
Helm Chart Values

Version: 2024.11.0

Here is the reference for the customizable values for Helm installation. See Helm installation documentation for more information.

Values

Key (type) | Description | Default
global
(object)
Global configuration
Default: {"imagePullSecrets":[],"imageRegistry":""}
global.imageRegistry
(string)
Global Docker image registry
Default: ""
global.imagePullSecrets
(list)
Global Docker registry secret names as an array
Default: []
hostname
(string)
Hostname for the GitGuardian application (without https://)
Default: "gitguardian.example.com"
commonLabels
(object)
Custom labels to add to all resources (includes commonMatchLabels). Format: name: value
Default: {}
postgresql
(object)
PostgreSQL Database configuration
Default: Not set
postgresql.host
(string)
PostgreSQL Database host name
Default: ""
postgresql.port
(int)
PostgreSQL Database host port
Default: 5432
postgresql.username
(string)
PostgreSQL Database user name
Default: ""
postgresql.password
(string)
PostgreSQL Database user password. Should preferably be set in an existing secret (see: postgresql.existingSecret)
Default: ""
postgresql.tls.mode
(string)
PostgreSQL Database SSL mode. Possible values: disable, allow, prefer, require, verify-ca, verify-full. See: PostgreSQL SSL Mode Descriptions
Default: "allow"
postgresql.tls.crt
(string)
PostgreSQL Database Client certificate. Should preferably be set in an existing secret (see: postgresql.existingSecret)
Default: ""
postgresql.tls.key
(string)
PostgreSQL Database Client certificate private key. Should preferably be set in an existing secret (see: postgresql.existingSecret)
Default: ""
postgresql.tls.caCrt
(string)
PostgreSQL Database Custom Certificate Authority. Should preferably be set in an existing secret (see: postgresql.existingSecret)
Default: ""
postgresql.tls.existingSecretKeys.crt
(string)
Key of the existing secret that holds the PostgreSQL Database Client certificate
Default: ""
postgresql.tls.existingSecretKeys.key
(string)
Key of the existing secret that holds the PostgreSQL Database Client certificate private key
Default: ""
postgresql.tls.existingSecretKeys.caCrt
(string)
Key of the existing secret that holds the PostgreSQL Database Custom Certificate Authority
Default: ""
postgresql.existingSecret
(string)
Secret used to store PostgreSQL password and Certificates (preferred method)
Default: ""
postgresql.existingSecretKeys
(object)
Keys used for PostgreSQL Database secrets when using an existing secret
postgresql.existingSecretKeys.password
(string)
Key of the existing secret that holds the PostgreSQL Database user password
Default: ""
redis
(object)
Redis Database configuration. You can either provide a fully qualified URI or fill in each part in its dedicated field. Redis is used as a broker and result backend for Celery and as a Commit Cache
Default: Not set
redis.main.url
(string)
Fully qualified URI of the Redis Instance. Should preferably be set in an existing secret (see: redis.main.existingSecret). This value is not used when using Redis Sentinel
Default: ""
redis.main.user
(string)
Redis Instance user (if redis.main.url is not specified) / Redis Sentinel master name
Default: ""
redis.main.password
(string)
Redis Instance password (if redis.main.url is not specified) / Redis Sentinel master password. Should preferably be set in an existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.host
(string)
Redis Instance host name (if redis.main.url is not specified). This value is not used when using Redis Sentinel
Default: ""
redis.main.port
(int)
Redis Instance host port (if redis.main.url is not specified)
Default: 6379
redis.main.sentinel
(object)
Redis Sentinel dedicated parameters (works along with redis.main.url)
Default: {"enabled":false,"masterServiceName":"","password":"","url":"","user":""}
redis.main.sentinel.enabled
(bool)
Enable Redis Sentinel
Default: false
redis.main.sentinel.url
(string)
Redis Sentinel instances list. Format: sentinel-1:26379,sentinel-2:26379. Should preferably be set in an existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.sentinel.user
(string)
Redis Sentinel master user
Default: ""
redis.main.sentinel.password
(string)
Redis Sentinel master password. Should preferably be set in an existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.sentinel.masterServiceName
(string)
Redis Sentinel master service name
Default: ""
redis.main.tls
(object)
Redis Instance TLS configuration
Default: Not set
redis.main.tls.enabled
(bool)
Enable Redis TLS (if redis.main.url is not specified)
Default: false
redis.main.tls.requireServerCert
(bool)
Enable Redis server certificate check. If true, you must provide a rediss:// URL scheme for redis.main.url
Default: false
redis.main.tls.crt
(string)
Redis Instance Client certificate. Should preferably be set in an existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.tls.key
(string)
Redis Instance Client certificate private key. Should preferably be set in an existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.tls.caCrt
(string)
Redis Instance Custom Certificate Authority. Should preferably be set in an existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.tls.existingSecretKeys.crt
(string)
Key of the existing secret that holds the Redis Instance Client certificate
Default: ""
redis.main.tls.existingSecretKeys.key
(string)
Key of the existing secret that holds the Redis Instance Client certificate private key
Default: ""
redis.main.tls.existingSecretKeys.caCrt
(string)
Key of the existing secret that holds the Redis Instance Custom Certificate Authority
Default: ""
redis.main.existingSecret
(string)
Secret used to store Redis Instance URL or password and Certificates (preferred method)
Default: ""
redis.main.existingSecretKeys
(object)
Keys used for Redis secrets when using an existing secret
redis.main.existingSecretKeys.url
(string)
Redis URL
Default: ""
redis.main.existingSecretKeys.password
(string)
Redis password (this parameter cannot be used with Argo CD; use the url parameter instead)
Default: ""
redis.main.existingSecretKeys.sentinelUrl
(string)
Redis Sentinel instances list
