Helm Chart Values
Here is the reference for the customizable values for Helm installation. See Helm installation documentation for more information.
Values
Key | Description |
---|---|
hostname (string) | Hostname for the GitGuardian application (without https://). Default: nil |
postgresql (object) | PostgreSQL Database configuration. Default: Not set |
postgresql.host (string) | PostgreSQL Database host name. Default: "" |
postgresql.port (int) | PostgreSQL Database host port. Default: 5432 |
postgresql.username (string) | PostgreSQL Database user name. Default: "" |
postgresql.password (string) | PostgreSQL Database user password. Should preferably be set in an existing secret (see: postgresql.existingSecret). Default: "" |
postgresql.tls.mode (string) | PostgreSQL Database SSL mode. Possible values: disable, allow, prefer, require, verify-ca, verify-full. See: PostgreSQL SSL Mode Descriptions. Default: "require" |
postgresql.tls.crt (string) | PostgreSQL Database Client certificate. Should preferably be set in an existing secret (see: postgresql.existingSecret). Default: "" |
postgresql.tls.key (string) | PostgreSQL Database Client certificate private key. Should preferably be set in an existing secret (see: postgresql.existingSecret). Default: "" |
postgresql.tls.caCrt (string) | PostgreSQL Database Custom Certificate Authority. Should preferably be set in an existing secret (see: postgresql.existingSecret). Default: "" |
postgresql.existingSecret (string) | Secret used to store the PostgreSQL password and certificates (preferred method). Default: "" |
postgresql.existingSecretKeys (object) | Keys used for PostgreSQL Database secrets when using an existing secret |
postgresql.existingSecretKeys.password (string) | Key in the existing secret that stores the PostgreSQL Database user password. Default: "POSTGRES_PASSWORD" |
postgresql.existingSecretKeys.tls.crt (string) | Key in the existing secret that stores the PostgreSQL Database Client certificate. Default: "pg_client.crt" |
postgresql.existingSecretKeys.tls.key (string) | Key in the existing secret that stores the PostgreSQL Database Client certificate private key. Default: "pg_client.key" |
postgresql.existingSecretKeys.tls.caCrt (string) | Key in the existing secret that stores the PostgreSQL Database Custom Certificate Authority. Default: "pg_server.ca_crt" |
redis (object) | Redis Database configuration. You can either provide a fully qualified URI or fill in each part in dedicated fields. Redis is used as a broker and result backend for Celery and as a Commit Cache. Default: Not set |
redis.main.url (string) | Fully qualified URI of the Redis Instance. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.user (string) | Redis Instance user name (if redis.main.url is not specified). Default: "" |
redis.main.password (string) | Redis Instance user password (if redis.main.url is not specified). Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.host (string) | Redis Instance host name (if redis.main.url is not specified). Default: "" |
redis.main.port (int) | Redis Instance host port (if redis.main.url is not specified). Default: 6379 |
redis.main.tls (object) | Redis Instance TLS configuration. Default: Not set |
redis.main.tls.enabled (bool) | Enable Redis TLS (if redis.main.url is not specified). Default: false |
redis.main.tls.requireServerCert (bool) | Enable Redis server certificate check. If true, you must provide a rediss:// URL scheme for redis.main.url. Default: false |
redis.main.tls.crt (string) | Redis Instance Client certificate. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.tls.key (string) | Redis Instance Client certificate private key. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.tls.caCrt (string) | Redis Instance Custom Certificate Authority. Should preferably be set in an existing secret (see: redis.main.existingSecret). Default: "" |
redis.main.existingSecret (string) | Secret used to store the Redis Instance URL or password and certificates (preferred method). Default: "" |
redis.main.existingSecretKeys (object) | Keys used for Redis secrets when using an existing secret |
redis.main.existingSecretKeys.tls.crt (string) | Key in the existing secret that stores the Redis Instance Client certificate. Default: "redis_client.crt" |
redis.main.existingSecretKeys.tls.key (string) | Key in the existing secret that stores the Redis Instance Client certificate private key. Default: "redis_client.key" |
redis.main.existingSecretKeys.tls.caCrt (string) | Key in the existing secret that stores the Redis Instance Custom Certificate Authority. Default: "redis_server.ca_crt" |
redis.commitCache.enabled (bool) | Enable a separate Redis instance dedicated to the Commit Cache feature. The Commit Cache feature avoids rescanning already scanned commits by saving scan results in Redis. If not enabled, the main Redis instance will be used for the Commit Cache. Default: false |
redis.commitCache.url (string) | Fully qualified URI of the Redis Instance. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.user (string) | Redis Instance user name (if redis.commitCache.url is not specified). Default: "" |
redis.commitCache.password (string) | Redis Instance user password (if redis.commitCache.url is not specified). Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.host (string) | Redis Instance host name (if redis.commitCache.url is not specified). Default: "" |
redis.commitCache.port (int) | Redis Instance host port (if redis.commitCache.url is not specified). Default: 6379 |
redis.commitCache.tls (object) | Redis Instance TLS configuration. Default: Not set |
redis.commitCache.tls.enabled (bool) | Enable Redis TLS (if redis.main.url is not specified). Default: false |
redis.commitCache.tls.requireServerCert (bool) | Enable Redis server certificate check. If true, you must provide a rediss:// URL scheme for REDIS_URL. Default: false |
redis.commitCache.tls.crt (string) | Redis Instance Client certificate. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.tls.key (string) | Redis Instance Client certificate private key. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.tls.caCrt (string) | Redis Instance Custom Certificate Authority. Should preferably be set in an existing secret (see: redis.commitCache.existingSecret). Default: "" |
redis.commitCache.existingSecret (string) | Secret used to store the Redis Instance URL or password and certificates (preferred method). Default: "" |
redis.commitCache.existingSecretKeys (object) | Keys used for Redis secrets when using an existing secret |
redis.commitCache.existingSecretKeys.tls.crt (string) | Key in the existing secret that stores the Redis Instance Client certificate. Default: "redis_client.crt" |
redis.commitCache.existingSecretKeys.tls.key (string) | Key in the existing secret that stores the Redis Instance Client certificate private key. Default: "redis_client.key" |
redis.commitCache.existingSecretKeys.tls.caCrt (string) | Key in the existing secret that stores the Redis Instance Custom Certificate Authority. Default: "redis_server.ca_crt" |
miscEncryption (object) | Encryption keys configuration. Django Secret Key, X509 certificate and key are auto-generated during installation if not set. Default: Auto-generated |
miscEncryption.djangoSecretKey (string) | Encryption key for sensitive database fields. Auto-generated at first install if empty (preferred method). IMPORTANT: The key should be kept in a safe place as it is required to access all sensitive information in the database. Default: Auto-generated |
miscEncryption.existingSecret (string) | Secret used to store encryption secrets. Default: "" |
miscEncryption.existingSecretKeys (object) | Keys used for encryption secrets when using an existing secret |
miscEncryption.existingSecretKeys.djangoSecretKey (string) | Key in the existing secret that stores the Django Secret Key. Auto-generated at first install if empty (preferred method). Default: "DJANGO_SECRET_KEY" |
miscEncryption.existingSecretKeys.x509Cert (string) | Key in the existing secret that stores the certificate for SAML/SSO auth. Auto-generated at first install if empty (preferred method). Default: "SP_X509_CERT" |
miscEncryption.existingSecretKeys.x509PrivateKey (string) | Key in the existing secret that stores the certificate private key for SAML/SSO auth. Auto-generated at first install if empty (preferred method). Default: "SP_PRIVATE_KEY" |
externalSecrets.enabled (bool) | Enable External Secrets (https://external-secrets.io/). Default: false |
externalSecrets.path (string) | External Secret Path. Default: "" |
externalSecrets.secretStoreRef.kind (string) | https://external-secrets.io/ Class. Default: "SecretStore" |
externalSecrets.secretStoreRef.name (string) | https://external-secrets.io/ Name. Default: "vault" |
front (object) | Frontend configuration. The Frontend serves the Dashboard and acts as a proxy for other web deployments |
front.nginx.replicas (int) | Dashboard Frontend replicas count. Default: 1 |
front.nginx.resources (object) | Dashboard Frontend resources requests and limits. Default: {"limits":{"memory":"2Gi"},"requests":{"cpu":"200m","memory":"500Mi"}} |
front.service.type (string) | Service type. Can be ClusterIP, NodePort or LoadBalancer. Default: "ClusterIP" |
front.service.port (int) | Dashboard Frontend Service port. Default: 80 |
front.service.annotations (object) | Dashboard Frontend Service annotations. Default: {} |
webapps (object) | Backend deployments configuration |
webapps.internal_api.replicas (int) | Internal API replicas count. Default: 1 |
webapps.internal_api_long.replicas (int) | Internal API for long requests replicas count. Default: 1 |
webapps.public_api.replicas (int) | Public API (used for ggshield scans) replicas count. Default: 1 |
webapps.hook.replicas (int) | VCS Webhooks Receivers replicas count. Default: 1 |
webapps.app_exporter.replicas (string) | Prometheus exporter replicas count. Will be set to 1 if .Values.observability.exporter.appExporter.enabled is true. Default: 0 |
celeryWorkers (object) | Asynchronous Workers deployments configuration |
celeryWorkers.worker.queues (string) | Queues consumed by default workers. Default: "celery,check_run,realtime,realtime_retry" |
celeryWorkers.worker.replicas (int) | Default workers (incl. realtime scans) replicas count. Default: 2 |
celeryWorkers.email.queues (string) | Queues consumed by Messaging workers. Default: "email,notifier" |
celeryWorkers.email.replicas (int) | Messaging workers replicas count. Default: 2 |
celeryWorkers.scanners.queues (string) | Queues consumed by Historical Scan workers. Default: "basic_repo_scan,premium_repo_scan,manual_repo_scan" |
celeryWorkers.scanners.replicas (int) | Historical Scan workers replicas count. Default: 2 |
celeryWorkers.long.queues (string) | Queues consumed by Long Tasks workers. Default: "celery_long" |
celeryWorkers.long.replicas (int) | Long Tasks workers replicas count. Default: 2 |
beat (object) | Asynchronous tasks scheduler |
beat.replicas (int) | Asynchronous tasks scheduler replicas count. Default: 1 |
beat.resources (object) | Asynchronous tasks scheduler resources requests and limits. Default: {"limits":{"memory":"200Mi"},"requests":{"cpu":"10m","memory":"200Mi"}} |
onPrem.adminUser (object) | GitGuardian Admin User. A temporary password has to be set in the secret "gim-secrets" under the ADMIN_PASSWORD key. You'll be asked to change this password when you log in. Default: {"email":"","firstname":""} |
sentry.enabled (bool) | Enable Sentry tracing and APM. Default: false |
sentry.dsn (string) | Sentry Data Source Name URL. Default: "" |
tls (object) | HTTPS TLS configuration. You can manage the certificate manually or use https://cert-manager.io/ |
tls.certManager.enabled (bool) | Use https://cert-manager.io/ instead of a manual certificate. Default: false |
tls.certManager.certificatesSecret (string) | Name of the created cert-manager Certificate object. Default: "gitguardian-certificate" |
tls.certManager.certificatesNamespace (string) | Namespace where the certificate will be created. Default: .Release.Namespace |
tls.certManager.issuer.kind (string) | https://cert-manager.io/ Issuer Class. Default: "ClusterIssuer" |
tls.certManager.issuer.name (string) | https://cert-manager.io/ Issuer Name. Default: "gitguardian" |
tls.customCa (object) | Custom Certificate Authority certificate for integrations (VCS, notifiers, webhooks, ...) |
tls.customCa.caCert (string) | Certificates full chain in the PEM format. Should preferably be set in an existing secret (see: tls.customCa.existingSecret). Default: "" |
tls.customCa.existingSecret (string) | Existing secret containing the certificates full chain in the PEM format. Default: "" |
tls.customCa.existingSecretCaCertKey (string) | Key name of the certificate entry. Default: "custom-ca.pem" |
networkPolicy.enabled (bool) | Use the default network policy. If enabled, you must ensure ingress traffic is allowed to nginx. Default: false |
argoCd.enabled (bool) | Enable ArgoCD hook and sync-wave annotations. Default: false |
istio.enabled (bool) | Enable Istio (https://istio.io/). If Istio is deactivated, you must configure your own ingress redirecting to the nginx service on port 80, or set the service to be LoadBalancer. Default: false |
istio.gateway.name (string) | Istio Gateway name. Default: "{{.Release.Name}}-{{.Release.Namespace}}" |
istio.gateway.namespace (string) | Istio Gateway namespace. Default: "istio-system" |
observability.exporters (object) | Prometheus exporters configuration |
observability.exporters.appExporter (object) | Applicative metrics Exporter. This will expose /metrics for GitGuardian Applicative metrics. See: https://docs.gitguardian.com/self-hosting/management/application-management/metrics |
observability.exporters.appExporter.enabled (bool) | Enable Applicative Exporter. Default: false |
observability.exporters.appExporter.resources (object) | Applicative Exporter resources requests and limits. Default: {} |
observability.exporters.celeryExporter (object) | Celery metrics Exporter. This will expose /metrics for Celery metrics. See: https://github.com/danihodovic/celery-exporter |
observability.exporters.celeryExporter.enabled (bool) | Enable Celery Exporter. Default: false |
observability.serviceMonitors.enabled (bool) | Enable ServiceMonitors for Prometheus Operator. Note: this requires installing Prometheus Operator, which is not included in this chart (see: https://prometheus-operator.dev). Default: false |
proxy (object) | HTTP(S) proxy configuration. You can configure a proxy server for outgoing traffic from the application. Default: Not set |
proxy.httpProxyUrl (string) | URL of the proxy server to be used for HTTP requests. Username and password in the URL are not supported. Default: nil |
proxy.httpsProxyUrl (string) | URL of the proxy server to be used for HTTPS requests. Username and password in the URL are not supported. Default: nil |
proxy.noProxyHostNames (list) | List of host names for which traffic should not go through the proxy. Default: [] |
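
A pre-deployment check over the keys in this table, as an added example that is not part of the GitGuardian chart or its documentation: it flags credentials set inline instead of through the matching existingSecret, a PostgreSQL SSL mode that does not verify the server certificate, Redis without requireServerCert, and proxy URLs carrying credentials. The function names, host names and secret values are constructed, and the input is assumed to be a values.yaml already parsed into a dict.

```python
from urllib.parse import urlsplit

# Fields the reference says "should preferably be set in an existing secret",
# grouped by the section whose existingSecret value should hold them.
SECRET_FIELDS = {
    "postgresql": ("password", "tls.key"),
    "redis.main": ("url", "password", "tls.key"),
    "redis.commitCache": ("url", "password", "tls.key"),
}

def get(values, dotted, default=None):
    """Walk a nested dict using a dotted key from the reference table."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit(values):
    """Return a list of findings for a parsed values.yaml (nested dict)."""
    findings = []
    for section, fields in SECRET_FIELDS.items():
        for field in fields:
            if get(values, f"{section}.{field}"):
                findings.append(f"{section}.{field}: set inline, move to {section}.existingSecret")
    # Chart default is "require". Per PostgreSQL's sslmode semantics, only
    # verify-ca and verify-full validate the server certificate.
    mode = get(values, "postgresql.tls.mode", "require")
    if mode not in ("verify-ca", "verify-full"):
        findings.append(f"postgresql.tls.mode: {mode} does not verify the server certificate")
    for inst in ("redis.main", "redis.commitCache"):
        if inst == "redis.commitCache" and not get(values, inst + ".enabled", False):
            continue  # the main instance serves the Commit Cache
        if not get(values, inst + ".tls.requireServerCert", False):
            findings.append(f"{inst}.tls.requireServerCert: server certificate not checked")
    for key in ("proxy.httpProxyUrl", "proxy.httpsProxyUrl"):
        url = get(values, key)
        if url and (urlsplit(url).username or urlsplit(url).password):
            findings.append(f"{key}: credentials in the URL are not supported")
    return findings

# Constructed sample values (hosts and secrets are placeholders, not real).
SAMPLE = {
    "postgresql": {"host": "db.example.internal", "password": "constructed-not-real"},
    "redis": {"main": {"host": "redis.example.internal", "tls": {"enabled": True}}},
    "proxy": {"httpsProxyUrl": "http://svc:constructed@proxy.example.internal:3128"},
}
```

Calling `audit(SAMPLE)` returns four findings; a values file that uses existingSecret, `verify-full` and `requireServerCert: true` returns an empty list.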