Helm Chart Values Changelog
Track changes in GitGuardian's Helm chart values across releases.
Latest Version: 2025.9.0
Resources: Helm installation guide | Upgrade procedures
2025.9.0 vs 2025.8.0
New:
- Introduced `celeryWorkers.scanners-ods-highdisk` parameter to configure workers dedicated to high storage tasks like Microsoft OneDrive and SharePoint scanning (default: 0). Learn more about Non-VCS Sources.
Updated:
- Updated `logCollector.supportBundle.since` default value from `3d` to `6h` to make the support bundle lighter.
Removed:
- `postgresql.plugins.pgvector.enabled` has been removed since it is now enabled by default; pgvector is now required. Learn more about PostgreSQL requirements.
2025.8.0 vs 2025.7.0
Air gap deployment? This release introduces a new `image.registry` parameter in Helm values to support the Log Collector system. This parameter specifies the location of the GitGuardian images for the Log Collector components (Loki, MinIO, Fluent Bit) and is separate from the main `imageRegistry` parameter. Follow the upgrade instructions to update your helm values file.
New:
- Introduced a new `image.registry` parameter in Helm values to support the Log Collector system. This parameter specifies the location of the GitGuardian images for the Log Collector components (Loki, MinIO, Fluent Bit) and is separate from the main `imageRegistry` parameter. Follow the upgrade instructions to update your helm values file.
- Introduced `celeryWorkers.scanners-slack` parameter to configure workers dedicated to Slack scanning (default: 0). Learn more about Slack Scanning considerations.
- Added `commonTolerations` parameter that allows you to apply consistent tolerations across all workloads in the GitGuardian deployment.
Updated:
- Updated Replicated SDK to version `1.8.0`.
Removed:
- `beat.replicas` has been removed and is now hardcoded in the chart to 1.
2025.7.0 vs 2025.6.0
New:
- Added `priorityClassName` parameter for ML Secret Engine and several priority class configurations. Learn more. This is also available for other pods and as a global parameter (`global.priorityClassName`).
Updated:
- Changed the default value of `celeryWorkers.ml-api-priority.replicas` from `0` to `1`. Learn more.
- Updated Replicated SDK to version `1.7.1`.
2025.6.0 vs 2025.5.0
New:
- Added `global.fipsEnabled` parameter to enable FIPS compliant images. Learn more about FIPS compliance.
- Added pod anti-affinity configuration (`podAntiAffinityPreset`) and `nodeSelector` and `tolerations` parameters across all components for improved workload placement control and high availability. Learn more about scaling.
- Enhanced logCollector with additional configuration options (`logCollector.env`, `logCollector.envFrom`, `logCollector.pipelines`). Learn more about additional pipelines.
- Enhanced migration job resource configuration with separate specifications for pre-deploy, post-deploy, and upgrade path check jobs.
Updated:
- Updated Replicated SDK to version `1.6.0`.
- Updated log collection system components (Fluent Bit, Loki, MinIO) to latest versions.
Removed:
- `migration.resources` has been replaced with job-specific resource configurations for better resource management.
2025.5.0 vs 2025.4.0
Air gap deployment? We've renamed images in this release. See below changes and find all image and tag names on the Air Gap Install page.
New:
- Added support for configuring the proxy via an existing Kubernetes secret using `proxy.existingSecret` and `proxy.existingSecretKeys.*`.
Updated:
- FIPS: This release uses Chainguard images without FIPS-approved cryptographic modules. If you would like to use Chainguard images with FIPS, please contact our support team. This change involves renaming the following images:
  - `gitguardian/prm-static-chainguard-fips` to `gitguardian/prm-static-chainguard`
  - `gitguardian/prm-app-fips` to `gitguardian/prm-app-chainguard`
- Use `proxy.replicated.com/proxy/gitguardian/ghcr.io/gitguardian/wolfi/bash:latest` image instead of `proxy.replicated.com/proxy/gitguardian/docker.io/nginxinc/nginx-unprivileged:stable` for Custom CA injection (see `tls.customCa.image.*`).
- Changed the default value of `replicated.image.tag` from `1.5.1` to `1.5.3`.
- The `securityContext.enabled` (bool) parameter has been replaced by a new `securityContext` (object) parameter, which now allows specifying the full Pod Security Context.
Removed:
- `experimental.chainguard` has been deprecated as GitGuardian images are now using Chainguard by default. Learn more about Chainguard.