Default: ""
redis.main.existingSecretKeys.sentinelPassword
(string)
Redis Sentinel password
Default: ""
redis.commitCache.enabled
(bool)
Enable a separate Redis instance dedicated to the Commit Cache feature. The Commit Cache avoids rescanning already scanned commits by saving scan results in Redis. If not enabled, the main Redis instance will be used for the Commit Cache
Default: false
redis.commitCache.url
(string)
Fully qualified URI of the Redis Instance. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.user
(string)
Redis Instance user name (if redis.commitCache.url is not specified)
Default: ""
redis.commitCache.password
(string)
Redis Instance user password (if redis.commitCache.url is not specified). Should preferably be set in an existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.host
(string)
Redis Instance host name (if redis.commitCache.url is not specified)
Default: ""
redis.commitCache.port
(int)
Redis Instance host port (if redis.commitCache.url is not specified)
Default: 6379
redis.commitCache.tls
(object)
Redis Instance TLS configuration
Default: Not set
redis.commitCache.tls.enabled
(bool)
Enable Redis TLS (if redis.main.url is not specified)
Default: false
redis.commitCache.tls.requireServerCert
(bool)
Enable Redis server certificate check. If true, you must provide a rediss:// URL scheme for REDIS_URL
Default: false
redis.commitCache.tls.crt
(string)
Redis Instance Client certificate. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.tls.key
(string)
Redis Instance Client certificate private key. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.tls.caCrt
(string)
Redis Instance Custom Certificate Authority. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.tls.existingSecretKeys.crt
(string)
Key of the existing secret that holds the Redis Instance Client certificate
Default: ""
redis.commitCache.tls.existingSecretKeys.key
(string)
Key of the existing secret that holds the Redis Instance Client certificate private key
Default: ""
redis.commitCache.tls.existingSecretKeys.caCrt
(string)
Key of the existing secret that holds the Redis Instance Custom Certificate Authority
Default: ""
redis.commitCache.existingSecret
(string)
Secret used to store Redis Instance URL or password and Certificates (preferred method)
Default: ""
redis.commitCache.existingSecretKeys
(object)
Keys used for Redis secrets when using an existing secret
redis.commitCache.existingSecretKeys.url
(string)
Redis URL. It can be set directly, or it will be recomposed from host, user, ...
Default: ""
redis.commitCache.existingSecretKeys.password
(string)
Redis password (this parameter cannot be used with Argo CD; use the url parameter instead)
Default: ""
miscEncryption
(object)
Encryption keys configuration. The Django Secret Key, X509 certificate and key are auto-generated during installation if not set
Default: Auto-generated
miscEncryption.djangoSecretKey
(string)
Encryption key for sensitive database fields. Auto-generated at first install if empty (preferred method). IMPORTANT: the key should be kept in a safe place, as it is required to access all sensitive information in the database
Default: Auto-generated
miscEncryption.dbEncryptionKeys
(string)
DB encryption secrets (optional, only needed for djangoSecretKey key rotation)
Default: ""
miscEncryption.existingSecret
(string)
Secret used to store encryption secrets
Default: ""
miscEncryption.existingSecretKeys
(object)
Keys used for encryption secrets when using an existing secret
miscEncryption.existingSecretKeys.djangoSecretKey
(string)
Key of the existing secret that holds the Django Secret Key. Auto-generated at first install if empty (preferred method)
Default: ""
miscEncryption.existingSecretKeys.dbEncryptionKeys
(string)
Key of the existing secret that holds the DB encryption keys (optional, only needed for djangoSecretKey key rotation)
Default: ""
miscEncryption.existingSecretKeys.x509Cert
(string)
Key of the existing secret that holds the certificate for SAML/SSO auth. Auto-generated at first install if empty (preferred method)
Default: ""
miscEncryption.existingSecretKeys.x509PrivateKey
(string)
Key of the existing secret that holds the certificate private key for SAML/SSO auth. Auto-generated at first install if empty (preferred method)
Default: ""
externalSecrets.enabled
(bool)
Enable https://external-secrets.io/
Default: false
externalSecrets.refreshInterval
(string)
Specify the refreshInterval for externalSecrets
Default: "15s"
externalSecrets.path
(string)
External Secret Path
Default: ""
externalSecrets.secretStoreRef.kind
(string)
https://external-secrets.io/ Class
Default: "SecretStore"
externalSecrets.secretStoreRef.name
(string)
https://external-secrets.io/ Name
Default: "vault"
autoscaling
(object)
Autoscaling configuration
Default: {"keda":{"prometheus":{}}}
autoscaling.keda.prometheus
(object)
Prometheus scaler configuration
Default: {}
front
(object)
Frontend configuration. The Frontend serves the Dashboard and acts as a proxy for other web deployments
front.nginx.replicas
(int)
Dashboard Frontend replicas count
Default: 1
front.nginx.nodeSelector
(object)
Node selection constraint for Frontend
Default: {}
front.nginx.tolerations
(list)
Schedule Frontend pods with matching taints
Default: []
front.nginx.resources
(object)
Dashboard Frontend resources
Default: {"requests":{"cpu":"100m","memory":"200Mi"}}
front.service.type
(string)
Service type. Can be ClusterIP, NodePort or LoadBalancer
Default: "ClusterIP"
front.service.port
(int)
Dashboard Frontend Service port
Default: 80
front.service.annotations
(object)
Dashboard Frontend Service annotations
Default: {}
front.ingress.enabled
(bool)
Enable ingress resource
Default: false
front.ingress.pathType
(string)
Ingress Path type
Default: "Prefix"
front.ingress.ingressClassName
(string)
IngressClass that will be used to implement the Ingress
Default: ""
front.ingress.path
(string)
The routing path to the GitGuardian instance. You may need to set this to '/*' in order to use this with ALB ingress controllers.
Default: "/"
front.ingress.annotations
(object)
Additional annotations for the Ingress resource.
