# Gafaelfawr Helm values reference

Helm values reference table for the gafaelfawr application.
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object | | Affinity rules for the Gafaelfawr frontend pod |
| cloudsql.affinity | object | | Affinity rules for the Cloud SQL Proxy pod |
| cloudsql.enabled | bool | | Enable the Cloud SQL Auth Proxy, used with CloudSQL databases on Google Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as a separate service (behind a |
| cloudsql.image.pullPolicy | string | | Pull policy for Cloud SQL Auth Proxy images |
| cloudsql.image.repository | string | | Cloud SQL Auth Proxy image to use |
| cloudsql.image.tag | string | | Cloud SQL Auth Proxy tag to use |
| cloudsql.instanceConnectionName | string | None, must be set if Cloud SQL Auth Proxy is enabled | Instance connection name for a CloudSQL PostgreSQL instance |
| cloudsql.nodeSelector | object | | Node selection rules for the Cloud SQL Proxy pod |
| cloudsql.podAnnotations | object | | Annotations for the Cloud SQL Proxy pod |
| cloudsql.resources | object | See | Resource limits and requests for the Cloud SQL Proxy pod |
| cloudsql.serviceAccount | string | None, must be set if Cloud SQL Auth Proxy is enabled | The Google service account that has an IAM binding to the |
| cloudsql.tolerations | list | | Tolerations for the Cloud SQL Proxy pod |
| config.cadcBaseUuid | string | Disabled | Whether to support the |
| config.cilogon.clientId | string | | CILogon client ID. One and only one of this, |
| config.cilogon.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP |
| config.cilogon.gidClaim | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) |
| config.cilogon.groupsClaim | string | | Claim from which to get the group membership (only used if not retrieved from LDAP) |
| config.cilogon.loginParams | object | | Additional parameters to add |
| config.cilogon.test | bool | | Whether to use the test instance of CILogon |
| config.cilogon.uidClaim | string | | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) |
| config.cilogon.usernameClaim | string | | Claim from which to get the username |
| config.databaseUrl | string | None, must be set if neither | URL for the PostgreSQL database nor |
| config.errorFooter | string | | HTML footer to add to any login error page (will be enclosed in a tag). |
| config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. |
| config.forgerock.url | string | ForgeRock Identity Management support is disabled | If set, obtain the GIDs for groups from this ForgeRock Identity Management server. |
| config.forgerock.username | string | None, must be set if | Username to use for HTTP Basic authentication to ForgeRock Identity Management. The corresponding password must be in the |
| config.github.clientId | string | | GitHub client ID. One and only one of this, |
| config.groupMapping | object | | Defines a mapping of scopes to groups that provide that scope. See DMTN-235 for more details on scopes. |
| config.initialAdmins | list | | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. |
| config.internalDatabase | bool | | Whether to use the PostgreSQL server internal to the Kubernetes cluster |
| config.knownScopes | object | See the | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. See DMTN-235. |
| config.ldap.addUserGroup | bool | | Whether to synthesize a user private group for each user with a GID equal to their UID |
| config.ldap.emailAttr | string | | Attribute containing the user's email address |
| config.ldap.gidAttr | string | Use GID of user private group | Attribute containing the user's primary GID (set to |
| config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user's groups |
| config.ldap.groupMemberAttr | string | | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. |
| config.ldap.groupObjectClass | string | | Object class containing group information |
| config.ldap.groupSearchByDn | bool | | Whether to search for group membership by user DN rather than bare usernames. Most LDAP servers use full DNs for group membership, so normally this should be set to true, but it requires |
| config.ldap.kerberosConfig | string | Use anonymous binds | Enable GSSAPI (Kerberos) binds to LDAP using this |
| config.ldap.nameAttr | string | | Attribute containing the user's full name |
| config.ldap.uidAttr | string | Get UID from upstream authentication provider | Attribute containing the user's UID number (set to |
| config.ldap.url | string | Do not use LDAP | LDAP server URL from which to retrieve user group information |
| config.ldap.userBaseDn | string | Get user metadata from the upstream authentication provider | Base DN for the LDAP search to find a user's entry |
| config.ldap.userDn | string | Use anonymous binds | Bind DN for simple bind authentication. If set, |
| config.ldap.userSearchAttr | string | | Search attribute containing the user's username |
| config.logLevel | string | | Choose from the text form of Python logging levels |
| config.oidc.audience | string | Value of | Audience for the JWT token |
| config.oidc.clientId | string | | Client ID for generic OpenID Connect support. One and only one of this, |
