Gafaelfawr Helm values reference

Helm values reference table for the gafaelfawr application.

| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object |  | Affinity rules for the Gafaelfawr frontend pod |
| cloudsql.affinity | object |  | Affinity rules for the Cloud SQL Proxy pod |
| cloudsql.enabled | bool |  | Enable the Cloud SQL Auth Proxy, used with CloudSQL databases on Google Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as a separate service (behind a |
| cloudsql.image.pullPolicy | string |  | Pull policy for Cloud SQL Auth Proxy images |
| cloudsql.image.repository | string |  | Cloud SQL Auth Proxy image to use |
| cloudsql.image.tag | string |  | Cloud SQL Auth Proxy tag to use |
| cloudsql.instanceConnectionName | string | None, must be set if Cloud SQL Auth Proxy is enabled | Instance connection name for a CloudSQL PostgreSQL instance |
| cloudsql.nodeSelector | object |  | Node selection rules for the Cloud SQL Proxy pod |
| cloudsql.podAnnotations | object |  | Annotations for the Cloud SQL Proxy pod |
| cloudsql.resources | object |  | Resource limits and requests for the Cloud SQL Proxy pod |
| cloudsql.serviceAccount | string | None, must be set if Cloud SQL Auth Proxy is enabled | The Google service account that has an IAM binding to the |
| cloudsql.tolerations | list |  | Tolerations for the Cloud SQL Proxy pod |
| config.cilogon.clientId | string |  | CILogon client ID. One and only one of this, |
| config.cilogon.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP |
| config.cilogon.gidClaim | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) |
| config.cilogon.groupsClaim | string |  | Claim from which to get the group membership (only used if not retrieved from LDAP) |
| config.cilogon.loginParams | object |  | Additional parameters to add |
| config.cilogon.test | bool |  | Whether to use the test instance of CILogon |
| config.cilogon.uidClaim | string |  | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) |
| config.cilogon.usernameClaim | string |  | Claim from which to get the username |
| config.databaseUrl | string | None, must be set if | URL for the PostgreSQL database |
| config.errorFooter | string |  | HTML footer to add to any login error page (inside a tag). |
| config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. |
| config.github.clientId | string |  | GitHub client ID. One and only one of this, |
| config.groupMapping | object |  | Defines a mapping of scopes to groups that provide that scope. See DMTN-235 for more details on scopes. |
| config.initialAdmins | list |  | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. |
| config.knownScopes | object | See the | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. See DMTN-235. |
| config.ldap.addUserGroup | bool |  | Whether to synthesize a user private group for each user with a GID equal to their UID |
| config.ldap.emailAttr | string |  | Attribute containing the user’s email address |
| config.ldap.gidAttr | string | Use GID of user private group | Attribute containing the user’s primary GID (set to |
| config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user’s groups |
| config.ldap.groupMemberAttr | string |  | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. |
| config.ldap.groupObjectClass | string |  | Object class containing group information |
| config.ldap.nameAttr | string |  | Attribute containing the user’s full name |
| config.ldap.uidAttr | string | Get UID from upstream authentication provider | Attribute containing the user’s UID number (set to |
| config.ldap.url | string | Do not use LDAP | LDAP server URL from which to retrieve user group information |
| config.ldap.userBaseDn | string | Get user metadata from the upstream authentication provider | Base DN for the LDAP search to find a user’s entry |
| config.ldap.userDn | string | Use anonymous binds | Bind DN for simple bind authentication. If set, |
| config.ldap.userSearchAttr | string |  | Search attribute containing the user’s username |
| config.loglevel | string |  | Choose from the text form of Python logging levels |
| config.oidc.audience | string | Value of | Audience for the JWT token |
| config.oidc.clientId | string |  | Client ID for generic OpenID Connect support. One and only one of this, |
| config.oidc.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP |
| config.oidc.gidClaim | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) |
| config.oidc.groupsClaim | string |  | Claim from which to get the group membership (only used if not retrieved from LDAP) |
| config.oidc.issuer | string | None, must be set | Issuer for the JWT token |
| config.oidc.loginParams | object |  | Additional parameters to add to the login request |
| config.oidc.loginUrl | string | None, must be set | URL to which to redirect the user for authorization |
