Helm Chart Values

Here is the reference for the customizable values for Helm installation. See Helm installation documentation for more information.

Values

Key	Description
hostname (string)	Hostname for the GitGuardian application (without https://) Default: `nil`
postgresql (object)	PostgreSQL Database configuration Default: Not set
postgresql.host (string)	PostgreSQL Database host name Default: `""`
postgresql.port (int)	PostgreSQL Database host port Default: `5432`
postgresql.username (string)	PostgreSQL Database user name Default: `""`
postgresql.password (string)	PostgreSQL Database user password Should preferably be set in existing secret (see: `postgresql.existingSecret`) Default: `""`
postgresql.tls.mode (string)	PostgreSQL Database SSL mode Possible values: disable, allow, prefer, require, verify-ca, verify-full See: PostgreSQL SSL Mode Descriptions Default: `"require"`
postgresql.tls.crt (string)	PostgreSQL Database Client certificate Should preferably be set in existing secret (see: `postgresql.existingSecret`) Default: `""`
postgresql.tls.key (string)	PostgreSQL Database Client certificate private key Should preferably be set in existing secret (see: `postgresql.existingSecret`) Default: `""`
postgresql.tls.caCrt (string)	PostgreSQL Database Custom Certificate Authority Should preferably be set in existing secret (see: `postgresql.existingSecret`) Default: `""`
postgresql.existingSecret (string)	Secret used to store PostgreSQL password and Certificates (preferred method) Default: `""`
postgresql.existingSecretKeys (object)	Keys used for PostgreSQL Database secrets when using an existing secret
postgresql.existingSecretKeys.password (string)	Existing secret key where to store PostgreSQL Database user password Default: `"POSTGRES_PASSWORD"`
postgresql.existingSecretKeys.tls.crt (string)	Existing secret key where to store PostgreSQL Database Client certificate Default: `"pg_client.crt"`
postgresql.existingSecretKeys.tls.key (string)	Existing secret key where to store PostgreSQL Database Client certificate private key Default: `"pg_client.key"`
postgresql.existingSecretKeys.tls.caCrt (string)	Existing secret key where to store PostgreSQL Database Custom Certificate Authority Default: `"pg_server.ca_crt"`
redis (object)	Redis Database configuration You can either provide a full qualified URI or fill each parts in dedicated fields Redis is used as a broker and result backend for celery and as a Commit Cache Default: Not set
redis.main.url (string)	Full qualified URI of Redis Instance Should preferably be set in existing secret (see: `redis.main.existingSecret`) Default: `""`
redis.main.user (string)	Redis Instance user name (if `redis.main.url` is not specified) Default: `""`
redis.main.password (string)	Redis Instance user password (if `redis.main.url` is not specified) Should preferably be set in existing secret (see: `redis.main.existingSecret`) Default: `""`
redis.main.host (string)	Redis Instance host name (if `redis.main.url` is not specified) Default: `""`
redis.main.port (int)	Redis Instance host port (if `redis.main.url` is not specified) Default: `6379`
redis.main.tls (object)	Redis Instance TLS configuration Default: Not set
redis.main.tls.enabled (bool)	Enable redis TLS (if `redis.main.url` is not specified) Default: `false`
redis.main.tls.requireServerCert (bool)	Enable redis server certificate check If true, you must provide a `rediss://` URL Scheme for `redis.main.url` Default: `false`
redis.main.tls.crt (string)	Redis Instance Client certificate Should preferably be set in existing secret (see: `redis.main.existingSecret`) Default: `""`
redis.main.tls.key (string)	Redis Instance Client certificate private key Should preferably be set in existing secret (see: `redis.main.existingSecret`) Default: `""`
redis.main.tls.caCrt (string)	Redis Instance Custom Certificate Authority Should preferably be set in existing secret (see: `redis.main.existingSecret`) Default: `""`
redis.main.existingSecret (string)	Secret used to store Redis Instance URL or password and Certificates (preferred method) Default: `""`
redis.main.existingSecretKeys (object)	Keys used for Redis secrets when using an existing secret
redis.main.existingSecretKeys.tls.crt (string)	Existing secret key where to store Redis Instance Client certificate Default: `"redis_client.crt"`
redis.main.existingSecretKeys.tls.key (string)	Existing secret key where to store Redis Instance Client certificate private key Default: `"redis_client.key"`
redis.main.existingSecretKeys.tls.caCrt (string)	Existing secret key where to store Redis Instance Custom Certificate Authority Default: `"redis_server.ca_crt"`
redis.commitCache.enabled (bool)	Enable a separate Redis instance dedicated to the Commit Cache feature. Commit Cache feature allows to not scan already scanned commit by saving in Redis scan results. If not enabled, main Redis instance will be used for the Commit Cache Default: `false`
