############
## Global ##
############
globalConfig:
  gatewayAuth:
    ## Supported types: access_key, certificate, universal identity, cloud identity (aws_iam/azure_ad/gcp)
    ## If using access_key, certificate or universal identity, you must also add gatewayCredentialsExistingSecret which includes the key/certificate/token
    ## Where the platform allows it, prefer a cloud identity (aws_iam/azure_ad/gcp): no long-lived
    ## static credential then has to live in a Kubernetes Secret. A leaked access_key/certificate must be
    ## rotated both in Akeyless and in the Secret referenced below.
    ## https://docs.akeyless.io/docs/gateway-chart#authentication
    ##
    gatewayAccessId:
    gatewayAccessType:
    ## Use K8s secret to set the following types: access_key, certificate, uid
    ## Create a K8s secret, run 'kubectl apply' and add the secret name (see docs for examples)
    ## keys: gateway-access-key, gateway-certificate, gateway-certificate-key, gateway-uid-token
    ## Whoever can read this Secret can authenticate as the Gateway: restrict get/list on Secrets in this
    ## namespace with RBAC and never commit the Secret manifest to version control.
    ##
    gatewayCredentialsExistingSecret:

  ## Add one or more Access IDs to give them access to this Gateway; add the specified permissions and sub-claims.
  ## Name must be unique. Empty permissions will implicitly give the admin permission.
  ## Because an empty permission list means admin, always spell out the minimal permission set (and
  ## sub-claims) each Access ID actually needs instead of leaving it empty.
  ## See docs for examples https://docs.akeyless.io/docs/gateway-chart#gateway-admins
  ##
  allowedAccessPermissions: []

  ## Use a K8s existing secret for Gateway Allowed Access. Must include the following key: allowed-access-permissions
  ## https://docs.akeyless.io/docs/gateway-chart#access-permissions
  ##
  allowedAccessPermissionsExistingSecret:

  ## List Access IDs that have access (comma separated list), if left empty all Access IDs will be authorised.
  ## To enable only specific users to use Remote Access, make sure to add the relevant `authorizedAccessIDs` in the `Global` section.
  ## A comma-separated list can be used for multiple IDs.
  ## While this is not mandatory, it is a good security practice to limit user access. If not configured, a Warning message
  ## will appear. For more information: https://docs.akeyless.io/docs/remote-access-setup-k8s#configuration
  ## Leaving this empty means all Access IDs are authorised against this Gateway; set it explicitly in
  ## any deployment that is not a throw-away lab.
  ##
  authorizedAccessIDs:

  ## If serviceAccount.create = false, please ensure the provided service account has the following permissions:
  ## 1. Create Kubernetes Secrets - The service account must be able to create secrets within the Kubernetes cluster.
  ## 2. Read and Update the Gateway's Kubernetes Secret - The service account must have read and update access to
  ##    the Kubernetes secret used by the Gateway. By default, this secret is named
  ##    <release-name>-cache-encryption-key (release prefix presumed, it was lost in extraction - confirm in docs),
  ##    unless a custom name has been specified.
  ## Grant these with a namespace-scoped Role, not a ClusterRole. `create` on secrets cannot be narrowed by
  ## resourceNames, but `get`/`update` can be limited to that one secret name via resourceNames.
  ## NOTE(review): with create: false and an empty serviceAccountName the pod presumably falls back to the
  ## namespace `default` ServiceAccount - do not attach secret permissions to `default`; use a dedicated SA.
  ##
  serviceAccount:
    create: false
    serviceAccountName:
    annotations:

  ## This is the actual name of the cluster as in account/access-id/clusterName
  ##
  clusterName:
  ## This is the vanity display name of the cluster
  ##
  initialClusterDisplayName:

  ## The key which is used to encrypt the Gateway configuration.
  ## If left empty - the account's default key will be used.
  ## This key can be determined on cluster bringup only and cannot be modified afterwards
  ##
  configProtectionKeyName:

