Venafi Kubernetes Agent Helm values
metrics.enabled
Property | metrics.enabled |
Type | bool |
Default | |
Enable the metrics server.
If false, the metrics server will be disabled, and the other metrics fields below will be ignored.
metrics.podmonitor.enabled
Property | metrics.podmonitor.enabled |
Type | bool |
Default | |
Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator.
For more information, see the Prometheus Operator documentation.
metrics.podmonitor.namespace
Property | metrics.podmonitor.namespace |
Type | string |
Default | |
The namespace that the pod monitor should live in.
Defaults to the venafi-kubernetes-agent namespace.
metrics.podmonitor.prometheusInstance
Property | metrics.podmonitor.prometheusInstance |
Type | string |
Default | |
Specifies the prometheus label on the created PodMonitor.
This is used when different Prometheus instances have label selectors matching different PodMonitors.
metrics.podmonitor.interval
Property | metrics.podmonitor.interval |
Type | string |
Default | |
The interval at which Prometheus scrapes the metrics endpoint.
metrics.podmonitor.scrapeTimeout
Property | metrics.podmonitor.scrapeTimeout |
Type | string |
Default | |
The timeout before a metrics scrape fails.
metrics.podmonitor.labels
Property | metrics.podmonitor.labels |
Type | object |
Default | |
Additional labels to add to the PodMonitor.
metrics.podmonitor.annotations
Property | metrics.podmonitor.annotations |
Type | object |
Default | |
Additional annotations to add to the PodMonitor.
metrics.podmonitor.honorLabels
Property | metrics.podmonitor.honorLabels |
Type | bool |
Default | |
Keep labels from scraped data, overriding server-side labels. Leave this false unless you need it: with true, a scraped target can override Prometheus-assigned labels such as job and instance.
metrics.podmonitor.endpointAdditionalProperties
Property | metrics.podmonitor.endpointAdditionalProperties |
Type | object |
Default | |
Additional properties to set on the PodMonitor endpoint, such as relabelings and metricRelabelings.
For example:
endpointAdditionalProperties:
  relabelings:
    - action: replace
      sourceLabels:
        - __meta_kubernetes_pod_node_name
      targetLabel: instance
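A complete metrics section that combines the fields above, added here as an example and not taken from the chart's own documentation. The Prometheus instance label value (platform), the namespace, the 30s/10s timings, the extra team label and the metricRelabelings rule are assumptions chosen for illustration; the relabeling that sets instance from the node name is the one shown above.

```yaml
# Added example values.yaml fragment (not from the chart). Assumed: a Prometheus
# Operator instance whose podMonitorSelector matches prometheus=platform.
metrics:
  enabled: true
  podmonitor:
    enabled: true
    # Omit to create the PodMonitor in the agent's own namespace (assumed name).
    namespace: venafi
    # Value of the "prometheus" label on the PodMonitor (assumed value).
    prometheusInstance: platform
    interval: 30s
    # Must not exceed interval, or Prometheus rejects the generated scrape config.
    scrapeTimeout: 10s
    labels:
      team: platform-security      # assumed extra label
    annotations: {}
    # Keep false so target-supplied labels cannot override job/instance.
    honorLabels: false
    endpointAdditionalProperties:
      relabelings:
        - action: replace
          sourceLabels:
            - __meta_kubernetes_pod_node_name
          targetLabel: instance
      metricRelabelings:
        # Assumed example: drop Go garbage-collector series before storage.
        - action: drop
          sourceLabels: [__name__]
          regex: go_gc_.*
```

metrics.enabled must be true for any of the podmonitor fields to take effect; with it false the PodMonitor would point at a port that serves nothing.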
replicaCount
Property | replicaCount |
Type | number |
Default | |
Number of replicas. Leave at the default and do not scale the agent up.
image.repository
Property | image.repository |
Type | string |
Default | registry.venafi.cloud/venafi-agent/venafi-agent |
The image repository to pull the agent from; defaults to the Venafi registry.
image.pullPolicy
Property | image.pullPolicy |
Type | string |
Default | |
Image pull policy. Defaults to IfNotPresent, which only pulls the image if it is not already present on the node.
imagePullSecrets
Property | imagePullSecrets |
Type | array |
Default | |
Specify image pull credentials if using a private registry.
For example:
imagePullSecrets:
  - name: my-pull-secret
nameOverride
Property | nameOverride |
Type | string |
Default | |
Standard Helm setting that overrides the chart name used in generated resource names; usually left blank.
fullnameOverride
Property | fullnameOverride |
Type | string |
Default | |
Standard Helm setting that overrides the full generated name; use it to shorten resource names.
serviceAccount.create
Property | serviceAccount.create |
Type | bool |
Default | |
Specifies whether a service account should be created.
serviceAccount.annotations
Property | serviceAccount.annotations |
Type | object |
Default | |
Annotations YAML to add to the service account.
serviceAccount.name
Property | serviceAccount.name |
Type | string |
Default | |
The name of the service account to use.
If blank and serviceAccount.create is true, a name is generated using the fullname template of the release.
podAnnotations
Property | podAnnotations |
Type | object |
Default | |
Additional YAML annotations to add to the pod.
podSecurityContext
Property | podSecurityContext |
Type | object |
Default | |
Optional Pod (all containers) SecurityContext options. For more information, see Set the security context for a Pod.
http_proxy
Property | http_proxy |
Type | string |
Default | |
Configures the HTTP_PROXY environment variable where an HTTP proxy is required.
https_proxy
Property | https_proxy |
Type | string |
Default | |
Configures the HTTPS_PROXY environment variable where an HTTP proxy is required for HTTPS connections.
no_proxy
Property | no_proxy |
Type | string |
Default | |
Configures the NO_PROXY environment variable where an HTTP proxy is required but certain hosts or domains should bypass it.
securityContext.capabilities.drop[0]
Property | securityContext.capabilities.drop[0] |
Type | string |
Default | |
Linux capability to drop from the agent container (first entry of the capabilities.drop list).
securityContext.readOnlyRootFilesystem
Property | securityContext.readOnlyRootFilesystem |
Type | bool |
Default | |
Mount the container's root filesystem read-only.
securityContext.runAsNonRoot
Property | securityContext.runAsNonRoot |
Type | bool |
Default | |
Refuse to start the container if it would run as UID 0.
resources.requests.memory
Property | resources.requests.memory |
Type | string |
Default | |
Memory requested for the agent container.
resources.requests.cpu
Property | resources.requests.cpu |
Type | string |
Default | |
CPU requested for the agent container.
resources.limits.memory
Property | resources.limits.memory |
Type | string |
Default | |
Memory limit for the agent container.
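A least-privilege container security context together with a resource envelope and the single-replica setting, added as an example rather than taken from the chart. The page lists these keys without defaults; the values below (drop ALL, read-only root filesystem, non-root) are the usual baseline for an agent that only reads the Kubernetes API and talks outbound to Venafi, and the resource sizes are assumptions to be tuned from observed usage.

```yaml
# Added example values.yaml fragment (not from the chart). Resource sizes are
# assumptions; measure the agent's usage on your cluster and adjust them.
replicaCount: 1            # the agent is single-instance; do not scale up

securityContext:
  capabilities:
    drop:
      - ALL                # an unprivileged network client needs no capability
  readOnlyRootFilesystem: true   # a CA bundle mounted under /etc/ssl/certs still works
  runAsNonRoot: true

resources:
  requests:
    memory: 256Mi
    cpu: 100m
  limits:
    # Memory limit only, matching the keys this chart documents: a memory
    # limit bounds a leak, while a CPU limit would merely throttle large scans.
    memory: 512Mi
```

If the image's runtime user is not fixed to a non-zero UID, runAsNonRoot: true makes the kubelet refuse to start the container, which is the intended fail-closed behaviour.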
nodeSelector
Property | nodeSelector |
Type | object |
Default | |
Embed YAML for nodeSelector settings. For more information, see Assign Pods to Nodes.
tolerations
Property | tolerations |
Type | array |
Default | |
Embed YAML for toleration settings. For more information, see Taints and Tolerations.
affinity
Property | affinity |
Type | object |
Default | |
Embed YAML for Node affinity settings. For more information, see Assign Pods using Node Affinity.
command
Property | command |
Type | array |
Default | |
Specify the command to run overriding default binary.
extraArgs
Property | extraArgs |
Type | array |
Default | |
Specify additional arguments to pass to the agent binary.
For example: ["--strict", "--oneshot"]
volumes
Property | volumes |
Type | array |
Default | |
Additional volumes to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. For example:
volumes:
  - name: cabundle
    configMap:
      name: cabundle
      optional: false
      defaultMode: 0644
To create the ConfigMap, you can use the following command:
kubectl create configmap cabundle \
  --from-file=cabundle=./your/custom/ca/bundle.pem
volumeMounts
Property | volumeMounts |
Type | array |
Default | |
Additional volume mounts to add to the Venafi Kubernetes Agent container.
This is useful for mounting a custom CA bundle. Any PEM certificate mounted under /etc/ssl/certs will be loaded by the Venafi Kubernetes Agent. For example:
volumeMounts:
  - name: cabundle
    mountPath: /etc/ssl/certs/cabundle
    subPath: cabundle
    readOnly: true
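The custom CA bundle and the proxy settings usually go together: a TLS-inspecting egress proxy re-signs connections with an internal CA, so the agent has to be routed through the proxy (http_proxy, https_proxy, no_proxy above) and also trust that CA (volumes and volumeMounts above). The following fragment, added as an example and not part of the chart, combines the two. The proxy address, the CIDR and domain entries in no_proxy, and the ConfigMap name cabundle (created with the kubectl command shown above) are assumptions.

```yaml
# Added example values.yaml fragment (not from the chart).
# Assumed: an egress proxy at proxy.corp.example:3128 that re-signs TLS with an
# internal CA, and a ConfigMap "cabundle" created from that CA's PEM file.
http_proxy: http://proxy.corp.example:3128
https_proxy: http://proxy.corp.example:3128
# Keep the API server and in-cluster names off the proxy so control-plane
# traffic never leaves the cluster. The CIDR is illustrative; use your own.
no_proxy: localhost,127.0.0.1,kubernetes.default.svc,.svc,.cluster.local,10.0.0.0/8

volumes:
  - name: cabundle
    configMap:
      name: cabundle
      optional: false       # fail the Pod rather than start without the CA
      defaultMode: 0444     # read-only is sufficient; nothing writes the bundle

volumeMounts:
  - name: cabundle
    # Any PEM file under /etc/ssl/certs is loaded by the agent, so the bundle is
    # mounted as one extra file there, leaving the image's own CA store intact.
    mountPath: /etc/ssl/certs/cabundle
    subPath: cabundle
    readOnly: true
```

Because the mount uses subPath, a later change to the ConfigMap is not propagated into a running Pod; restart the agent after rotating the bundle. Keep the bundle to the proxy's signing CA only, since every CA placed under /etc/ssl/certs is trusted for the agent's connection to the Venafi API.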
authentication.secretName
Property | authentication.secretName |
Type | string |
Default | |
Name of the Kubernetes Secret containing the private key of the Key Pair Service Account.
authentication.secretKey
Property | authentication.secretKey |
Type | string |
Default | |
Key within the referenced Secret that holds the private key.
Venafi Connection
Configure VenafiConnection authentication
authentication.venafiConnection.enabled
Property | authentication.venafiConnection.enabled |
Type | bool |
Default | |
When set to true, the Venafi Kubernetes Agent authenticates to Venafi using the configuration in a VenafiConnection resource. Use this for secretless authentication. When true, the authentication.secretName and authentication.secretKey values are ignored, and the Secret named by authentication.secretName is not mounted into the Venafi Kubernetes Agent Pod.
authentication.venafiConnection.name
Property | authentication.venafiConnection.name |
Type | string |
Default | |
The name of a VenafiConnection resource which contains the configuration
for authenticating to Venafi.
authentication.venafiConnection.namespace
Property | authentication.venafiConnection.namespace |
Type | string |
Default | |
The namespace of a VenafiConnection resource which contains the
configuration for authenticating to Venafi.
config.server
Property | config.server |
Type | string |
Default | https://api.venafi.cloud/
|
API URL of the Venafi Control Plane API. For EU tenants, set this value to https://api.venafi.eu/. If you are using the VenafiConnection authentication method, you must set the API URL in the spec.vcp.url field on the VenafiConnection resource instead.
config.clientId
Property | config.clientId |
Type | string |
Default | |
The client ID used to authenticate with the Venafi Control Plane. Only relevant when using a Key Pair Service Account. You obtain the client ID when creating the Key Pair Service Account in the Venafi Control Plane.
config.period
Property | config.period |
Type | string |
Default | |
How often the agent sends data back to the platform. Defaults to every minute.
config.clusterName
Property | config.clusterName |
Type | string |
Default | |
Name for the cluster resource if it needs to be created in Venafi Control Plane.
config.clusterDescription
Property | config.clusterDescription |
Type | string |
Default | |
Description for the cluster resource if it needs to be created in Venafi Control Plane.
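The two ways of wiring authentication to the config.* fields above, added as an example and not taken from the chart's documentation. Option A uses a Key Pair Service Account: the private key sits in a Secret referenced by authentication.secretName and authentication.secretKey, and the matching client ID goes in config.clientId. Option B delegates to a VenafiConnection, in which case the API URL is set in that resource's spec.vcp.url rather than in config.server. The Secret name, the key name privatekey.pem, the client ID placeholder, the cluster name and description, the VenafiConnection name and namespace, and the 1m duration format for config.period are all assumptions.

```yaml
# Added example (not from the chart). Option A: Key Pair Service Account.
# Assumed: the Secret was created beforehand with
#   kubectl create secret generic venafi-agent-key \
#     --from-file=privatekey.pem=./service-account-private-key.pem
authentication:
  secretName: venafi-agent-key
  secretKey: privatekey.pem
config:
  # EU tenants use https://api.venafi.eu/ instead.
  server: https://api.venafi.cloud/
  # Client ID issued with the Key Pair Service Account (placeholder value).
  clientId: 00000000-0000-0000-0000-000000000000
  period: 1m                        # assumed duration format; default is every minute
  clusterName: prod-eu-west-1       # used only if the cluster resource must be created
  clusterDescription: "Production cluster, EU West 1"
---
# Option B: secretless authentication through a VenafiConnection resource.
# No private-key Secret is referenced or mounted in this mode, and the API URL
# is taken from the resource's spec.vcp.url instead of config.server.
authentication:
  venafiConnection:
    enabled: true
    name: venafi-control-plane      # assumed resource name
    namespace: venafi               # assumed resource namespace
config:
  clusterName: prod-eu-west-1
  clusterDescription: "Production cluster, EU West 1"
```

With Option A, restrict read access to the venafi-agent-key Secret with RBAC, since anyone who can read it holds the service account's long-lived signing key; Option B removes that key from the agent's namespace entirely, which is why it is the preferred mode where a VenafiConnection is available.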
config.ignoredSecretTypes[0]
Property | config.ignoredSecretTypes[0] |
Type | string |
Default | kubernetes.io/service-account-token |
Kubernetes Secret types that the agent skips when scanning the cluster, one list entry per index.
config.ignoredSecretTypes[1]
Property | config.ignoredSecretTypes[1] |
Type | string |
Default | |
config.ignoredSecretTypes[2]
Property | config.ignoredSecretTypes[2] |
Type | string |
Default | kubernetes.io/dockerconfigjson |
config.ignoredSecretTypes[3]
Property | config.ignoredSecretTypes[3] |
Type | string |
Default | |
config.ignoredSecretTypes[4]
Property | config.ignoredSecretTypes[4] |
Type | string |
Default | |
config.ignoredSecretTypes[5]
Property | config.ignoredSecretTypes[5] |
Type | string |
Default | bootstrap.kubernetes.io/token |
config.ignoredSecretTypes[6]
Property | config.ignoredSecretTypes[6] |
Type | string |
Default | |
config.configmap.name
Property | config.configmap.name |
Type | unknown |
Default | |
config.configmap.key
Property | config.configmap.key |
Type | unknown |
Default | |
podDisruptionBudget.enabled
Property | podDisruptionBudget.enabled |
Type | bool |
Default | |
Enable or disable the PodDisruptionBudget resource, which helps prevent downtime
during voluntary disruptions such as a Node upgrade.
CRDs
The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep", which prevents Helm from accidentally removing them when this chart is deleted. After deleting the installed chart, the user still has to remove the remaining CRDs manually.
crds.forceRemoveValidationAnnotations
Property | crds.forceRemoveValidationAnnotations |
Type | bool |
Default | |
The 'x-kubernetes-validations' schema extension is not supported in Kubernetes 1.22 and below.
It carries CEL validation rules, a feature enabled by default from Kubernetes 1.25 that improves how CRD validation is performed. This option forces the 'x-kubernetes-validations' extension to be excluded from the installed CRDs, even on Kubernetes 1.25+ clusters.
crds.venafiConnection.include
Property | crds.venafiConnection.include |
Type | bool |
Default | |
Whether to include the VenafiConnection CRD among the CRDs installed by this chart.