Default: {}
front.ingress.labels
(object)
Additional labels for the Ingress resource.
Default: {}
front.ingress.tls.enabled
(bool)
Enable TLS configuration for the hostname defined by the ingress.hostname parameter
Default: false
front.ingress.tls.existingSecret
(string)
Existing secret containing TLS certificates
Default: ""
front.ingress.tls.crt
(string)
TLS certificate in PEM format. Should preferably be set in an existing secret (see: front.ingress.tls.existingSecret)
Default: ""
front.ingress.tls.key
(string)
TLS private key. Should preferably be set in an existing secret (see: front.ingress.tls.existingSecret)
Default: ""
webapps
(object)
Backend deployments configuration
webapps.internal_api.replicas
(int)
Internal API replicas count
Default: 1
webapps.internal_api.nodeSelector
(object)
Node selection constraint for Internal API
Default: {}
webapps.internal_api.tolerations
(list)
Schedule Internal API pods with matching taints
Default: []
webapps.internal_api_long.replicas
(int)
Internal API for long requests replicas count
Default: 1
webapps.internal_api_long.nodeSelector
(object)
Node selection constraint for Internal long API
Default: {}
webapps.internal_api_long.tolerations
(list)
Schedule Internal long API pods with matching taints
Default: []
webapps.public_api.replicas
(int)
Public API (used for ggshield scans) replicas count
Default: 1
webapps.public_api.nodeSelector
(object)
Node selection constraint for Public API
Default: {}
webapps.public_api.tolerations
(list)
Schedule Public API pods with matching taints
Default: []
webapps.hook.replicas
(int)
VCS Webhooks Receivers replicas count
Default: 1
webapps.hook.nodeSelector
(object)
Node selection constraint for Hook
Default: {}
webapps.hook.tolerations
(list)
Schedule Hook pods with matching taints
Default: []
webapps.app_exporter.replicas
(string)
Prometheus exporter replicas count. Will be set to 1 if .Values.observability.exporter.statefulAppExporter.enabled is true
Default: 0
webapps.app_exporter.nodeSelector
(object)
Node selection constraint for App Exporter
Default: {}
webapps.app_exporter.tolerations
(list)
Schedule App Exporter pods with matching taints
Default: []
celeryWorkers
(object)
Asynchronous Workers deployments configuration
celeryWorkers.worker.queues
(string)
Queues consumed by default workers
Default: "celery,check_run,realtime,realtime_retry,honeytoken,reports"
celeryWorkers.worker.replicas
(int)
Default workers (incl. realtime scans) replicas count
Default: 2
celeryWorkers.worker.autoscaling.hpa.enabled
(bool)
Enable Horizontal Pod Autoscaler
Default: false
celeryWorkers.worker.autoscaling.keda.enabled
(bool)
Enable Keda Autoscaler
Default: false
celeryWorkers.worker.autoscaling.keda.triggers
(list)
Additional Keda triggers
Default: []
celeryWorkers.worker.autoscaling.minReplicas
(int)
Minimum number of workers created by autoscaler
Default: 1
celeryWorkers.worker.autoscaling.maxReplicas
(int)
Maximum number of workers created by autoscaler
Default: 10
celeryWorkers.worker.autoscaling.metrics
(object)
Autoscaling metrics threshold
Default: {"celery":10,"check_run":10,"honeytoken":10,"realtime":10,"realtime_retry":10,"reports":10,"sca":10}
celeryWorkers.worker.nodeSelector
(object)
Node selection constraint for Default Worker
Default: {}
celeryWorkers.worker.tolerations
(list)
Schedule Default Worker pods with matching taints
Default: []
celeryWorkers.worker.ephemeralStorage
(object)
Worker ephemeral storage
Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""}
celeryWorkers.email.queues
(string)
Queues consumed by Messaging workers
Default: "email,notifier"
celeryWorkers.email.replicas
(int)
Messaging workers replicas count
Default: 2
celeryWorkers.email.autoscaling.hpa.enabled
(bool)
Enable Horizontal Pod Autoscaler
Default: false
celeryWorkers.email.autoscaling.keda.enabled
(bool)
Enable Keda Autoscaler
Default: false
celeryWorkers.email.autoscaling.keda.triggers
(list)
Additional Keda triggers
Default: []
celeryWorkers.email.autoscaling.minReplicas
(int)
Minimum number of workers created by autoscaler
Default: 1
celeryWorkers.email.autoscaling.maxReplicas
(int)
Maximum number of workers created by autoscaler
Default: 10
celeryWorkers.email.autoscaling.metrics
(object)
Autoscaling metrics threshold
Default: {"email":10,"notifier":10}
celeryWorkers.email.nodeSelector
(object)
Node selection constraint for Email Worker
Default: {}
celeryWorkers.email.tolerations
(list)
Schedule Email Worker pods with matching taints
Default: []
celeryWorkers.email.ephemeralStorage
(object)
Worker ephemeral storage
Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""}
celeryWorkers.scanners.queues
(string)
Queues consumed by Historical Scan workers
Default: "basic_repo_scan,premium_repo_scan,manual_repo_scan"
celeryWorkers.scanners.replicas
(int)
Historical Scan workers replicas count
Default: 2
celeryWorkers.scanners.autoscaling.hpa.enabled
(bool)
Enable Horizontal Pod Autoscaler
Default: false
celeryWorkers.scanners.autoscaling.keda.enabled
(bool)
Enable Keda Autoscaler
Default: false
celeryWorkers.scanners.autoscaling.keda.triggers
(list)
Additional Keda triggers
Default: []
celeryWorkers.scanners.autoscaling.minReplicas
(int)
Minimum number of workers created by autoscaler
Default: 1
celeryWorkers.scanners.autoscaling.maxReplicas
(int)
Maximum number of workers created by autoscaler
Default: 10
celeryWorkers.scanners.autoscaling.metrics
(object)
Autoscaling metrics threshold
Default: {"basic_repo_scan":10,"manual_repo_scan":10,"premium_repo_scan":10}
celeryWorkers.scanners.nodeSelector
(object)
Node selection constraint for Scanner Worker
Default: {}
celeryWorkers.scanners.tolerations
(list)
Schedule Scanner Worker pods with matching taints
Default: []
celeryWorkers.scanners.ephemeralStorage
(object)
Worker ephemeral storage
Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""}
celeryWorkers.long.queues
(string)
Queues consumed by Long Tasks workers
Default: "celery_long,background_validity_check"
celeryWorkers.long.replicas
(int)
Long Tasks workers replicas count
Default: 2
celeryWorkers.long.autoscaling.hpa.enabled
(bool)
