List of Supported Values
Supported values
These are the values supported in the ping-devops chart. In general, values specified in the global section can be overridden for individual products. The product sections have many global fields overridden by default (workloads, services, etc.).
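The override behaviour described above, as an added values.yaml fragment (not taken from the chart's own documentation). It uses only keys listed on this page; the domain, the TLS secret name and the extra certificate host are placeholders, and the per-product `container.replicaCount` path assumes the global-to-product override the paragraph describes.

```yaml
# Added example values.yaml; not from the ping-devops chart repository.
global:
  image:
    tag: "2204"                 # listed default, set explicitly rather than left implicit
    pullPolicy: IfNotPresent
  ingress:
    enabled: true
    addReleaseToHost: subdomain
    defaultDomain: example.com        # placeholder domain
    defaultTlsSecret: example-tls     # placeholder secret name
  privateCert:
    generate: true              # creates tls.crt and tls.key under /run/secrets/internal-cert
    additionalHosts:
      - pf-admin.internal.example.com # placeholder extra SAN entry
  workload:
    securityContext:            # the defaults documented on this page
      fsGroup: 0
      runAsUser: 9031
      runAsGroup: 0
  container:
    replicaCount: 1             # applies to every product unless overridden

pingfederate-admin:
  enabled: true

pingfederate-engine:
  enabled: true
  container:
    replicaCount: 2             # assumed override path: replaces global.container.replicaCount here only

pingdirectory:
  enabled: true
  workload:
    statefulSet:
      partition: 0              # no canary partition
```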
Global values
Name | Description | Default |
---|---|---|
global.annotations | Annotations listed will be added to the Kubernetes resource | {} |
global.envs | Environment variables listed will be added to the global-env-vars configmap | {} |
global.addReleaseNameToResource | Provides global ability to add names to Kubernetes resources. One of {none, append, prepend} | prepend |
global.ingress.enabled | | false |
global.ingress.addReleaseToHost | Add release to host. One of {prepend, append, subdomain, none} | subdomain |
global.ingress.defaultDomain | Replaces with "defaultDomain" in host fields | example.com |
global.ingress.defaultTlsSecret | Replaces with "defaultTlsSecret" in tls.secretName | |
global.ingress.annotations | | {} |
global.privateCert.generate | If true, an internal certificate secret will be created and the certificate mounted at /run/secrets/internal-cert (creates a tls.crt and tls.key). By default the Issuer of the cert will be the service name created by the Helm Chart. Additionally, the ingress hosts, if enabled, will be added to the list of X509v3 Subject Alternative Names | false |
global.privateCert.additionalHosts | Additional hosts for the cert | [] |
global.privateCert.additionalIPs | Additional IP addresses for the cert | [] |
global.masterPassword | Uses Helm function derivePassword, which uses the master password specification: https://masterpassword.app/masterpassword-algorithm.pdf | |
global.masterPassword.enabled | Enable master password | false |
global.masterPassword.strength | Master password template. One of {long, maximum} | |
global.masterPassword.name | Defaults to release name | |
global.masterPassword.site | Defaults to chart name | |
global.masterPassword.secret | Defaults to release namespace | |
global.vault | Hashicorp Vault configuration | |
global.vault.enabled | Enable Vault | false |
global.vault.hashicorp.annotations | Annotation names, which will be appended to 'vault.hashicorp.com/' in the annotation | |
global.vault.secrets | Vault secrets to pull in | {} |
global.image.repository | Default image registry (not the fully-qualified name of the image). Example: image.repository: pingidentity, docker.io, 123.dkr.ecr.us-west-1.amazonaws.com | pingidentity |
global.image.repositoryFqn | Docker image repository fully-qualified name. Overrides image.repository and image.name on the pod image spec. Example: image.repositoryFqn: pingidentity/pingfederate, docker.io/my-pingfederate | |
global.image.name | Default image name. MUST be set in child chart. Example: image.name: pingfederate | |
global.image.tag | Default image tag | 2204 |
global.image.pullPolicy | Default image pull policy | IfNotPresent |
global.externalImage | Provides ability to use external images for various purposes such as using curl, waitfor, etc. A pingtoolkit image is included by default for running waitFor and generating private cert initContainers. Any values specified on the image will be copied directly to the k8s spec for the container. | {pingtoolkit} |
global.services | Services mapping a port to a targetPort on the corresponding container | {} |
global.services.clusterExternalDNSHostname | Value for the external-dns.alpha.kubernetes.io/hostname annotation | |
global.services.clusterServiceName | If set, then this name will be used as the cluster service name (i.e. clusterService == true). | |
global.services.serviceName.dataService | If true, a ClusterIP service is created, reachable within the cluster. A single IP is provided and the service will round-robin across the backend containers | |
global.services.serviceName.clusterService | If true, a headless service is created, explicitly specifying "None" for the clusterIP. DNS requests to this service will provide one of the IPs of the backend containers | |
global.services.serviceName.containerPort | Port on the Kubernetes container | |
global.services.serviceName.servicePort | Port available from the Kubernetes service. If clusterService=true this port on the cluster service is not really used, as the headless service always maps through to the container port | |
global.services.serviceName.ingressPort | Port available from the Kubernetes ingress | |
Workload values - Deployment and StatefulSet
Name | Description | Default |
---|---|---|
global.workload | Can be Deployment or StatefulSet | Deployment |
global.workload.annotations | Workload annotations | |
global.workload.schedulerName | K8s scheduler | default-scheduler |
global.workload.shareProcessNamespace | Set shareProcessNamespace in the pod spec | false |
global.workload.deployment | Deployment workload configuration | |
global.workload.deployment.strategy | Deployment pod replacement strategy | |
global.workload.deployment.strategy.type | Strategy type | RollingUpdate |
global.workload.deployment.strategy.rollingUpdate.maxSurge | Max surge, only applicable for RollingUpdate type | 1 |
global.workload.deployment.strategy.rollingUpdate.maxUnavailable | Max unavailable, only applicable for RollingUpdate type | 0 |
global.workload.statefulSet | StatefulSet workload configuration | |
global.workload.statefulSet.partition | Used for canary testing if n>0 | 0 |
global.workload.statefulSet.persistentvolume.enabled | Enable persistent volumes | true |
global.workload.statefulSet.persistentvolume.volumes | For every volume defined in the volumes list, 3 items will be created in the StatefulSet: 1. container.volumeMounts - name and mountPath. 2. template.spec.volume - name and persistentVolumeClaim.claimName. 3. spec.volumeClaimTemplates - persistentVolumeClaim. | {out-dir} |
global.workload.statefulSet.persistentvolume.volumes.volumeName.mountPath | Mount path for the volume | |
global.workload.statefulSet.persistentvolume.volumes.volumeName.persistentVolumeClaim | volumeClaimTemplate | |
global.workload.securityContext | securityContext for the workload. The securityContext defined will be inserted directly into the spec. The user (9031) and group (0) represent the current user and group used with PingIdentity images (except PingDelegator). The fsGroup is required for any workloads that volumeMount a pvc (i.e. StatefulSets) | fsGroup 0, runAsUser 9031, runAsGroup 0 |
global.container | Configure the container in the workload Pod spec | |
global.container.replicaCount | Number of replicas for workload | 1 |
global.container.resources | container resources yaml to insert into Pod spec | |
global.container.nodeSelector | nodeSelector yaml to insert into Pod spec | {} |
global.container.tolerations | tolerations yaml to insert into Pod spec | [] |
global.container.affinity | affinity yaml to insert into Pod spec | {} |
global.container.terminationGracePeriodSeconds | termination grace period | 30 |
global.container.envFrom | envFrom yaml to insert into Pod spec | [] |
global.container.lifecycle | lifecycle yaml to insert into Pod spec | |
global.container.probes | probes yaml to insert into Pod spec | liveness, readiness, and startup probes defined |
Other global defaults
Name | Description | Default |
---|---|---|
global.license.secret.devOps | Identify the k8s secret containing the DevOps USER/KEY if used during deployment. pingctl can be used to generate the devops-secret | devops-secret |
global.utilitySidecar | Deploy a utility sidecar for running command-line tools. This sidecar is useful for command line utilities like collect-support-data. The sidecar will remain running alongside the workload, even when the sidecar isn't being used. It does not need to be listed in the includeSidecars value. | |
global.utilitySidecar.enabled | Enable the utility sidecar | false |
global.utilitySidecar.resources | Set k8s resources yaml for the sidecar spec | 1 CPU and 2g memory limit, 0 CPU and 128Mi memory request |
global.includeSidecars | Names of sidecars to include, from the top-level sidecars value | [] |
global.includeInitContainers | Names of initContainers to include, from the top-level initContainers value | [] |
global.includeVolumes | Names of volumes to include, from the top-level volumes value | [] |
Shared utilities
Name | Description | Default |
---|---|---|
sidecars | Sidecar yaml definitions available to product workload spec | {} |
initContainers | initContainer yaml definitions available to product workload spec | {} |
volumes | volume yaml definitions available to product workload spec for sidecars, initContainers, or main product containers | {} |
configMaps | configMap yaml definitions available to product workload spec for sidecars or main product containers | {} |
Image/Product values
Name | Description | Default |
---|---|---|
ldap-sdk-tools | LDAP SDK tools values | |
ldap-sdk-tools.enabled | Enable LDAP SDK tools deployment | false |
pingfederate-admin | PingFederate admin values | |
pingfederate-admin.enabled | Enable PingFederate admin deployment | false |
pingfederate-engine | PingFederate engine values | |
pingfederate-engine.enabled | Enable PingFederate engine deployment | false |
pingfederate-engine.clustering.autoscaling | Configure Horizontal Pod Autoscaling | |
pingfederate-engine.clustering.autoscaling.enabled | Enable Horizontal Pod Autoscaling. If enabled, ensure that proper pingfederate.container.resources values are set and coordinated with the targetCPUUtilizationPercentage or targetMemoryUtilizationPercentage | false |
pingfederate-engine.clustering.autoscaling.minReplicas | Autoscaler minimum replicas | 1 |
pingfederate-engine.clustering.autoscaling.maxReplicas | Autoscaler maximum replicas | 4 |
pingfederate-engine.clustering.autoscaling.targetCPUUtilizationPercentage | Target CPU utilization | 75 |
pingfederate-engine.clustering.autoscaling.targetMemoryUtilizationPercentage | Target memory utilization | |
pingfederate-engine.clustering.autoscaling.behavior | Custom HPA behavior yaml | {} |
pingfederate-engine.clustering.autoscalingMetricsTemplate | Custom HPA metrics yaml | [] |
pingdirectory | PingDirectory values | |
pingdirectory.enabled | Enable PingDirectory deployment | false |
pingdirectory.cronjob | CronJobs run a kubectl exec command to run commands on a utility sidecar container. They will also create the necessary ServiceAccount, Role, and RoleBinding to run the jobs | |
pingdirectory.cronjob.enabled | Enable the PingDirectory CronJob | false |
pingdirectory.cronjob.spec | yaml to insert into the created CronJob spec. The jobTemplate should not be included. A schedule value must be provided | |
pingdirectory.cronjob.jobspec | yaml to override default jobTemplate. | |
pingdirectory.cronjob.image | Image to run the Jobs. The image must include kubectl | bitnami/kubectl:latest |
pingdirectory.cronjob.args | Job arguments | [] |
pingdirectoryproxy | PingDirectoryProxy values | |
pingdirectoryproxy.enabled | Enable PingDirectoryProxy deployment | false |
pingdelegator | PingDelegator values | |
pingdelegator.enabled | Enable PingDelegator deployment | false |
pingdatasync | PingDataSync values | |
pingdatasync.enabled | Enable PingDataSync deployment | false |
pingauthorize | PingAuthorize values | |
pingauthorize.enabled | Enable PingAuthorize deployment | false |
pingauthorizepap | PingAuthorizePAP values | |
pingauthorizepap.enabled | Enable PingAuthorizePAP deployment | false |
pingdatagovernance | PingDataGovernance values | |
pingdatagovernance.enabled | Enable PingDataGovernance deployment | false |
pingdatagovernancepap | PingDataGovernancePAP values | |
pingdatagovernancepap.enabled | Enable PingDataGovernancePAP deployment | false |
pingaccess-admin | PingAccess admin values | |
pingaccess-admin.enabled | Enable PingAccess admin deployment | false |
pingaccess-engine | PingAccess engine values | |
pingaccess-engine.enabled | Enable PingAccess engine deployment | false |
pingcentral | PingCentral values | |
pingcentral.enabled | Enable PingCentral deployment | false |
pingdataconsole | PingDataConsole values | |
pingdataconsole.enabled | Enable PingDataConsole deployment | false |
pingdataconsole.defaultLogin | Default login details for the console | |
pingdataconsole.defaultLogin.server.host | Default hostname | pingdirectory-cluster |
pingdataconsole.defaultLogin.server.port | Default port | 636 |
pingdataconsole.defaultLogin.username | Default username | administrator |
pd-replication-timing | PingDirectory replication timing values | |
pd-replication-timing.enabled | Enable PingDirectory replication timing deployment | false |
pingtoolkit | PingToolkit values | |
pingtoolkit.enabled | Enable PingToolkit deployment | false |