2025.4.0 vs 2025.3.0
Air gap deployment? We've added new images in this release. Find all image and tag names on the Air Gap Install page.
New:
- Our self-hosted deployments now include a log collection system, leveraging Loki, MinIO, and Fluent Bit under the hood. This log collection system is now enabled by default for all installation types (Helm or KOTS). Learn more about the log collector.
- The PostgreSQL `pgvector` extension is now required by default (`postgresql.plugins.pgvector.enabled`). Please follow the installation instructions to enable vector similarity search capabilities for upcoming machine learning features.
Updated:
- Added default `support-bundle` Role and optional ClusterRole creation (configurable via `replicated.supportBundle.rbac.clusterRole.create`).
- Changed the default value of `replicated.image.tag` from `1.1.1` to `1.5.1`.
- Added `global.compatibility.openshift.adaptSecurityContext` configuration to support OpenShift's restricted-v2 Security Context Constraints (SCC). Values include `auto` (default), `force`, and `disabled` for flexible security context adaptation.
2025.3.0 vs 2025.2.0
We've updated the path and names of our images in this release. Follow the upgrade instructions to update your tooling for downloading and uploading GitGuardian images to your private registry. Find all image and tag names on the Air Gap Install page.
Updated:
- Changed the default value of `replicated.image.tag` from `1.1.0` to `1.1.1`.
- Change registry URL from `proxy.replicated.com/proxy/gitguardian/513715405986.dkr.ecr.us-west-2.amazonaws.com` to `proxy.replicated.com/proxy/gitguardian/docker.io` and rename paths and image names from:
  - `/prm/static-chainguard` to `/gitguardian/prm-static-chainguard-fips`
  - `/prm/app-chainguard` to `/gitguardian/prm-app-chainguard-fips`
  - `/prm/helm-tooling` to `/gitguardian/prm-helm-tooling`
  - `/services/nginx-unprivileged` to `/nginxinc/nginx-unprivileged`
  - `/ml-detector/ml-secret-engine/app-chainguard` to `/gitguardian/ml-secret-engine-app-chainguard-fips`
- Change registry URL from `registry.replicated.com` to `proxy.replicated.com/proxy/gitguardian/docker.io` and rename paths and image names from `/gitguardian/replicated-sdk` to `/replicated/replicated-sdk`.
- The `nhi-scout` parameter has been renamed to `ggscout`.
- Added `celeryWorkers.*.autoscaling.keda.idleReplicaCount` parameter to allow specifying the number of replicas when there is no activity on the Celery Worker (default: `0`).
2025.2.0 vs 2025.1.0
New:
- Enhanced the `webapps.<all>.autoscaling` settings to support both Horizontal Pod Autoscaler (HPA) and KEDA autoscaling options, including enabling/disabling and setting triggers. Learn more.
- Added `migration.podAnnotations` parameter for GitGuardian migration pods.
Updated:
- `nhiScout.enabled` parameter has been moved to `nhi-scout.enabled`. Learn more.
- Changed the default value of `replicated.image.tag` from `1.0.0` to `1.1.0`.
2025.1.0 vs 2024.12.0
The ReplicatedSDK image is now pulled from the Replicated registry instead of Docker Hub. For airgap installations, ensure you update your automation processes for pulling and pushing images to your private registry. For more information, refer to the Airgap Installation page.
New:
- Introduced `secretEngine` parameter to configure the new ML Secret Engine service (disabled by default). Learn more.
- Introduced `celeryWorkers.ml-api-priority` parameter to configure ML Secret Engine dedicated worker (disabled by default).
- Introduced `nhiScout.enabled` parameter to enable NHI Scout deployment (disabled by default). Learn more.
- Introduced `nhi-scout` parameter to configure NHI Scout.
- Added `replicated.image.registry` parameter to use the Replicated registry (`registry.replicated.com`) instead of Docker Hub by default.
Updated:
- Changed the default value of `replicated.image.repository` from `replicated/replicated-sdk` to `gitguardian/replicated-sdk`.
- Changed the default value of `replicated.image.tag` from `v1.0.0-beta.31` to `1.0.0`.
2024.12.0 vs 2024.11.0
This release includes breaking changes. Upgrade to 2024.12.0 using the upgrade notes.
New:
- Ability to deploy `Ingress` objects with the support of several Ingress controllers. For details, see the Ingress documentation.
Updated:
- `front.ingress` has been renamed to `ingress` for improved consistency and standardization across the Helm chart.
- `istio` has been moved under `ingress`.
