Skip to main content

Configuring SecureAuth Helm Charts

Learn how to configure SecureAuth Helm Charts and apply changes to your deployments.

Applying Changes to SecureAuth Helm Charts Configuration

There are two ways to apply changes to the configuration:

  • Specify each parameter using the --set key=value[,key=value] argument to command helm install or helm upgrade.

    For example:

    helm install my-release --set certManager.enabled=true acp/acp

  • While installing the chart, provide the YAML file that specifies default parameter overrides.

    See below for an example of how to create myvalues.yaml file:

    certManager
      enabled: true                  
    helm install myrelease -f my_values.yaml acp/acp

    Result: cert-manager has been enabled in SecureAuth and is ready to be used.

Generic configuration

  • Resources define compute resources available to a pod. It is also required for autoscaling. If no limits are specified, pod will be able to use all resources available on a node. It is not recommended to set CPU limit unless you use integer value to assign full vCPUs. CPU consumption highly depends on the number of incoming request while memory is more static value. Below example is good starting point for your deployment.

    resources:
      requests:
        cpu: 500m
        memory: 1.2Gi
      limits:
        memory: 2Gi                  
  • Affinity allows user to control scheduling of pods based on labels of other pods or nodes. SecureAuth is highly efficient and its not recommended to run more then one instance on a same node as this might lead to degraded performance (if there is no CPU limit set). Below example provides a way to force one SecureAuth instance per host.

    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchLabels:
                app.kubernetes.io/instance: acp
                app.kubernetes.io/name: acp-primary
            topologyKey: kubernetes.io/hostname                  
  • Topology Spread Constraints provides a way to spread pods across topology domain like cloud provider zone. For high availability purpose, SecureAuth should be spread across multiple zones as well as hosts in the same zone. Below example provides soft requirement for zone spread with a maximum distribution difference of 1 pod per zone.

    topologySpreadConstraints:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/instance: acp
            app.kubernetes.io/name: acp
        maxSkew: 1
        topologyKey: topology.kubernetes.io/zone
        whenUnsatisfiable: ScheduleAnyway                  
  • Pod Disruption Budget is a feature that provides pods resilence to voluntary (application update) and involuntary (hardware failure) disruptions. It definies minimum number of pods that must be running at any times. Below example shows that SecureAuth should not be taken below 50% of desired replicas.

    podDisruptionBudget:
      minAvailable: 50%                  

Platform Configuration

The SecureAuth platform configuration can be provided by including the required parameters via dedicated keys and optional parameters via the custom config.

If you wish to enable features behind a feature flag, it can be done in two ways:

  • You can enable System feature flags globally for all tenants within the deployment by configuring them in the features section of the Helm Chart.

  • Tenant feature flags can be turned on either in the features section of the Helm Chart, or in the Tenant Management view in the Admin Workspace in the System Tenant.

Learn more about platform configuration or see the SecureAuth Platform Configuration Reference to view all available settings.

SecureAuth Helm Chart Configuration Reference

Source: values.yaml

## ACP image parameters
##
image:
  ## Image repository
  ##
  repository: docker.cloudentity.io/acp-distroless

  ## Image pull policy
  ##
  pullPolicy: IfNotPresent

  ## Image tag (immutable tags are recommended)
  ##
  tag:

## Global Docker registry secret names as an array
##
imagePullSecrets:
  - name: docker.cloudentity.io

## Public ACP URL
##
serverURL: "https://acp.local:8443"

## Public ACP URL for Ingress working in mTLS
##
serverURLMtls: "https://mtls.acp.local:8443"

## String to partially override acp.name
##
# nameOverride: ""

## String to fully override acp.fullname
##
# fullnameOverride: ""

## Additional labels to apply to all Kubernetes resources created by this chart.
##
labels: {}

## Define serviceAccount
##
serviceAccount:
  ## Specifies whether a service account should be created
  ##
  create: true

