List of Supported Values

Supported values

These are the values supported in the ping-devops chart. In general, values specified in the global section can be overridden for individual products. The product sections have many global fields overridden by default (workloads, services, etc.).

Global values

| Name | Description | Default |
| --- | --- | --- |
| global.annotations | Annotations listed will be added to the Kubernetes resource | {} |
| global.envs | Environment variables listed will be added to the global-env-vars configmap | {} |
| global.addReleaseNameToResource | Provides global ability to add names to Kubernetes resources. One of {none, append, prepend} | prepend |
| global.ingress.enabled | | false |
| global.ingress.addReleaseToHost | Add release to host. One of {prepend, append, subdomain, none} | subdomain |
| global.ingress.defaultDomain | Replaces with "defaultDomain" in host fields | |
| global.ingress.defaultTlsSecret | Replaces with "defaultTlsSecret" in tls.secretName | |
| global.ingress.annotations | | {} |
| global.privateCert.generate | If true, an internal certificate secret will be created and the certificate mounted in /run/secrets/internal-cert (creates a tls.crt and tls.key). By default the Issuer of the cert will be the service name created by the Helm chart. Additionally, the ingress hosts, if enabled, will be added to the list of X509v3 Subject Alternative Names | false |
| global.privateCert.format | The format of the certificate to be generated. Use "pingaccess-fips-pem" to generate a valid certificate for running PingAccess in FIPS mode. Any other value will generate a PKCS12 keystore with the generated certificate. | PKCS12 |
| global.privateCert.additionalHosts | Additional hosts for the cert | [] |
| global.privateCert.additionalIPs | Additional IP addresses for the cert | [] |
| global.masterPassword | Uses Helm function derivePassword, which uses the master password specification: | |
| global.masterPassword.enabled | Enable master password | false |
| global.masterPassword.strength | Master password template. One of {long, maximum} | |
| | Defaults to release name | |
| | Defaults to chart name | |
| global.masterPassword.secret | Defaults to release namespace | |
| global.vault | Hashicorp Vault configuration | |
| global.vault.enabled | Enable Vault | false |
| global.vault.hashicorp.annotations | Annotation names, which will be appended to '' in the annotation | |
| global.vault.secrets | Vault secrets to pull in | {} |
| global.image.repository | Default image registry is not the fully-qualified name of the image Example: image.repository: pingidentity,, | pingidentity |
| global.image.repositoryFqn | Docker image repository fully-qualified name. Overrides image.repository and on the pod image spec Example: image.repositoryFqn: pingidentity/pingfederate, | |
| | Default image name MUST be set in child chart Example: pingfederate | |
| global.image.tag | Default image tag | 2205 |
| global.image.pullPolicy | Default image pull policy | IfNotPresent |
| global.externalImage | Provides ability to use external images for various purposes such as using curl, waitfor, etc. A pingtoolkit image is included by default for running waitFor and generating private cert initContainers. A pingaccess image is also included by default to allow generating an encrypted PEM-formatted cert that is compatible with FIPS mode. Any values specified on the image will be copied directly to the k8s spec for the container, except for the externalImage.{name}.image section, which follows the format of the global.image section. If no image section is specified (the default), the corresponding value from the product values section will be used. For example, if externalImage.pingtoolkit.image is empty, the values from the top-level pingtoolkit.image section will be used. | {pingtoolkit, pingaccess} |
| | Services mapping a port to a targetPort on the corresponding container | {} |
| | Value for the annotation | |
| | If set, then this name will be used as the cluster service name (i.e. clusterService == true). | |
| | If true, a ClusterIP service is created reachable within the cluster. A single IP is provided and the service will round-robin across the backend containers | |
| | If true, a headless service is created, explicitly specifying "None" for the clusterIP. DNS requests to this service will provide one of the IPs of the backend containers | |
| | Port on the kubernetes container | |
| | Port available from the kubernetes service. If clusterService=true this port on the cluster service is not really used, as the headless service always maps through to the container port | |
| | Port available from the kubernetes ingress | |