  ## Use k8s secret to set the CF, the k8s secret must include the key: customer-fragments
  ## See docs for examples https://docs.akeyless.io/docs/advanced-chart-configuration#customer-fragment
  ## Treat this Secret as the most sensitive object in the namespace: anyone who can read it holds the
  ## fragment. Restrict Secret reads with RBAC, enable etcd encryption at rest and keep an out-of-band
  ## backup of the fragment.
  ## NOTE(review): under the zero-knowledge model, data protected with a lost fragment is presumably
  ## unrecoverable - confirm in the Akeyless docs before relying on the backup strategy.
  ##
  customerFragmentsExistingSecret:

  ## See docs for examples https://docs.akeyless.io/docs/advanced-chart-configuration#tls-configuration
  ## With enabled: false the Gateway serves plain HTTP on containerPort 8000. Since gateway.service.type
  ## defaults to LoadBalancer, that traffic can leave the cluster in the clear unless TLS is terminated at
  ## an ingress/LB in front of it. Enable TLS here or at the ingress before exposing the Gateway.
  ##
  TLSConf:
    enabled: false
    ## Specifies an existing secret for tls-certificate:
    tlsExistingSecret:
    # tlsCertificateSecretKeyName: tlsCertificate
    # tlsPrivateKeySecretKeyName: tlsPrivateKey

  ## Telemetry Metrics see docs for examples https://docs.akeyless.io/docs/telemetry-metrics-k8s
  ##
  metrics:
    enabled: false
    ## Existing secret for metrics must include:
    ##   - otel-config.yaml (base64) secret
    ## The OTel config typically carries exporter endpoints and credentials, which is why it lives in a Secret.
    ##
    metricsExistingSecret:

  ## Linux system HTTP Proxy
  ## NOTE(review): when a proxy is configured, add the cluster service domain/CIDR (e.g. .svc.cluster.local)
  ## to no_proxy so Gateway-to-cache and other in-cluster traffic is not routed through the proxy - confirm
  ## against your environment.
  httpProxySettings:
    http_proxy: ""
    https_proxy: ""
    no_proxy: ""

  # env: []

  ## https://docs.akeyless.io/docs/advanced-chart-configuration#cache-configuration
  ##
  clusterCache:
    enabled: true
    ## If enableScaleOutOnDisconnectedMode is set to true, and the encryptionKeyExistingSecret parameter has a value
    ## Akeyless will use this specified encryption key for offline scaling support.
    ## If enableScaleOutOnDisconnectedMode is set to true, and the encryptionKeyExistingSecret parameter is empty or not specified,
    ## Akeyless will automatically generate a new encryption key and a new k8s secret
    ## Either way the cache encryption key ends up in a K8s Secret in this namespace; it protects whatever
    ## the cluster cache stores, so it needs the same RBAC / etcd-encryption care as the credentials Secret above.
    encryptionKeyExistingSecret:
    enableScaleOutOnDisconnectedMode: false
    # Enable/Disable TLS between the Gateway and the cluster cache service
    # using generated certificates and keys
    # Default is false, i.e. Gateway <-> cache traffic crosses the pod network unencrypted. Enable it on any
    # cluster whose network is shared with other tenants or not otherwise encrypted (no mTLS mesh / CNI encryption).
    enableTls: false
    # certValidityDays: 1825
    ## The resources limits for the standalone cluster cache
    ##
    resources:
      limits:
        # cpu: 500m
        memory: 2Gi
      requests:
        cpu: 250m
        memory: 256Mi
    ## Persistent volume configuration for standalone cluster cache
    persistence:
      enabled: false
      # existingClaim: ""
      # accessMode: "ReadWriteOnce"
      # storageClass: ""
      # size: 10Gi
    pdb:
      enabled: false
      # minAvailable: ""
      # maxUnavailable: ""
    pod:
      annotations: {}

