Skip to content

List of Supported Values

Supported values

These are the values supported in the ping-devops chart. In general, values specified in the global section can be overridden for individual products. The product sections have many global fields overridden by default (workloads, services, etc.).

Global values

Name Description Default
global.annotations Annotations listed, will be added to the kubernetes resource {}
global.labels Labels listed, will be added to all Kubernetes resources. {}
global.envs Environment variables listed will be added to the global-env-vars configmap {}
global.addReleaseNameToResource Provides global ability to add names to kubernetes resources. One of {none, append, prepend} prepend
global.ingress.enabled false
global.ingress.addReleaseToHost Add release to host. One of {prepend, append, subdomain, none} subdomain
global.ingress.defaultDomain Replaces with "defaultDomain" in host fields
global.ingress.defaultTlsSecret Replaces with "defaultTlsSecret" in tls.secretName
global.ingress.annotations {}
global.privateCert.generate If true, then an internal certificate secret will be created along with mount of the certificate in /run/secrets/internal-cert (creates a tls.crt and tls.key). By default the Issuer of the cert will be the service name created by the Helm Chart. Additionally, the ingress hosts, if enabled, will be added to the list of X509v3 Subject Alternative Name false
global.privateCert.format The format of the certificate to be generated. Used "pingaccess-fips-pem" to generate a valid certificate for running PingAccess in FIPS mode. Any other value will generate a PKCS12 keystore with the generated certificate. PKCS12
global.privateCert.additionalHosts Additional hosts for the cert []
global.privateCert.additionalIPs Additional IP addresses for the cert []
global.masterPassword Uses Helm function derivePassword, which uses the master password specification:
global.masterPassword.enabled Enable master password false
global.masterPassword.strength Master password template. One of {long, maximum} Defaults to release name Defaults to chart name
global.masterPassword.secret Defaults to release namespace
global.vault Hashicorp Vault configuration
global.vault.enabled Enable Vault false
global.vault.hashicorp.annotations Annotation names, which will be appended to '' in the annotation. The vault.hashicorp.annotations.serviceAccountName value will be overwritten by the service account generated for the workload if there is one.
global.vault.secretPrefix Prefix that will be prepended to any secrets being injected. ""
global.vault.secrets Vault secrets to pull in {}
global.imagePullSecrets Repository authentication using secret defined as a docker-registry secret in Kubernetes. []
global.image.repository Default image registry is not the fully-qualified name of the image Example: image.repository: pingidentity,, pingidentity
global.image.repositoryFqn Docker image repository fully-qualified name. Overrides image.repository and on the pod image spec Example: image.repositoryFqn: pingidentity/pingfederate, Default image name MUST be set in child chart Example: pingfederate
global.image.tag Default image tag 2402
global.image.pullPolicy Default image pull policy IfNotPresent
global.rbac.generateServiceAccount Set to true to generate a service account for the workload. false
global.rbac.serviceAccountName Name of the service account that will be generated. The default value of "defaultServiceAccountName" will result in a service account named based on the Helm installation and the specific workload being deployed. If generateServiceAccount and generateGlobalServiceAccount are false, this value can also refer to a service account created outside of Helm. _defaultServiceAccountName_
global.rbac.generateRoleAndRoleBinding Set to true to generate a Role and RoleBinding corresponding to the workload service account. false
global.rbac.generateGlobalServiceAccount Set to true to generate a service account for the entire installation. This global service account will be used for workloads that do not generate their own service account. false
global.rbac.generateGlobalRoleAndRoleBinding Set to true to generate a Role and RoleBinding corresponding to the global service account for the entire installation. false
global.rbac.applyServiceAccountToWorkload Set to true (the default) to apply to service account to the workload. true
global.rbac.role This yaml will be directly inserted into the generated Role when generateRoleAndRoleBinding and/or generateGlobalRoleAndRoleBinding are true. The rules for the Role can be set here. get, watch, and list verbs for the pods resource
global.externalImage Provides ability to use external images for various purposes such as using curl, waitfor, etc. A pingtoolkit image is included by default for running waitFor and generating private cert initContainers. A pingaccess image is also included by default to allow generating an encrypted PEM-formatted cert that is compatible with FIPS mode. Any values specified on the image will be copied directly to the k8s spec for the container, except for the externalImage.{name}.image section, which follows the format of the global.image section. If no image section is specified (the default), the corresponding value from the product values section will be used. For example, if externalImage.pingtoolkit.image is empty, the values from the top-level pingtoolkit.image section will be used. {pingtoolkit, pingaccess} Services mapping a port to a targetPort on the corresponding container {} Value for the annotation for the cluster service. If set, then this name will be used as the cluster service name (i.e clusterService == true). If true, the data service will be created with type: LoadBalancer. false If true, a ClusterIP service is created reachable within the cluster. A single IP is provided and the service will round-robin across the backend containers If true, a headless service is created, explicitly specifying "None" for the clusterIP. DNS requests to this service will provide one of the IPs of the backend containers Port on the kubernetes container Port available from the kubernetes service. If clusterService=true this port on the cluster service is not really used, as the headless service always maps through to the container port Port available from the kubernetes ingress