Workload values - Deployment and StatefulSet

| Name | Description | Default |
| --- | --- | --- |
| global.workload | Can be Deployment or StatefulSet | Deployment |
| global.workload.annotations | Workload annotations | |
| global.workload.schedulerName | K8s scheduler | default-scheduler |
| global.workload.shareProcessNamespace | Set shareProcessNamespace in the pod spec | false |
| global.workload.deployment | Deployment workload configuration | |
| global.workload.deployment.strategy | Deployment pod replacement strategy | |
| global.workload.deployment.strategy.type | Strategy type | RollingUpdate |
| global.workload.deployment.strategy.rollingUpdate.maxSurge | Max surge, only applicable for RollingUpdate type | 1 |
| global.workload.deployment.strategy.rollingUpdate.maxUnavailable | Max unavailable, only applicable for RollingUpdate type | 0 |
| global.workload.statefulSet | StatefulSet workload configuration | |
| global.workload.statefulSet.partition | Used for canary testing if n>0 | 0 |
| global.workload.statefulSet.persistentvolume.enabled | Enable persistent volumes | true |
| global.workload.statefulSet.persistentvolume.volumes | For every volume defined in the volumes list, 3 items will be created in the StatefulSet: 1. container.volumeMounts - name and mountPath. 2. template.spec.volume - name and persistentVolumeClaim.claimName. 3. spec.volumeClaimTemplates - persistentVolumeClaim. | {out-dir} |
| global.workload.statefulSet.persistentvolume.volumes.volumeName.mountPath | Mount path for the volume | |
| global.workload.statefulSet.persistentvolume.volumes.volumeName.persistentVolumeClaim | volumeClaimTemplate | |
| global.workload.securityContext | securityContext for the workload. The securityContext defined will be inserted directly into the spec. The user (9031) and group (0) represent the current user and group used with PingIdentity images (except PingDelegator). The fsGroup is required for any workloads that volumeMount a pvc (i.e. StatefulSets). Set as securityContext: null when no generated securityContext is desired. | fsGroup 0, runAsUser 9031, runAsGroup 0 |
| global.container | Configure the container in the workload Pod spec | |
| global.container.replicaCount | Number of replicas for workload | 1 |
| global.container.resources | container resources yaml to insert into Pod spec | |
| global.container.nodeSelector | nodeSelector yaml to insert into Pod spec | {} |
| global.container.tolerations | tolerations yaml to insert into Pod spec | [] |
| global.container.affinity | affinity yaml to insert into Pod spec | {} |
| global.container.terminationGracePeriodSeconds | termination grace period | 30 |
| global.container.envFrom | envFrom yaml to insert into Pod spec | [] |
| global.container.lifecycle | lifecycle yaml to insert into Pod spec | |
| global.container.probes | probes yaml to insert into Pod spec | liveness, readiness, and startup probes defined |

Other global defaults

| Name | Description | Default |
| --- | --- | --- |
| global.license.secret.devOps | Identify the k8s secret containing the DevOps USER/KEY if used during deployment. pingctl can be used to generate the devops-secret | devops-secret |
| global.utilitySidecar | Deploy a utility sidecar for running command-line tools. This sidecar is useful for command line utilities like collect-support-data. The sidecar will remain running alongside the workload, even when the sidecar isn't being used. It does not need to be listed in the includeSidecars value. | |
| global.utilitySidecar.enabled | Enable the utility sidecar | false |
| global.utilitySidecar.resources | Set k8s resources yaml for the sidecar spec | 1 CPU and 2g memory limit, 0 CPU and 128Mi memory request |
| global.includeSidecars | Names of sidecars to include, from the top-level sidecars value | [] |
| global.includeInitContainers | Names of initContainers to include, from the top-level initContainers value | [] |
| global.includeVolumes | Names of volumes to include, from the top-level volumes value | [] |

Shared utilities

| Name | Description | Default |
| --- | --- | --- |
| sidecars | Sidecar yaml definitions available to product workload spec | {} |
| initContainers | initContainer yaml definitions available to product workload spec | {} |
| volumes | volume yaml definitions available to product workload spec for sidecars, initContainers, or main product containers | {} |
| configMaps | configMap yaml definitions available to product workload spec for sidecars or main product containers | {} |