  cacheHA:
    enabled: false
    nameOverride: cluster-cache-ha
    replicas: 3
    ## In case cacheHA is enabled in the Gateway, and the encryptionKeyExistingSecret parameter has a value
    ## Akeyless will use this specified encryption key and store it securely within Akeyless Gateway.
    ## If the encryptionKeyExistingSecret parameter is empty or not specified,
    ## Akeyless will automatically generate a new encryption key and a new ServiceAccount for K8s.
    ## for more information: https://docs.akeyless.io/docs/advanced-chart-configuration#cache-configuration
    ##
    encryptionKeyExistingSecret:
    image:
      repository: public.ecr.aws/docker/library/redis
      tag: 8.2.3-alpine
    ## Redis AUTH is on by default; the password is read from key `authKey` inside `existingSecret`.
    ## Keep auth: true - the HA cache is reachable from any pod that can reach its Service.
    auth: true
    authKey: redis-password
    existingSecret: "{{ .Release.Name }}-cluster-cache-ha"
    ## TLS is enabled by default when cacheHA is enabled
    ## To disable TLS, set tls ports (cacheHA.redis.tlsPort and cacheHA.sentinel.tlsPort) to 0
    ## and set cacheHA.redis.port to 6379 and cacheHA.sentinel.port to 26379
    ## Disabling it sends client traffic (and presumably Redis/Sentinel replication, see tlsReplication
    ## below) across the pod network in the clear - avoid on shared networks.
    tls:
      secretName: "{{ .Release.Name }}-cluster-cache-ha-tls"
      certFile: tls.crt
      keyFile: tls.key
      caCertFile: ca.crt
      # certValidityDays: 1825
    redis:
      port: 0
      tlsPort: 6379
      tlsReplication: true
      masterGroupName: "akeyless-cache"
      resources: {}
      # requests:
      #   memory: 200Mi
      #   cpu: 100m
      # limits:
      #   memory: 700Mi
    sentinel:
      port: 0
      tlsPort: 26379
      tlsReplication: true
      resolveHostnames: true
      announceHostnames: true
      resources: {}
      # requests:
      #   memory: 200Mi
      #   cpu: 100m
      # limits:
      #   memory: 200Mi
    podDisruptionBudget: {}
    # Use only one of the two
    # maxUnavailable: 1
    # minAvailable: 1
    # prevent cache-ha pods scheduling on the same node by setting hardAntiAffinity to true
    hardAntiAffinity: false
    ## Cache data is persisted to disk by default. NOTE(review): it is presumably protected by the cache
    ## encryption key above, but still prefer a StorageClass that encrypts volumes at rest.
    persistentVolume:
      enabled: true
      ## cacheHA data Persistent Volume Storage Class
      ## If defined, storageClassName: <storageClass>
      ## If undefined, the default storage class will be used.
      storageClass: ~
      accessModes:
        - ReadWriteOnce
      size: 10Gi
      annotations: {}
      labels: {}
    topologySpreadConstraints:
      enabled: false
      # maxSkew: "1"
      # topologyKey: "topology.kubernetes.io/zone"
      # whenUnsatisfiable: "ScheduleAnyway"

####################################################
##           Default values for Gateway           ##
####################################################
gateway:
  ## Default values for akeyless-gateway.
  deployment:
    annotations: {}
    labels: {}
    replicaCount: 2
    ## Deployment update strategy configuration
    ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
    strategy: {}
    # type: RollingUpdate
    # maxUnavailable: 0
    # maxSurge: "25%"
    ## Gateway image settings: repository and tag to deploy
    ## Default: akeyless/base. Alternative mirror registry: docker.registry-2.akeyless.io/base
    ## The default tag is `latest`, a mutable tag: a freshly scheduled node can pull a different build than
    ## its neighbours and upgrades stop being reproducible or auditable. Pin an explicit version tag (or an
    ## image digest) in production and roll it forward deliberately.
    image:
      # repository: akeyless/base
      # tag: latest
      pullPolicy: IfNotPresent
    pod:
      # Place here any pod annotations you may need
      annotations: {}
    containerPort: 8000
    affinity:
      enabled: false
      data:
      # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
    ## Pod Topology Spread Constraints
    ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
    topologySpreadConstraints: []
    nodeSelector:
      # iam.gke.io/gke-metadata-server-enabled: "true"
    tolerations: []
    # - key: "key"
    #   operator: "Equal"
    #   value: "value"
    #   effect: "NoSchedule"
    ## Pod-level security context. Disabled by default, and the values below are root (uid/gid 0), so simply
    ## flipping enabled to true still runs the Gateway as root.
    ## NOTE(review): with enabled: false presumably no securityContext is rendered and the image's default
    ## user applies - confirm. If the image supports it (check the Akeyless docs), run as a dedicated
    ## non-root uid/gid and harden the container context below (drop capabilities, no privilege escalation).
    securityContext:
      enabled: false
      fsGroup: 0
      runAsUser: 0
    containerSecurityContext: {}
    ## Remove the {} and add any needed values to your SecurityContext
    ##
    # runAsUser: 0
    # allowPrivilegeEscalation: false
    # capabilities:
    #   drop: ["ALL"]
    # seccompProfile:
    #   type: RuntimeDefault
    livenessProbe:
      initialDelaySeconds: 60
      periodSeconds: 30
      failureThreshold: 10
    readinessProbe:
      initialDelaySeconds: 60
      periodSeconds: 10
      timeoutSeconds: 5