Enable Horizontal Pod Autoscaler
Default: false
celeryWorkers.long.autoscaling.keda.enabled
(bool)
Enable Keda Autoscaler
Default: false
celeryWorkers.long.autoscaling.keda.triggers
(list)
Additional Keda triggers
Default: []
celeryWorkers.long.autoscaling.minReplicas
(int)
HPA minReplicas
Default: 1
celeryWorkers.long.autoscaling.maxReplicas
(int)
HPA maxReplicas
Default: 10
celeryWorkers.long.autoscaling.metrics
(object)
HPA metrics threshold
Default: {"background_validity_check":10,"celery_long":10}
celeryWorkers.long.nodeSelector
(object)
Node selection constraint for Long Worker
Default: {}
celeryWorkers.long.tolerations
(list)
Schedule Long Worker pods with matching taints
Default: []
celeryWorkers.long.ephemeralStorage
(object)
Long Worker ephemeral storage
Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""}
celeryWorkers.scanners-ods.queues
(string)
Queues consumed by non-VCS Historical Scan workers
Default: "ods_scan"
celeryWorkers.scanners-ods.replicas
(int)
Non-VCS Historical Scan workers replicas count
Default: 0
celeryWorkers.scanners-ods.autoscaling.hpa.enabled
(bool)
Enable Horizontal Pod Autoscaler
Default: false
celeryWorkers.scanners-ods.autoscaling.keda.enabled
(bool)
Enable Keda Autoscaler
Default: false
celeryWorkers.scanners-ods.autoscaling.keda.triggers
(list)
Additional Keda triggers
Default: []
celeryWorkers.scanners-ods.autoscaling.minReplicas
(int)
Minimum number of workers created by autoscaler
Default: 1
celeryWorkers.scanners-ods.autoscaling.maxReplicas
(int)
Maximum number of workers created by autoscaler
Default: 10
celeryWorkers.scanners-ods.autoscaling.metrics
(object)
Autoscaling metrics threshold
Default: {"ods_scan":10}
celeryWorkers.scanners-ods.ephemeralStorage
(object)
Non-VCS Historical Scan worker ephemeral storage
Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""}
celeryWorkers.realtime-ods.queues
(string)
Queues consumed by default workers
Default: "realtime_ods,realtime_retry_ods"
celeryWorkers.realtime-ods.replicas
(int)
Default workers (incl. realtime scans) replicas count
Default: 0
celeryWorkers.realtime-ods.autoscaling.hpa.enabled
(bool)
Enable Horizontal Pod Autoscaler
Default: false
celeryWorkers.realtime-ods.autoscaling.keda.enabled
(bool)
Enable Keda Autoscaler
Default: false
celeryWorkers.realtime-ods.autoscaling.keda.triggers
(list)
Additional Keda triggers
Default: []
celeryWorkers.realtime-ods.autoscaling.minReplicas
(int)
Minimum number of workers created by autoscaler
Default: 1
celeryWorkers.realtime-ods.autoscaling.maxReplicas
(int)
Maximum number of workers created by autoscaler
Default: 10
celeryWorkers.realtime-ods.autoscaling.metrics
(object)
Autoscaling metrics threshold
Default: {"realtime_ods":10,"realtime_retry_ods":10}
celeryWorkers.realtime-ods.ephemeralStorage
(object)
Realtime ODS worker ephemeral storage
Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""}
celeryWorkers.long-ods.queues
(string)
Queues consumed by non-VCS Long Tasks workers
Default: "long_ods"
celeryWorkers.long-ods.replicas
(int)
Non-VCS Long Tasks workers replicas count
Default: 0
celeryWorkers.long-ods.autoscaling.hpa.enabled
(bool)
Enable Horizontal Pod Autoscaler
Default: false
celeryWorkers.long-ods.autoscaling.keda.enabled
(bool)
Enable Keda Autoscaler
Default: false
celeryWorkers.long-ods.autoscaling.keda.triggers
(list)
Additional Keda triggers
Default: []
celeryWorkers.long-ods.autoscaling.minReplicas
(int)
Minimum number of workers created by autoscaler
Default: 1
celeryWorkers.long-ods.autoscaling.maxReplicas
(int)
Maximum number of workers created by autoscaler
Default: 15
celeryWorkers.long-ods.autoscaling.metrics
(object)
Autoscaling metrics threshold
Default: {"long_ods":10}
celeryWorkers.long-ods.ephemeralStorage
(object)
Non-VCS Long Worker ephemeral storage
Default: {"annotations":{},"enabled":false,"labels":{},"size":"1Gi","storageClass":""}
celeryWorkers.long-ods-io.replicas
(int)
Number of replicas for Non-VCS workers specialized in IO operations
Default: 0
celeryWorkers.long-ods-io.autoscaling.keda.enabled
(bool)
Enable Keda Autoscaler
Default: false
celeryWorkers.long-ods-io.autoscaling.keda.triggers
(list)
Additional Keda triggers
Default: []
celeryWorkers.long-ods-io.autoscaling.minReplicas
(int)
Minimum number of workers created by autoscaler
Default: 1
celeryWorkers.long-ods-io.autoscaling.maxReplicas
(int)
Maximum number of workers created by autoscaler
Default: 1
celeryWorkers.long-ods-io.autoscaling.metrics
(object)
Autoscaling metrics threshold
Default: {"long_ods_io":10}
beat
(object)
Asynchronous tasks scheduler
beat.replicas
(int)
Asynchronous tasks scheduler replicas count
Default: 1
beat.resources
(object)
Asynchronous tasks scheduler resources
Default: {"requests":{"cpu":"10m","memory":"200Mi"}}
onPrem.adminUser
(object)
GitGuardian Admin User. A temporary password has to be set in the secret "gim-secrets" under the ADMIN_PASSWORD key. You'll be asked to change this password when you connect
Default: {"email":"admin@example.com","existingSecret":"","existingSecretKeys":{"password":""},"firstname":"Admin"}
replicated.image.repository
(string)
Replicated SDK image repository
Default: "replicated/replicated-sdk"
replicated.image.tag
(string)
Replicated SDK image tag
Default: "1.0.0-beta.31"
replicated.imagePullSecrets
(list)
Image pull secrets
Default: []
replicated.extraEnv
(list)
Replicated SDK env vars
Default: [{"name":"HTTP_PROXY","value":""},{"name":"HTTPS_PROXY","value":""},{"name":"NO_PROXY","value":""}]
replicated.isAirgap
(bool)
Disable Replicated outbound connections
Default: false
replicated.privateCASecret
(string)
Specify secret containing Custom Certificate Authority certificate
Default: ""
replicated.supportBundle.logs.maxLines
(int)
Set the max number of lines in the support bundle logs
Default: 10000
sentry.enabled
(bool)
Enable Sentry tracing
Default: false
sentry.apm.enabled
(bool)
Enable Sentry APM
Default: false
sentry.dsn
(string)
Sentry Data Source Name URL
Default: "https://sentry.io"
tls
(object)
HTTPS TLS configuration. You can manage the certificate manually or use https://cert-manager.io/
tls.certManager.enabled
(bool)