Image/Product values

| Name | Description | Default |
| --- | --- | --- |
| ldap-sdk-tools | LDAP SDK tools values | |
| ldap-sdk-tools.enabled | Enable LDAP SDK tools deployment | false |
| pingfederate-admin | PingFederate admin values | |
| pingfederate-admin.enabled | Enable PingFederate admin deployment | false |
| pingfederate-engine | PingFederate engine values | |
| pingfederate-engine.enabled | Enable PingFederate engine deployment | false |
| pingfederate-engine.clustering.autoscaling | Configure Horizontal Pod Autoscaling | |
| pingfederate-engine.clustering.autoscaling.enabled | Enable Horizontal Pod Autoscaling. If enabled, ensure that proper pingfederate.container.resources values are set and coordinated with the targetCPUUtilizationPercentage or targetMemoryUtilizationPercentage | false |
| pingfederate-engine.clustering.autoscaling.minReplicas | Autoscaler minimum replicas | 1 |
| pingfederate-engine.clustering.autoscaling.maxReplicas | Autoscaler maximum replicas | 4 |
| pingfederate-engine.clustering.autoscaling.targetCPUUtilizationPercentage | Target CPU utilization | 75 |
| pingfederate-engine.clustering.autoscaling.targetMemoryUtilizationPercentage | Target memory utilization | |
| pingfederate-engine.clustering.autoscaling.behavior | Custom HPA behavior yaml | {} |
| pingfederate-engine.clustering.autoscalingMetricsTemplate | Custom HPA metrics yaml | [] |
| pingdirectory | PingDirectory values | |
| pingdirectory.enabled | Enable PingDirectory deployment | false |
| pingdirectory.cronjob | CronJobs run a kubectl exec command to run commands on a utility sidecar container. They will also create the necessary ServiceAccount, Role, and RoleBinding to run the jobs | |
| pingdirectory.cronjob.enabled | Enable the PingDirectory CronJob | false |
| pingdirectory.cronjob.spec | yaml to insert into the created CronJob spec. The jobTemplate should not be included. A schedule value must be provided | |
| pingdirectory.cronjob.jobspec | yaml to override default jobTemplate. | |
| pingdirectory.cronjob.image | Image to run the Jobs. The image must include kubectl | bitnami/kubectl:latest |
| pingdirectory.cronjob.args | Job arguments | [] |
| pingdirectoryproxy | PingDirectoryProxy values | |
| pingdirectoryproxy.enabled | Enable PingDirectoryProxy deployment | false |
| pingdelegator | PingDelegator values | |
| pingdelegator.enabled | Enable PingDelegator deployment | false |
| pingdatasync | PingDataSync values | |
| pingdatasync.enabled | Enable PingDataSync deployment | false |
| pingauthorize | PingAuthorize values | |
| pingauthorize.enabled | Enable PingAuthorize deployment | false |
| pingauthorizepap | PingAuthorizePAP values | |
| pingauthorizepap.enabled | Enable PingAuthorizePAP deployment | false |
| pingdatagovernance | PingDataGovernance values | |
| pingdatagovernance.enabled | Enable PingDataGovernance deployment | false |
| pingdatagovernancepap | PingDataGovernancePAP values | |
| pingdatagovernancepap.enabled | Enable PingDataGovernancePAP deployment | false |
| pingaccess-admin | PingAccess admin values | |
| pingaccess-admin.enabled | Enable PingAccess admin deployment | false |
| pingaccess-engine | PingAccess engine values | |
| pingaccess-engine.enabled | Enable PingAccess engine deployment | false |
| pingcentral | PingCentral values | |
| pingcentral.enabled | Enable PingCentral deployment | false |
| pingdataconsole | PingDataConsole values | |
| pingdataconsole.enabled | Enable PingDataConsole deployment | false |
| pingdataconsole.defaultLogin | Default login details for the console | |
| | Default hostname | pingdirectory-cluster |
| pingdataconsole.defaultLogin.server.port | Default port | 636 |
| pingdataconsole.defaultLogin.username | Default username | administrator |
| pd-replication-timing | PingDirectory replication timing values | |
| pd-replication-timing.enabled | Enable PingDirectory replication timing deployment | false |
| pingtoolkit | PingToolkit values | |
| pingtoolkit.enabled | Enable PingToolkit deployment | false |