redis.commitCache.url (string)	Full qualified URI of Redis Instance Should preferably be set in existing secret (see: `redis.commitCache.existingSecret`) Default: `""`
redis.commitCache.user (string)	Redis Instance user name (if `redis.commitCache.url` is not specified) Default: `""`
redis.commitCache.password (string)	Redis Instance user password (if `redis.commitCache.url` is not specified) Should preferably be set in existing secret (see: `redis.commitCache.existingSecret`) Default: `""`
redis.commitCache.host (string)	Redis Instance host name (if `redis.commitCache.url` is not specified) Default: `""`
redis.commitCache.port (int)	Redis Instance host port (if `redis.commitCache.url` is not specified) Default: `6379`
redis.commitCache.tls (object)	Redis Instance TLS configuration Default: Not set
redis.commitCache.tls.enabled (bool)	Enable redis TLS (if `redis.main.url` is not specified) Default: `false`
redis.commitCache.tls.requireServerCert (bool)	Enable redis server certificate check If true, you must provide a `rediss://` URL Scheme for `REDIS_URL` Default: `false`
redis.commitCache.tls.crt (string)	Redis Instance Client certificate Should preferably be set in existing secret (see: `redis.commitCache.existingSecret`) Default: `""`
redis.commitCache.tls.key (string)	Redis Instance Client certificate private key Should preferably be set in existing secret (see: `redis.commitCache.existingSecret`) Default: `""`
redis.commitCache.tls.caCrt (string)	Redis Instance Custom Certificate Authority Should preferably be set in existing secret (see: `redis.commitCache.existingSecret`) Default: `""`
redis.commitCache.existingSecret (string)	Secret used to store Redis Instance URL or password and Certificates (preferred method) Default: `""`
redis.commitCache.existingSecretKeys (object)	Keys used for Redis secrets when using an existing secret
redis.commitCache.existingSecretKeys.tls.crt (string)	Existing secret key where to store Redis Instance Client certificate Default: `"redis_client.crt"`
redis.commitCache.existingSecretKeys.tls.key (string)	Existing secret key where to store Redis Instance Client certificate private key Default: `"redis_client.key"`
redis.commitCache.existingSecretKeys.tls.caCrt (string)	Existing secret key where to store Redis Instance Custom Certificate Authority Default: `"redis_server.ca_crt"`
miscEncryption (object)	Encryption keys configuration Django Secret Key, X509 certificate and key are auto-generated during installation if not set Default: Auto-generated
miscEncryption.djangoSecretKey (string)	Encryption key for sensitive database fields. Auto-generated at first install if empty (preferred method) IMPORTANT The key should be kept in a safe place at it is required to access all sensitive information in the database Default: Auto-generated
miscEncryption.existingSecret (string)	Secret used to store encryption secrets Default: `""`
miscEncryption.existingSecretKeys (object)	Keys used for encryption secrets when using an existing secret
miscEncryption.existingSecretKeys.djangoSecretKey (string)	Existing secret key where to store Django Secret Key Auto-generated at first install if empty (preferred method) Default: `"DJANGO_SECRET_KEY"`
miscEncryption.existingSecretKeys.x509Cert (string)	Existing secret key where to store certificate for SAML/SSO auth Auto-generated at first install if empty (preferred method) Default: `"SP_X509_CERT"`
miscEncryption.existingSecretKeys.x509PrivateKey (string)	Existing secret key where to store certificate private key for SAML/SSO auth Auto-generated at first install if empty (preferred method) Default: `"SP_PRIVATE_KEY"`
externalSecrets.enabled (bool)	Enable https://external-secrets.io/ Default: `false`
externalSecrets.path (string)	External Secret Path Default: `""`
externalSecrets.secretStoreRef.kind (string)	https://external-secrets.io/ Class Default: `"SecretStore"`
externalSecrets.secretStoreRef.name (string)	https://external-secrets.io/ Name Default: `"vault"`
front (object)	Frontend configuration The Frontend serves the Dashboard and acts as a proxy for other web deployments
front.nginx.replicas (int)	Dashboard Frontend replicas count Default: `1`
front.nginx.resources (object)	Dashboard Frontend resources requests and limits Default: `{"limits":{"memory":"2Gi"},"requests":{"cpu":"200m","memory":"500Mi"}}`
front.service.type (string)	Service type. Can be ClusterIP, NodePort or LoadBalancer Default: `"ClusterIP"`
front.service.port (int)	Dashboard Frontend Service port Default: `80`
front.service.annotations (object)	Dashboard Frontend Service annotations Default: `{}`
webapps (object)	Backend deployments configuration
webapps.internal_api.replicas (int)	Internal API replicas count Default: `1`
webapps.internal_api_long.replicas (int)	Internal API for long requests replicas count Default: `1`
webapps.public_api.replicas (int)	Public API (used for ggshield scans) replicas count Default: `1`
webapps.hook.replicas (int)	VCS Webhooks Receivers replicas count Default: `1`