Use https://cert-manager.io/ instead of a manual certificate
Default: false
tls.certManager.certificatesSecret
(string)
Name of the created cert-manager Certificate object
Default: "gitguardian-certificate"
tls.certManager.certificatesNamespace
(string)
Namespace where certificate will be created
Default: .Release.Namespace
tls.certManager.issuer.kind
(string)
https://cert-manager.io/ Issuer Class
Default: "ClusterIssuer"
tls.certManager.issuer.name
(string)
https://cert-manager.io/ Issuer Name
Default: "gitguardian"
tls.customCa
(object)
Custom Certificate Authority certificate for integrations (VCS, notifiers, webhooks, ...)
tls.customCa.caCrt
(string)
Certificates full chain in PEM format. Should preferably be set in an existing secret (see: tls.customCa.existingSecret)
Default: ""
tls.customCa.existingSecret
(string)
Existing secret containing certificates full chain in the PEM format
Default: ""
tls.customCa.existingSecretKeys.caCrt
(string)
Key name of the certificate authority entry
Default: ""
tls.customCa.image
(object)
Custom CA nginx-unprivileged (used for init-containers only) image configuration
Default: {"name":"services/nginx-unprivileged","pullSecrets":[],"registry":"513715405986.dkr.ecr.us-west-2.amazonaws.com","tag":"stable"}
tls.customCa.image.registry
(string)
Registry from which to fetch the image. Empty = Docker Hub
Default: "513715405986.dkr.ecr.us-west-2.amazonaws.com"
tls.customCa.image.name
(string)
Image name
Default: "services/nginx-unprivileged"
tls.customCa.image.tag
(string)
Image tag
Default: "stable"
tls.customCa.image.pullSecrets
(list)
Image pull secrets
Default: []
tls.clientAuth
(object)
Client (end user) authentication
tls.clientAuth.enabled
(bool)
Enable client authentication. This is required for Common Access Card
Default: false
tls.clientAuth.mode
(string)
Set client authentication mode (one of enforce, audit). audit mode must be used for initial setup.
Default: "enforce"
tls.clientAuth.userRegex
(string)
Regex to extract the unique user identifier from the certificate DN. You must use a capture group (parentheses) to catch the user ID. The default regex matches 117 in: CN=hubert.bonisseur.delabath.117,O=DGSE,C=FR
Default: "(?:.+,)?CN=[^.]+\\.[^.]+\\.[^.]+\\.(\\d+)(?:,.+)?"
tls.clientAuth.crt
(string)
NGINX Server certificate (PEM). Should preferably be set in an existing secret (see: tls.clientAuth.existingSecret)
Default: ""
tls.clientAuth.key
(string)
NGINX Server key (PEM). Should preferably be set in an existing secret (see: tls.clientAuth.existingSecret)
Default: ""
tls.clientAuth.caCrt
(string)
NGINX Authority that validates user certificates (PEM). Should preferably be set in an existing secret (see: tls.clientAuth.existingSecret)
Default: ""
tls.clientAuth.crl
(object)
Nginx CRL usage for clientAuth
Default: {"cron":"0 0 * * *","persistence":{"accessModes":["ReadWriteMany"],"annotations":{},"labels":{},"size":"1Gi","storageClass":""},"url":""}
tls.clientAuth.crl.url
(string)
Nginx CRL URL. Use a CRL instead of OCSP to check revocation status. Keep empty to use OCSP.
Default: ""
tls.clientAuth.crl.cron
(string)
Nginx CRL refresh cron expression. The default means daily at 00:00
Default: "0 0 * * *"
tls.clientAuth.crl.persistence.storageClass
(string)
storageClass to use for the CRL PVC
Default: ""
tls.clientAuth.crl.persistence.accessModes
(list)
accessModes to use for the CRL PVC. Use only ReadWriteMany (HA) if available.
Default: ["ReadWriteMany"]
tls.clientAuth.crl.persistence.size
(string)
PVC size
Default: "1Gi"
tls.clientAuth.crl.persistence.labels
(object)
PVC Labels
Default: {}
tls.clientAuth.crl.persistence.annotations
(object)
PVC Annotations
Default: {}
tls.clientAuth.existingSecret
(string)
Existing secret name
Default: ""
networkPolicy.enabled
(bool)
Use default network policy. If enabled, you must ensure ingress traffic is allowed to nginx
Default: false
securityContext.enabled
(bool)
Enable security Context in deployments. Set to false when deploying on OpenShift
Default: true
containerSecurityContext
(object)
Specify Container Security Context in deployments. Note: only applied if securityContext.enabled is true.
Default: {"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"seccompProfile":{"type":"RuntimeDefault"}}
istio.enabled
(bool)
Enable Istio (https://istio.io/). If Istio is deactivated, you must configure your own ingress redirecting to the nginx service on port 80, or set the service type to LoadBalancer
Default: false
istio.gateway.enabled
(bool)
Enable Istio gateway handling
Default: true
istio.gateway.name
(string)
Istio Gateway name
Default: "{{.Release.Name}}-{{.Release.Namespace}}"
istio.gateway.namespace
(string)
Istio Gateway namespace
Default: "istio-system"
observability.exporters
(object)
Prometheus exporters configuration
observability.exporters.webAppExporter.enabled
(bool)
Enable GitGuardian Applicative metrics on Webapp pods and Celery Workers
Default: false
observability.exporters.statefulAppExporter.enabled
(bool)
Enable Stateful metrics on the Applicative Exporter. See: https://docs.gitguardian.com/self-hosting/management/application-management/metrics
Default: false
observability.exporters.statefulAppExporter.resources
(object)
Applicative Exporter resources
Default: {"requests":{"cpu":"100m","memory":"500Mi"}}
observability.serviceMonitors.enabled
(bool)
Enable ServiceMonitors for Prometheus Operator. Note: this requires installing Prometheus Operator (not included in this chart). See: https://prometheus-operator.dev
Default: false
rbac
(object)
GitGuardian pods will use a limited Role if enabled
Default: {"enabled":true}
rbac.enabled
(bool)
Creates a Role and binds it to the GitGuardian ServiceAccount (see serviceAccount.name)
Default: true
serviceAccount
(object)
GitGuardian pods use this ServiceAccount
Default: {"annotations":{},"autoMount":true,"create":true,"labels":{},"name":"gim"}
serviceAccount.create
(bool)
Create the ServiceAccount
Default: true
serviceAccount.name
(string)
Name of the ServiceAccount (if serviceAccount.create is false, it must exist prior to chart deployment)
Default: "gim"
migration.labels
(object)

