Gafaelfawr Helm values reference

Helm values reference table for the gafaelfawr application.
| Key | Type | Default | Description |
|---|---|---|---|
| affinity | object | | Affinity rules for the Gafaelfawr frontend pod |
| cloudsql.affinity | object | | Affinity rules for the Cloud SQL Proxy pod |
| cloudsql.enabled | bool | | Enable the Cloud SQL Auth Proxy, used with Cloud SQL databases on Google Cloud. This will be run as a sidecar for the main Gafaelfawr pods, and as a separate service (behind a |
| cloudsql.image.pullPolicy | string | | Pull policy for Cloud SQL Auth Proxy images |
| cloudsql.image.repository | string | | Cloud SQL Auth Proxy image to use |
| cloudsql.image.schemaUpdateTagSuffix | string | | Tag suffix to use for the proxy for schema updates |
| cloudsql.image.tag | string | | Cloud SQL Auth Proxy tag to use |
| cloudsql.instanceConnectionName | string | None, must be set if Cloud SQL Auth Proxy is enabled | Instance connection name for a Cloud SQL PostgreSQL instance |
| cloudsql.nodeSelector | object | | Node selection rules for the Cloud SQL Proxy pod |
| cloudsql.podAnnotations | object | | Annotations for the Cloud SQL Proxy pod |
| cloudsql.resources | object | See | Resource limits and requests for the Cloud SQL Proxy pod |
| cloudsql.serviceAccount | string | None, must be set if Cloud SQL Auth Proxy is enabled | The Google service account that has an IAM binding to the |
| cloudsql.tolerations | list | | Tolerations for the Cloud SQL Proxy pod |
| config.afterLogoutUrl | string | Top-level page of this Phalanx environment | Where to send the user after they log out |
| config.baseInternalUrl | string | FQDN under | URL for direct connections to the Gafaelfawr service, bypassing the Ingress. Must use a service name of |
| config.cilogon.clientId | string | | CILogon client ID. One and only one of this, |
| config.cilogon.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP |
| config.cilogon.loginParams | object | | Additional parameters to add |
| config.cilogon.test | bool | | Whether to use the test instance of CILogon |
| config.cilogon.usernameClaim | string | | Claim from which to get the username |
| config.databaseUrl | string | None, must be set if neither | URL for the PostgreSQL database |
| config.enableSentry | bool | | Whether to send trace and telemetry information to Sentry. This traces every call and therefore should only be enabled in non-production environments. |
| config.errorFooter | string | | HTML footer to add to any login error page (will be enclosed in a tag). |
| config.firestore.project | string | Firestore support is disabled | If set, assign UIDs and GIDs using Google Firestore in the given project. Cloud SQL must be enabled and the Cloud SQL service account must have read/write access to that Firestore instance. |
| config.github.clientId | string | | GitHub client ID. One and only one of this, |
| config.groupMapping | object | | Defines a mapping of scopes to groups that provide that scope. See DMTN-235 for more details on scopes. |
| config.initialAdmins | list | | Usernames to add as administrators when initializing a new database. Used only if there are no administrators. |
| config.internalDatabase | bool | | Whether to use the PostgreSQL server internal to the Kubernetes cluster |
| config.knownScopes | object | See the | Names and descriptions of all scopes in use. This is used to populate the new token creation page. Only scopes listed here will be options when creating a new token. See DMTN-235. |
| config.ldap.addUserGroup | bool | | Whether to synthesize a user private group for each user with a GID equal to their UID |
| config.ldap.emailAttr | string | | Attribute containing the user’s email address |
| config.ldap.gidAttr | string | Use GID of user private group | Attribute containing the user’s primary GID (set to |
| config.ldap.groupBaseDn | string | None, must be set | Base DN for the LDAP search to find a user’s groups |
| config.ldap.groupMemberAttr | string | | Member attribute of the object class. Values must match the username returned in the token from the OpenID Connect authentication server. |
| config.ldap.groupObjectClass | string | | Object class containing group information |
| config.ldap.groupSearchByDn | bool | | Whether to search for group membership by user DN. Most LDAP servers list group members by full DNs, but if yours uses bare usernames, set this to false. |
| config.ldap.kerberosConfig | string | Use anonymous binds | Enable GSSAPI (Kerberos) binds to LDAP using this |
| config.ldap.nameAttr | string | | Attribute containing the user’s full name |
| config.ldap.uidAttr | string | Get UID from upstream authentication provider | Attribute containing the user’s UID number (set to |
| config.ldap.url | string | Do not use LDAP | LDAP server URL from which to retrieve user group information |
| config.ldap.userBaseDn | string | None, must be set | Base DN for the LDAP search to find a user’s entry |
| config.ldap.userDn | string | Use anonymous binds | Bind DN for simple bind authentication. If set, |
| config.ldap.userSearchAttr | string | | Search attribute containing the user’s username |
| config.logLevel | string | | Choose from the text form of Python logging levels |
| config.metrics.application | string | | Name under which to log metrics. Generally there is no reason to change this. |
| config.metrics.enabled | bool | | Whether to enable sending metrics |
| config.metrics.events.topicPrefix | string | | Topic prefix for events. It may sometimes be useful to change this in development environments. |