Workload values - Deployment and StatefulSet

Name Description Default
global.workload Can be Deployment or StatefulSet Deployment
global.workload.annotations Workload annotations
global.workload.schedulerName K8s scheduler default-scheduler
global.workload.shareProcessNamespace Set shareProcessNamespace in the pod spec false
global.workload.enableServiceLinks indicates whether info about services can be added as env variables true
global.workload.topologySpreadConstraints Configuration of pod spread across cluster zones []
global.workload.deployment Deployment workload configuration
global.workload.deployment.strategy Deployment pod replacement strategy
global.workload.deployment.strategy.type Strategy type RollingUpdate
global.workload.deployment.strategy.rollingUpdate.maxSurge Max surge, only applicable for RollingUpdate type 1
global.workload.deployment.strategy.rollingUpdate.maxUnavailable Max unavailable, only applicable for RollingUpdate type 0
global.workload.statefulSet StatefulSet workload configuration
global.workload.statefulSet.partition Used for canary testing if n>0 0
global.workload.statefulSet.persistentvolume.enabled Enable persistent volumes true
global.workload.statefulSet.persistentvolume.volumes For every volume defined in the volumes list, 3 items will be created in the StatefulSet: 1. container.volumeMounts - name and mountPath. 2. template.spec.volume - name and persistentVolumeClaim.claimName. 3. spec.volumeClaimTemplates - persistentVolumeClaim. {out-dir}
global.workload.statefulSet.persistentvolume.volumes.volumeName.mountPath Mount path for the volume
global.workload.statefulSet.persistentvolume.volumes.volumeName.persistentVolumeClaim volumeClaimTemplate
global.workload.statefulSet.podManagementPolicy Controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default behavior is OrderedReady. The Parallel podManagementPolicy allows for starting up and scaling down multiple Pods simultaneously. Updates are not affected. The only products that support Parallel are PingDirectory and PingDataSync, on versions 2209 and later. When using the Parallel policy, consider setting the RETRY_TIMEOUT_SECONDS environment variable to a higher value (it defaults to 180) for the Pods. If the value is too low with many servers starting at once, it may lead to some Pods restarting unnecessarily during the initial workload startup. OrderedReady
global.workload.securityContext securityContext for the workload Pod spec. The securityContext defined will be inserted directly into the Pod spec. The user (9031) and group (0) represent the current user and group used with PingIdentity images (except PingDelegator). The fsGroup is required for any workloads that volumeMount a pvc (i.e. StatefulSets). Set as securityContext: null when no generated securityContext is desired. fsGroup 0, runAsUser 9031, runAsGroup 0
global.clustering.autoscaling Configure Horizontal Pod Autoscaling
global.clustering.autoscaling.enabled Enable Horizontal Pod Autoscaling. If enabled, ensure that proper container.resources values are set and coordinated with the targetCPUUtilizationPercentage or targetMemoryUtilizationPercentage false
global.clustering.autoscaling.minReplicas Autoscaler minimum replicas 1
global.clustering.autoscaling.maxReplicas Autoscaler maximum replicas 4
global.clustering.autoscaling.targetCPUUtilizationPercentage Target CPU utilization 75
global.clustering.autoscaling.targetMemoryUtilizationPercentage Target memory utilization
global.clustering.autoscaling.behavior Custom HPA behavior yaml {}
global.clustering.autoscalingMetricsTemplate Custom HPA metrics yaml []
global.container Configure the container in the workload Pod spec
global.workload.container.securityContext securityContext at the container level for the workload. The securityContext defined will be inserted directly into the spec for the main container of the Pod. By default no container securityContext is defined. In Kubernetes when a container-level securityContext is set, it will overwrite any corresponding values from the Pod-level securityContext. null
global.container.replicaCount Number of replicas for workload 1
global.container.resources container resources yaml to insert into Pod spec
global.container.nodeSelector nodeSelector yaml to insert into Pod spec {}
global.container.tolerations tolerations yaml to insert into Pod spec []
global.container.affinity affinity yaml to insert into Pod spec {}
global.container.terminationGracePeriodSeconds termination grace period 30
global.container.envFrom envFrom yaml to insert into Pod spec []
global.container.env Additional environment variables to insert into the Pod spec. Unlike the global.envs values, these will be set directly on the Pod. global.envs values are set in ConfigMaps rather than on the Pod directly. This value allows for setting the valueFrom field for an environment variable when necessary. []
global.container.lifecycle lifecycle yaml to insert into Pod spec
global.container.probes probes yaml to insert into Pod spec liveness, readiness, and startup probes defined