Default: {}
migration.podLabels
(object)

Default: {}
migration.resources
(object)
Pre/Post Deployment Jobs resources
Default: {"requests":{"cpu":"100m","memory":"100Mi"}}
migration.serviceAccount
(object)
GitGuardian migration pods use this ServiceAccount
Default: {"annotations":{},"autoMount":true,"create":true,"labels":{},"name":"gim-migration"}
migration.serviceAccount.create
(bool)
Create the migration ServiceAccount
Default: true
migration.serviceAccount.name
(string)
Name of the ServiceAccount (if migration.serviceAccount.create is false, it must exist prior to chart deployment)
Default: "gim-migration"
proxy
(object)
HTTP(s) proxy configuration. You can configure a proxy server for outgoing traffic from the application
Default: Not set
proxy.httpProxyUrl
(string)
URL of the proxy server to be used for HTTP requests. Username and password in the URL are not supported
Default: nil
proxy.httpsProxyUrl
(string)
URL of the proxy server to be used for HTTPS requests. Username and password in the URL are not supported
Default: nil
proxy.noProxyHostNames
(list)
List of host names for which traffic bypasses the proxy
Default: []
experimental
(object)
Experimental features
Default: Not set
experimental.chainguard
(bool)
Use Chainguard-based images for the GitGuardian backend and frontend
Default: true
experimental.tini
(bool)
Enable tini to terminate zombie processes on workers
Default: true

