
Helm Chart Values

Version: 2023.7.0

This page is the reference for the customizable values of the Helm installation. See the Helm installation documentation for more information.

Values

Key | Description
hostname
(string)
Hostname for the GitGuardian application (without https://)
Default: nil
postgresql
(object)
PostgreSQL Database configuration
Default: Not set
postgresql.host
(string)
PostgreSQL Database host name
Default: ""
postgresql.port
(int)
PostgreSQL Database host port
Default: 5432
postgresql.username
(string)
PostgreSQL Database user name
Default: ""
postgresql.password
(string)
PostgreSQL Database user password. Should preferably be set in existing secret (see: postgresql.existingSecret)
Default: ""
postgresql.tls.mode
(string)
PostgreSQL Database SSL mode. Possible values: disable, allow, prefer, require, verify-ca, verify-full. See: PostgreSQL SSL Mode Descriptions
Default: "require"
postgresql.tls.crt
(string)
PostgreSQL Database Client certificate. Should preferably be set in existing secret (see: postgresql.existingSecret)
Default: ""
postgresql.tls.key
(string)
PostgreSQL Database Client certificate private key. Should preferably be set in existing secret (see: postgresql.existingSecret)
Default: ""
postgresql.tls.caCrt
(string)
PostgreSQL Database Custom Certificate Authority. Should preferably be set in existing secret (see: postgresql.existingSecret)
Default: ""
postgresql.existingSecret
(string)
Secret used to store PostgreSQL password and Certificates (preferred method)
Default: ""
postgresql.existingSecretKeys
(object)
Keys used for PostgreSQL Database secrets when using an existing secret
postgresql.existingSecretKeys.password
(string)
Existing secret key where to store PostgreSQL Database user password
Default: "POSTGRES_PASSWORD"
postgresql.existingSecretKeys.tls.crt
(string)
Existing secret key where to store PostgreSQL Database Client certificate
Default: "pg_client.crt"
postgresql.existingSecretKeys.tls.key
(string)
Existing secret key where to store PostgreSQL Database Client certificate private key
Default: "pg_client.key"
postgresql.existingSecretKeys.tls.caCrt
(string)
Existing secret key where to store PostgreSQL Database Custom Certificate Authority
Default: "pg_server.ca_crt"
redis
(object)
Redis Database configuration. You can either provide a fully qualified URI or fill in each part in its dedicated field. Redis is used as a broker and result backend for Celery and as a Commit Cache
Default: Not set
redis.main.url
(string)
Fully qualified URI of Redis Instance. Should preferably be set in existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.user
(string)
Redis Instance user name (if redis.main.url is not specified)
Default: ""
redis.main.password
(string)
Redis Instance user password (if redis.main.url is not specified). Should preferably be set in existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.host
(string)
Redis Instance host name (if redis.main.url is not specified)
Default: ""
redis.main.port
(int)
Redis Instance host port (if redis.main.url is not specified)
Default: 6379
redis.main.tls
(object)
Redis Instance TLS configuration
Default: Not set
redis.main.tls.enabled
(bool)
Enable redis TLS (if redis.main.url is not specified)
Default: false
redis.main.tls.requireServerCert
(bool)
Enable redis server certificate check. If true, you must provide a rediss:// URL Scheme for redis.main.url
Default: false
redis.main.tls.crt
(string)
Redis Instance Client certificate. Should preferably be set in existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.tls.key
(string)
Redis Instance Client certificate private key. Should preferably be set in existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.tls.caCrt
(string)
Redis Instance Custom Certificate Authority. Should preferably be set in existing secret (see: redis.main.existingSecret)
Default: ""
redis.main.existingSecret
(string)
Secret used to store Redis Instance URL or password and Certificates (preferred method)
Default: ""
redis.main.existingSecretKeys
(object)
Keys used for Redis secrets when using an existing secret
redis.main.existingSecretKeys.tls.crt
(string)
Existing secret key where to store Redis Instance Client certificate
Default: "redis_client.crt"
redis.main.existingSecretKeys.tls.key
(string)
Existing secret key where to store Redis Instance Client certificate private key
Default: "redis_client.key"
redis.main.existingSecretKeys.tls.caCrt
(string)
Existing secret key where to store Redis Instance Custom Certificate Authority
Default: "redis_server.ca_crt"
redis.commitCache.enabled
(bool)
Enable a separate Redis instance dedicated to the Commit Cache feature. The Commit Cache feature avoids rescanning already scanned commits by saving scan results in Redis. If not enabled, the main Redis instance will be used for the Commit Cache
Default: false
redis.commitCache.url
(string)
Fully qualified URI of Redis Instance. Should preferably be set in existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.user
(string)
Redis Instance user name (if redis.commitCache.url is not specified)
Default: ""
redis.commitCache.password
(string)
Redis Instance user password (if redis.commitCache.url is not specified). Should preferably be set in existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.host
(string)
Redis Instance host name (if redis.commitCache.url is not specified)
Default: ""
redis.commitCache.port
(int)
Redis Instance host port (if redis.commitCache.url is not specified)
Default: 6379
redis.commitCache.tls
(object)
Redis Instance TLS configuration
Default: Not set
redis.commitCache.tls.enabled
(bool)
Enable redis TLS (if redis.main.url is not specified)
Default: false
redis.commitCache.tls.requireServerCert
(bool)
Enable redis server certificate check. If true, you must provide a rediss:// URL Scheme for REDIS_URL
Default: false
redis.commitCache.tls.crt
(string)
Redis Instance Client certificate. Should preferably be set in existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.tls.key
(string)
Redis Instance Client certificate private key. Should preferably be set in existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.tls.caCrt
(string)
Redis Instance Custom Certificate Authority. Should preferably be set in existing secret (see: redis.commitCache.existingSecret)
Default: ""
redis.commitCache.existingSecret
(string)
Secret used to store Redis Instance URL or password and Certificates (preferred method)
Default: ""
redis.commitCache.existingSecretKeys
(object)
Keys used for Redis secrets when using an existing secret
redis.commitCache.existingSecretKeys.tls.crt
(string)
Existing secret key where to store Redis Instance Client certificate
Default: "redis_client.crt"
redis.commitCache.existingSecretKeys.tls.key
(string)
Existing secret key where to store Redis Instance Client certificate private key
Default: "redis_client.key"
redis.commitCache.existingSecretKeys.tls.caCrt
(string)
Existing secret key where to store Redis Instance Custom Certificate Authority
Default: "redis_server.ca_crt"
miscEncryption
(object)
Encryption keys configuration. Django Secret Key, X509 certificate and key are auto-generated during installation if not set
Default: Auto-generated
miscEncryption.djangoSecretKey
(string)
Encryption key for sensitive database fields. Auto-generated at first install if empty (preferred method). IMPORTANT: The key should be kept in a safe place as it is required to access all sensitive information in the database
Default: Auto-generated
miscEncryption.existingSecret
(string)
Secret used to store encryption secrets
Default: ""
miscEncryption.existingSecretKeys
(object)
Keys used for encryption secrets when using an existing secret
miscEncryption.existingSecretKeys.djangoSecretKey
(string)
Existing secret key where to store Django Secret Key. Auto-generated at first install if empty (preferred method)
Default: "DJANGO_SECRET_KEY"
miscEncryption.existingSecretKeys.x509Cert
(string)
Existing secret key where to store certificate for SAML/SSO auth. Auto-generated at first install if empty (preferred method)
Default: "SP_X509_CERT"
miscEncryption.existingSecretKeys.x509PrivateKey
(string)
Existing secret key where to store certificate private key for SAML/SSO auth. Auto-generated at first install if empty (preferred method)
Default: "SP_PRIVATE_KEY"
externalSecrets.enabled
(bool)
Enable https://external-secrets.io/
Default: false
externalSecrets.path
(string)
External Secret Path
Default: ""
externalSecrets.secretStoreRef.kind
(string)
https://external-secrets.io/ Class
Default: "SecretStore"
externalSecrets.secretStoreRef.name
(string)
https://external-secrets.io/ Name
Default: "vault"
front
(object)
Frontend configuration. The Frontend serves the Dashboard and acts as a proxy for other web deployments
front.nginx.replicas
(int)
Dashboard Frontend replicas count
Default: 1
front.nginx.resources
(object)
Dashboard Frontend resources requests and limits
Default: {"limits":{"memory":"2Gi"},"requests":{"cpu":"200m","memory":"500Mi"}}
front.service.type
(string)
Service type. Can be ClusterIP, NodePort or LoadBalancer
Default: "ClusterIP"
front.service.port
(int)
Dashboard Frontend Service port
Default: 80
front.service.annotations
(object)
Dashboard Frontend Service annotations
Default: {}
webapps
(object)
Backend deployments configuration
webapps.internal_api.replicas
(int)
Internal API replicas count
Default: 1
webapps.internal_api_long.replicas
(int)
Internal API for long requests replicas count
Default: 1
webapps.public_api.replicas
(int)
Public API (used for ggshield scans) replicas count
Default: 1
webapps.hook.replicas
(int)
VCS Webhooks Receivers replicas count
Default: 1
webapps.app_exporter.replicas
(string)
Prometheus exporter replicas count. Will be set to 1 if .Values.observability.exporter.appExporter.enabled is true
Default: 0
celeryWorkers
(object)
Asynchronous Workers deployments configuration
celeryWorkers.worker.queues
(string)
Queues consumed by default workers
Default: "celery,check_run,realtime,realtime_retry"
celeryWorkers.worker.replicas
(int)
Default workers (incl. realtime scans) replicas count
Default: 2
celeryWorkers.email.queues
(string)
Queues consumed by Messaging workers
Default: "email,notifier"
celeryWorkers.email.replicas
(int)
Messaging workers replicas count
Default: 2
celeryWorkers.scanners.queues
(string)
Queues consumed by Historical Scan workers
Default: "basic_repo_scan,premium_repo_scan,manual_repo_scan"
celeryWorkers.scanners.replicas
(int)
Historical Scan workers replicas count
Default: 2
celeryWorkers.long.queues
(string)
Queues consumed by Long Tasks workers
Default: "celery_long"
celeryWorkers.long.replicas
(int)
Long Tasks workers replicas count
Default: 2
beat
(object)
Asynchronous tasks scheduler
beat.replicas
(int)
Asynchronous tasks scheduler replicas count
Default: 1
beat.resources
(object)
Asynchronous tasks scheduler resources requests and limits
Default: {"limits":{"memory":"200Mi"},"requests":{"cpu":"10m","memory":"200Mi"}}
onPrem.adminUser
(object)
GitGuardian Admin User. A temporary password has to be set in secret "gim-secrets" under ADMIN_PASSWORD key. You'll be asked to change this password on your connection
Default: {"email":"","firstname":""}
sentry.enabled
(bool)
Enable Sentry tracing and APM
Default: false
sentry.dsn
(string)
Sentry Data Source Name URL
Default: ""
tls
(object)
HTTPS TLS configuration. You can manage the certificate manually or use https://cert-manager.io/
tls.certManager.enabled
(bool)
Use https://cert-manager.io/ instead of a manual certificate
Default: false
tls.certManager.certificatesSecret
(string)
Name of the created cert-manager Certificate object
Default: "gitguardian-certificate"
tls.certManager.certificatesNamespace
(string)
Namespace where certificate will be created
Default: .Release.Namespace
tls.certManager.issuer.kind
(string)
https://cert-manager.io/ Issuer Class
Default: "ClusterIssuer"
tls.certManager.issuer.name
(string)
https://cert-manager.io/ Issuer Name
Default: "gitguardian"
tls.customCa
(object)
Custom Certificate Authority certificate for integrations (VCS, notifiers, webhooks, ...)
tls.customCa.caCert
(string)
Certificates full chain in the PEM format. Should preferably be set in existing secret (see: tls.customCa.existingSecret)
Default: ""
tls.customCa.existingSecret
(string)
Existing secret containing certificates full chain in the PEM format
Default: ""
tls.customCa.existingSecretCaCertKey
(string)
Key name of the certificate entry
Default: "custom-ca.pem"
networkPolicy.enabled
(bool)
Use default network policy. If enabled, you must ensure ingress traffic is allowed to nginx
Default: false
argoCd.enabled
(bool)
Enable ArgoCD hook and sync-wave annotations
Default: false
istio.enabled
(bool)
Enable https://istio.io/. If istio is deactivated, you must configure your own ingress redirecting to nginx service on port 80, or set the service to be LoadBalancer
Default: false
istio.gateway.name
(string)
Istio Gateway name
Default: "{{.Release.Name}}-{{.Release.Namespace}}"
istio.gateway.namespace
(string)
Istio Gateway namespace
Default: "istio-system"
observability.exporters
(object)
Prometheus exporters configuration
observability.exporters.appExporter
(object)
Applicative metrics Exporter. This will expose /metrics for GitGuardian Applicative metrics. See: https://docs.gitguardian.com/self-hosting/management/application-management/metrics
observability.exporters.appExporter.enabled
(bool)
Enable Applicative Exporter
Default: false
observability.exporters.appExporter.resources
(object)
Applicative Exporter resources requests and limits
Default: {}
observability.exporters.celeryExporter
(object)
Celery metrics Exporter. This will expose /metrics for Celery metrics. See: https://github.com/danihodovic/celery-exporter
observability.exporters.celeryExporter.enabled
(bool)
Enable Celery Exporter
Default: false
observability.serviceMonitors.enabled
(bool)
Enable ServiceMonitors for Prometheus Operator. Note: this requires Prometheus Operator to be installed (not included in this chart). See: https://prometheus-operator.dev
Default: false
proxy
(object)
HTTP(s) proxy configuration. You can configure a proxy server for outgoing traffic from the application
Default: Not set
proxy.httpProxyUrl
(string)
URL of the proxy server to be used for HTTP requests. Username and password in the URL are not supported
Default: nil
proxy.httpsProxyUrl
(string)
URL of the proxy server to be used for HTTPS requests. Username and password in the URL are not supported
Default: nil
proxy.noProxyHostNames
(list)
List of host names for which traffic should not go through the proxy
Default: []
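
The postgresql.* entries above recommend an existing secret over inline values. The example below shows how they combine, with the weak form beside the hardened one. It is an added example, not taken from the GitGuardian chart or its documentation. The Secret name gitguardian-postgres, the host name, the user name and the bracketed values are placeholders, and the Secret is assumed to live in the release namespace. Its data keys are the postgresql.existingSecretKeys defaults listed in the table.

```yaml
# values-weak.yaml (constructed): installs, but exposes the password and
# does not authenticate the database server
postgresql:
  host: db.example.internal          # placeholder host name
  port: 5432
  username: gitguardian              # placeholder user name
  password: "<db-password>"          # plain text wherever the values file is kept
  tls:
    mode: require                    # chart default: encrypted, server certificate not verified
---
# values-hardened.yaml (constructed): credentials and CA come from a Secret
postgresql:
  host: db.example.internal
  port: 5432
  username: gitguardian
  existingSecret: gitguardian-postgres   # hypothetical Secret name
  existingSecretKeys:
    password: POSTGRES_PASSWORD          # documented default, shown for clarity
    tls:
      caCrt: pg_server.ca_crt            # documented default, shown for clarity
  tls:
    mode: verify-full                # verifies the CA chain and the server host name
---
# Secret referenced by postgresql.existingSecret (create it before installing)
apiVersion: v1
kind: Secret
metadata:
  name: gitguardian-postgres
type: Opaque
stringData:
  POSTGRES_PASSWORD: "<db-password>"
  pg_server.ca_crt: |
    -----BEGIN CERTIFICATE-----
    <PEM of the CA that signed the PostgreSQL server certificate>
    -----END CERTIFICATE-----
```

Because verify-full checks the host name, postgresql.host must match a name in the server certificate.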