webapps.app_exporter.replicas (string)	Prometheus exporter replicas count Will be set to 1 if .Values.observability.exporter.appExporter.enabled is true Default: 0
celeryWorkers (object)	Asynchronous Workers deployments configuration
celeryWorkers.worker.queues (string)	Queues consumed by default workers Default: `"celery,check_run,realtime,realtime_retry"`
celeryWorkers.worker.replicas (int)	Default workers (incl. realtime scans) replicas count Default: `2`
celeryWorkers.email.queues (string)	Queues consumed by Messaging workers Default: `"email,notifier"`
celeryWorkers.email.replicas (int)	Messaging workers replicas count Default: `2`
celeryWorkers.scanners.queues (string)	Queues consumed by Historical Scan workers Default: `"basic_repo_scan,premium_repo_scan,manual_repo_scan"`
celeryWorkers.scanners.replicas (int)	Historical Scan workers replicas count Default: `2`
celeryWorkers.long.queues (string)	Queues consumed by Long Tasks workers Default: `"celery_long"`
celeryWorkers.long.replicas (int)	Long Tasks workers replicas count Default: `2`
beat (object)	Asynchronous tasks scheduler
beat.replicas (int)	Asynchronous tasks scheduler replicas count Default: `1`
beat.resources (object)	Asynchronous tasks scheduler resources requests and limits Default: `{"limits":{"memory":"200Mi"},"requests":{"cpu":"10m","memory":"200Mi"}}`
onPrem.adminUser (object)	GitGuardian Admin User A temporary password has to be set in secret "gim-secrets" under ADMIN_PASSWORD key. You'll be asked to change this password on your connection Default: `{"email":"","firstname":""}`
sentry.enabled (bool)	Enable Sentry tracing and APM Default: `false`
sentry.dsn (string)	Sentry Data Source Name URL Default: `""`
tls (object)	HTTPS TLS configuration You can manage the certificate manually or use https://cert-manager.io/
tls.certManager.enabled (bool)	Use https://cert-manager.io/ instead of a manual certificate Default: `false`
tls.certManager.certificatesSecret (string)	Name of the created cert-manager `Certificate` object Default: `"gitguardian-certificate"`
tls.certManager.certificatesNamespace (string)	Namespace where certificate will be created Default: `.Release.Namespace`
tls.certManager.issuer.kind (string)	https://cert-manager.io/ Issuer Class Default: `"ClusterIssuer"`
tls.certManager.issuer.name (string)	https://cert-manager.io/ Issuer Name Default: `"gitguardian"`
tls.customCa (object)	Custom Certificate Authority certificate for integrations (VCS, notifiers, webhooks, ...)
tls.customCa.caCert (string)	Certificates full chain in the PEM format Should preferably be set in existing secret (see: `tls.customCa.existingSecret`) Default: `""`
tls.customCa.existingSecret (string)	Existing secret containing certificates full chain in the PEM format Default: `""`
tls.customCa.existingSecretCaCertKey (string)	Key name of the certificate entry Default: `"custom-ca.pem"`
networkPolicy.enabled (bool)	Use default network policy. If enabled, you must ensure ingress traffic is allowed to nginx Default: `false`
argoCd.enabled (bool)	Enable ArgoCD hook and sync-wave annotations Default: `false`
istio.enabled (bool)	Enable https://istio.io/ If istio is deactivated, you must configure your own ingress redirecting to `nginx` service on port 80, or set the service to be `LoadBalancer` Default: `false`
istio.gateway.name (string)	Istio Gateway name Default: `"{{.Release.Name}}-{{.Release.Namespace}}"`
istio.gateway.namespace (string)	Istio Gateway namespace Default: `"istio-system"`
observability.exporters (object)	Prometheus exporters configuration
observability.exporters.appExporter (object)	Applicative metrics Exporter This will expose /metrics for GitGuardian Applicative metrics See: https://docs.gitguardian.com/self-hosting/management/application-management/metrics
observability.exporters.appExporter.enabled (bool)	Enable Applicative Exporter Default: `false`
observability.exporters.appExporter.resources (object)	Applicative Exporter resources requests and limits Default: `{}`
observability.exporters.celeryExporter (object)	Celery metrics Exporter This will expose /metrics for Celery metrics See: https://github.com/danihodovic/celery-exporter
observability.exporters.celeryExporter.enabled (bool)	Enable Celery Exporter Default: `false`
observability.serviceMonitors.enabled (bool)	Enable ServiceMonitors for Prometheus Operator Note: this requires to install Prometheus Operator (not included in this chart) See: https://prometheus-operator.dev Default: `false`
proxy (object)	HTTP(s) proxy configuration You can configure a proxy server for outgoing traffic from the application Default: Not set
proxy.httpProxyUrl (string)	Url of the proxy server to be used for HTTP requests Username and password in the url are not supported Default: `nil`
proxy.httpsProxyUrl (string)	Url of the proxy server to be used for HTTPS requests Username and password in the url are not supported Default: `nil`
proxy.noProxyHostNames (list)	List of host names through which the traffic should not go via the proxy Default: `[]`