- The default memory value for `migration.resources` has been increased from `100Mi` to `200Mi`.
2024.11.0 vs 2024.10.0
This release includes breaking changes.
New:
- Removed `settings.healthCheck.periodicInterval` parameter since health checks are now distributed over time rather than executing them simultaneously. This parameter is replaced by `spread_periodic_range_minutes` in the admin area.
- Added `replicated.privateCASecret` parameter to specify a custom CA when using a proxy. Learn more.
- Replace the legacy parameter `replicated.images.replicated-sdk` with the new parameters `replicated.image.repository` and `replicated.image.tag`.
Updated:
- Changed the default value of `replicated.image.tag` from `v1.0.0-beta.27` to `1.0.0-beta.31`.
2024.10.0 vs 2024.9.0
New:
- Added two new worker types `long-ods` (non-VCS sources such as Slack, Jira Cloud, Confluence, ...) and `long-ods-io` (long tasks specialized in Input/Output).
- Added the support of CRL (instead of default OCSP) for certificate-based authentication.
Updated:
- Decreased the default value of `celeryWorkers.realtime-ods.replicas` from `2` to `0`.
2024.9.0 vs 2024.8.0
New:
- Added a new `autoscaling` object to configure autoscaling settings.
- Enhanced the `celeryWorkers.<all>.autoscaling` settings to support both Horizontal Pod Autoscaler (HPA) and KEDA autoscaling options, including enabling/disabling and setting triggers. Learn more.
- Introduced a new setting `replicated.supportBundle.logs.maxLines` to specify the maximum number of lines included in support bundle logs.
- Added `experimental.tini`, a new option to enable `tini` for terminating zombie processes on workers.
Updated:
- Changed the default value of `replicated.images.replicated-sdk` from `v1.0.0-beta.26` to `v1.0.0-beta.27`.
2024.8.0 vs 2024.7.0
New:
- Introduced `tls.clientAuth` to support authentication using Common Access Card (CAC) or Personal Identity Verification (PIV). For detailed information, refer to the documentation here.
Updated:
- Updated the default version of `replicated.images.replicated-sdk` from `v1.0.0-beta.23` to `v1.0.0-beta.26`.
2024.7.0 vs 2024.6.0
This release includes breaking changes.
New:
- Added `settings.healthCheck.periodicInterval` allowing you to change the frequency of health checks.
Updated:
- Renamed `front.ingress.tls.secretName` to `front.ingress.tls.existingSecret`.
- Renamed `tls.customCa.caCert` to `tls.customCa.caCrt`.
- Renamed `tls.customCa.existingSecretCaCertKey` to `tls.customCa.existingSecretKeys.caCrt` and set the Default to `""`.
- Renamed `redis.main.existingSecretKeys.sentinel.password` to `redis.main.existingSecretKeys.sentinelPassword`.
- Renamed `redis.main.existingSecretKeys.sentinel.url` to `redis.main.existingSecretKeys.sentinelUrl`.
- Updated default value `front.nginx.resources` from `{"requests":{"cpu":"200m","memory":"500Mi"}}` to `{"requests":{"cpu":"100m","memory":"200Mi"}}`.
- Changed the default value of `replicated.images.replicated-sdk` from `v1.0.0-beta.21` to `v1.0.0-beta.23`.
2024.6.0 vs 2024.5.0
Updated:
- Added new task `background_validity_check` to `celeryWorkers.long.queues`.
- Changed the default value of `replicated.images.replicated-sdk` from `v1.0.0-beta.16` to `v1.0.0-beta.21`.
2024.5.0 vs 2024.4.0
This release includes breaking changes.
New:
- Introduce `externalSecrets.refreshInterval` option to give the ability to customize the refresh interval for external secrets.
- Added `istio.gateway.enabled` parameter to be able to disable Istio Gateway handling when Istio is enabled.
- Added `redis.main.existingSecretKeys.url` and `redis.main.existingSecretKeys.password`.
- Added `redis.commitCache.existingSecretKeys.url` and `redis.commitCache.existingSecretKeys.password`.
- Added `migration.labels` and `migration.podLabels` for migrations resources.
Updated:
- Replaced `postgresql.existingSecretKeys.tls` with `postgresql.tls.existingSecretKeys` and set the Default to `""` for:
  - `password` instead of `POSTGRES_PASSWORD`.
  - `crt` instead of `"pg_client.crt"`.
  - `key` instead of `"pg_client.key"`.