| config.metrics.schemaManager.registryUrl | string | Sasquatch in the local cluster | URL of the Confluent-compatible schema registry server |
| config.metrics.schemaManager.suffix | string | | Suffix to add to all registered subjects. This is sometimes useful for experimentation during development. |
| config.oidc.audience | string | Same as | Audience ( |
| config.oidc.clientId | string | | Client ID for generic OpenID Connect support. One and only one of this, |
| config.oidc.enrollmentUrl | string | Login fails with an error | Where to send the user if their username cannot be found in LDAP |
| config.oidc.issuer | string | None, must be set | Issuer for the JWT token |
| config.oidc.loginParams | object | | Additional parameters to add to the login request |
| config.oidc.loginUrl | string | None, must be set | URL to which to redirect the user for authorization |
| config.oidc.scopes | list | | Scopes to request from the OpenID Connect provider. The |
| config.oidc.tokenUrl | string | None, must be set | URL from which to retrieve the token for the user |
| config.oidc.usernameClaim | string | | Claim from which to get the username |
| config.oidcServer.dataRightsMapping | object | | Mapping of group names to data release keywords, indicating membership in that group grants access to that data release. Used to construct the |
| config.oidcServer.enabled | bool | | Whether to support OpenID Connect clients |
| config.oidcServer.issuer | string | Base URL of this Phalanx environment | Issuer ( |
| config.oidcServer.keyId | string | | Key ID ( |
| config.proxies | list | [ | List of netblocks used for internal Kubernetes IP addresses, used to determine the true client IP for logging |
| config.quota | object | | Quota settings (see Quotas). |
| config.realm | string | Hostname of this Phalanx environment | Authentication realm for HTTP |
| config.slackAlerts | bool | | Whether to send certain serious alerts to Slack. If |
| config.tokenLifetime | string | | Session lifetime. Use |
| config.updateSchema | bool | | Whether to automatically update the Gafaelfawr database schema |
| global.baseUrl | string | Set by Argo CD | Base URL for the environment |
| global.host | string | Set by Argo CD | Host name for ingress |
| global.vaultSecretsPath | string | Set by Argo CD | Base path for Vault secrets |
| image.pullPolicy | string | | Pull policy for the Gafaelfawr image |
| image.repository | string | | Gafaelfawr image to use |
| image.tag | string | The appVersion of the chart | Tag of Gafaelfawr image to use |
| ingress.additionalHosts | list | | Defines additional FQDNs for Gafaelfawr. This doesn’t work for cookie or browser authentication, but for token-based services like git-lfs or the webdav server it does. |
| maintenance.affinity | object | | Affinity rules for Gafaelfawr maintenance and audit pods |
| maintenance.auditSchedule | string | | Cron schedule string for Gafaelfawr data consistency audit (in UTC) |
| maintenance.cleanupSeconds | int | 86400 (1 day) | How long to keep old jobs around before deleting them |
| maintenance.deadlineSeconds | int | 300 (5 minutes) | How long the job is allowed to run before it will be terminated |
| maintenance.maintenanceSchedule | string | | Cron schedule string for Gafaelfawr periodic maintenance (in UTC) |
| maintenance.nodeSelector | object | | Node selection rules for Gafaelfawr maintenance and audit pods |
| maintenance.podAnnotations | object | | Annotations for Gafaelfawr maintenance and audit pods |
| maintenance.resources | object | See | Resource limits and requests for Gafaelfawr maintenance and audit pods |
| maintenance.tolerations | list | | Tolerations for Gafaelfawr maintenance and audit pods |
| nodeSelector | object | | Node selector rules for the Gafaelfawr frontend pod |
| operator.affinity | object | | Affinity rules for the token management pod |
| operator.nodeSelector | object | | Node selection rules for the token management pod |
| operator.podAnnotations | object | | Annotations for the token management pod |
| operator.resources | object | See | Resource limits and requests for the Gafaelfawr Kubernetes operator. The limits are artificially higher since the operator pod is also where we manually run |
| operator.tolerations | list | | Tolerations for the token management pod |
| podAnnotations | object | | Annotations for the Gafaelfawr frontend pod |
| redis.affinity | object | | Affinity rules for the Redis pod |
| redis.config.secretKey | string | | Key inside secret from which to get the Redis password (do not change) |
| redis.config.secretName | string | | Name of secret containing Redis password (do not change) |
| redis.nodeSelector | object | | Node selection rules for the Redis pod |
| redis.persistence.accessMode | string | | Access mode of storage to request |
| redis.persistence.enabled | bool | | Whether to persist Redis storage and thus tokens. Setting this to false will use |
| redis.persistence.size | string | | Amount of persistent storage to request |
| redis.persistence.storageClass | string | | Class of storage to request |
| redis.persistence.volumeClaimName | string | | Use an existing PVC, not dynamic provisioning. If this is set, the size, storageClass, and accessMode settings are ignored. |
| redis.podAnnotations | object | | Pod annotations for the Redis pod |
| redis.resources | object | See | Resource limits and requests for the Redis pod |
| redis.tolerations | list | | Tolerations for the Redis pod |
| replicaCount | int | | Number of web frontend pods to start |
| resources | object | See | Resource limits and requests for the Gafaelfawr frontend pod |
| tolerations | list | | Tolerations for the Gafaelfawr frontend pod |