Configuring Cloudentity Helm Charts
Learn how to configure Cloudentity Helm Charts and apply changes to your deployments.
Applying Changes to Cloudentity Helm Charts Configuration
There are two ways to apply changes to the configuration:

1. Specify each parameter with the --set key=value[,key=value] argument to helm install or helm upgrade. For example:

   helm install my-release --set certManager.enabled=true acp/acp

2. Provide a YAML file with parameter overrides while installing the chart. For example, create a my_values.yaml file:

   certManager:
     enabled: true

   and pass it with -f:

   helm install my-release -f my_values.yaml acp/acp

Result: cert-manager has been enabled in Cloudentity and is ready to be used.

Prefer a values file with restrictive permissions over --set for anything sensitive (such as secretConfig.data): values passed with --set stay in your shell history. In both cases Helm stores the supplied values in the release's Secret in the release namespace, so restrict read access to that namespace accordingly.
Generic configuration
Resources define the compute resources available to a pod and are also required for autoscaling, because the HPA computes utilization relative to the pod's requests. If no limits are specified, a pod can use all resources available on its node. Setting a CPU limit is not recommended unless you use an integer value to assign whole vCPUs. CPU consumption depends heavily on the number of incoming requests, while memory use is more static, so the memory limit is what keeps one misbehaving instance from starving the rest of the node. The example below is a good starting point for your deployment.

resources:
  requests:
    cpu: 500m
    memory: 1.2Gi
  limits:
    memory: 2Gi

Affinity lets you control pod scheduling based on the labels of other pods or nodes. Cloudentity is highly efficient, and running more than one instance on the same node is not recommended because it can degrade performance (when no CPU limit is set). The example below forces one Cloudentity instance per host. Because the rule is required, any replica that cannot find a free host stays Pending; use preferredDuringSchedulingIgnoredDuringExecution instead if you may run more replicas than eligible nodes. The label values must match the labels the chart applies to your release (compare with kubectl get pods --show-labels); a selector that matches nothing silently disables the rule.

affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/instance: acp
            app.kubernetes.io/name: acp-primary
        topologyKey: kubernetes.io/hostname

Topology Spread Constraints provide a way to spread pods across a topology domain such as a cloud provider zone. For high availability, Cloudentity should be spread across multiple zones as well as across hosts within the same zone. The example below is a soft requirement for zone spread with a maximum difference of 1 pod between zones.

topologySpreadConstraints:
  - labelSelector:
      matchLabels:
        app.kubernetes.io/instance: acp
        app.kubernetes.io/name: acp
    maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway

A Pod Disruption Budget limits how many pods of a deployment may be down at the same time because of voluntary disruptions such as node drains and cluster upgrades. It does not protect against involuntary disruptions such as hardware failure; that is what the replica count and the spread rules above are for. It defines the minimum number of pods that must be running at all times. The example below states that Cloudentity should not be taken below 50% of the desired replicas. Percentages are rounded up, so with replicaCount: 1 this resolves to 1 and blocks every voluntary eviction, including node drains, until you scale up.

podDisruptionBudget:
  minAvailable: 50%
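The fragments above combined into one values override for a three-replica, multi-zone deployment. This is an added example, not a file from the Cloudentity chart or its documentation. It assumes a cluster with at least three nodes in at least two zones, a release named acp whose pods carry the labels app.kubernetes.io/instance=acp and app.kubernetes.io/name=acp (verify with kubectl get pods --show-labels), and that the chart passes the resources, autoscaling, affinity, topologySpreadConstraints and podDisruptionBudget keys through to the Deployment and PDB unchanged.

```yaml
# Added example, not part of the Cloudentity chart. Assumed labels and release
# name are explained in the lead-in; adjust them to what the chart renders.
replicaCount: 3

# Requests drive scheduling and the HPA's utilization maths. The memory limit
# bounds the blast radius on a shared node; CPU is deliberately left unbounded.
resources:
  requests:
    cpu: 500m
    memory: 1.2Gi
  limits:
    memory: 2Gi

# Scale between 3 and 6 replicas on CPU. minReplicas keeps the PDB satisfiable
# even when load is low.
autoscaling:
  enabled: true
  minReplicas: 3
  maxReplicas: 6
  targetCPUUtilizationPercentage: "70"

# Preferred (not required) anti-affinity: one instance per host when possible,
# but still schedule if the cluster temporarily has fewer free nodes than replicas.
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchLabels:
              app.kubernetes.io/instance: acp
              app.kubernetes.io/name: acp
          topologyKey: kubernetes.io/hostname

# Soft spread across zones, then across hosts within a zone.
topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels:
        app.kubernetes.io/instance: acp
        app.kubernetes.io/name: acp
  - maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels:
        app.kubernetes.io/instance: acp
        app.kubernetes.io/name: acp

# An absolute minAvailable avoids the percentage rounding surprise: with 3
# replicas one pod may be evicted at a time, so node drains still progress.
podDisruptionBudget:
  minAvailable: 2
```

Apply it with helm upgrade --install my-release -f ha-values.yaml acp/acp and confirm the spread with kubectl get pods -o wide: each pod should land on a different node, and zones should differ by at most one pod. If a pod stays Pending, check kubectl describe pod for the scheduler's reason before relaxing the constraints.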
Platform Configuration
The Cloudentity platform configuration is provided by supplying the required parameters via their dedicated chart keys and the optional parameters via the custom config (the config.data and secretConfig.data keys in the reference below). Anything sensitive, such as the system secret or database credentials, belongs in secretConfig, which is stored in a Kubernetes Secret rather than a ConfigMap.

If you wish to enable features behind a feature flag, it can be done in two ways:

- System feature flags can be enabled globally for all tenants within the deployment by configuring them in the features section of the Helm Chart.
- Tenant feature flags can be turned on either in the features section of the Helm Chart, or in the Tenant Management view in the Admin Workspace in the System Tenant.
Learn more about platform configuration or see the Cloudentity Platform Configuration Reference to view all available settings.
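An added example (not from the Cloudentity documentation) of splitting platform configuration between the ConfigMap-backed config and the Secret-backed secretConfig, with feature flags alongside. The key names under data follow the Cloudentity Platform Configuration Reference; only logging.level, system.secret and client.rootCa appear in the chart's own values.yaml, and the feature-flag name example_flag is a placeholder, not a real Cloudentity flag.

```yaml
# Added example, not part of the Cloudentity chart or docs.
# Non-secret settings go into the ConfigMap-backed config.
config:
  create: true
  data:
    logging:
      level: info   # debug is for troubleshooting only; it is far noisier

# Secrets go into secretConfig, which the chart stores in a Kubernetes Secret.
secretConfig:
  create: true
  data:
    system:
      secret: "REPLACE-WITH-A-LONG-RANDOM-VALUE"   # never commit a real value
    client:
      # Private CA that signs the TLS endpoints Cloudentity connects to
      # (the PEM body is omitted here on purpose).
      rootCa: |
        -----BEGIN CERTIFICATE-----
        -----END CERTIFICATE-----

# System (all tenants) and tenant feature flags both live under features.
# example_flag is a placeholder name.
features:
  example_flag: true
```

Keep this file out of version control, or keep only the config and features parts there and inject secretConfig from your secrets manager at deploy time. Pass it with -f rather than --set so the secret value does not end up in shell history, and after the upgrade confirm that the rendered ConfigMap contains no secret material: kubectl get configmap -n <namespace> -o yaml should show the logging block but not system.secret.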
Cloudentity Helm Chart Configuration Reference
Source: values.yaml
## ACP image parameters
##
image:
  ## Image repository
  ##
  repository: docker.cloudentity.io/acp-distroless
  ## Image pull policy
  ##
  pullPolicy: IfNotPresent
  ## Image tag (immutable tags are recommended)
  ##
  tag:

## Global Docker registry secret names as an array
##
imagePullSecrets:
  - name: docker.cloudentity.io

## Public ACP URL
##
serverURL: "https://acp.local:8443"

## Public ACP URL for Ingress working in mTLS
##
serverURLMtls: "https://mtls.acp.local:8443"

## String to partially override acp.name
##
# nameOverride: ""

## String to fully override acp.fullname
##
# fullnameOverride: ""

## Additional labels to apply to all Kubernetes resources created by this chart.
##
labels: {}

## Define serviceAccount
##
serviceAccount:
  ## Specifies whether a service account should be created
  ##
  create: true
  ## Annotations to add to the service account
  ##
  annotations: {}
  ## The name of the service account to use.
  ## If not set and create is true, a name is generated using the fullname template
  # name: ""

## Array with container arguments to add to the ACP container
##
args:
  - server
  - start
  - --demo
  - --metrics
  - --create-default-tenant
  - --create-default-workspaces

## Enables custom config
##
# configPath:

## Array with environment variables to add to the ACP container
##
# env: []

## Define service
##
service:
  ## Enables ACP service
  ##
  enabled: true
  ## ACP service type
  ##
  type: ClusterIP

## Define ingress
##
ingress:
  ## Enables the Ingress for ACP
  ##
  enabled: true
  ## Name of the ingress class
  ##
  ingressClassName: nginx
  ## Ingress additional custom annotations
  ##
  customAnnotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"
  ## Ingress hostnames with paths
  ##
  hosts:
    - host: acp.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  ## Ingress TLS configuration
  ## Secrets must be manually created in the namespace
  ## or automatically using `tlsSecrets` variable
  ##
  tls: []
  # - secretName: ingress-tls
  #   hosts:
  #     - acp.acp-system
  ## Ingress TLS secrets
  ## List of certificates to be created for Ingress
  ##
  tlsSecrets: []
  # - name: ingress-tls
  #   cert: |
  #     -----BEGIN CERTIFICATE-----
  #
  #     -----END CERTIFICATE-----
  #   key: |
  #     -----BEGIN RSA PRIVATE KEY-----
  #
  #     -----END RSA PRIVATE KEY-----

ingressMtls:
  ## Enables mTLS Ingress for ACP
  ## This is an independent instance from the one above.
  ##
  enabled: false
  ## Name of the ingress class
  ##
  ingressClassName: nginx
  ## mTLS Ingress additional custom annotations
  ##
  customAnnotations:
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true"
    nginx.ingress.kubernetes.io/service-upstream: "true"
  ## mTLS Ingress hostnames with paths
  ##
  hosts:
    - host: mtls.acp.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  ## Ingress mTLS configuration
  ## Secrets must be manually created in the namespace
  ## or automatically using `tlsSecrets` variable
  ##
  tls: []
  # - secretName: ingress-mtls
  #   hosts:
  #     - mtls.acp.acp-system
  ## Ingress mTLS secrets
  ## List of certificates to be created for Ingress
  ##
  tlsSecrets:
  # - name: ingress-mtls
  #   cert: |
  #     -----BEGIN CERTIFICATE-----
  #
  #     -----END CERTIFICATE-----
  #   key: |
  #     -----BEGIN RSA PRIVATE KEY-----
  #
  #     -----END RSA PRIVATE KEY-----
  #   caCert: |
  #     -----BEGIN CERTIFICATE-----
  #     -----END CERTIFICATE-----

## ServiceMonitor configuration
##
serviceMonitor:
  ## Enables the ServiceMonitor integration
  ##
  enabled: false
  ## Define ServiceMonitor endpoint config
  ##
  endpointConfig: {}

## Deployment annotations
##
# annotations: {}

## Autoscaling parameters
##
autoscaling:
  ## Enable autoscaling
  ##
  enabled: false
  ## Define min replica count
  ##
  # minReplicas: 0
  ## Define max replica count
  ##
  # maxReplicas: 1
  ## The average CPU usage of all pods in a deployment
  ##
  # targetCPUUtilizationPercentage: ""
  ## The average memory usage of all pods in a deployment
  ##
  # targetMemoryUtilizationPercentage: ""
  ## Custom scaling behavior
  ##
  # behavior: {}

## Number of ACP replicas to deploy
##
replicaCount: 1

## Pod annotations
##
# podAnnotations: {}

## Custom Startup Probe
##
customStartupProbe: {}
  # failureThreshold: 10
  # periodSeconds: 10
  # timeoutSeconds: 10
  # httpGet:
  #   path: /alive
  #   scheme: HTTPS
  #   port: 8443

## Custom Liveness Probe
customLivenessProbe: {}
  # failureThreshold: 10
  # initialDelaySeconds: 3
  # periodSeconds: 10
  # timeoutSeconds: 10
  # httpGet:
  #   path: /alive
  #   scheme: HTTPS
  #   port: 8443

## Custom Readiness Probe
customReadinessProbe: {}
  # failureThreshold: 3
  # initialDelaySeconds: 5
  # periodSeconds: 10
  # timeoutSeconds: 10
  # httpGet:
  #   path: /alive
  #   scheme: HTTPS
  #   port: 8443

## ACP resource requests and limits
## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}

## ACP node selector
##
# nodeSelector: {}

## ACP pod affinity
##
# affinity: {}

## ACP pod tolerations
##
# tolerations: {}

## ACP pod topology spread constraints
##
# topologySpreadConstraints: {}

## ACP Pod disruption budget
##
# podDisruptionBudget: {}

## A security context defines privilege and access control settings for a Pod or Container
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
##
## Pod security context
##
podSecurityContext:
  fsGroup: 65535
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

## Container security context
##
containerSecurityContext:
  runAsUser: 65535
  runAsGroup: 65535
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL

## ACP feature flags
## To enable a feature, enter its key-value pair, as in:
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# features: {}

## Cert-manager configuration
##
certManager:
  ## Enables the cert-manager integration
  ##
  enabled: false
  ## The requested 'duration' (i.e. lifetime) of the Certificate
  ##
  duration: 2160h
  ## How long before the currently issued certificate's expiry cert-manager should renew the certificate.
  ##
  renewBefore: 720h
  ## The Common Name (AKA CN) represents the server name protected by the SSL certificate
  ##
  # commonName:
  ## Options to control private keys used for the Certificate.
  ##
  privateKey:
    size: 2048
    algorithm: RSA
  ## extraNames is a list of DNS subjectAltNames to be set on the Certificate.
  ##
  extraNames: []
  ## IssuerRef is a reference to the issuer for this certificate
  ##
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer

## Disables TLS in ACP
##
tlsDisabled: false

## Migrate Job configuration
##
migrateJob:
  ## Enables the SQL migrate job
  ##
  enabled: false
  ## Enables custom config
  ##
  # configPath:
  ## The data should match acp configuration options
  ## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
  ##
  config: {}

## Import Job configuration
##
importJob:
  ## Enables the import job
  ##
  enabled: false
  ## Enables custom config
  ##
  # configPath:
  ## Import mode (update, fail, ignore)
  ##
  mode: update
  ## Input file format: yaml or json
  ##
  format: yaml
  ## Path to the input file
  ##
  input: /import/seed.yaml
  ## Extra args for import command
  ##
  extraArgs: []
  ## The data should match import configuration endpoint request body
  ## https://docs.authorization.cloudentity.com/api/system/#operation/importConfiguration
  ##
  data:
    tenants: []
    servers: []
    clients: []
  ## ACP import job resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}

## Enable Default ACP config
##
config:
  create: true
  ## The data should match acp configuration options
  ## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
  ##
  data:
    # logging:
    #   level: debug
  ## Config name if create false
  ##
  # name:

## ACP config file from secret
##
secretConfig:
  ## Enable secret config
  ##
  create: true
  ## Secret name if create false
  ##
  # name:
  ## Secret annotations
  ##
  # annotations: {}
  ## The data should match acp configuration options
  ## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
  ##
  data: {}
    # system:
    #   secret: mysecret
    ## ACP http client configuration
    ##
    # client:
    #   rootCa: |
    #     -----BEGIN CERTIFICATE-----
    #
    #     -----END CERTIFICATE-----

## ACP certificate
##
certificate:
  ## If true certificate will be taken from files/ folder stored in this chart
  ## root folder.
  ##
  create: true
  ## Enable if want to take certificate and key from values instead of
  ## files/ folder
  ##
  # cert: |
  #   -----BEGIN CERTIFICATE-----
  #
  #   -----END CERTIFICATE-----
  #
  # key: |
  #   -----BEGIN RSA PRIVATE KEY-----
  #
  #   -----END RSA PRIVATE KEY-----

## SQL client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# sql: {}

## Redis client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# redis: {}

## Timescaledb client
## The data should match acp configuration options
## https://cloudentity.com/developers/deployment-and-operations/reference/configuration-reference/
##
# timescale: {}

## Workers chart configuration
## Worker nodes are used to create a separate ACP deployment for asynchronous jobs handling
##
workers:
  ## Enables worker nodes for ACP
  ##
  enabled: false
  ## Autoscaling parameters
  ##
  autoscaling:
    ## Enable autoscaling
    ##
    enabled: false
    ## Define min replica count
    ##
    # minReplicas: 0
    ## Define max replica count
    ##
    # maxReplicas: 1
    ## The average CPU usage of all pods in a deployment
    ##
    # targetCPUUtilizationPercentage: ""
    ## The average memory usage of all pods in a deployment
    ##
    # targetMemoryUtilizationPercentage: ""
    ## Custom scaling behavior
    ##
    # behavior: {}
  ## Number of ACP workers replicas to deploy
  ##
  replicaCount: 1
  ## Define workers service
  ##
  service:
    ## Enables workers service for ACP
    ##
    enabled: false
    ## ACP workers service type
    ##
    type: ClusterIP
    ## Service annotations
    ##
    # annotations: {}
  ## ServiceMonitor configuration
  ##
  serviceMonitor:
    ## Enables workers ServiceMonitor integration
    ##
    enabled: false
    ## Define workers ServiceMonitor endpoint config
    ##
    endpointConfig: {}
  ## Deployment annotations
  ##
  # annotations: {}
  ## Pod annotations
  ##
  # podAnnotations: {}
  ## ACP workers resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  ## ACP workers node selector
  ##
  # nodeSelector: {}
  ## ACP workers pod affinity
  ##
  # affinity: {}
  ## ACP workers pod tolerations
  ##
  # tolerations: {}
  ## ACP workers pod topology spread constraints
  ##
  # topologySpreadConstraints: {}
  ## ACP workers Pod disruption budget
  ##
  # podDisruptionBudget: {}

## Available FaaS providers: fission, docker, hybrid
## https://cloudentity.com/developers/deployment-and-operations/configure/configure-fission-for-faas/#fission-integration-for-faas
##
faas:
  ## Enables the FaaS function for ACP
  ##
  enabled: false
  ## Define type of the Environment that can be deployed
  ##
  provider: "docker"
  namespace:
    ## Define namespace name where the environments can be deployed
    ##
    name: acp-faas
    ## Create namespace
    ##
    create: true
  environments:
    node:
      v4:
        ## Enables environment
        ##
        enabled: false
        ## Environment image
        ##
        image: docker.cloudentity.io/node-env:v4-20240613-085335-5267d099
        ## Environment expiration date
        ##
        valid_until: ""
        ## Environment packages
        ##
        package_json: {}
      v5:
        ## Enables environment
        ##
        enabled: true
        ## Environment image
        ##
        image: docker.cloudentity.io/node-env:v5-20240607-143144-b240b824
        ## Environment expiration date
        ##
        valid_until: ""
        ## Environment packages
        ##
        package_json: {}
      v6:
        ## Enables environment
        ##
        enabled: false
        ## Environment image
        ##
        image: docker.cloudentity.io/node-env:v6-20240716-173159-7af79717
        ## Environment expiration date
        ##
        valid_until: ""
        ## Environment packages
        ##
        package_json: {}
    rego:
      v6:
        ## Enables environment
        ##
        enabled: true
        ## Environment image
        ##
        image: docker.cloudentity.io/rego-env:v6-20240716-173159-7af79717
        ## Environment expiration date
        ##
        valid_until: ""
  ## Each setting below can be set in a version specific block within 'environments' to override these default settings
  ##
  settings:
    ## Environment number of replicas
    ##
    replicaCount: 3
    ## Annotations to add to the Environment deployment
    ##
    # annotations: {}
    ## Specify an imagePullPolicy
    ##
    imagePullPolicy: IfNotPresent
    ## Docker registry secret name
    ##
    imagePullSecrets:
      - name: docker.cloudentity.io
    ## Array with environment variables to add to the container
    ##
    # env: []
    ## Array with volumes to add to the pod
    ##
    # volumes: []
    ## Array with volumeMounts to add to the container
    ##
    # volumeMounts: []
    ## Array with ports to add to the container
    ##
    ports:
      http: 8888
    ## Define service
    ##
    service:
      ## Enables service
      ##
      enabled: true
      ## Service type
      ##
      type: ClusterIP
    ## Pod security context
    ##
    podSecurityContext:
      fsGroup: 65535
      runAsUser: 65535
      runAsGroup: 65535
      runAsNonRoot: true
    ## Container security context
    ##
    containerSecurityContext:
      runAsUser: 65535
      runAsGroup: 65535
      runAsNonRoot: true
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      seccompProfile:
        type: RuntimeDefault
      capabilities:
        drop:
          - ALL
    ## Startup Probe configuration
    ##
    startupProbe:
      failureThreshold: 3
      initialDelaySeconds: 2
      periodSeconds: 2
      httpGet:
        path: /healthz
        port: 8888
    ## Liveness Probe configuration
    ##
    livenessProbe:
      failureThreshold: 3
      periodSeconds: 10
      timeoutSeconds: 1
      httpGet:
        path: /healthz
        port: 8888
    ## Readiness Probe configuration
    ##
    readinessProbe:
      failureThreshold: 3
      periodSeconds: 10
      timeoutSeconds: 1
      httpGet:
        path: /healthz
        port: 8888
    ## Pod resources definition
    ##
    # resources: {}
    ## Pod node selector
    ##
    # nodeSelector: {}
    ## Pod affinity
    ##
    # affinity: {}
    ## Pod tolerations
    ##
    # tolerations: {}
    ## Pod topology spread constraints
    ##
    # topologySpreadConstraints: {}
    ## Deployment lifecycle
    ##
    lifecycle:
      preStop:
        exec:
          command:
            - /bin/sleep
            - "10"
    ## Autoscaling parameters
    ##
    autoscaling:
      ## Keda based autoscaling
      ##
      keda:
        ## Enable autoscaling
        ##
        enabled: false
        ## Define min replica count
        ##
        minReplicas: 1
        ## Define max replica count
        ##
        maxReplicas: 3
        ## Define scaled object port
        ##
        port: 8080
        ## Define scaled object targetPendingRequests
        ##
        targetPendingRequests: 1
        ## Define keda interceptor proxy dns
        ##
        interceptor_dns: keda-add-ons-http-interceptor-proxy.keda.svc.cluster.local
      hpa:
        ## Enable autoscaling
        ##
        enabled: false
        ## Define min replica count
        ##
        minReplicas: 1
        ## Define max replica count
        ##
        maxReplicas: 3
        ## The average CPU usage of all pods in a deployment
        ##
        targetCPUUtilizationPercentage: "50"
        ## The average memory usage of all pods in a deployment
        ##
        targetMemoryUtilizationPercentage: "50"
        ## Custom scaling behavior
        ##
        # behavior: {}
  serviceAccount:
    ## Specifies whether a service account should be created
    ##
    create: true
    ## Annotations to add to the service account
    ##
    annotations: {}
    ## The name of the service account to use.
    ## If not set and create is true, a name is generated using the fullname template
    # name: ""
  ## Define NetworkPolicy Egress rules for FaaS deployment
  ##
  networkPolicy:
    create: true
    ipBlock:
      cidr: 0.0.0.0/0
      except:
        - 10.0.0.0/8
        - 192.168.0.0/16
        - 172.16.0.0/20
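An added production override for the defaults above, written for this page and not taken from the Cloudentity chart or its documentation. It addresses three points a reviewer would raise against the defaults: the image tag is empty rather than pinned, the public URL and Ingress host are local placeholders, and the FaaS egress policy's except list covers only 172.16.0.0/20 of the 172.16.0.0/12 private range and nothing in the link-local range, so user-supplied functions could reach most of a 172.16/12 VPC and the cloud metadata endpoint at 169.254.169.254. Assumptions: the tag and hostname are placeholders you replace, the chart passes the networkPolicy block through as a single ipBlock egress rule, and the faas.networkPolicy path is as reconstructed from the flattened reference (check the chart's templates if the rendered NetworkPolicy differs). The default args (which include --demo and --create-default-tenant) are left untouched here; review them against the Cloudentity documentation before going to production.

```yaml
# Added example, not part of the Cloudentity chart.
image:
  # Placeholder: pin an immutable release tag so every rollout and rollback
  # resolves to the same bytes, instead of leaving the default empty tag.
  tag: "x.y.z"
  pullPolicy: IfNotPresent

# Placeholder hostname; serverURL is what tokens and redirect URIs are issued for.
serverURL: "https://auth.example.com"

ingress:
  enabled: true
  ingressClassName: nginx
  hosts:
    - host: auth.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: acp-ingress-tls   # create by hand or via your cert-manager Certificate
      hosts:
        - auth.example.com

# Keep TLS on between the Ingress and the pod; the default already is false,
# stated here so an override file cannot silently flip it.
tlsDisabled: false

faas:
  networkPolicy:
    create: true
    ipBlock:
      cidr: 0.0.0.0/0
      except:
        - 10.0.0.0/8
        - 172.16.0.0/12      # whole RFC 1918 range, not only the default /20
        - 192.168.0.0/16
        - 169.254.0.0/16     # link-local, including cloud metadata endpoints
```

After applying, render the policy and check the CIDRs actually landed: kubectl get networkpolicy -n acp-faas -o yaml should list all four except entries. If your cluster uses addresses outside RFC 1918 for nodes or services, add those ranges too; the goal is that functions can only reach the public internet and whatever you explicitly allow.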