| config.oidc.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP |
| config.oidc.gidClaim | string | Do not set a primary GID | Claim from which to get the primary GID (only used if not retrieved from LDAP or Firestore) |
| config.oidc.groupsClaim | string | | Claim from which to get the group membership (only used if not retrieved from LDAP) |
| config.oidc.issuer | string | None, must be set | Issuer for the JWT token |
| config.oidc.loginParams | object | | Additional parameters to add to the login request |
| config.oidc.loginUrl | string | None, must be set | URL to which to redirect the user for authorization |
| config.oidc.scopes | list | | Scopes to request from the OpenID Connect provider |
| config.oidc.tokenUrl | string | None, must be set | URL from which to retrieve the token for the user |
| config.oidc.uidClaim | string | | Claim from which to get the numeric UID (only used if not retrieved from LDAP or Firestore) |
| config.oidc.usernameClaim | string | | Claim from which to get the username |
| config.oidcServer.enabled | bool | | Whether to support OpenID Connect clients. If set to true, |
| config.proxies | list | [ | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging |
| config.quota | object | | Quota settings (see Quotas). |
| config.slackAlerts | bool | | Whether to send certain serious alerts to Slack. If |
| config.tokenLifetimeMinutes | int | | Session length and token expiration (in minutes) |
| fullnameOverride | string | | Override the full name for resources (includes the release name) |
| global.baseUrl | string | Set by Argo CD | Base URL for the environment |
| global.host | string | Set by Argo CD | Host name for ingress |
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
| image.pullPolicy | string | | Pull policy for the Gafaelfawr image |
| image.repository | string | | Gafaelfawr image to use |
| image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use |
| ingress.additionalHosts | list | | Defines additional FQDNs for Gafaelfawr. This doesn't work for cookie or browser authentication, but for token-based services like git-lfs or the webdav server it does. |
| maintenance.affinity | object | | Affinity rules for Gafaelfawr maintenance and audit pods |
| maintenance.auditSchedule | string | | Cron schedule string for Gafaelfawr data consistency audit (in UTC) |
| maintenance.cleanupSeconds | int | 86400 (1 day) | How long to keep old jobs around before deleting them |
| maintenance.deadlineSeconds | int | 300 (5 minutes) | How long the job is allowed to run before it will be terminated |
| maintenance.maintenanceSchedule | string | | Cron schedule string for Gafaelfawr periodic maintenance (in UTC) |
| maintenance.nodeSelector | object | | Node selection rules for Gafaelfawr maintenance and audit pods |
| maintenance.podAnnotations | object | | Annotations for Gafaelfawr maintenance and audit pods |
| maintenance.resources | object | See | Resource limits and requests for Gafaelfawr maintenance and audit pods |
| maintenance.tolerations | list | | Tolerations for Gafaelfawr maintenance and audit pods |
| nameOverride | string | | Override the base name for resources |
| nodeSelector | object | | Node selector rules for the Gafaelfawr frontend pod |
| operator.affinity | object | | Affinity rules for the token management pod |
| operator.nodeSelector | object | | Node selection rules for the token management pod |
| operator.podAnnotations | object | | Annotations for the token management pod |
| operator.resources | object | See | Resource limits and requests for the Gafaelfawr Kubernetes operator. The limits are artificially higher since the operator pod is also where we manually run |
| operator.tolerations | list | | Tolerations for the token management pod |
| podAnnotations | object | | Annotations for the Gafaelfawr frontend pod |
| redis.affinity | object | | Affinity rules for the Redis pod |
| redis.config.secretKey | string | | Key inside secret from which to get the Redis password (do not change) |
| redis.config.secretName | string | | Name of secret containing Redis password (may require changing if fullnameOverride is set) |
| redis.nodeSelector | object | | Node selection rules for the Redis pod |
| redis.persistence.accessMode | string | | Access mode of storage to request |
| redis.persistence.enabled | bool | | Whether to persist Redis storage and thus tokens. Setting this to false will use |
| redis.persistence.size | string | | Amount of persistent storage to request |
| redis.persistence.storageClass | string | | Class of storage to request |
| redis.persistence.volumeClaimName | string | | Use an existing PVC, not dynamic provisioning. If this is set, the size, storageClass, and accessMode settings are ignored. |
| redis.podAnnotations | object | | Pod annotations for the Redis pod |
| redis.resources | object | See | Resource limits and requests for the Redis pod |
| redis.tolerations | list | | Tolerations for the Redis pod |
| replicaCount | int | | Number of web frontend pods to start |
| resources | object | See | Resource limits and requests for the Gafaelfawr frontend pod |
| tolerations | list | | Tolerations for the Gafaelfawr frontend pod |