  service:
    ## Remove the {} and add any needed annotations regarding your LoadBalancer implementation
    ## type defaults to LoadBalancer, which on cloud providers typically allocates an externally reachable
    ## address as soon as the chart is installed. Use ClusterIP (plus an ingress) or an internal-LB
    ## annotation unless the Gateway must be reachable from outside the cluster, and restrict source ranges
    ## on the LB where the provider allows it.
    ##
    annotations: {}
    labels: {}
    type: LoadBalancer
    ## Gateway service port
    ##
    port: 8000
  kmip:
    enabled: false
  hvp:
    enabled: false
  ## Configure the ingress resource that allows you to access the
  ## akeyless-api-gateway installation. Set up the URL
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## Set to true to enable ingress record generation
    enabled: false
    ## A reference to an IngressClass resource
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation
    # ingressClassName:
    labels: {}
    annotations: {}
    ## Example for Nginx ingress
    ##
    # annotations:
    #   kubernetes.io/ingress.class: nginx
    #   nginx.ingress.kubernetes.io/ssl-redirect: "true"
    #   nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
    #   nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    #   nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    #   nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
    #   nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    ## Example for Istio ingress
    ##
    # labels:
    #   istio-injection: enabled
    # annotations:
    #   kubernetes.io/ingress.class: "istio"
    ## You can set ingressClassName instead of the annotation and label
    ##
    # ingressClassName: istio
    ## In addition if you are using istio ingress, you must add the following annotation to the gateway pod annotations
    ##
    # pod:
    #   annotations:
    #     proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true }'
    ## Example for AWS ELB ingress
    ## `internet-facing` publishes the Gateway on the public internet; use `internal` unless that is intended.
    ##
    # annotations:
    #   kubernetes.io/ingress.class: alb
    #   alb.ingress.kubernetes.io/scheme: internet-facing
    rules:
      - servicePort: gateway
        hostname: "gateway.local"
        ## Path for the default host
        path: /
        ## Ingress Path type the value can be ImplementationSpecific, Exact or Prefix
        pathType: ImplementationSpecific
    ## Enable TLS configuration for the hostname defined at ingress.hostname parameter
    ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.gateway.ingress.hostname }}
    ## or a custom one if you use the tls.existingSecret parameter
    ## With tls: false the ingress serves the Gateway hostname over plain HTTP; turn it on (or let
    ## certManager issue the certificate) before exposing the hostname.
    ##
    tls: false
    # existingSecret: name-of-existing-secret
    ## Set this to true in order to add the corresponding annotations for cert-manager and secret name
    certManager: false
  resources: {}
  ## The following resource settings represent minimum recommended requests without defined limits.
  ## We've set a base recommended requests of 1 vCPU and 2GB memory.
  ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource
  ## limits, uncomment the 'limits' section and adjust values as needed.
  ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values.
  ## If you do want to specify resources, uncomment the following
  ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  ##
  # limits:
  #   cpu:
  #   memory:
  # requests:
  #   cpu: 1
  #   memory: 2G
  hpa:
    ## Set the below to false in case you do not want to add Horizontal Pod AutoScaling
    ## Note that metrics server must be installed for this to work:
    ## https://github.com/kubernetes-sigs/metrics-server
    ##
    enabled: false
    minReplicas: 1
    maxReplicas: 10
    cpuAvgUtil: 70
    memAvgUtil: 70
    annotations: {}
  ## Pod Disruption Budget configuration
  pdb:
    enabled: false
    # minAvailable: ""
    # maxUnavailable: ""
  ## HSM configuration
  hsm:
    enabled: false
    ## In case hsm is enabled you must add pinExistingSecret which includes the hsm pkcs11 pin
    ## https://docs.akeyless.io/docs/k8s-hsm-integration
    ##
    pinExistingSecret: ""
    ## pkcs11LibPath:
    ## slot:
    ## tokenLabel:
    ## tokenSerial:
    ## useRand: false
  persistence:
    enabled: false
    # existingClaim: ""
    # mountPath: ""
    # accessMode: "ReadWriteMany"
    # storageClass: ""
    # size: 5Gi
  ## Optional volume config for akeyless-config. Leave empty for default emptyDir: {}.
  akeylessConfigVol: {}
  # emptyDir:
  #   sizeLimit: "500Mi"
  ## NOTE(review): this bundle is presumably merged into the container's trust store, so every CA in it can
  ## vouch for any upstream the Gateway connects to - include only the CAs you actually need.
  customCA:
    enabled: false
    # Name of the volume to mount
    volumeName: "ca-certificates"
    # Type of the volume to mount: either 'configMap' or 'secret'
    volumeType: "configMap"
    # Name of the ConfigMap or Secret containing the custom CA certificates.
    # Must have a key named 'ca-certificates.crt'.
    volumeSourceName: ""
  secretsStore:
    # Enable Secret Store CSI integration
    enabled: false
    # Mount path for secrets
    mountPath: ""
    provider:
      existingClass: false
      # Name of the SecretProviderClass to use
      secretProviderClassName: ""
      # Secret provider type (aws, azure, gcp)
      type: ""