  ## Annotations to add to the service account
  ##
  annotations: {}

  ## The name of the service account to use.
  ## If not set and create is true, a name is generated using the fullname template
  # name: ""

## Array with container arguments to add to the ACP container
##
args:
  - server
  - start
  - --demo
  - --metrics
  - --create-default-tenant
  - --create-default-workspaces

## Enables custom config
##
# configPath:

## Array with environment variables to add to the ACP container
##
# env: []

## Define service
##
service:
  ## Enables ACP service
  ##
  enabled: true

  ## ACP service type
  ##
  type: ClusterIP

## Define ingress
##
ingress:
  ## Enables the Ingress for ACP
  ##
  enabled: true

  ## Name of the ingress class
  ##
  ingressClassName: nginx

  ## Ingress additional custom annotations
  ##
  customAnnotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"

  ## Ingress hostnames with paths
  ##
  hosts:
    - host: acp.local
      paths:
        - path: /
          pathType: ImplementationSpecific

  ## Ingress TLS configuration
  ## Secrets must be manually created in the namespace
  ## or automatically using `tlsSecrets` variable
  ##
  tls: []
  # - secretName: ingress-tls
  #   hosts:
  #     - acp.acp-system

  ## Ingress TLS secrets
  ## List of certificates to be created for Ingress
  ##
  tlsSecrets: []
  # - name: ingress-tls
  #   cert: |
  #     -----BEGIN CERTIFICATE-----
  #
  #     -----END CERTIFICATE-----
  #   key: |
  #     -----BEGIN RSA PRIVATE KEY-----
  #
  #     -----END RSA PRIVATE KEY-----

ingressMtls:
  ## Enables mTLS Ingress for ACP
  ## This is an independent instance from the one above.
  ##
  enabled: false

  ## Name of the ingress class
  ##
  ingressClassName: nginx

  ## mTLS Ingress additional custom annotations
  ##
  customAnnotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"

  ## mTLS Ingress hostnames with paths
  ##
  hosts:
    - host: mtls.acp.local
      paths:
        - path: /
          pathType: ImplementationSpecific

  ## Ingress mTLS configuration
  ## Secrets must be manually created in the namespace
  ## or automatically using `tlsSecrets` variable
  ##
  tls: []
  # - secretName: ingress-mtls
  #   hosts:
  #     - mtls.acp.acp-system

  ## Ingress mTLS secrets
  ## List of certificates to be created for Ingress
  ##
  tlsSecrets:
  # - name: ingress-mtls
  #   cert: |
  #     -----BEGIN CERTIFICATE-----
  #
  #     -----END CERTIFICATE-----
  #   key: |
  #     -----BEGIN RSA PRIVATE KEY-----
  #
  #     -----END RSA PRIVATE KEY-----
  #   caCert: |
  #     -----BEGIN CERTIFICATE-----
  #     -----END CERTIFICATE-----

## ServiceMonitor configuration
##
serviceMonitor:
  ## Enables the ServiceMonitor integration
  ##
  enabled: false

  ## Define ServiceMonitor endpoint config
  ##
  endpointConfig: {}

## Deployment annotations
##
# annotations: {}

## Autoscaling parameters
##
autoscaling:
  ## Enable autoscaling
  ##
  enabled: false

  ## Define mix replica count
  ##
  # minReplicas: 0

  ## Define max replica count
  ##
  # maxReplicas: 1

  ## The average CPU usage of a all pods in a deployment
  ##
  # targetCPUUtilizationPercentage: ""

  ## The average memory usage of a all pods in a deployment
  ##
  # targetMemoryUtilizationPercentage: ""

  ## Custom scaling behavior
  ##
  #  behavior: {}

## Number of ACP replicas to deploy
##
replicaCount: 1

## Pod annotations
##
# podAnnotations: {}

## Custom Startup Probe
##
customStartupProbe: {}
  # failureThreshold: 10
  # periodSeconds: 10
  # timeoutSeconds: 10
  # httpGet:
  #   path: /alive
  #   scheme: HTTPS
  #   port: 8443