Helm Chart Changes Between Versions

This section outlines the version-to-version changes in the Helm chart values, providing information on updates, new features, and deprecations.

2024.11.0 vs 2024.10.0

Upgrading to 2024.11

This release includes breaking changes. Upgrade to 2024.11.0 using the upgrade notes.

New:

  • Removed the settings.healthCheck.periodicInterval parameter, since health checks are now distributed over time rather than executed simultaneously. This parameter is replaced by spread_periodic_range_minutes in the admin area.
  • Added the replicated.privateCASecret parameter to specify a custom CA when using a proxy. Learn more.
  • Replaced the legacy parameter replicated.images.replicated-sdk with the new parameters replicated.image.repository and replicated.image.tag.

Updated:

  • Changed the default value of replicated.image.tag from v1.0.0-beta.27 to 1.0.0-beta.31.

2024.10.0 vs 2024.9.0

New:

  • Added two new worker types long-ods (Productivity tools such as Slack, Jira Cloud, Confluence, ...) and long-ods-io (long tasks specialized in Input/Output).
  • Added the support of CRL (instead of default OCSP) for certificate-based authentication.

Updated:

  • Decreased the default value of celeryWorkers.realtime-ods.replicas from 2 to 0.

2024.9.0 vs 2024.8.0

New:

  • Added a new autoscaling object to configure autoscaling settings.
  • Enhanced the celeryWorkers.<all>.autoscaling settings to support both Horizontal Pod Autoscaler (HPA) and KEDA autoscaling options, including enabling/disabling and setting triggers.
  • Introduced a new setting replicated.supportBundle.logs.maxLines to specify the maximum number of lines included in support bundle logs.
  • Added experimental.tini, a new option to enable tini for terminating zombie processes on workers.

Updated:

  • Changed the default value of replicated.images.replicated-sdk from v1.0.0-beta.26 to v1.0.0-beta.27.

2024.8.0 vs 2024.7.0

New:

  • Introduced tls.clientAuth to support authentication using Common Access Card (CAC) or Personal Identity Verification (PIV). For detailed information, refer to the documentation here.

Updated:

  • Updated the default version of replicated.images.replicated-sdk from v1.0.0-beta.23 to v1.0.0-beta.26.

2024.7.0 vs 2024.6.0

Upgrading to 2024.7

This release includes breaking changes. Upgrade to 2024.7.0 using the upgrade notes.

New:

  • Added settings.healthCheck.periodicInterval allowing you to change the frequency of health checks.

Updated:

  • Renamed front.ingress.tls.secretName to front.ingress.tls.existingSecret.
  • Renamed tls.customCa.caCert to tls.customCa.caCrt.
  • Renamed tls.customCa.existingSecretCaCertKey to tls.customCa.existingSecretKeys.caCrt and set the Default to "".
  • Renamed redis.main.existingSecretKeys.sentinel.password to redis.main.existingSecretKeys.sentinelPassword.
  • Renamed redis.main.existingSecretKeys.sentinel.url to redis.main.existingSecretKeys.sentinelUrl.
  • Updated the default value of front.nginx.resources from {"requests":{"cpu":"200m","memory":"500Mi"}} to {"requests":{"cpu":"100m","memory":"200Mi"}}.
  • Changed the default value of replicated.images.replicated-sdk from v1.0.0-beta.21 to v1.0.0-beta.23.