######################################################
## Default values for akeyless-secure-remote-access ##
######################################################
## If you are only using Akeyless Gateway, ignore this section
##
sra:
  ## Enable secure-remote-access. Valid values: true/false.
  ## For more information see the Quick Start guide for Remote Access
  ## or the guide to setting up SRA on K8s (links were lost in extraction; see docs.akeyless.io).
  enabled: false
  image:
    ## Default image repository is: akeyless/zero-trust-bastion
    ## As with the Gateway image, pin a specific tag or digest in production instead of `latest`.
    ##
    pullPolicy: IfNotPresent
    # tag: latest
  env: []
  ## The below section is for the Remote Access Web app
  ##
  webConfig:
    deployment:
      annotations: {}
      labels: {}
      nodeSelector:
      tolerations: []
      affinity:
        enabled: false
        data:
      topologySpreadConstraints: []
      strategy: {}
      replicaCount: 1
      # Example for enabling pod-level securityContext for volume permissions:
      # securityContext:
      #   enabled: true
      #   runAsUser: 1000
      #   fsGroup: 1000
    ## Persistence Volume is used to store RDP recordings when it is configured to save recordings locally
    ## Akeyless requires data persistence to be shared within all pods in the cluster
    ## accessMode: ReadWriteMany
    ## Make sure to change the below values according to your environment except for the hostPath values
    ## see docs for more information
    ## Session recordings capture everything the user saw and typed: restrict who can mount or read this
    ## volume (RBAC on the PVC, storage-level ACLs) and use a StorageClass that encrypts at rest.
    ##
    persistence:
      volumes: {}
      # volumes:
      #   - name: akeyless-data
      #     storageClassName: efs-zero-trust-bastion-sc
      #     # storageClassDriver: efs.csi.aws.com
      #     size: 100Mi
      #     annotations:
      #       volume.beta.kubernetes.io/storage-class: ""
    livenessProbe:
      initialDelaySeconds: 15
      periodSeconds: 30
      failureThreshold: 10
    readinessProbe:
      initialDelaySeconds: 15
      periodSeconds: 30
      timeoutSeconds: 5
    resources:
      ## The following resource settings represent minimum recommended requests without defined limits.
      ## We've set a base recommended requests of 1 vCPU and 2GB memory.
      ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource
      ## limits, uncomment the 'limits' section and adjust values as needed.
      ## For more information on system requirements see the docs.
      ##
      ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values.
      ## If you do want to specify resources, uncomment the following
      ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
      ##
      # limits:
      #   cpu:
      #   memory:
      requests:
        cpu: 1
        memory: 2G
    hpa:
      ## Set the below to false in case you do not want to add Horizontal Pod AutoScaling to the Deployment
      ## If HPA is enabled resources requests must be set
      ##
      enabled: false
      minReplicas: 1
      maxReplicas: 10
      cpuAvgUtil: 70
      memAvgUtil: 70
    ## Pod Disruption Budget configuration
    pdb:
      enabled: false
      # minAvailable: ""
      # maxUnavailable: ""
  ## The below section is for the Remote Access SSH app
  ## For more information see the docs.
  ##
  sshConfig:
