Deployment and Operations


Configuring Cloudentity Helm Charts

Learn how to configure Cloudentity Helm Charts and apply changes to your deployments.

Applying Changes to Cloudentity Helm Charts Configuration

There are two ways to apply changes to the configuration:

  • Specify each parameter with the --set key=value[,key=value] argument to the helm install or helm upgrade command.

    Example

    helm install my-release --set certManager.enabled=true acp/acp
    
  • Provide a YAML file that overrides the default parameter values when installing the chart.

    Example

    Create a myvalues.yaml file:

    certManager:
      enabled: true
    
    helm install myrelease -f myvalues.yaml acp/acp
    

Result

cert-manager has been enabled in Cloudentity and is ready to be used.

Generic configuration

  • Resources define the compute resources available to a pod and are also required for autoscaling. If no limits are specified, the pod can use all resources available on a node. Setting a CPU limit is not recommended unless you use an integer value that assigns full vCPUs, because fractional limits throttle the container. CPU consumption depends heavily on the number of incoming requests, while memory usage is more static. The example below is a good starting point for your deployment.

    Example

    resources:
      requests:
        cpu: 500m
        memory: 1.2Gi
      limits:
        memory: 2Gi
    
  • Affinity allows you to control pod scheduling based on the labels of other pods or nodes. Cloudentity is highly efficient, and running more than one instance on the same node is not recommended, as this can degrade performance when no CPU limit is set. The example below forces one Cloudentity instance per host.

    Example

    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/instance: acp
                app.kubernetes.io/name: acp-primary
            topologyKey: kubernetes.io/hostname
    
  • Topology Spread Constraints spread pods across a topology domain such as a cloud provider zone. For high availability, Cloudentity should be spread across multiple zones as well as across hosts within the same zone. The example below defines a soft requirement for zone spread with a maximum difference of 1 pod between zones.

    Example

    topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/instance: acp
            app.kubernetes.io/name: acp
        maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: ScheduleAnyway
    
  • A Pod Disruption Budget makes pods resilient to voluntary (application update) and involuntary (hardware failure) disruptions. It defines the minimum number of pods that must be running at any time. The example below states that Cloudentity should never be taken below 50% of the desired replicas.

    Example

    podDisruptionBudget:
      minAvailable: 50%
    

Cloudentity Helm Chart Configuration Reference

Source: values.yaml

## ACP image parameters
##
image:
  ## Image repository
  ##
  repository: docker.cloudentity.io/acp

  ## Image pull policy
  ##
  pullPolicy: IfNotPresent

  ## Image tag (immutable tags are recommended)
  ##
  tag:

## Global Docker registry secret names as an array
##
imagePullSecrets:
  - name: docker.cloudentity.io

## Public ACP URL
##
serverURL: "https://acp.local:8443"

## Public ACP URL for Ingress working in mTLS
##
serverURLMtls: "https://mtls.acp.local:8443"

## String to partially override acp.name
##
# nameOverride: ""

## String to fully override acp.fullname
##
# fullnameOverride: ""

## Additional labels to apply to all Kubernetes resources created by this chart.
##
labels: {}

## Define serviceAccount
##
serviceAccount:
  ## Specifies whether a service account should be created
  ##
  create: true

  ## Annotations to add to the service account
  ##
  annotations: {}

  ## The name of the service account to use.
  ## If not set and create is true, a name is generated using the fullname template
  # name: ""

## Array with container arguments to add to the ACP container
##
args:
  - server
  - start
  - --demo
  - --metrics
  - --create-default-tenant
  - --create-default-workspaces

## Enables custom config
##
# configPath:

## Array with environment variables to add to the ACP container
##
# env: []

## Define service
##
service:
  ## ACP service type
  ##
  type: ClusterIP

## Define ingress
##
ingress:
  ## Enables the Ingress for ACP
  ##
  enabled: true

  ## Name of the ingress class
  ##
  ingressClassName: nginx

  ## Ingress additional custom annotations
  ##
  customAnnotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"

  ## Ingress hostnames with paths
  ##
  hosts:
    - host: acp.local
      paths:
        - path: /
          pathType: ImplementationSpecific

  ## Ingress TLS configuration
  ## Secrets must be manually created in the namespace
  ## or automatically using `tlsSecrets` variable
  ##
  tls: []
  # - secretName: ingress-tls
  #   hosts:
  #     - acp.acp-system

  ## Ingress TLS secrets
  ## List of certificates to be created for Ingress
  ##
  tlsSecrets: []
  # - name: ingress-tls
  #   cert: |
  #     -----BEGIN CERTIFICATE-----
  #
  #     -----END CERTIFICATE-----
  #   key: |
  #     -----BEGIN RSA PRIVATE KEY-----
  #
  #     -----END RSA PRIVATE KEY-----

ingressMtls:
  ## Enables mTLS Ingress for ACP
  ## This is an independent instance from the one above.
  ##
  enabled: false

  ## Name of the ingress class
  ##
  ingressClassName: nginx

  ## mTLS Ingress additional custom annotations
  ##
  customAnnotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"

  ## mTLS Ingress hostnames with paths
  ##
  hosts:
    - host: mtls.acp.local
      paths:
        - path: /
          pathType: ImplementationSpecific

  ## Ingress mTLS configuration
  ## Secrets must be manually created in the namespace
  ## or automatically using `tlsSecrets` variable
  ##
  tls: []
  # - secretName: ingress-mtls
  #   hosts:
  #     - mtls.acp.acp-system

  ## Ingress mTLS secrets
  ## List of certificates to be created for Ingress
  ##
  tlsSecrets:
  # - name: ingress-mtls
  #   cert: |
  #     -----BEGIN CERTIFICATE-----
  #
  #     -----END CERTIFICATE-----
  #   key: |
  #     -----BEGIN RSA PRIVATE KEY-----
  #
  #     -----END RSA PRIVATE KEY-----
  #   caCert: |
  #     -----BEGIN CERTIFICATE-----
  #     -----END CERTIFICATE-----

## ServiceMonitor configuration
##
serviceMonitor:
  ## Enables the ServiceMonitor integration
  ##
  enabled: false

  ## Define ServiceMonitor endpoint config
  ##
  endpointConfig: {}

## Deployment annotations
##
# annotations: {}

## Autoscaling parameters
##
autoscaling:
  ## Enable autoscaling
  ##
  enabled: false

  ## Define min replica count
  ##
  # minReplicas: 0

  ## Define max replica count
  ##
  # maxReplicas: 1

  ## The average CPU usage of all pods in a deployment
  ##
  # targetCPUUtilizationPercentage: ""

  ## The average memory usage of all pods in a deployment
  ##
  # targetMemoryUtilizationPercentage: ""

  ## Custom scaling behavior
  ##
  #  behavior: {}

## Number of ACP replicas to deploy
##
replicaCount: 1

## Pod annotations
##
# podAnnotations: {}

## ACP resource requests and limits
## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}

## ACP node selector
##
# nodeSelector: {}

## ACP pod affinity
##
# affinity: {}

## ACP pod tolerations
##
# tolerations: {}

## ACP pod topology spread constraints
##
# topologySpreadConstraints: {}

## ACP Pod disruption budget
##
# podDisruptionBudget: {}

## A security context defines privilege and access control settings for a Pod or Container
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
## Pod security context
##
podSecurityContext:
  fsGroup: 65535
  runAsNonRoot: true

## Container security context
##
containerSecurityContext:
  runAsUser: 65535
  runAsGroup: 65535
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

## ACP feature flags
## To enable a feature, enter its key-value pair, as in:
## https://docs.operations.cloudentity.com/reference/acp-configuration/
##
# features: {}

## Cert-manager configuration
##
certManager:
  ## Enables the cert-manager integration
  ##
  enabled: false

  ## The requested ‘duration’ (i.e. lifetime) of the Certificate
  ##
  duration: 2160h

  ## How long before the currently issued certificate’s expiry cert-manager should renew the certificate.
  ##
  renewBefore: 720h

  ## The Common Name (AKA CN) represents the server name protected by the SSL certificate
  ##
  # commonName:

  ## Options to control private keys used for the Certificate.
  ##
  privateKey:
    size: 2048
    algorithm: RSA

  ## extraNames is a list of DNS subjectAltNames to be set on the Certificate.
  ##
  extraNames: []

  ## IssuerRef is a reference to the issuer for this certificate
  ##
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer

## Disables TLS in ACP
##
tlsDisabled: false

## Migrate Job configuration
##
migrateJob:
  ## Enables the SQL migrate job
  ##
  enabled: false

  ## Enables custom config
  ##
  # configPath:

  ## The data should match acp configuration options
  ## https://docs.operations.cloudentity.com/reference/acp-configuration/
  ##
  config: {}

## Import Job configuration
##
importJob:
  ## Enables the import job
  ##
  enabled: false

  ## Enables custom config
  ##
  # configPath:

  ## Import mode (update, fail, ignore)
  ##
  mode: update

  ## Input file format: yaml or json
  ##
  format: yaml

  ## Path to the input file
  ##
  input: /import/seed.yaml

  ## Extra args for import command
  ##
  extraArgs: []

  ## The data should match import configuration endpoint request body
  ## https://docs.authorization.cloudentity.com/api/system/#operation/importConfiguration
  ##
  data:
    tenants: []
    servers: []
    clients: []

  ## ACP import job resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}

## Enable Default ACP config
##
config:
  create: true

  ## The data should match acp configuration options
  ## https://docs.operations.cloudentity.com/reference/acp-configuration/
  ##
  data:
  #  logging:
  #     level: debug

  ## Config name if create false
  ##
  # name:

## ACP config file from secret
##
secretConfig:
  ## Enable secret config
  ##
  create: true

  ## Secret name if create false
  ##
  # name:

  ## Secret annotations
  ##
  # annotations: {}

  ## The data should match acp configuration options
  ## https://docs.operations.cloudentity.com/reference/acp-configuration/
  ##
  data: {}
  #  system:
  #     secret: mysecret

## ACP http client configuration
##
# client:
  # rootCa: |
  #   -----BEGIN CERTIFICATE-----
  #
  #   -----END CERTIFICATE-----

## ACP certificate
##
certificate:
  ## If true certificate will be taken from files/ folder stored in this chart
  ## root folder.
  ##
  create: true

  ## Enable if want to take certificate and key from values instead of
  ## files/ folder
  ##
  # cert: |
  #   -----BEGIN CERTIFICATE-----
  #
  #   -----END CERTIFICATE-----
  #
  # key: |
  #   -----BEGIN RSA PRIVATE KEY-----
  #
  #   -----END RSA PRIVATE KEY-----

## SQL client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# sql: {}

## Redis client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# redis: {}

## Timescaledb client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# timescale: {}

## Workers chart configuration
## Worker nodes are used to create a separate ACP deployment for asynchronous job handling
##
workers:
  ## Enables worker nodes for ACP
  ##
  enabled: false

  ## Autoscaling parameters
  ##
  autoscaling:
    ## Enable autoscaling
    ##
    enabled: false

    ## Define min replica count
    ##
    # minReplicas: 0

    ## Define max replica count
    ##
    # maxReplicas: 1

    ## The average CPU usage of all pods in a deployment
    ##
    # targetCPUUtilizationPercentage: ""

    ## The average memory usage of all pods in a deployment
    ##
    # targetMemoryUtilizationPercentage: ""

    ## Custom scaling behavior
    ##
    #  behavior: {}

  ## Number of ACP workers replicas to deploy
  ##
  replicaCount: 1

  ## Define workers service
  ##
  service:
    ## Enables workers service for ACP
    ##
    enabled: false

    ## ACP workers service type
    ##
    type: ClusterIP

    ## Service annotations
    ##
    # annotations: {}

  ## ServiceMonitor configuration
  ##
  serviceMonitor:
    ## Enables workers ServiceMonitor integration
    ##
    enabled: false

    ## Define workers ServiceMonitor endpoint config
    ##
    endpointConfig: {}

  ## Deployment annotations
  ##
  # annotations: {}

  ## Pod annotations
  ##
  # podAnnotations: {}

  ## ACP workers resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}

  ## ACP workers node selector
  ##
  # nodeSelector: {}

  ## ACP workers pod affinity
  ##
  # affinity: {}

  ## ACP workers pod tolerations
  ##
  # tolerations: {}

  ## ACP workers pod topology spread constraints
  ##
  # topologySpreadConstraints: {}

  ## ACP workers Pod disruption budget
  ##
  # podDisruptionBudget: {}

## Fission chart configuration
##
fission:
  ## Enables the Fission for ACP
  ##
  enabled: false

  ## Define provider mode
  ##
  provider: fission

  ## Define namespace where the Fission Environment can be deployed
  ##
  namespace: acp-faas

  ## Define NetworkPolicy Egress rules for Fission deployment
  ##
  networkPolicy:
    ipBlock:
      cidr: 0.0.0.0/0
      except:
        - 10.0.0.0/8
        - 192.168.0.0/16
        - 172.16.0.0/20

  ## Pod security context
  ##
  podSecurityContext:
    fsGroup: 65535
    runAsUser: 65535
    runAsGroup: 65535
    runAsNonRoot: true
  
  ## Container security context
  ##
  containerSecurityContext:
    runAsUser: 65535
    runAsGroup: 65535
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL

  ## Annotations to add to the Environment resource created for Fission
  annotations: {}
  # cluster-autoscaler.kubernetes.io/safe-to-evict: "true"

  ## Define the pool size
  ##
  poolsize: 3

  ## Define docker images for Fission environments
  images:
    ## nodejs environment image
    node: docker.cloudentity.io/node-env:4
    ## rego environment image
    rego: docker.cloudentity.io/rego-env:5

  ## Specify a imagePullPolicy
  ##
  imagePullPolicy: IfNotPresent

  ## Docker registry secret name
  ##
  imagepullsecret: docker.cloudentity.io

  ## Affinity for pod assignment
  affinity: {}
  #   nodeAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       nodeSelectorTerms:
  #         - matchExpressions:
  #             - key: fission
  #               operator: In
  #               values:
  #                 - "true"

  ## Tolerations for pod assignment
  tolerations: []
  # - key: fission
  #   value: "true"
  #   effect: NoSchedule

  ## Pod resources definition
  resources: {}
  #   requests:
  #     cpu: 10m
  #     memory: 48Mi
  #   limits:
  #     cpu: 100m
  #     memory: 96Mi

  ## Fission function idle timeout
  ##
  idleTimeout: 3m0s
 
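The following added example (not part of Cloudentity's chart or documentation) lints a values override against the points made on this page: the hardened containerSecurityContext defaults in values.yaml above, the advice on resource requests and whole-vCPU CPU limits, and the per-host affinity and Pod Disruption Budget recommended for multi-replica deployments. The override is written as JSON, which Helm also accepts as a values file, so the check needs only the standard library; for a YAML override, load it with yaml.safe_load instead.

```python
"""Lint a Cloudentity Helm values override for settings that weaken the
chart's security defaults or ignore this page's sizing advice."""
import json
import re

# Chart defaults from values.yaml; an override must not weaken them.
HARDENED_CONTAINER_CONTEXT = {
    "runAsNonRoot": True,
    "privileged": False,
    "readOnlyRootFilesystem": True,
    "allowPrivilegeEscalation": False,
}

def cpu_is_whole_cores(cpu) -> bool:
    """True for '1', 2 (full vCPUs); False for '500m', '1.5' (throttled)."""
    return bool(re.fullmatch(r"[1-9][0-9]*", str(cpu)))

def lint_values(values: dict, prefix: str = "") -> list:
    """Findings for one deployment subtree (top-level ACP or workers)."""
    out = []
    if values.get("tlsDisabled") is True:
        out.append(f"{prefix}tlsDisabled=true disables TLS in ACP")
    csc = values.get("containerSecurityContext") or {}
    for key, expected in HARDENED_CONTAINER_CONTEXT.items():
        if key in csc and csc[key] != expected:
            out.append(f"{prefix}containerSecurityContext.{key}={csc[key]} weakens chart default {expected}")
    drop = (csc.get("capabilities") or {}).get("drop")
    if "capabilities" in csc and drop != ["ALL"]:
        out.append(f"{prefix}containerSecurityContext.capabilities.drop={drop}, chart default is [ALL]")
    res = values.get("resources") or {}
    if not res.get("requests"):
        out.append(f"{prefix}resources.requests missing: autoscaling cannot size the pod")
    cpu_limit = (res.get("limits") or {}).get("cpu")
    if cpu_limit is not None and not cpu_is_whole_cores(cpu_limit):
        out.append(f"{prefix}resources.limits.cpu={cpu_limit}: use whole vCPUs or no CPU limit")
    if values.get("replicaCount", 1) > 1:
        if not values.get("podDisruptionBudget"):
            out.append(f"{prefix}podDisruptionBudget missing for a multi-replica deployment")
        if not values.get("affinity"):
            out.append(f"{prefix}affinity missing: one instance per host is recommended")
    return out

def lint_override(values: dict) -> list:
    """Lint the ACP subtree and, when enabled, the workers subtree."""
    findings = lint_values(values)
    workers = values.get("workers") or {}
    if workers.get("enabled"):
        findings += lint_values(workers, prefix="workers.")
    return findings

# Constructed sample override (JSON is a valid Helm values file format).
SAMPLE_OVERRIDE = json.loads("""{"replicaCount": 3,
  "resources": {"requests": {"cpu": "500m", "memory": "1.2Gi"},
                "limits": {"cpu": "1500m", "memory": "2Gi"}},
  "containerSecurityContext": {"readOnlyRootFilesystem": false,
                               "capabilities": {"drop": ["ALL"]}},
  "workers": {"enabled": true, "replicaCount": 2,
              "resources": {"requests": {"cpu": "250m", "memory": "512Mi"}}}}""")

if __name__ == "__main__":
    for finding in lint_override(SAMPLE_OVERRIDE):
        print("WARN", finding)
```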
Updated: Jul 28, 2022