2024.6.0 vs 2024.5.0

Updated:

  • Added new task background_validity_check to celeryWorkers.long.queues.
  • Changed the default value of replicated.images.replicated-sdk from v1.0.0-beta.16 to v1.0.0-beta.21.

2024.5.0 vs 2024.4.0

Upgrading to 2024.5

This release includes breaking changes. Upgrade to 2024.5.0 using the upgrade notes.

New:

  • Introduced the externalSecrets.refreshInterval option to customize the refresh interval for external secrets.
  • Added the istio.gateway.enabled parameter to allow disabling Istio Gateway handling when Istio is enabled.
  • Added redis.main.existingSecretKeys.url and redis.main.existingSecretKeys.password.
  • Added redis.commitCache.existingSecretKeys.url and redis.commitCache.existingSecretKeys.password.
  • Added migration.labels and migration.podLabels for migrations resources.

Updated:

  • Replaced postgresql.existingSecretKeys.tls with postgresql.tls.existingSecretKeys and set the Default to "" for
    • password instead of "POSTGRES_PASSWORD".
    • crt instead of "pg_client.crt".
    • key instead of "pg_client.key".
    • caCrt instead of "pg_server.ca_crt".
  • Replaced redis.main.existingSecretKeys.tls with redis.main.tls.existingSecretKeys and set the Default values to "" for
    • crt instead of "redis_client.crt".
    • key instead of "redis_client.key".
    • caCrt instead of "redis_server.ca_crt".
  • Replaced redis.commitCache.existingSecretKeys.tls with redis.commitCache.tls.existingSecretKeys and set the Default values to "" for
    • crt instead of "redis_client.crt".
    • key instead of "redis_client.key".
    • caCrt instead of "redis_server.ca_crt".
  • Renamed celeryWorkers.realtime_ods to celeryWorkers.realtime-ods.
  • Set the Default for miscEncryption.existingSecretKeys attributes to "" for
    • djangoSecretKey instead of "DJANGO_SECRET_KEY".
    • dbEncryptionKeys instead of "ENCRYPTION_KEYS".
    • x509Cert instead of "SP_X509_CERT".
    • x509PrivateKey instead of "SP_PRIVATE_KEY".
  • Added "existingSecret":"","existingSecretKeys":{"password":""} in onPrem.adminUser offering the option to specify the admin password in a secret.
  • Changed the Default value of tls.customCa.existingSecretCaCertKey from "custom-ca.pem" to "ca.crt".
  • Added report to celeryWorkers.worker.queues.

Removed:

  • Removed argoCd.enabled. It was originally used to inject Argo CD phase annotations into Kubernetes resources, but since Argo CD supports Helm hook annotations by mapping them onto its own hook annotations, it is no longer used as of 2024.5.0.

2024.4.0 vs 2024.3.0

New:

  • Added commonLabels to add custom labels to differentiate multiple GitGuardian deployments within the same Kubernetes cluster.
  • Introduced the ephemeralStorage option for all celeryWorkers to support Generic Ephemeral Inline Volumes.
  • Introduced new celeryWorkers.realtime-ods worker for Other Data Sources (ODS) real time scanning.

Updated:

  • Modified celeryWorkers.worker.queues and moved the realtime_ods and realtime_retry_ods tasks into the new celeryWorkers.realtime-ods.queue.

2024.3.0 vs 2024.2.0

Updated:

  • Changed the default value of replicated.images.replicated-sdk from v1.0.0-beta.14 to v1.0.0-beta.16.
  • Decreased the default value of celeryWorkers.scanners_ods.replicas from 2 to 0.

2024.2.0 vs 2024.1.0

New:

  • Added redis.main.sentinel configuration options for managing Redis Sentinel settings.
  • Introduced new settings for redis.main.existingSecretKeys.sentinel.url and redis.main.existingSecretKeys.sentinel.password.
  • Added miscEncryption.dbEncryptionKeys and miscEncryption.existingSecretKeys.dbEncryptionKeys for database encryption key management.
  • Introduced new celeryWorkers.scanners_ods worker for Other Data Sources (ODS) scanning.

Updated:

  • Changed the default value of replicated.images.replicated-sdk from v1.0.0-beta.12 to v1.0.0-beta.14.

Removed:

  • Removed observability.exporters.celeryExporter.

2024.1.0 vs 2023.12.0

New:

  • Expanded nodeSelector and tolerations settings across multiple services: front.nginx, webapps.internal_api, webapps.internal_api_long, webapps.public_api, webapps.hook, webapps.app_exporter, celeryWorkers.worker, celeryWorkers.email, celeryWorkers.scanners, and celeryWorkers.long.
  • New replicated.isAirgap setting to manage air-gapped environments.
  • Introduced tls.customCa.image configuration for custom CA management.
  • Added new settings related to Kubernetes Roles and RoleBindings: rbac.enabled, serviceAccount.create, serviceAccount.name, migration.serviceAccount.create, and migration.serviceAccount.name.

Updated:

  • Added new tasks realtime_ods and realtime_retry_ods to celeryWorkers.worker.queues to support additional task types.
  • Enabled experimental.chainguard by default, changing from false to true, to utilize Chainguard images for backend and frontend services.