Other global defaults

Name Description Default
global.license.secret.devOps Identify the k8s secret containing the DevOps USER/KEY if used during deployment. pingctl can be used to generate the devops-secret devops-secret
global.utilitySidecar Deploy a utility sidecar for running command-line tools. This sidecar is useful for command line utilities like collect-support-data. The sidecar will remain running alongside the workload, even when the sidecar isn't being used. It does not need to be listed in the includeSidecars value.
global.utilitySidecar.enabled Enable the utility sidecar false
global.utilitySidecar.resources Set k8s resources yaml for the sidecar spec 1 CPU and 2g memory limit, 0 CPU and 128Mi memory request
global.utilitySidecar.env Environment variables for the sidecar
global.includeSidecars names of sidecars to include, from the top-level sidecars value []
global.includeInitContainers names of sidecars to include, from the top-level initContainers value []
global.includeVolumes names of sidecars to include, from the top-level volumes value []

Shared utilities

Name Description Default
sidecars Sidecar yaml definitions available to product workload spec {}
initContainers initContainer yaml definitions available to product workload spec {}
volumes volume yaml definitions available to product workload spec for sidecars, initContainers, or main product containers {}
configMaps configMap yaml definitions available to product workload spec for sidecars or main product containers {}

Image/Product values

Name Description Default
ldap-sdk-tools LDAP SDK tools values
ldap-sdk-tools.enabled Enable LDAP SDK tools deployment false
pingfederate-admin PingFederate admin values
pingfederate-admin.enabled Enable PingFederate admin deployment false
pingfederate-engine PingFederate engine values
pingfederate-engine.enabled Enable PingFederate engine deployment false
pingdirectory PingDirectory values
pingdirectory.enabled Enable PingDirectory deployment false
pingdirectory.cronjob CronJobs run a kubectl exec command to run commands on a utility sidecar container. They will also create the necessary ServiceAccount, Role, and RoleBinding to run the jobs
pingdirectory.cronjob.enabled Enable the PingDirectory CronJob false
pingdirectory.cronjob.spec yaml to insert into the created CronJob spec. If a jobTemplate is not provided, a default template will be inserted. A schedule value must be provided
pingdirectory.cronjob.spec.jobTemplate yaml to override default jobTemplate.
pingdirectory.cronjob.image Image to run the Jobs. The image must include kubectl bitname/kubectl:latest
pingdirectory.cronjob.args Job arguments [] If true, the per-Pod LoadBalancer services enabled with will include this port. false Set to true to create a separate LoadBalancer service for each individual Pod in the PingDirectory StatefulSet. false Value used for the annotation for the LoadBalancer services. This value will be used as a suffix for the hostname for each individual pod when is set to true.
pingdirectoryproxy PingDirectoryProxy values
pingdirectoryproxy.enabled Enable PingDirectoryProxy deployment false
pingdelegator PingDelegator values
pingdelegator.enabled Enable PingDelegator deployment false
pingdatasync PingDataSync values
pingdatasync.enabled Enable PingDataSync deployment false
pingauthorize PingAuthorize values
pingauthorize.enabled Enable PingAuthorize deployment false
pingauthorizepap PingAuthorizePAP values
pingauthorizepap.enabled Enable PingAuthorizePAP deployment false
pingaccess-admin PingAccess admin values
pingaccess-admin.enabled Enable PingAccess admin deployment false
pingaccess-engine PingAccess engine values
pingaccess-engine.enabled Enable PingAccess engine deployment false
pingcentral PingCentral values
pingcentral.enabled Enable PingCentral deployment false
pingdataconsole PingDataConsole values
pingdataconsole.enabled Enable PingDataConsole deployment false
pingdataconsole.defaultLogin Default login details for the console Default hostname pingdirectory-cluster
pingdataconsole.defaultLogin.server.port Default port 636
pingdataconsole.defaultLogin.username Default username administrator
PingIntelligence values
pingintelligence.enabled Enable PingIntelligence deployment false
pd-replication-timing PingDirectory replication timing values
pd-replication-timing.enabled Enable PingDirectory replication timing deployment false
pingtoolkit PingToolkit values
pingtoolkit.enabled Enable PingToolkit deployment false
testFramework.rbac.serviceAccountImagePullSecrets Repository authentication using secrets defined as a docker-registry secrets in Kubernetes. []