## Custom Liveness Probe
customLivenessProbe: {}
  # failureThreshold: 10
  # initialDelaySeconds: 3
  # periodSeconds: 10
  # timeoutSeconds: 10
  # httpGet:
  #   path: /alive
  #   scheme: HTTPS
  #   port: 8443

## Custom Readiness Probe
customReadinessProbe: {}
  # failureThreshold: 3
  # initialDelaySeconds: 5
  # periodSeconds: 10
  # timeoutSeconds: 10
  # httpGet:
  #   path: /alive
  #   scheme: HTTPS
  #   port: 8443

## ACP resource requests and limits
## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}

## ACP node selector
##
# nodeSelector: {}

## ACP pod affinity
##
# affinity: {}

## ACP pod tolerations
##
# tolerations: {}

## ACP pod topology spread constraints
##
# topologySpreadConstraints: {}

## ACP Pod disruption budget
##
# podDisruptionBudget: {}

## A security context defines privilege and access control settings for a Pod or Container
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
## Pod security context
##
podSecurityContext:
  fsGroup: 65535
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

## Container security context
##
containerSecurityContext:
  runAsUser: 65535
  runAsGroup: 65535
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

## ACP feature flags
## To enable a feature, enter its key-value pair, as in:
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# features: {}

## Cert-manager configuration
##
certManager:
  ## Enables the cert-manager integration
  ##
  enabled: false

  ## The requested ‘duration’ (i.e. lifetime) of the Certificate
  ##
  duration: 2160h

  ## How long before the currently issued certificate’s expiry cert-manager should renew the certificate.
  ##
  renewBefore: 720h

  ## The Common Name (AKA CN) represents the server name protected by the SSL certificate
  ##
  # commonName:

  ## Options to control private keys used for the Certificate.
  ##
  privateKey:
    size: 2048
    algorithm: RSA

  ## extraNames is a list of DNS subjectAltNames to be set on the Certificate.
  ##
  extraNames: []

  ## IssuerRef is a reference to the issuer for this certificate
  ##
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer

## Disables TLS in ACP
##
tlsDisabled: false

## Migrate Job configuration
##
migrateJob:
  ## Enables the SQL migrate job
  ##
  enabled: false

  ## Enables custom config
  ##
  # configPath:

  ## The data should match acp configuration options
  ## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
  ##
  config: {}

## Import Job configuration
##
importJob:
  ## Enables the import job
  ##
  enabled: false

  ## Enables custom config
  ##
  # configPath:

  ## Import mode (update, fail, ignore)
  ##
  mode: update

  ## Input file format: yaml or json
  ##
  format: yaml

  ## Path to the input file
  ##
  input: /import/seed.yaml

  ## Extra args for import command
  ##
  extraArgs: []

  ## The data should match import configuration endpoint request body
  ## https://docs.authorization.cloudentity.com/api/system/#operation/importConfiguration
  ##
  data:
    tenants: []
    servers: []
    clients: []

  ## ACP import job resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}

## Enable Default ACP config
##
config:
  create: true

  ## The data should match acp configuration options
  ## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
  ##
  data:
  #  logging:
  #     level: debug

  ## Config name if create false
  ##
  # name:

## ACP config file from secret
##
secretConfig:
  ## Enable secret config
  ##
  create: true

  ## Secret name if create false
  ##
  # name:

  ## Secret annotations
  ##
  # annotations: {}

  ## The data should match acp configuration options
  ## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
  ##
  data: {}
  #  system:
  #     secret: mysecret

## ACP http client configuration
##
# client:
  # rootCa: |
  #   -----BEGIN CERTIFICATE-----
  #
  #   -----END CERTIFICATE-----

## ACP certificate
##
certificate:
  ## If true certificate will be taken from files/ folder stored in this chart
  ## root folder.
  ##
  create: true

