Gafaelfawr Helm values reference
Helm values reference table for the gafaelfawr application.
| Key | Type | Default | Description |
|---|---|---|---|
| `affinity` | object | | Affinity rules for the Gafaelfawr frontend pod |
| `cloudsql.affinity` | object | | Affinity rules for the Cloud SQL Proxy pod |
| `cloudsql.enabled` | bool | | Enable the Cloud SQL Auth Proxy, used with Cloud SQL databases on Google Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as a separate service (behind a |
| `cloudsql.image.pullPolicy` | string | | Pull policy for Cloud SQL Auth Proxy images |
| `cloudsql.image.repository` | string | | Cloud SQL Auth Proxy image to use |
| `cloudsql.image.tag` | string | | Cloud SQL Auth Proxy tag to use |
| `cloudsql.instanceConnectionName` | string | None, must be set if Cloud SQL Auth Proxy is enabled | Instance connection name for a Cloud SQL PostgreSQL instance |
| `cloudsql.nodeSelector` | object | | Node selection rules for the Cloud SQL Proxy pod |
| `cloudsql.podAnnotations` | object | | Annotations for the Cloud SQL Proxy pod |
| `cloudsql.resources` | object | | Resource limits and requests for the Cloud SQL Proxy pod |
| `cloudsql.serviceAccount` | string | None, must be set if Cloud SQL Auth Proxy is enabled | The Google service account that has an IAM binding to the |
| `cloudsql.tolerations` | list | | Tolerations for the Cloud SQL Proxy pod |
| `config.cilogon.clientId` | string | | CILogon client ID. One and only one of this, |
| `config.cilogon.enrollmentUrl` | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP |
| `config.cilogon.gidClaim` | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) |
| `config.cilogon.groupsClaim` | string | | Claim from which to get the group membership (only used if not retrieved from LDAP) |
| `config.cilogon.loginParams` | object | | Additional parameters to add to the login request |
| `config.cilogon.test` | bool | | Whether to use the test instance of CILogon |
| `config.cilogon.uidClaim` | string | | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) |
| `config.cilogon.usernameClaim` | string | | Claim from which to get the username |
| `config.databaseUrl` | string | None, must be set if | URL for the PostgreSQL database |
| `config.errorFooter` | string | | HTML footer to add to any login error page (will be enclosed in a tag). |
| `config.firestore.project` | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. |
| `config.forgerock.url` | string | ForgeRock Identity Management support is disabled | If set, obtain the GIDs for groups from this ForgeRock Identity Management server. |
| `config.forgerock.username` | string | None, must be set if | Username to use for HTTP Basic authentication to ForgeRock Identity Management. The corresponding password must be in the |
| `config.github.clientId` | string | | GitHub client ID. One and only one of this, |
| `config.groupMapping` | object | | Defines a mapping of scopes to groups that provide that scope. See DMTN-235 for more details on scopes. |
| `config.initialAdmins` | list | | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. |
| `config.knownScopes` | object | See the | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. See DMTN-235. |
| `config.ldap.addUserGroup` | bool | | Whether to synthesize a user private group for each user with a GID equal to their UID |
| `config.ldap.emailAttr` | string | | Attribute containing the user’s email address |
| `config.ldap.gidAttr` | string | Use GID of user private group | Attribute containing the user’s primary GID (set to |
| `config.ldap.groupBaseDn` | string | None, must be set | Base DN for the LDAP search to find a user’s groups |
| `config.ldap.groupMemberAttr` | string | | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. |
| `config.ldap.groupObjectClass` | string | | Object class containing group information |
| `config.ldap.kerberosConfig` | string | Use anonymous binds | Enable GSSAPI (Kerberos) binds to LDAP using this |
| `config.ldap.nameAttr` | string | | Attribute containing the user’s full name |
| `config.ldap.uidAttr` | string | Get UID from upstream authentication provider | Attribute containing the user’s UID number (set to |
| `config.ldap.url` | string | Do not use LDAP | LDAP server URL from which to retrieve user group information |
| `config.ldap.userBaseDn` | string | Get user metadata from the upstream authentication provider | Base DN for the LDAP search to find a user’s entry |
| `config.ldap.userDn` | string | Use anonymous binds | Bind DN for simple bind authentication. If set, |
| `config.ldap.userSearchAttr` | string | | Search attribute containing the user’s username |
| `config.logLevel` | string | | Logging level; choose from the text form of Python logging levels |
| `config.oidc.audience` | string | Value of | Audience for the JWT token |