| config.oidc.scopes | list |  | Scopes to request from the OpenID Connect provider |
| config.oidc.tokenUrl | string | None, must be set | URL from which to retrieve the token for the user |
| config.oidc.uidClaim | string |  | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) |
| config.oidc.usernameClaim | string |  | Claim from which to get the username |
| config.oidcServer.enabled | bool |  | Whether to support OpenID Connect clients. If set to true, |
| config.proxies | list | [ | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging |
| config.slackAlerts | bool |  | Whether to send certain serious alerts to Slack. If |
| config.tokenLifetimeMinutes | int |  | Session length and token expiration (in minutes) |
| fullnameOverride | string |  | Override the full name for resources (includes the release name) |
| global.baseUrl | string | Set by Argo CD | Base URL for the environment |
| global.host | string | Set by Argo CD | Host name for ingress |
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
| image.pullPolicy | string |  | Pull policy for the Gafaelfawr image |
| image.repository | string |  | Gafaelfawr image to use |
| image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use |
| maintenance.affinity | object |  | Affinity rules for Gafaelfawr maintenance and audit pods |
| maintenance.auditSchedule | string |  | Cron schedule string for Gafaelfawr data consistency audit (in UTC) |
| maintenance.maintenanceSchedule | string |  | Cron schedule string for Gafaelfawr periodic maintenance (in UTC) |
| maintenance.nodeSelector | object |  | Node selection rules for Gafaelfawr maintenance and audit pods |
| maintenance.podAnnotations | object |  | Annotations for Gafaelfawr maintenance and audit pods |
| maintenance.resources | object |  | Resource limits and requests for Gafaelfawr maintenance and audit pods |
| maintenance.tolerations | list |  | Tolerations for Gafaelfawr maintenance and audit pods |
| nameOverride | string |  | Override the base name for resources |
| nodeSelector | object |  | Node selector rules for the Gafaelfawr frontend pod |
| operator.affinity | object |  | Affinity rules for the token management pod |
| operator.nodeSelector | object |  | Node selection rules for the token management pod |
| operator.podAnnotations | object |  | Annotations for the token management pod |
| operator.resources | object |  | Resource limits and requests for the Gafaelfawr Kubernetes operator |
| operator.tolerations | list |  | Tolerations for the token management pod |
| podAnnotations | object |  | Annotations for the Gafaelfawr frontend pod |
| redis.auth | object | See | Authentication configuration for Redis (should not need to be changed unless you set |
| redis.master.persistence.enabled | bool |  | Whether to persist Redis master storage and thus tokens. Setting this to false will use |
| redis.master.persistence.size | string |  | Amount of persistent storage to request for Redis master |
| redis.master.persistence.storageClass | string |  | Class of storage to request for Redis master |
| redis.master.resources | object | See | Resource limits for the master Redis pod |
| redis.master.serviceAccount.automountServiceAccountToken | bool |  | Whether to automount the default service account token in the Redis master pod (this should never be necessary) |
| redis.master.serviceAccount.create | bool |  | Whether to create a service account for the Redis master (required to disable automounting) |
| redis.networkPolicy.allowExternal | bool |  | Allow connections from pods without a client label |
| redis.networkPolicy.enabled | bool |  | Whether to install a |
| redis.replica.persistence.enabled | bool |  | Whether to persist Redis replica storage and thus tokens. Setting this to false will use |
| redis.replica.persistence.size | string |  | Amount of persistent storage to request for Redis replicas (should match the setting for the Redis master) |
| redis.replica.persistence.storageClass | string |  | Class of storage to request for Redis replicas |
| redis.replica.replicaCount | int |  | How many Redis replicas to create |
| redis.replica.resources | object | See | Resource limits for the replica Redis pods |
| redis.replica.serviceAccount.automountServiceAccountToken | bool |  | Whether to automount the default service account token in the Redis replica pods (this should never be necessary) |
| redis.replica.serviceAccount.create | bool |  | Whether to create a service account for the Redis replica pods (required to disable automounting) |
| replicaCount | int |  | Number of web frontend pods to start |
| resources | object |  | Resource limits and requests for the Gafaelfawr frontend pod |
| tolerations | list |  | Tolerations for the Gafaelfawr frontend pod |