  ## Enable if want to take certificate and key from values instead of
  ## files/ folder
  ##
  # cert: |
  #   -----BEGIN CERTIFICATE-----
  #
  #   -----END CERTIFICATE-----
  #
  # key: |
  #   -----BEGIN RSA PRIVATE KEY-----
  #
  #   -----END RSA PRIVATE KEY-----

## SQL client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# sql: {}

## Redis client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# redis: {}

## Timescaledb client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# timescale: {}

## Workers chart configuration
## Worker nodes are used to create seperate ACP deployment for asynchronous jobs handling
##
workers:
  ## Enables worker nodes for ACP
  ##
  enabled: false

  ## Autoscaling parameters
  ##
  autoscaling:
    ## Enable autoscaling
    ##
    enabled: false

    ## Define mix replica count
    ##
    # minReplicas: 0

    ## Define max replica count
    ##
    # maxReplicas: 1

    ## The average CPU usage of a all pods in a deployment
    ##
    # targetCPUUtilizationPercentage: ""

    ## The average memory usage of a all pods in a deployment
    ##
    # targetMemoryUtilizationPercentage: ""

    ## Custom scaling behavior
    ##
    #  behavior: {}

  ## Number of ACP workers replicas to deploy
  ##
  replicaCount: 1

  ## Define workers service
  ##
  service:
    ## Enables workers service for ACP
    ##
    enabled: false

    ## ACP workers service type
    ##
    type: ClusterIP

    ## Service annotations
    ##
    # annotations: {}

  ## ServiceMonitor configuration
  ##
  serviceMonitor:
    ## Enables workers ServiceMonitor integration
    ##
    enabled: false

    ## Define workers ServiceMonitor endpoint config
    ##
    endpointConfig: {}

  ## Deployment annotations
  ##
  # annotations: {}

  ## Pod annotations
  ##
  # podAnnotations: {}

  ## ACP workers resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}

  ## ACP workers node selector
  ##
  # nodeSelector: {}

  ## ACP workers pod affinity
  ##
  # affinity: {}

  ## ACP workers pod tolerations
  ##
  # tolerations: {}

  ## ACP workers pod topology spread constraints
  ##
  # topologySpreadConstraints: {}

  ## ACP workers Pod disruption budget
  ##
  # podDisruptionBudget: {}

## Available FaaS providers: fission, docker, hybrid
## https://cloudentity.com/developers/deployment-and-operations/configure/configure-fission-for-faas/#fission-integration-for-faas
##
faas:
  ## Enables the FaaS function for ACP
  ##
  enabled: false

  ## Define type of the Environment can be deployed
  ##
  provider: "docker"

  namespace:
    ## Define namespace name where the environments can be deployed
    ##
    name: acp-faas

    ## Create namespace
    ##
    create: true

  environments:
    node:
      v4:
        ## Enables environment
        ##
        enabled: false

        ## Environment image
        ##
        image: docker.cloudentity.io/node-env:v4-20240613-085335-5267d099

        ## Environment expiration date
        ##
        valid_until: ""

        ## Environment packages
        ##
        package_json: {}

      v5:
        ## Enables environment
        ##
        enabled: true

        ## Environment image
        ##
        image: docker.cloudentity.io/node-env:v5-20240607-143144-b240b824

        ## Environment expiration date
        ##
        valid_until: ""

        ## Environment packages
        ##
        package_json: {}

      v6:
        ## Enables environment
        ##
        enabled: false

        ## Environment image
        ##
        image: docker.cloudentity.io/node-env:v6-20240716-173159-7af79717

        ## Environment expiration date
        ##
        valid_until: ""

        ## Environment packages
        ##
        package_json: {}

    rego:
      v6:
        ## Enables environment
        ##
        enabled: true

        ## Environment image
        ##
        image: docker.cloudentity.io/rego-env:v6-20240716-173159-7af79717

        ## Environment expiration date
        ##
        valid_until: ""

    ## Each setting below can be set in a version specific block within 'environments' to override these default settings
    ##
    settings:
      ## Enviornment number of replicas
      ##
      replicaCount: 3

