cabundle \
--from-file=cabundle=./your/custom/ca/bundle.pem
volumeMounts
| Property | volumeMounts |
| Type | array |
| Default | |
Additional volume mounts to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. Any PEM certificate mounted under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For
volumeMounts:
- name: cabundle
mountPath: /etc/ssl/certs/cabundle
subPath: cabundle
readOnly: true
authentication.secretName
| Property | authentication.secretName |
| Type | string |
| Default | |
Name of the secret containing the private key
authentication.secretKey
| Property | authentication.secretKey |
| Type | string |
| Default | |
Key name in the referenced secret
Venafi Connection
Configure VenafiConnection authentication
authentication.venafiConnection.enabled
| Property | authentication.venafiConnection.enabled |
| Type | bool |
| Default | |
When set to true, the Venafi Kubernetes Agent will authenticate to. Venafi using the configuration in a VenafiConnection resource. Use venafiConnection.enabled=true for secretless authentication. When set to true, the authentication.secret values will be ignored and the. Secret with authentication.secretName will not be mounted into the
Venafi Kubernetes Agent Pod.
authentication.venafiConnection.name
| Property | authentication.venafiConnection.name |
| Type | string |
| Default | |
The name of a VenafiConnection resource which contains the configuration for authenticating to Venafi.
authentication.venafiConnection.namespace
| Property | authentication.venafiConnection.namespace |
| Type | string |
| Default | |
The namespace of a VenafiConnection resource which contains the configuration for authenticating to Venafi.
config.server
| Property | config.server |
| Type | string |
| Default | https://api.venafi.cloud/
|
API URL of the Venafi Control Plane API. For EU tenants, set this value to https://api.venafi.eu/. If you are using the VenafiConnection authentication method, you must set the API URL using the field spec.vcp.url on the
VenafiConnection resource instead.
config.clientId
| Property | config.clientId |
| Type | string |
| Default | |
The client-id to be used for authenticating with the Venafi Control. Plane. Only useful when using a Key Pair Service Account in the Venafi. Control Plane. You can obtain the cliend ID by creating a Key Pair Service
Account in the Venafi Control Plane.
config.period
| Property | config.period |
| Type | string |
| Default | |
Send data back to the platform every minute unless changed.
config.clusterName
| Property | config.clusterName |
| Type | string |
| Default | |
Name for the cluster resource if it needs to be created in Venafi Control
Plane.
config.clusterDescription
| Property | config.clusterDescription |
| Type | string |
| Default | |
Description for the cluster resource if it needs to be created in Venafi
Control Plane.
config.ignoredSecretTypes[0]
| Property | config.ignoredSecretTypes[0] |
| Type | string |
| Default | kubernetes.io/service-account-token
|
config.ignoredSecretTypes[1]
| Property | config.ignoredSecretTypes[1] |
| Type | string |
| Default | |
config.ignoredSecretTypes[2]
| Property | config.ignoredSecretTypes[2] |
| Type | string |
| Default | kubernetes.io/dockerconfigjson
|
config.ignoredSecretTypes[3]
| Property | config.ignoredSecretTypes[3] |
| Type | string |
| Default | |
config.ignoredSecretTypes[4]
| Property | config.ignoredSecretTypes[4] |
| Type | string |
| Default | |
config.ignoredSecretTypes[5]
| Property | config.ignoredSecretTypes[5] |
| Type | string |
| Default | bootstrap.kubernetes.io/token
|
config.ignoredSecretTypes[6]
| Property | config.ignoredSecretTypes[6] |
| Type | string |
| Default | |
config.configmap.name
| Property | config.configmap.name |
| Type | unknown |
| Default | |
config.configmap.key
| Property | config.configmap.key |
| Type | unknown |
| Default | |
podDisruptionBudget.enabled
| Property | podDisruptionBudget.enabled |
| Type | bool |
| Default | |
Enable or disable the PodDisruptionBudget resource, which helps prevent downtime during voluntary disruptions such as during a Node upgrade.
podDisruptionBudget.minAvailable
| Property | podDisruptionBudget.minAvailable |
| Type | number |
| Default | |
Configure the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if maxUnavailable is set.
podDisruptionBudget.maxUnavailable
| Property | podDisruptionBudget.maxUnavailable |
| Type | number |
| Default | |
Configure the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if minAvailable is set.
CRDs
The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep", this prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to manually remove the remaining CRDs.
crds.forceRemoveValidationAnnotations
| Property | crds.forceRemoveValidationAnnotations |
| Type | bool |
| Default | |
The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 and below. This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option allows to force the 'x-kubernetes-validations' annotation to be excluded, even on Kubernetes 1.25+ clusters.
crds.keep
| Property | crds.keep |
| Type | bool |
| Default | |
This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled.
crds.venafiConnection.include
| Property | crds.venafiConnection.include |
| Type | bool |
| Default | |
When set to false, the rendered output does not contain the. VenafiConnection CRDs and RBAC. This is useful for when the. Venafi Connection resources are already installed separately.