############ ## Global ## ############ globalConfig: gatewayAuth: ## Supported types: access_key, certificate, universal identity, cloud identity (aws_iam/azure_ad/gcp) ## If using access_key, certificate or universal identity, you must also add gatewayCredentialsExistingSecret which includes the key/certificate/token ## https://docs.akeyless.io/docs/gateway-chart#authentication ## gatewayAccessId: gatewayAccessType: ## Use K8s secret to set the following types: access_key, certificate, uid ## Create a K8s secret, run 'kubect apply' and add secret name (see docs for examples) ## keys: gateway-access-key, gateway-certificate, gateway-certificate-key, gateway-uid-token ## gatewayCredentialsExistingSecret: ## Add one or more Access IDs to give them access to this Gateway; add the specified permissions and sub-claims. ## Name must be unique. Empty permissions will implicitly give the admin permission. ## See docs for examples https://docs.akeyless.io/docs/gateway-chart#gateway-admins ## allowedAccessPermissions: [] ## Use a K8s existing secret for Gateway Allowed Access. Must include the following key: allowed-access-permissions ## https://docs.akeyless.io/docs/gateway-chart#access-permissions ## allowedAccessPermissionsExistingSecret: ## List Access IDs that have access (comma separated list), if left empty all Access IDs will be authorised. ## To enable only specific users to use Remote Access, make sure to add the relevant `authorizedAccessIDs` in the `Global` section. ## A comma-separated list can be used for multiple IDs. ## While this is not mandatory, it is a good security practice to limit user access. If not configured, a Warning message ## will appear. For more information: https://docs.akeyless.io/docs/remote-access-setup-k8s#configuration ## authorizedAccessIDs: ## If serviceAccount = false, please ensure the provided service account has the following permissions: ## 1. Create Kubernetes Secrets - The service account must be able to create secrets within the Kubernetes cluster. ## Read and Update the Gateway's Kubernetes Secret ## 2. The service account must have read and update access to the Kubernetes secret used by the Gateway. ## By default, this secret is named -cache-encryption-key, unless a custom name has been specified. ## serviceAccount: create: false serviceAccountName: annotations: ## This is the actual name of the cluster as in account/access-id/clusterName ## clusterName: ## This is the vanity display name of the cluster ## initialClusterDisplayName: ## The key which is used to encrypt the Gateway configuration. ## If left empty - the account's default key will be used. ## This key can be determined on cluster bringup only and cannot be modified afterwards ## configProtectionKeyName: ## Use k8s secret to set the CF, the k8s secret must include the key: customer-fragments ## See docs for examples https://docs.akeyless.io/docs/advanced-chart-configuration#customer-fragment ## customerFragmentsExistingSecret: ## See docs for examples https://docs.akeyless.io/docs/advanced-chart-configuration#tls-configuration ## TLSConf: enabled: false ## Specifies an existing secret for tls-certificate: tlsExistingSecret: ## Telemetry Metrics see docs for examples https://docs.akeyless.io/docs/telemetry-metrics-k8s ## metrics: enabled: false ## Existing secret for metrics must include: ## - otel-config.yaml (base64) secret ## metricsExistingSecret: ## Linux system HTTP Proxy httpProxySettings: http_proxy: "" https_proxy: "" no_proxy: "" # env: [] ## https://docs.akeyless.io/docs/advanced-chart-configuration#cache-configuration ## clusterCache: ## In case Cache is enabled in the Gateway, and the encryptionKeyExistingSecret parameter has a value ## Akeyless will use this specified encryption key and store it securely within Akeyless Gateway. ## If the encryptionKeyExistingSecret parameter is empty or not specified, ## Akeyless will automatically generate a new encryption key and a new ServiceAccount for K8s. ## for more information: https://docs.akeyless.io/docs/advanced-chart-configuration#cache-configuration ## encryptionKeyExistingSecret: # Enable/Disable TLS between the Gateway and the cluster cache service # using generated certificates and keys enableTls: false ## The resources limits for the redis cluster cache ## resources: limits: # cpu: 500m memory: 2Gi requests: cpu: 250m memory: 256Mi #################################################### ## Default