      ## Annotations to add to the Environment deployment
      ##
      # annotations: {}

      ## Specify a imagePullPolicy
      ##
      imagePullPolicy: IfNotPresent
  
      ## Docker registry secret name
      ##
      imagePullSecrets:
        - name: docker.cloudentity.io
  
      ## Array with environment variables to add to the container
      ##
      # env: []

      ## Array with volumes to add to the pod
      ##
      # volumes: []

      ## Array with volumeMounts to add to the container
      ##
      # volumeMounts: []

      ## Array with ports to add to the container
      ##
      ports:
        http: 8888
      
      ## Define service
      ##
      service:
        ## Enables service
        ##
        enabled: true
      
        ## Service type
        ##
        type: ClusterIP

      ## Pod security context
      ##
      podSecurityContext:
        fsGroup: 65535
        runAsUser: 65535
        runAsGroup: 65535
        runAsNonRoot: true

      ## Container security context
      ##
      containerSecurityContext:
        runAsUser: 65535
        runAsGroup: 65535
        runAsNonRoot: true
        privileged: false
        readOnlyRootFilesystem: true
        allowPrivilegeEscalation: false
        seccompProfile:
          type: RuntimeDefault
        capabilities:
          drop:
            - ALL

      ## Startup Probe configuration
      ##
      startupProbe:
        failureThreshold: 3
        initialDelaySeconds: 2
        periodSeconds: 2
        httpGet:
          path: /healthz
          port: 8888
      
      ## Liveness Probe configuration
      ##
      livenessProbe:
        failureThreshold: 3
        periodSeconds: 10
        timeoutSeconds: 1
        httpGet:
          path: /healthz
          port: 8888
      
      ## Readiness Probe configuration
      ##
      readinessProbe:
        failureThreshold: 3
        periodSeconds: 10
        timeoutSeconds: 1
        httpGet:
          path: /healthz
          port: 8888
 
      ## Pod resources definition
      ##
      # resources: {}

      ## Pod node selector
      ##
      # nodeSelector: {}

      ## Pod affinity
      ##
      # affinity: {}

      ## Pod tolerations
      ##
      # tolerations: {}

      ## Pod topology spread constraints
      ##
      # topologySpreadConstraints: {}

      ## Deployment lifecycle
      ##
      lifecycle:
        preStop:
          exec:
            command:
              - /bin/sleep
              - "10"

    ## Autoscaling parameters
    ##
    autoscaling:
      ## Keda based autoscaling
      ##
      keda:
        ## Enable autoscaling
        ##
        enabled: false

        ## Define mix replica count
        ##
        minReplicas: 1

        ## Define max replica count
        ##
        maxReplicas: 3

        ## Define scaled object port
        ##
        port: 8080

        ## Define scaled object targetPendingRequests
        ##
        targetPendingRequests: 1

        ## Define keda interceptor proxy dns
        ##
        interceptor_dns: keda-add-ons-http-interceptor-proxy.keda.svc.cluster.local

      hpa:
        ## Enable autoscaling
        ##
        enabled: false

        ## Define mix replica count
        ##
        minReplicas: 1

        ## Define max replica count
        ##
        maxReplicas: 3

        ## The average CPU usage of a all pods in a deployment
        ##
        targetCPUUtilizationPercentage: "50"

        ## The average memory usage of a all pods in a deployment
        ##
        targetMemoryUtilizationPercentage: "50"

        ## Custom scaling behavior
        ##
        #  behavior: {}

  serviceAccount:
    ## Specifies whether a service account should be created
    ##
    create: true
  
    ## Annotations to add to the service account
    ##
    annotations: {}
  
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname template
    # name: ""

  ## Define NetworkPolicy Egress rules for FaaS deployment
  ##
  networkPolicy:
    create: true
    ipBlock:
      cidr: 0.0.0.0/0
      except:
        - 10.0.0.0/8
        - 192.168.0.0/16
        - 172.16.0.0/20