Helm Chart Values
Here is the reference for the customizable values for Helm installation. See Helm installation documentation for more information.
Values
Key | Description |
---|---|
global (object) | Global configuration. Default: {"imagePullSecrets":[],"imageRegistry":""} |
global.imageRegistry (string) | Global Docker image registry. Default: "" |
global.imagePullSecrets (list) | Global Docker registry secret names, as an array. Default: [] |
hostname (string) | Hostname for the GitGuardian application (without https://). Default: "gitguardian.example.com" |
commonLabels (object) | Custom labels to add to all resources (includes commonMatchLabels). Format: name: value. Default: {} |
postgresql (object) | PostgreSQL Database configuration. Default: Not set |
postgresql.host (string) | PostgreSQL Database host name. Default: "" |
postgresql.port (int) | PostgreSQL Database host port. Default: 5432 |
postgresql.username (string) | PostgreSQL Database user name. Default: "" |
postgresql.password (string) | PostgreSQL Database user password. Should preferably be set in an existing secret (see: postgresql.existingSecret). Default: "" |
postgresql.tls.mode (string) | PostgreSQL Database SSL mode. Possible values: disable, allow, prefer, require, verify-ca, verify-full. See: PostgreSQL SSL Mode Descriptions. Default: "allow" |
postgresql.tls.crt (string) | PostgreSQL Database client certificate. Should preferably be set in an existing secret (see: postgresql.existingSecret). Default: "" |
postgresql.tls.key (string) | PostgreSQL Database client certificate private key. Should preferably be set in an existing secret (see: postgresql.existingSecret). Default: "" |
postgresql.tls.caCrt (string) | PostgreSQL Database custom Certificate Authority. Should preferably be set in an existing secret (see: postgresql.existingSecret). Default: "" |
postgresql.existingSecret (string) | Secret used to store the PostgreSQL password and certificates (preferred method). Default: "" |
postgresql.existingSecretKeys (object) | Keys used for PostgreSQL Database secrets when using an existing secret |
postgresql.existingSecretKeys.password (string) | Existing secret key that stores the PostgreSQL Database user password. Default: "POSTGRES_PASSWORD" |
postgresql.existingSecretKeys.tls.crt (string) | Existing secret key that stores the PostgreSQL Database client certificate. Default: "pg_client.crt" |
postgresql.existingSecretKeys.tls.key (string) | Existing secret key that stores the PostgreSQL Database client certificate private key. Default: "pg_client.key" |
postgresql.existingSecretKeys.tls.caCrt (string) | Existing secret key that stores the PostgreSQL Database custom Certificate Authority. Default: "pg_server.ca_crt" |
redis (object) | Redis Database configuration. You can either provide a fully qualified URI or fill in each part in its dedicated field. Redis is used as a broker and result backend for Celery and as a Commit Cache. Default: Not set |
redis.main.url (string) | Fully qualified URI of the Redis instance. Should preferably be set in an existing secret (see: redis.main.existingSecret). This value is not used when using Redis Sentinel. Default: "" |
redis.main.user (string) | Redis instance user (if redis.main.url is not specified) / Redis Sentinel master name. Default: "" |
redis.main.password (string) | Redis instance password (if redis.main.url is not specified) / Redis Sentinel master password. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.host (string) | Redis instance host name (if redis.main.url is not specified). This value is not used when using Redis Sentinel. Default: "" |
redis.main.port (int) | Redis instance host port (if redis.main.url is not specified). Default: 6379 |
redis.main.sentinel (object) | Redis Sentinel dedicated parameters (works along with redis.main.url). Default: {"enabled":false,"masterServiceName":"","password":"","url":"","user":""} |
redis.main.sentinel.enabled (bool) | Enable Redis Sentinel. Default: false |
redis.main.sentinel.url (string) | Redis Sentinel instances list. Format: sentinel-1:26379,sentinel-2:26379. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.sentinel.user (string) | Redis Sentinel master user. Default: "" |
redis.main.sentinel.password (string) | Redis Sentinel master password. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.sentinel.masterServiceName (string) | Redis Sentinel master service name. Default: "" |
redis.main.tls (object) | Redis instance TLS configuration. Default: Not set |
redis.main.tls.enabled (bool) | Enable Redis TLS (if redis.main.url is not specified). Default: false |
redis.main.tls.requireServerCert (bool) | Enable the Redis server certificate check. If true, you must provide a rediss:// URL scheme for redis.main.url. Default: false |
redis.main.tls.crt (string) | Redis instance client certificate. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.tls.key (string) | Redis instance client certificate private key. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.tls.caCrt (string) | Redis instance custom Certificate Authority. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.existingSecret (string) | Secret used to store the Redis instance URL or password and certificates (preferred method). Default: "" |
redis.main.existingSecretKeys (object) | Keys used for Redis secrets when using an existing secret |
redis.main.existingSecretKeys.tls.crt (string) | Existing secret key that stores the Redis instance client certificate. Default: "redis_client.crt" |
redis.main.existingSecretKeys.tls.key (string) | Existing secret key that stores the Redis instance client certificate private key. Default: "redis_client.key" |
redis.main.existingSecretKeys.tls.caCrt (string) | Existing secret key that stores the Redis instance custom Certificate Authority. Default: "redis_server.ca_crt" |
redis.main.existingSecretKeys.sentinel.url (string) | Redis Sentinel instances list. Default: "" |
redis.main.existingSecretKeys.sentinel.password (string) | Redis Sentinel password. Default: "" |
redis.commitCache.enabled (bool) | Enable a separate Redis instance dedicated to the Commit Cache feature. The Commit Cache feature avoids rescanning already scanned commits by saving scan results in Redis. If not enabled, the main Redis instance is used for the Commit Cache. Default: false |
redis.commitCache.url (string) | Fully qualified URI of the Redis instance. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.user (string) | Redis instance user name (if redis.commitCache.url is not specified). Default: "" |
redis.commitCache.password (string) | Redis instance user password (if redis.commitCache.url is not specified). Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.host (string) | Redis instance host name (if redis.commitCache.url is not specified). Default: "" |
redis.commitCache.port (int) | Redis instance host port (if redis.commitCache.url is not specified). Default: 6379 |
redis.commitCache.tls (object) | Redis instance TLS configuration. Default: Not set |
redis.commitCache.tls.enabled (bool) | Enable Redis TLS (if redis.main.url is not specified). Default: false |
redis.commitCache.tls.requireServerCert (bool) | Enable the Redis server certificate check. If true, you must provide a rediss:// URL scheme for REDIS_URL. Default: false |
redis.commitCache.tls.crt (string) | Redis instance client certificate. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.tls.key (string) | Redis instance client certificate private key. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.tls.caCrt (string) | Redis instance custom Certificate Authority. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.existingSecret (string) | Secret used to store the Redis instance URL or password and certificates (preferred method). Default: "" |
redis.commitCache.existingSecretKeys (object) | Keys used for Redis secrets when using an existing secret |
redis.commitCache.existingSecretKeys.tls.crt (string) | Existing secret key that stores the Redis instance client certificate. Default: "redis_client.crt" |
redis.commitCache.existingSecretKeys.tls.key (string) | Existing secret key that stores the Redis instance client certificate private key. Default: "redis_client.key" |
redis.commitCache.existingSecretKeys.tls.caCrt (string) | Existing secret key that stores the Redis instance custom Certificate Authority. Default: "redis_server.ca_crt" |
miscEncryption (object) | Encryption keys configuration. The Django Secret Key, X509 certificate and key are auto-generated during installation if not set. Default: Auto-generated |
miscEncryption.djangoSecretKey (string) | Encryption key for sensitive database fields. Auto-generated at first install if empty (preferred method). IMPORTANT: The key should be kept in a safe place, as it is required to access all sensitive information in the database. Default: Auto-generated |
miscEncryption.dbEncryptionKeys (string) | DB encryption secrets (optional, only needed for djangoSecretKey key rotation). Default: "" |
miscEncryption.existingSecret (string) | Secret used to store encryption secrets. Default: "" |
miscEncryption.existingSecretKeys (object) | Keys used for encryption secrets when using an existing secret |
miscEncryption.existingSecretKeys.djangoSecretKey (string) | Existing secret key that stores the Django Secret Key. Auto-generated at first install if empty (preferred method). Default: "DJANGO_SECRET_KEY" |
miscEncryption.existingSecretKeys.dbEncryptionKeys (string) | Existing secret key that stores the DB encryption keys (optional, only needed for djangoSecretKey key rotation). Default: "ENCRYPTION_KEYS" |
miscEncryption.existingSecretKeys.x509Cert (string) | Existing secret key that stores the certificate for SAML/SSO auth. Auto-generated at first install if empty (preferred method). Default: "SP_X509_CERT" |
miscEncryption.existingSecretKeys.x509PrivateKey (string) | Existing secret key that stores the certificate private key for SAML/SSO auth. Auto-generated at first install if empty (preferred method). Default: "SP_PRIVATE_KEY" |
externalSecrets.enabled (bool) | Enable External Secrets (https://external-secrets.io/). Default: false |
externalSecrets.path (string) | External Secret path. Default: "" |
externalSecrets.secretStoreRef.kind (string) | External Secrets (https://external-secrets.io/) class. Default: "SecretStore" |
externalSecrets.secretStoreRef.name (string) | External Secrets (https://external-secrets.io/) name. Default: "vault" |
front (object) | Frontend configuration. The Frontend serves the Dashboard and acts as a proxy for other web deployments |
front.nginx.replicas (int) | Dashboard Frontend replicas count. Default: 1 |
front.nginx.nodeSelector (object) | Node selection constraint for Frontend. Default: {} |
front.nginx.tolerations (list) | Schedule Frontend pods with matching taints. Default: [] |
front.nginx.resources (object) | Dashboard Frontend resources. Default: {"requests":{"cpu":"200m","memory":"500Mi"}} |
front.service.type (string) | Service type. Can be ClusterIP, NodePort or LoadBalancer. Default: "ClusterIP" |
front.service.port (int) | Dashboard Frontend Service port. Default: 80 |
front.service.annotations (object) | Dashboard Frontend Service annotations. Default: {} |
front.ingress.enabled (bool) | Enable ingress resource. Default: false |
front.ingress.pathType (string) | Ingress path type. Default: "Prefix" |
front.ingress.ingressClassName (string) | IngressClass that will be used to implement the Ingress. Default: "" |
front.ingress.path (string) | The routing path to the GitGuardian instance. You may need to set this to '/*' in order to use this with ALB ingress controllers. Default: "/" |
front.ingress.annotations (object) | Additional annotations for the Ingress resource. Default: {} |
front.ingress.labels (object) | Additional labels for the Ingress resource. Default: {} |
webapps (object) | Backend deployments configuration |
webapps.internal_api.replicas (int) | Internal API replicas count. Default: 1 |
webapps.internal_api.nodeSelector (object) | Node selection constraint for Internal API. Default: {} |
webapps.internal_api.tolerations (list) | Schedule Internal API pods with matching taints. Default: [] |
webapps.internal_api_long.replicas (int) | Internal API for long requests replicas count. Default: 1 |
webapps.internal_api_long.nodeSelector (object) | Node selection constraint for Internal long API. Default: {} |
webapps.internal_api_long.tolerations (list) | Schedule Internal long API pods with matching taints. Default: [] |
webapps.public_api.replicas (int) | Public API (used for ggshield scans) replicas count. Default: 1 |
webapps.public_api.nodeSelector (object) | Node selection constraint for Public API. Default: {} |
webapps.public_api.tolerations (list) | Schedule Public API pods with matching taints. Default: [] |
webapps.hook.replicas (int) | VCS Webhooks Receivers replicas count. Default: 1 |
webapps.hook.nodeSelector (object) | Node selection constraint for Hook. Default: {} |
webapps.hook.tolerations (list) | Schedule Hook pods with matching taints. Default: [] |
webapps.app_exporter.replicas (string) | Prometheus exporter replicas count. Will be set to 1 if .Values.observability.exporter.statefulAppExporter.enabled is true. Default: 0 |
webapps.app_exporter.nodeSelector (object) | Node selection constraint for App Exporter. Default: {} |
webapps.app_exporter.tolerations (list) | Schedule App Exporter pods with matching taints. Default: [] |
celeryWorkers (object) | Asynchronous Workers deployments configuration |
celeryWorkers.worker.queues (string) | Queues consumed by default workers. Default: "celery,check_run,realtime,realtime_retry,honeytoken" |
celeryWorkers.worker.replicas (int) | Default workers (incl. realtime scans) replicas count. Default: 2 |
celeryWorkers.worker.nodeSelector (object) | Node selection constraint for Default Worker. Default: {} |
celeryWorkers.worker.tolerations (list) | Schedule Default Worker pods with matching taints. Default: [] |
celeryWorkers.worker.ephemeralStorage (object) | Worker ephemeral storage. Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""} |
celeryWorkers.email.queues (string) | Queues consumed by Messaging workers. Default: "email,notifier" |
celeryWorkers.email.replicas (int) | Messaging workers replicas count. Default: 2 |
celeryWorkers.email.nodeSelector (object) | Node selection constraint for Email Worker. Default: {} |
celeryWorkers.email.tolerations (list) | Schedule Email Worker pods with matching taints. Default: [] |
celeryWorkers.email.ephemeralStorage (object) | Worker ephemeral storage. Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""} |
celeryWorkers.scanners.queues (string) | Queues consumed by Historical Scan workers. Default: "basic_repo_scan,premium_repo_scan,manual_repo_scan" |
celeryWorkers.scanners.replicas (int) | Historical Scan workers replicas count. Default: 2 |
celeryWorkers.scanners.nodeSelector (object) | Node selection constraint for Scanner Worker. Default: {} |
celeryWorkers.scanners.tolerations (list) | Schedule Scanner Worker pods with matching taints. Default: [] |
celeryWorkers.scanners.ephemeralStorage (object) | Worker ephemeral storage. Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""} |
celeryWorkers.scanners_ods.queues (string) | Queues consumed by non-VCS Historical Scan workers. Default: "ods_scan" |
celeryWorkers.scanners_ods.replicas (int) | Non-VCS Historical Scan workers replicas count. Default: 0 |
celeryWorkers.scanners_ods.ephemeralStorage (object) | Non-VCS Historical Scan worker ephemeral storage. Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""} |
celeryWorkers.realtime-ods.queues (string) | Queues consumed by the Realtime ODS worker. Default: "realtime_ods,realtime_retry_ods" |
celeryWorkers.realtime-ods.replicas (int) | ODS workers (incl. realtime scans) replicas count. Default: 2 |
celeryWorkers.realtime-ods.ephemeralStorage (object) | Realtime ODS worker ephemeral storage. Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""} |
celeryWorkers.long.queues (string) | Queues consumed by Long Tasks workers. Default: "celery_long" |
celeryWorkers.long.replicas (int) | Long Tasks workers replicas count. Default: 2 |
celeryWorkers.long.nodeSelector (object) | Node selection constraint for Long Worker. Default: {} |
celeryWorkers.long.tolerations (list) | Schedule Long Worker pods with matching taints. Default: [] |
celeryWorkers.long.ephemeralStorage (object) | Long Worker ephemeral storage. Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""} |
beat (object) | Asynchronous tasks scheduler |
beat.replicas (int) | Asynchronous tasks scheduler replicas count. Default: 1 |
beat.resources (object) | Asynchronous tasks scheduler resources. Default: {"requests":{"cpu":"10m","memory":"200Mi"}} |
onPrem.adminUser (object) | GitGuardian Admin User. A temporary password has to be set in the secret "gim-secrets" under the ADMIN_PASSWORD key. You'll be asked to change this password when you log in. Default: {"email":"admin@example.com","firstname":"Admin"} |
replicated (object) | Replicated SDK configuration. Default: {"extraEnv":[{"name":"HTTP_PROXY","value":""},{"name":"HTTPS_PROXY","value":""},{"name":"NO_PROXY","value":""}],"imagePullSecrets":[],"images":{"replicated-sdk":"replicated/replicated-sdk:v1.0.0-beta.16"},"isAirgap":false} |
replicated.images (object) | Replicated image configuration; this cannot benefit from global values. Default: {"replicated-sdk":"replicated/replicated-sdk:v1.0.0-beta.16"} |
replicated.images.replicated-sdk (string) | Replicated SDK full image path. Default: "replicated/replicated-sdk:v1.0.0-beta.16" |
replicated.imagePullSecrets (list) | Image pull secrets. Default: [] |
replicated.extraEnv (list) | Replicated SDK env vars. Default: [{"name":"HTTP_PROXY","value":""},{"name":"HTTPS_PROXY","value":""},{"name":"NO_PROXY","value":""}] |
replicated.isAirgap (bool) | Disable Replicated outbound connections. Default: false |
sentry.enabled (bool) | Enable Sentry tracing. Default: false |
sentry.apm.enabled (bool) | Enable Sentry APM. Default: false |
sentry.dsn (string) | Sentry Data Source Name URL. Default: "https://sentry.io" |
tls (object) | HTTPS TLS configuration. You can manage the certificate manually or use cert-manager (https://cert-manager.io/) |
tls.certManager.enabled (bool) | Use cert-manager (https://cert-manager.io/) instead of a manual certificate. Default: false |
tls.certManager.certificatesSecret (string) | Name of the created cert-manager Certificate object. Default: "gitguardian-certificate" |
tls.certManager.certificatesNamespace (string) | Namespace where the certificate will be created. Default: .Release.Namespace |
tls.certManager.issuer.kind (string) | cert-manager (https://cert-manager.io/) Issuer class. Default: "ClusterIssuer" |
tls.certManager.issuer.name (string) | cert-manager (https://cert-manager.io/) Issuer name. Default: "gitguardian" |
tls.customCa (object) | Custom Certificate Authority certificate for integrations (VCS, notifiers, webhooks, ...) |
tls.customCa.caCert (string) | Certificates full chain in the PEM format. Should preferably be set in an existing secret (see: tls.customCa.existingSecret). Default: "" |
tls.customCa.existingSecret (string) | Existing secret containing the certificates full chain in the PEM format. Default: "" |
tls.customCa.existingSecretCaCertKey (string) | Key name of the certificate entry. Default: "custom-ca.pem" |
tls.customCa.image (object) | Custom CA nginx-unprivileged (used for init-containers only) image configuration. Default: {"name":"services/nginx-unprivileged","pullSecrets":[],"registry":"513715405986.dkr.ecr.us-west-2.amazonaws.com","tag":"stable"} |
tls.customCa.image.registry (string) | Registry from which to fetch the image. Empty = from Docker Hub. Default: "513715405986.dkr.ecr.us-west-2.amazonaws.com" |
tls.customCa.image.name (string) | Image name. Default: "services/nginx-unprivileged" |
tls.customCa.image.tag (string) | Image tag. Default: "stable" |
tls.customCa.image.pullSecrets (list) | Image pull secrets. Default: [] |
networkPolicy.enabled (bool) | Use default network policy. If enabled, you must ensure ingress traffic is allowed to nginx. Default: false |
securityContext.enabled (bool) | Enable security context in deployments. Set to false when deploying on OpenShift. Default: true |
containerSecurityContext (object) | Specify Container Security Context in deployments. Note: Enabled if securityContext.enabled is true. Default: {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"seccompProfile":{"type":"RuntimeDefault"}} |
argoCd.enabled (bool) | Enable ArgoCD hook and sync-wave annotations. Default: false |
istio.enabled (bool) | Enable Istio (https://istio.io/). If Istio is deactivated, you must configure your own ingress redirecting to the nginx service on port 80, or set the service to be LoadBalancer. Default: false |
istio.gateway.name (string) | Istio Gateway name. Default: "{{.Release.Name}}-{{.Release.Namespace}}" |
istio.gateway.namespace (string) | Istio Gateway namespace. Default: "istio-system" |
observability.exporters (object) | Prometheus exporters configuration |
observability.exporters.webAppExporter.enabled (bool) | Enable GitGuardian Applicative metrics on Webapp pods and Celery Workers. Default: false |
observability.exporters.statefulAppExporter.enabled (bool) | Enable Stateful metrics on Applicative Exporter (see https://docs.gitguardian.com/self-hosting/management/application-management/metrics). Default: false |
observability.exporters.statefulAppExporter.resources (object) | Applicative Exporter resources. Default: {"requests":{"cpu":"100m","memory":"500Mi"}} |
observability.serviceMonitors.enabled (bool) | Enable ServiceMonitors for Prometheus Operator. Note: this requires installing Prometheus Operator, which is not included in this chart (see https://prometheus-operator.dev). Default: false |
rbac (object) | GitGuardian pods will use a limited role if enabled. Default: {"enabled":true} |
rbac.enabled (bool) | Creates a Role and binds it to the GitGuardian ServiceAccount (see serviceAccount.name). Default: true |
serviceAccount (object) | GitGuardian pods use this ServiceAccount. Default: {"annotations":{},"autoMount":true,"create":true,"labels":{},"name":"gim"} |
serviceAccount.create (bool) | Create the serviceAccount. Default: true |
serviceAccount.name (string) | Name of the serviceAccount (if serviceAccount.create is false, it must exist prior to chart deployment). Default: "gim" |
migration.resources (object) | Pre/Post Deployment Jobs resources. Default: {"requests":{"cpu":"100m","memory":"100Mi"}} |
migration.serviceAccount (object) | GitGuardian migration pods use this ServiceAccount. Default: {"annotations":{},"autoMount":true,"create":true,"labels":{},"name":"gim-migration"} |
migration.serviceAccount.create (bool) | Create the migration serviceAccount. Default: true |
migration.serviceAccount.name (string) | Name of the serviceAccount (if migration.serviceAccount.create is false, it must exist prior to chart deployment). Default: "gim-migration" |
proxy (object) | HTTP(S) proxy configuration. You can configure a proxy server for outgoing traffic from the application. Default: Not set |
proxy.httpProxyUrl (string) | URL of the proxy server to be used for HTTP requests. Username and password in the URL are not supported. Default: nil |
proxy.httpsProxyUrl (string) | URL of the proxy server to be used for HTTPS requests. Username and password in the URL are not supported. Default: nil |
proxy.noProxyHostNames (list) | List of host names for which traffic should not go through the proxy. Default: [] |
experimental (object) | Experimental features. Default: Not set |
experimental.chainguard (bool) | Enable Chainguard images for backend and frontend GitGuardian images. Default: true |
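
The following audit script is an added example, not part of the GitGuardian documentation or chart. It checks a values document exported as JSON (for instance with `helm get values <release> --all -o json`) against the security-relevant settings in the table above. The key names, defaults and allowed values come from the table; the finding messages and the sample input are constructed for this example.

```python
import json

# Value keys the table marks "should preferably be set in existing secret",
# grouped by the section that owns the matching existingSecret setting.
SECRET_BACKED = {
    "postgresql": ["password", "tls.crt", "tls.key", "tls.caCrt"],
    "redis.main": ["url", "password", "sentinel.url", "sentinel.password",
                   "tls.crt", "tls.key", "tls.caCrt"],
    "redis.commitCache": ["url", "password", "tls.crt", "tls.key", "tls.caCrt"],
    "tls.customCa": ["caCert"],
}
# PostgreSQL SSL modes that verify the server certificate.
PG_VERIFYING_MODES = {"verify-ca", "verify-full"}


def lookup(values, dotted, default=None):
    """Walk a dotted key such as 'redis.main.tls.crt' through nested dicts."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def audit(values):
    """Return a sorted list of (key, message) findings for one values document."""
    findings = []
    for section, fields in SECRET_BACKED.items():
        for field in fields:
            key = f"{section}.{field}"
            if lookup(values, key, ""):
                findings.append((key, f"set inline; store it via {section}.existingSecret"))

    mode = lookup(values, "postgresql.tls.mode") or "allow"  # chart default
    if mode not in PG_VERIFYING_MODES:
        findings.append(("postgresql.tls.mode",
                         f"{mode!r} does not verify the server certificate"))

    redis_sections = ["redis.main"]
    if lookup(values, "redis.commitCache.enabled", False):
        redis_sections.append("redis.commitCache")
    for section in redis_sections:
        require = lookup(values, f"{section}.tls.requireServerCert", False)
        url = lookup(values, f"{section}.url", "")
        if not require:
            findings.append((f"{section}.tls.requireServerCert",
                             "server certificate check is disabled"))
        elif url and not url.startswith("rediss://"):
            # The table requires a rediss:// URL when the check is enabled.
            findings.append((f"{section}.url",
                             "requireServerCert is true but the URL is not rediss://"))

    if not lookup(values, "networkPolicy.enabled", False):
        findings.append(("networkPolicy.enabled", "default network policy is off"))
    if not lookup(values, "securityContext.enabled", True):
        findings.append(("securityContext.enabled",
                         "security context is disabled (the table expects this only on OpenShift)"))
    return sorted(findings)


# Constructed sample input, shaped like the JSON output of `helm get values`.
SAMPLE_VALUES = json.loads("""
{
  "postgresql": {"host": "pg.internal.example", "password": "constructed-pw",
                 "tls": {"mode": "require"}, "existingSecret": ""},
  "redis": {"main": {"url": "redis://redis.internal.example:6379/0",
                     "tls": {"requireServerCert": true}},
            "commitCache": {"enabled": false}},
  "networkPolicy": {"enabled": false},
  "securityContext": {"enabled": true}
}
""")

if __name__ == "__main__":
    for key, message in audit(SAMPLE_VALUES):
        print(f"{key}: {message}")
```

A URL kept in an existing secret is not visible in the values document, so the `rediss://` check only fires when `url` is set inline.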
Helm Chart Changes Between Versions
This section outlines the version-to-version changes in the Helm chart values, covering updates, new features, and deprecations.
2024.4.0 versus 2024.3.0
New:
- Added `commonLabels` to add custom labels to differentiate multiple GitGuardian deployments within the same Kubernetes cluster.
- Introduced `ephemeralStorage` option for all `celeryWorkers` to support Generic Ephemeral Inline Volumes.
- Introduced new `celeryWorkers.realtime-ods` worker for Other Data Sources (ODS) real time scanning.
Updated:
- Modified `celeryWorkers.worker.queues` and moved `realtime_ods,realtime_retry_ods` tasks into new `celeryWorkers.realtime-ods.queue`.
2024.3.0 versus 2024.2.0
Updated:
- Updated default value `replicated.images.replicated-sdk` from `v1.0.0-beta.14` to `v1.0.0-beta.16`.
- Decreased the default value of `celeryWorkers.scanners_ods.replicas` from `2` to `0`.
2024.2.0 versus 2024.1.0
New:
- Added `redis.main.sentinel` configuration options for managing Redis Sentinel settings.
- Introduced new settings for `redis.main.existingSecretKeys.sentinel.url` and `redis.main.existingSecretKeys.sentinel.password`.
- Added `miscEncryption.dbEncryptionKeys` and `miscEncryption.existingSecretKeys.dbEncryptionKeys` for database encryption key management.
- Introduced new `celeryWorkers.scanners_ods` worker for Other Data Sources (ODS) scanning.
Updated:
- Updated default value `replicated.images.replicated-sdk` from `v1.0.0-beta.12` to `v1.0.0-beta.14`.
Removed:
- Removed `observability.exporters.celeryExporter`.
2024.1.0 versus 2023.12.0
New:
- Expanded `nodeSelector` and `tolerations` settings across multiple services: `front.nginx`, `webapps.internal_api`, `webapps.internal_api_long`, `webapps.public_api`, `webapps.hook`, `webapps.app_exporter`, `celeryWorkers.worker`, `celeryWorkers.email`, `celeryWorkers.scanners`, and `celeryWorkers.long`.
- New `replicated.isAirgap` setting to manage air-gapped environments.
- Introduced `tls.customCa.image` configuration for custom CA management.
- Added new settings related to Kubernetes Roles and RoleBindings: `rbac.enabled`, `serviceAccount.create`, `serviceAccount.name`, `migration.serviceAccount.create`, and `migration.serviceAccount.name`.
Updated:
- Added new tasks `realtime_ods,realtime_retry_ods` to `celeryWorkers.worker.queues` to support additional task types.
- Enabled `experimental.chainguard` by default, changing from `false` to `true`, to utilize Chainguard images for backend and frontend services.