| `config.oidc.clientId` | string | | Client ID for generic OpenID Connect support. One and only one of this, |
| `config.oidc.enrollmentUrl` | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP |
| `config.oidc.gidClaim` | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) |
| `config.oidc.groupsClaim` | string | | Claim from which to get the group membership (only used if not retrieved from LDAP) |
| `config.oidc.issuer` | string | None, must be set | Issuer for the JWT token |
| `config.oidc.loginParams` | object | | Additional parameters to add to the login request |
| `config.oidc.loginUrl` | string | None, must be set | URL to which to redirect the user for authorization |
| `config.oidc.scopes` | list | | Scopes to request from the OpenID Connect provider |
| `config.oidc.tokenUrl` | string | None, must be set | URL from which to retrieve the token for the user |
| `config.oidc.uidClaim` | string | | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) |
| `config.oidc.usernameClaim` | string | | Claim from which to get the username |
| `config.oidcServer.enabled` | bool | | Whether to support OpenID Connect clients. If set to true, |
| `config.proxies` | list | [ | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging |
| `config.quota` | object | | Quota settings (see Quotas). |
| `config.slackAlerts` | bool | | Whether to send certain serious alerts to Slack. If |
| `config.tokenLifetimeMinutes` | int | | Session length and token expiration (in minutes) |
| `fullnameOverride` | string | | Override the full name for resources (includes the release name) |
| `global.baseUrl` | string | Set by Argo CD | Base URL for the environment |
| `global.host` | string | Set by Argo CD | Host name for ingress |
| `global.vaultSecretsPath` | string | Set by Argo CD | Base path for Vault secrets |
| `image.pullPolicy` | string | | Pull policy for the Gafaelfawr image |
| `image.repository` | string | | Gafaelfawr image to use |
| `image.tag` | string | The appVersion of the chart | Tag of Gafaelfawr image to use |
| `maintenance.affinity` | object | | Affinity rules for Gafaelfawr maintenance and audit pods |
| `maintenance.auditSchedule` | string | | Cron schedule string for the Gafaelfawr data consistency audit (in UTC) |
| `maintenance.maintenanceSchedule` | string | | Cron schedule string for Gafaelfawr periodic maintenance (in UTC) |
| `maintenance.nodeSelector` | object | | Node selection rules for Gafaelfawr maintenance and audit pods |
| `maintenance.podAnnotations` | object | | Annotations for Gafaelfawr maintenance and audit pods |
| `maintenance.resources` | object | | Resource limits and requests for Gafaelfawr maintenance and audit pods |
| `maintenance.tolerations` | list | | Tolerations for Gafaelfawr maintenance and audit pods |
| `nameOverride` | string | | Override the base name for resources |
| `nodeSelector` | object | | Node selector rules for the Gafaelfawr frontend pod |
| `operator.affinity` | object | | Affinity rules for the token management pod |
| `operator.nodeSelector` | object | | Node selection rules for the token management pod |
| `operator.podAnnotations` | object | | Annotations for the token management pod |
| `operator.resources` | object | | Resource limits and requests for the Gafaelfawr Kubernetes operator |
| `operator.tolerations` | list | | Tolerations for the token management pod |
| `podAnnotations` | object | | Annotations for the Gafaelfawr frontend pod |
| `redis.affinity` | object | | Affinity rules for the Redis pod |
| `redis.config.secretKey` | string | | Key inside the secret from which to get the Redis password (do not change) |
| `redis.config.secretName` | string | | Name of the secret containing the Redis password (may require changing if `fullnameOverride` is set) |
| `redis.nodeSelector` | object | | Node selection rules for the Redis pod |
| `redis.persistence.accessMode` | string | | Access mode of storage to request |
| `redis.persistence.enabled` | bool | | Whether to persist Redis storage and thus tokens. Setting this to false will use |
| `redis.persistence.size` | string | | Amount of persistent storage to request |
| `redis.persistence.storageClass` | string | | Class of storage to request |
| `redis.persistence.volumeClaimName` | string | | Use an existing PVC, not dynamic provisioning. If this is set, the `size`, `storageClass`, and `accessMode` settings are ignored. |
| `redis.podAnnotations` | object | | Pod annotations for the Redis pod |
| `redis.resources` | object | See | Resource limits and requests for the Redis pod |
| `redis.tolerations` | list | | Tolerations for the Redis pod |
| `replicaCount` | int | | Number of web frontend pods to start |
| `resources` | object | | Resource limits and requests for the Gafaelfawr frontend pod |
| `tolerations` | list | | Tolerations for the Gafaelfawr frontend pod |