# Venafi Kubernetes Agent Helm values

## metrics.enabled

Property | metrics.enabled |
---|---|
Type | bool |
Default | |

Enable the metrics server.
If false, the metrics server will be disabled and the other metrics fields below will be ignored.
## metrics.podmonitor.enabled

Property | metrics.podmonitor.enabled |
---|---|
Type | bool |
Default | |

Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator. See the Prometheus documentation.
## metrics.podmonitor.namespace

Property | metrics.podmonitor.namespace |
---|---|
Type | string |
Default | |

The namespace that the pod monitor should live in. Defaults to the `venafi-kubernetes-agent` namespace.
## metrics.podmonitor.prometheusInstance

Property | metrics.podmonitor.prometheusInstance |
---|---|
Type | string |
Default | |

Specifies the `prometheus` label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.
## metrics.podmonitor.interval

Property | metrics.podmonitor.interval |
---|---|
Type | string |
Default | |

The interval at which to scrape metrics.
## metrics.podmonitor.scrapeTimeout

Property | metrics.podmonitor.scrapeTimeout |
---|---|
Type | string |
Default | |

The timeout before a metrics scrape fails.
## metrics.podmonitor.labels

Property | metrics.podmonitor.labels |
---|---|
Type | object |
Default | |

Additional labels to add to the PodMonitor.
## metrics.podmonitor.annotations

Property | metrics.podmonitor.annotations |
---|---|
Type | object |
Default | |

Additional annotations to add to the PodMonitor.
## metrics.podmonitor.honorLabels

Property | metrics.podmonitor.honorLabels |
---|---|
Type | bool |
Default | |

Keep labels from scraped data, overriding server-side labels.
## metrics.podmonitor.endpointAdditionalProperties

Property | metrics.podmonitor.endpointAdditionalProperties |
---|---|
Type | object |
Default | |

`endpointAdditionalProperties` allows setting additional properties on the endpoint, such as `relabelings`, `metricRelabelings`, etc.

For example:

```yaml
endpointAdditionalProperties:
  relabelings:
    - action: replace
      sourceLabels:
        - __meta_kubernetes_pod_node_name
      targetLabel: instance
```
## replicaCount

Property | replicaCount |
---|---|
Type | number |
Default | |

Default replicas; do not scale up.
## image.repository

Property | image.repository |
---|---|
Type | string |
Default | |

The container image for the Venafi Enhanced Issuer manager.
## image.pullPolicy

Property | image.pullPolicy |
---|---|
Type | string |
Default | |

Kubernetes `imagePullPolicy` on the Deployment.
## image.tag

Property | image.tag |
---|---|
Type | string |
Default | |

Overrides the image tag, whose default is the chart `appVersion`.
## imagePullSecrets

Property | imagePullSecrets |
---|---|
Type | array |
Default | |

Specify image pull credentials if using a private registry. Example:

```yaml
- name: my-pull-secret
```
## nameOverride

Property | nameOverride |
---|---|
Type | string |
Default | |

Helm default setting to override the release name; usually leave blank.
## fullnameOverride

Property | fullnameOverride |
---|---|
Type | string |
Default | |

Helm default setting; use this to shorten the full install name.
## serviceAccount.create

Property | serviceAccount.create |
---|---|
Type | bool |
Default | |

Specifies whether a service account should be created.
## serviceAccount.annotations

Property | serviceAccount.annotations |
---|---|
Type | object |
Default | |

Annotations YAML to add to the service account.
## serviceAccount.name

Property | serviceAccount.name |
---|---|
Type | string |
Default | |

The name of the service account to use. If blank and `serviceAccount.create` is true, a name is generated using the fullname template of the release.
## podAnnotations

Property | podAnnotations |
---|---|
Type | object |
Default | |

Additional YAML annotations to add to the pod.
## podSecurityContext

Property | podSecurityContext |
---|---|
Type | object |
Default | |

Optional Pod (all containers) SecurityContext options; see the Kubernetes documentation.

Example:

```yaml
podSecurityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```
## http_proxy

Property | http_proxy |
---|---|
Type | string |
Default | |

Configures the `HTTP_PROXY` environment variable where an HTTP proxy is required.
## https_proxy

Property | https_proxy |
---|---|
Type | string |
Default | |

Configures the `HTTPS_PROXY` environment variable where an HTTP proxy is required.
## no_proxy

Property | no_proxy |
---|---|
Type | string |
Default | |

Configures the `NO_PROXY` environment variable where an HTTP proxy is required, but certain domains should be excluded.
## securityContext

Property | securityContext |
---|---|
Type | object |
Default | |

Add container-specific SecurityContext settings to the container. Takes precedence over `podSecurityContext` when set. See the Kubernetes documentation.
## resources

Property | resources |
---|---|
Type | object |
Default | |

Set resource requests and limits for the pod.
Read Venafi Kubernetes components deployment best practices to learn how to choose suitable CPU and memory resource requests and limits.
## nodeSelector

Property | nodeSelector |
---|---|
Type | object |
Default | |

Embed YAML for `nodeSelector` settings; see the Kubernetes documentation.
## tolerations

Property | tolerations |
---|---|
Type | array |
Default | |

Embed YAML for toleration settings; see the Kubernetes documentation.
## affinity

Property | affinity |
---|---|
Type | object |
Default | |

Embed YAML for Node affinity settings; see the Kubernetes documentation.
## command

Property | command |
---|---|
Type | array |
Default | |

Specify the command to run, overriding the default binary.
## extraArgs

Property | extraArgs |
---|---|
Type | array |
Default | |

Specify additional arguments to pass to the agent binary. For example, to enable JSON logging use `--logging-format`, or to increase the logging verbosity use `--log-level`.
The log levels are: 0=Info, 1=Debug, 2=Trace.
Use 6-9 for increasingly verbose HTTP request logging.
The default log level is 0.

Example:

```yaml
extraArgs:
  - --logging-format=json
  - --log-level=6 # To enable HTTP request logging
```
## volumes

Property | volumes |
---|---|
Type | array |
Default | |

Additional volumes to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. For example:

```yaml
volumes:
  - name: cabundle
    configMap:
      name: cabundle
      optional: false
      defaultMode: 0644
```

In order to create the ConfigMap, you can use the following command:

```shell
kubectl create configmap cabundle \
  --from-file=cabundle=./your/custom/ca/bundle.pem
```
## volumeMounts

Property | volumeMounts |
---|---|
Type | array |
Default | |

Additional volume mounts to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. Any PEM certificate mounted under `/etc/ssl/certs` will be loaded by the Venafi Kubernetes Agent. For example:

```yaml
volumeMounts:
  - name: cabundle
    mountPath: /etc/ssl/certs/cabundle
    subPath: cabundle
    readOnly: true
```
## authentication.secretName

Property | authentication.secretName |
---|---|
Type | string |
Default | |

The name of the secret containing the private key.
## authentication.secretKey

Property | authentication.secretKey |
---|---|
Type | string |
Default | |

The key name in the referenced secret.
## Venafi Connection

Configure VenafiConnection authentication.
## authentication.venafiConnection.enabled

Property | authentication.venafiConnection.enabled |
---|---|
Type | bool |
Default | |

When set to true, the Venafi Kubernetes Agent will authenticate to Venafi using the configuration in a VenafiConnection resource. Use `venafiConnection.enabled=true` for secretless authentication. When set to true, the `authentication.secret` values will be ignored and the Secret with `authentication.secretName` will not be mounted into the Venafi Kubernetes Agent Pod.
## authentication.venafiConnection.name

Property | authentication.venafiConnection.name |
---|---|
Type | string |
Default | |

The name of a VenafiConnection resource which contains the configuration for authenticating to Venafi.
## authentication.venafiConnection.namespace

Property | authentication.venafiConnection.namespace |
---|---|
Type | string |
Default | |

The namespace of a VenafiConnection resource which contains the configuration for authenticating to Venafi.
## config.server

Property | config.server |
---|---|
Type | string |
Default | |

API URL of the Venafi Control Plane API. For EU tenants, set this value to `https://api.eu.venafi.cloud`. For Australia tenants, set this value to `https://api.au.venafi.cloud`. If you are using the VenafiConnection authentication method, you must set the API URL using the field `spec.vcp.url` on the VenafiConnection resource instead.
## config.clientId

Property | config.clientId |
---|---|
Type | string |
Default | |

The client ID to be used for authenticating with the Venafi Control Plane. Only useful when using a Key Pair Service Account in the Venafi Control Plane. You can obtain the client ID by creating a Key Pair Service Account in the Venafi Control Plane.
## config.period

Property | config.period |
---|---|
Type | string |
Default | |

Send data back to the platform every minute unless changed.
## config.clusterName

Property | config.clusterName |
---|---|
Type | string |
Default | |

Name for the cluster resource if it needs to be created in Venafi Control Plane.
## config.clusterDescription

Property | config.clusterDescription |
---|---|
Type | string |
Default | |

Description for the cluster resource if it needs to be created in Venafi Control Plane.
## config.ignoredSecretTypes[0]

Property | config.ignoredSecretTypes[0] |
---|---|
Type | string |
Default | |

## config.ignoredSecretTypes[1]

Property | config.ignoredSecretTypes[1] |
---|---|
Type | string |
Default | |

## config.ignoredSecretTypes[2]

Property | config.ignoredSecretTypes[2] |
---|---|
Type | string |
Default | |

## config.ignoredSecretTypes[3]

Property | config.ignoredSecretTypes[3] |
---|---|
Type | string |
Default | |

## config.ignoredSecretTypes[4]

Property | config.ignoredSecretTypes[4] |
---|---|
Type | string |
Default | |

## config.ignoredSecretTypes[5]

Property | config.ignoredSecretTypes[5] |
---|---|
Type | string |
Default | |

## config.ignoredSecretTypes[6]

Property | config.ignoredSecretTypes[6] |
---|---|
Type | string |
Default | |
## config.excludeAnnotationKeysRegex

Property | config.excludeAnnotationKeysRegex |
---|---|
Type | array |
Default | |

You can configure Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected. The objects are still pushed, but the specified annotations and labels are removed before being sent to the Venafi Control Plane.
The dot is the only character that needs to be escaped in the regex. Use either double quotes with escaped single quotes or unquoted strings for the regex to avoid YAML parsing issues with `\.`.

Example:

```yaml
excludeAnnotationKeysRegex: ['^kapp\.k14s\.io/original.*']
```
## config.excludeLabelKeysRegex

Property | config.excludeLabelKeysRegex |
---|---|
Type | array |
Default | |
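To show what the `config.excludeAnnotationKeysRegex` and `config.excludeLabelKeysRegex` filters above do to a reported object, and why the dot must be escaped, here is an added example that is not part of the chart or the agent: it applies constructed patterns to constructed Secret metadata, using Python's `re` as an assumed approximation of the agent's Go regex matching.

```python
import re

# Constructed values, standing in for what a user would set under
# config.excludeAnnotationKeysRegex / config.excludeLabelKeysRegex.
EXCLUDE_ANNOTATION_KEYS_REGEX = [r"^kapp\.k14s\.io/original.*"]
EXCLUDE_LABEL_KEYS_REGEX = [r"^internal\.example\.com/.*"]  # hypothetical


def _compile(patterns):
    # The agent is written in Go (RE2 syntax); for patterns like these
    # Python's re behaves the same, so it is used here as an approximation.
    return [re.compile(p) for p in patterns]


def strip_excluded_keys(metadata, annotation_patterns, label_patterns):
    """Return a copy of an object's metadata with every annotation or label
    whose key matches one of the patterns removed. Only matching keys are
    dropped; the object itself would still be reported."""
    ann_re = _compile(annotation_patterns)
    lbl_re = _compile(label_patterns)
    out = dict(metadata)  # shallow copy: the caller's input is left intact
    out["annotations"] = {
        k: v for k, v in metadata.get("annotations", {}).items()
        if not any(r.search(k) for r in ann_re)
    }
    out["labels"] = {
        k: v for k, v in metadata.get("labels", {}).items()
        if not any(r.search(k) for r in lbl_re)
    }
    return out


def unescaped_dot_is_broader(escaped_pattern, unescaped_pattern, key):
    """True when only the unescaped pattern matches `key`: an unescaped '.'
    matches any character, so it can drop keys it was never meant to."""
    return (re.search(escaped_pattern, key) is None
            and re.search(unescaped_pattern, key) is not None)


# Constructed sample metadata of a Secret, as the agent might observe it.
SAMPLE_METADATA = {
    "name": "tls-cert",
    "namespace": "payments",
    "annotations": {
        "kapp.k14s.io/original": '{"apiVersion":"v1","kind":"Secret"}',
        "kapp.k14s.io/original-diff-md5": "abc123",  # constructed value
        "cert-manager.io/issuer-name": "prod-issuer",
    },
    "labels": {"app": "payments", "internal.example.com/owner": "team-a"},
}
```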
## config.configmap.name

Property | config.configmap.name |
---|---|
Type | unknown |
Default | |

## config.configmap.key

Property | config.configmap.key |
---|---|
Type | unknown |
Default | |
## podDisruptionBudget.enabled

Property | podDisruptionBudget.enabled |
---|---|
Type | bool |
Default | |

Enable or disable the PodDisruptionBudget resource, which helps prevent downtime during voluntary disruptions such as a Node upgrade.
## podDisruptionBudget.minAvailable

Property | podDisruptionBudget.minAvailable |
---|---|
Type | number |
Default | |

Configure the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if `maxUnavailable` is set.
## podDisruptionBudget.maxUnavailable

Property | podDisruptionBudget.maxUnavailable |
---|---|
Type | number |
Default | |

Configure the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if `minAvailable` is set.
## CRDs

The CRDs installed by this chart are annotated with `helm.sh/resource-policy: keep`, which prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to manually remove the remaining CRDs.
## crds.forceRemoveValidationAnnotations

Property | crds.forceRemoveValidationAnnotations |
---|---|
Type | bool |
Default | |

The `x-kubernetes-validations` annotation is not supported in Kubernetes 1.22 and below. This annotation is used by CEL, a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option forces the `x-kubernetes-validations` annotation to be excluded, even on Kubernetes 1.25+ clusters.
## crds.keep

Property | crds.keep |
---|---|
Type | bool |
Default | |

This option adds the `"helm.sh/resource-policy": keep` annotation to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled.
## crds.venafiConnection.include

Property | crds.venafiConnection.include |
---|---|
Type | bool |
Default | |

When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful when the Venafi Connection resources are already installed separately.