  - `caCrt` instead of `"pg_server.ca_crt"`.
- Replaced `redis.main.existingSecretKeys.tls` with `redis.main.tls.existingSecretKeys` and set the Default values to `""` for:
  - `crt` instead of `"redis_client.crt"`.
  - `key` instead of `"redis_client.key"`.
  - `caCrt` instead of `"redis_server.ca_crt"`.
- Replaced `redis.commitCache.existingSecretKeys.tls` with `redis.commitCache.tls.existingSecretKeys` and set the Default values to `""` for:
  - `crt` instead of `"redis_client.crt"`.
  - `key` instead of `"redis_client.key"`.
  - `caCrt` instead of `"redis_server.ca_crt"`.
- Rename `celeryWorkers.realtime_ods` to `celeryWorkers.realtime-ods`.
- Set the Default for `miscEncryption.existingSecretKeys` attributes to `""` for:
  - `djangoSecretKey` instead of `"DJANGO_SECRET_KEY"`.
  - `dbEncryptionKeys` instead of `"ENCRYPTION_KEYS"`.
  - `x509Cert` instead of `"SP_X509_CERT"`.
  - `x509PrivateKey` instead of `"SP_PRIVATE_KEY"`.
- Added `"existingSecret":"","existingSecretKeys":{"password":""}` in `onPrem.adminUser` offering the option to specify the admin password in a secret.
- Rename Default value for `tls.customCa.existingSecretCaCertKey` to `"ca.crt"` instead of `"custom-ca.pem"`.
- Added `report` to `celeryWorkers.worker.queues`.
Removed:
- Removed `argoCd.enabled`, originally used to inject Argo CD phase annotations in Kubernetes resources. Since Argo CD supports Helm hook annotations by mapping them onto its own hook annotations, it is not used anymore in 2024.5.0.
2024.4.0 vs 2024.3.0
New:
- Added `commonLabels` to add custom labels to differentiate multiple GitGuardian deployments within the same Kubernetes cluster.
- Introduce `ephemeralStorage` option for all `celeryWorkers` to support Generic Ephemeral Inline Volumes.
- Introduced new `celeryWorkers.realtime-ods` worker for Other Data Sources (ODS) real time scanning.
Updated:
- Modified `celeryWorkers.worker.queues` and moved `realtime_ods,realtime_retry_ods` tasks into new `celeryWorkers.realtime-ods.queue`.
2024.3.0 vs 2024.2.0
Updated:
- Changed the default value of `replicated.images.replicated-sdk` from `v1.0.0-beta.14` to `v1.0.0-beta.16`.
- Decreased the default value of `celeryWorkers.scanners_ods.replicas` from `2` to `0`.
2024.2.0 vs 2024.1.0
New:
- Added `redis.main.sentinel` configuration options for managing Redis Sentinel settings.
- Introduced new settings for `redis.main.existingSecretKeys.sentinel.url` and `redis.main.existingSecretKeys.sentinel.password`.
- Added `miscEncryption.dbEncryptionKeys` and `miscEncryption.existingSecretKeys.dbEncryptionKeys` for database encryption key management.
- Introduced new `celeryWorkers.scanners_ods` worker for Other Data Sources (ODS) scanning.
Updated:
- Changed the default value of `replicated.images.replicated-sdk` from `v1.0.0-beta.12` to `v1.0.0-beta.14`.
Removed:
- Removed `observability.exporters.celeryExporter`.
2024.1.0 vs 2023.12.0
New:
- Expanded `nodeSelector` and `tolerations` settings across multiple services: `front.nginx`, `webapps.internal_api`, `webapps.internal_api_long`, `webapps.public_api`, `webapps.hook`, `webapps.app_exporter`, `celeryWorkers.worker`, `celeryWorkers.email`, `celeryWorkers.scanners`, and `celeryWorkers.long`.
- New `replicated.isAirgap` setting to manage air-gapped environments.
- Introduced `tls.customCa.image` configuration for custom CA management.
- Added new settings related to Kubernetes Roles and RoleBindings: `rbac.enabled`, `serviceAccount.create`, `serviceAccount.name`, `migration.serviceAccount.create`, and `migration.serviceAccount.name`.
Updated:
- Added new tasks `realtime_ods,realtime_retry_ods` to `celeryWorkers.worker.queues` to support additional task types.
- Enabled `experimental.chainguard` by default, changing from `false` to `true`, to utilize Chainguard images for backend and frontend services.