values for Gateway ## #################################################### gateway: ## Default values for akeyless-gateway. deployment: annotations: {} labels: {} replicaCount: 2 image: # repository: akeyless/base ## Alternative mirror registry # repository: docker.registry-2.akeyless.io/base # tag: latest pullPolicy: IfNotPresent # Place here any pod annotations you may need pod: annotations: {} affinity: enabled: false data: # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: # nodeSelectorTerms: # - matchExpressions: # - key: kubernetes.io/arch # operator: In # values: # - amd64 # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity nodeSelector: # iam.gke.io/gke-metadata-server-enabled: "true" securityContext: enabled: false fsGroup: 0 runAsUser: 0 containerSecurityContext: {} ## Remove the {} and add any needed values to your SecurityContext ## # runAsUser: 0 # seccompProfile: # type: RuntimeDefault livenessProbe: initialDelaySeconds: 60 periodSeconds: 30 failureThreshold: 10 readinessProbe: initialDelaySeconds: 60 periodSeconds: 10 timeoutSeconds: 5 service: ## Remove the {} and add any needed annotations regarding your LoadBalancer implementation ## annotations: {} labels: {} type: LoadBalancer ## Gateway service port ## port: 8000 kmip: enabled: false ## Configure the ingress resource that allows you to access the ## akeyless-api-gateway installation. Set up the URL ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/ ## ingress: ## Set to true to enable ingress record generation enabled: false ## A reference to an IngressClass resource ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation # ingressClassName: labels: {} annotations: {} ## Example for Nginx ingress ## # annotations: # kubernetes.io/ingress.class: nginx # nginx.ingress.kubernetes.io/ssl-redirect: "true" # nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600" # nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" # nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" # nginx.ingress.kubernetes.io/proxy-buffer-size: "8k" # nginx.ingress.kubernetes.io/proxy-buffers-number: "4" ## Example for Istio ingress ## # labels: # istio-injection: enabled # annotations: # kubernetes.io/ingress.class: "istio" # ## You can set ingressClassName instead annotation and label ## # ingressClassName: istio # ## In addition if you are using istio ingress, you must add the following annotation to the gateway pod annotations ## # pod: # annotations: # proxy.istio.io/config: '{"holdApplicationUntilProxyStarts": true }' ## Example for AWS ELB ingress ## # annotations: # kubernetes.io/ingress.class: alb # alb.ingress.kubernetes.io/scheme: internet-facing rules: - servicePort: gateway hostname: "gateway.local" ## Path for the default host path: / ## Ingress Path type the value can be ImplementationSpecific, Exact or Prefix pathType: ImplementationSpecific ## Enable TLS configuration for the hostname defined at ingress.hostname parameter ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.gateway.ingress.hostname }} ## or a custom one if you use the tls.existingSecret parameter ## tls: false # existingSecret: name-of-existing-secret ## Set this to true in order to add the corresponding annotations for cert-manager and secret name certManager: false resources: {} ## The following resource settings represent minimum recommended requests without defined limits. ## We've set a base recommended requests of 1 vCPU and 2GB memory. ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource ## limits, uncomment the 'limits' section and adjust values as needed. ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values. ## If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. ## # limits: # cpu: # memory: # requests: # cpu: 1 # memory: 2G hpa: ## Set the below to false in case you do not want to add Horizontal Pod AutoScaling ## Note that metrics server must be installed for this to work: ## https://github.com/kubernetes-sigs/metrics-server ## enabled: false minReplicas: 1 maxReplicas: 10 cpuAvgUtil: 70 memAvgUtil: 70 annotations: {} ## HSM configuration hsm: enabled: false ## In case hsm is enabled you must add pinExistingSecret which includes the hsm pcks11 pin ## https://docs.akeyless.io/docs/k8s-hsm-integration ## pinExistingSecret: "" ## pkcs11LibPath: ## slot: ## tokenLabel: ## tokenSerial: ## useRand: false persistence: enabled: false ## existingClaim: "" ## mountPath: "" ## accessMode: "ReadWriteMany" ## storageClass: "" ## size: 100Mi secretsStore: # Enable Secret Store CSI integration enabled: false # Name of the SecretProviderClass to use secretProviderClassName: "" # Mount path for secrets mountPath: "" # Secret provider type (akeyless, aws, azure, gcp) provider: "akeyless" # Example configurations for different providers: # akeyless: # # Akeyless API URL # url: "https://api.akeyless.io" # # Access ID for authentication # accessId: "your-access-id" # # Optional: Access Key for authentication (should be provided via SecretProviderClass) # accessKey: "your-access-key" # # Optional: JWT for authentication # jwt: "your-jwt-token" # # Optional: File permission for mounted secrets (default: 0644) # filePermission: "0644" # # List of objects to fetch from Akeyless # objects: | # # Example 1: Fetch a single secret # - objectName: "my-secret" # objectType: "secret" # objectVersion: "" # objectAlias: "my-secret" # # # Example 2: Fetch an SSH key # - objectName: "my-ssh-key" # objectType: "ssh" # objectVersion: "" # objectAlias: "ssh-key" # # # Example 3: Fetch a certificate # - objectName: "my-cert" # objectType: "cert" # objectVersion: "" # objectAlias: "certificate" # # aws: # # AWS region where secrets are stored # region: "us-east-1" # # Optional: Failover region for high availability # failoverRegion: "us-east-2" # # Optional: Use FIPS endpoint # useFipsEndpoint: false # # Optional: Pod identity endpoint type (ipv4, ipv6, or auto) # podIdentityEndpointType: "" # # List of secrets to fetch from AWS Secrets Manager and SSM Parameter Store # objects: | # # Example 1: Fetch from AWS Secrets Manager with JMESPath # - objectName: "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret" # objectType: "secretsmanager" # jmesPath: # - path: "username" # objectAlias: "MySecretUsername" # - path: "password" # objectAlias: "MySecretPassword" # # Optional: Specific version of the secret # objectVersion: "12345678-1234-1234-1234-123456789012" # # Optional: Version stage/alias # objectVersionLabel: "AWSCURRENT" # # Optional: Failover object for cross-region failover # failoverObject: # objectName: "arn:aws:secretsmanager:us-east-2:123456789012:secret:MySecret" # objectVersion: "12345678-1234-1234-1234-123456789012" # objectVersionLabel: "AWSCURRENT" # # # Example 2: Fetch from AWS SSM Parameter Store # - objectName: "/my-app/credentials" # objectType: "ssmparameter" # objectAlias: "api-key" # # Optional: Specific version of the parameter # objectVersion: "1" # # Optional: Parameter label # objectVersionLabel: "prod" # # # Example 3: Fetch from AWS Secrets Manager with hyphenated paths # - objectName: "arn:aws:secretsmanager:us-east-1:123456789012:secret:MySecret" # objectType: "secretsmanager" # jmesPath: # - path: '"hyphenated-path"' # objectAlias: '"hyphenated-alias"' # # azure: # # Azure Key Vault name # keyvaultName: "kvname" # # Azure Tenant ID # tenantID: "tid" # # Optional: Use pod identity for authentication # usePodIdentity: "false" # # Optional: Use VM managed identity # useVMManagedIdentity: "false" # # Optional: User assigned identity ID # userAssignedIdentityID: "client_id" # # Optional: Client ID for workload identity # clientID: "client_id" # # Optional: Azure cloud name (AzurePublicCloud, AzureUSGovernmentCloud, etc.) # cloudName: "" # # Optional: File permission for mounted secrets (default: 0644) # filePermission: "0644" # # List of objects to fetch from Azure Key Vault # objects: | # array: # - | # objectName: secret1 # objectAlias: SECRET_1 # objectType: secret # objectVersion: "" # objectVersionHistory: 5 # filePermission: 0755 # - | # objectName: key1 # objectAlias: KEY_1 # objectType: key # objectVersion: "" # - | # objectName: cert1 # objectAlias: CERT_1 # objectType: cert # objectVersion: "" # objectFormat: pem # objectEncoding: utf-8 # # gcp: # # GCP project ID # projectID: "my-project" # # Optional: File permission for mounted secrets (default: 0644) # filePermission: "0644" # # List of secrets to fetch from GCP Secret Manager # secrets: | # # Example 1: Fetch a single secret # - resourceName: "projects/my-project/secrets/my-secret/versions/latest" # path: "my-secret" # # # Example 2: Fetch multiple secrets # - resourceName: "projects/my-project/secrets/api-key/versions/latest" # path: "api-key" # # # Example 3: Fetch a specific version of a secret # - resourceName: "projects/my-project/secrets/my-secret/versions/2" # path: "my-secret" # # # Example 4: Fetch a secret with custom file permission # - resourceName: "projects/my-project/secrets/ssl-cert/versions/latest" # path: "ssl-cert" # filePermission: "0600" ###################################################### ## Default values for akeyless-secure-remote-access ## ###################################################### ## If you are only using Akeyless Gateway, ignore this section ## sra: ## Enable secure-remote-access. Valid values: true/false. ## For more information on a Quick Start guide for Remote Access ## Or setup SRA on K8s enabled: false image: ## Default image repository is: akeyless/zero-trust-bastion ## pullPolicy: IfNotPresent # tag: latest env: [] ## The below section is for the Remote Access Web app ## webConfig: deployment: annotations: {} labels: {} replicaCount: 1 ## Persistence Volume is used to store RDP recordings when it is configured to save recordings locally ## Akeyless requires data persistence to be shared within all pods in the cluster ## accessMode: ReadWriteMany ## Make sure to change the below values according to your environment except for the hostPath values ## see docs for more information ## persistence: volumes: {} # volumes: # - name: akeyless-data # storageClassName: efs-zero-trust-bastion-sc # # storageClassDriver: efs.csi.aws.com # size: 100Mi # annotations: # volume.beta.kubernetes.io/storage-class: "" livenessProbe: initialDelaySeconds: 15 periodSeconds: 30 failureThreshold: 10 readinessProbe: initialDelaySeconds: 15 periodSeconds: 30 timeoutSeconds: 5 resources: ## The following resource settings represent minimum recommended requests without defined limits. ## We've set a base recommended requests of 1 vCPU and 2GB memory. ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource ## limits, uncomment the 'limits' section and adjust values as needed. ## For more information on system requirements ## ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values. ## If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. ## # limits: # cpu: # memory: requests: cpu: 1 memory: 2G hpa: ## Set the below to false in case you do not want to add Horizontal Pod AutoScaling to the Deployment ## If HPA is enabled resources requests must be set ## enabled: false minReplicas: 1 maxReplicas: 10 cpuAvgUtil: 70 memAvgUtil: 70 ## The below section is for the Remote Access SSH app ## For more information: ## sshConfig: replicaCount: 1 ## This is a required RSA Public Key for your Akeyless SSH Cert Issuer ## See docs for examples ## CAPublicKey: # CAPublicKey: | ## Use this parameter to store fingerprint information in a specific folder within your Akeyless account. ## This approach prevents the need to manually re-accept the SSH host key fingerprint after upgrades or other changes. ## In the example below, the fingerprints will be stored in the /MY_SSH_REMOTE_ACCESS_HOST_KEYS folder. ## Note: Ensure that your Remote Access default authentication method has the necessary permissions to create, read, and list within this folder. ## See docs for more information ## sshHostKeysPath: annotations: {} labels: {} nodeSelector: # iam.gke.io/gke-metadata-server-enabled: "true" securityContext: enabled: false fsGroup: 0 runAsUser: 0 service: ## Remove the {} and add any needed annotations regarding your LoadBalancer implementation ## annotations: {} labels: {} type: LoadBalancer port: 22 livenessProbe: failureThreshold: 5 periodSeconds: 30 timeoutSeconds: 5 readinessProbe: initialDelaySeconds: 20 periodSeconds: 10 timeoutSeconds: 5 resources: ## The following resource settings represent minimum recommended requests without defined limits. ## We've set a base recommended requests of 1 vCPU and 2GB memory. ## We intentionally leave resource limits unspecified to enable customization. If you wish to set specific resource ## limits, uncomment the 'limits' section and adjust values as needed. ## For more information on system requirments ## If Horizontal Pod Autoscaler (HPA) usage is desired, you must set requests values. ## If you do want to specify resources, uncomment the following ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. ## # limits: # cpu: # memory: requests: cpu: 1 memory: 2G hpa: ## Set the below to true only when using a shared persistent storage (defined at .persistence.volumes) ## If HPA is enabled resources requests must be set ## enabled: false minReplicas: 1 maxReplicas: 10 cpuAvgUtil: 70 memAvgUtil: 70