    deployment:
      annotations: {}
      labels: {}
      nodeSelector:
      tolerations: []
      affinity:
        enabled: false
        data:
      topologySpreadConstraints: []
      strategy: {}
      replicaCount: 1
    ## This is a required RSA Public Key for your Akeyless SSH Cert Issuer
    ## See docs for examples
    ## NOTE(review): the bastion presumably trusts any SSH certificate signed by this key, so only the CA of
    ## your dedicated SSH Cert Issuer belongs here - never a broader or shared CA.
    ##
    CAPublicKey:
    # CAPublicKey: |
    ## Use this parameter to store fingerprint information in a specific folder within your Akeyless account.
    ## This approach prevents the need to manually re-accept the SSH host key fingerprint after upgrades or other changes.
    ## In the example below, the fingerprints will be stored in the /MY_SSH_REMOTE_ACCESS_HOST_KEYS folder.
    ## Note: Ensure that your Remote Access default authentication method has the necessary permissions to create, read, and list within this folder.
    ## Scope that permission to this folder only - the auth method does not need create/read/list elsewhere for this feature.
    ## See docs for more information
    ##
    sshHostKeysPath:
    annotations: {}
    labels: {}
    nodeSelector:
      # iam.gke.io/gke-metadata-server-enabled: "true"
    ## Same caveat as gateway.deployment.securityContext: the defaults here are root (uid/gid 0).
    ## NOTE(review): run the SSH bastion as a non-root user if the image supports it - confirm in docs.
    securityContext:
      enabled: false
      fsGroup: 0
      runAsUser: 0
    service:
      ## Remove the {} and add any needed annotations regarding your LoadBalancer implementation
      ## type: LoadBalancer on port 22 typically exposes an SSH endpoint outside the cluster. Restrict the
      ## allowed source ranges (provider LB annotations / firewall) or use an internal LB, and make sure
      ## authorizedAccessIDs in globalConfig is set so only intended Access IDs can use it.
      ##
      annotations: {}
      labels: {}
      type: LoadBalancer
      port: 22
    livenessProbe:
      failureThreshold: 5
      periodSeconds: 30
      timeoutSeconds: 5
    readinessProbe:
      initialDelaySeconds: 20
      periodSeconds: 10
      timeoutSeconds: 5
    resources:
      ## The following resource settings represent minimum recommended requests without defined limits.
      ## We've set a base recommended requests of 1 vCPU and 2GB memory.
      ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource
      ## limits, uncomment the 'limits' section and adjust values as needed.
      ## For more information on system requirements see the docs.
      ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values.
      ## If you do want to specify resources, uncomment the following
      ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
      ##
      # limits:
      #   cpu:
      #   memory:
      requests:
        cpu: 1
        memory: 2G
    hpa:
      ## Set the below to true only when using a shared persistent storage (defined at .persistence.volumes)
      ## If HPA is enabled resources requests must be set
      ##
      enabled: false
      minReplicas: 1
      maxReplicas: 10
      cpuAvgUtil: 70
      memAvgUtil: 70
    ## Pod Disruption Budget configuration
    pdb:
      enabled: false
      # minAvailable: ""
      # maxUnavailable: ""