List of Supported Values
Supported values ¶
These are the values supported in the ping-devops chart. In general, values specified in the global section can be overridden for individual products. The product sections have many global fields overridden by default (workloads, services, etc.).
Global values ¶
| Name | Description | Default |
|---|---|---|
global.annotations |
Annotations listed, will be added to all Kubernetes resources. | {} |
global.labels |
Labels listed, will be added to all Kubernetes resources. | {} |
global.envs |
Environment variables listed will be added to the global-env-vars configmap | {} |
global.addReleaseNameToResource |
Provides global ability to add names to kubernetes resources. One of {none, append, prepend} |
prepend |
global.ingress.enabled |
false |
|
global.ingress.addReleaseToHost |
Add release to host. One of {prepend, append, subdomain, none} |
subdomain |
global.ingress.defaultDomain |
Replaces with "defaultDomain" in host fields | example.com |
global.ingress.defaultTlsSecret |
Replaces with "defaultTlsSecret" in tls.secretName | |
global.ingress.annotations |
{} |
|
global.ingress.spec.ingressClassName |
||
global.privateCert.generate |
If true, then an internal certificate secret will be created along with mount of the certificate in /run/secrets/internal-cert (creates a tls.crt and tls.key). By default the Issuer of the cert will be the service name created by the Helm Chart. Additionally, the ingress hosts, if enabled, will be added to the list of X509v3 Subject Alternative Name | false |
global.privateCert.format |
The format of the certificate to be generated. Used "pingaccess-fips-pem" to generate a valid certificate for running PingAccess in FIPS mode. Any other value will generate a PKCS12 keystore with the generated certificate. | PKCS12 |
global.privateCert.additionalHosts |
Additional hosts for the cert | [] |
global.privateCert.additionalIPs |
Additional IP addresses for the cert | [] |
global.masterPassword |
Uses Helm function derivePassword, which uses the master password specification: https://masterpassword.app/masterpassword-algorithm.pdf | |
global.masterPassword.enabled |
Enable master password | false |
global.masterPassword.strength |
Master password template. One of {long, maximum} |
|
global.masterPassword.name |
Defaults to release name | |
global.masterPassword.site |
Defaults to chart name | |
global.masterPassword.secret |
Defaults to release namespace | |
global.vault |
Hashicorp Vault configuration | |
global.vault.enabled |
Enable Vault | false |
global.vault.hashicorp.annotations |
Annotation names, which will be appended to 'vault.hashicorp.com/' in the annotation. The vault.hashicorp.annotations.serviceAccountName value will be overwritten by the service account generated for the workload if there is one. | |
global.vault.secretPrefix |
Prefix that will be prepended to any secrets being injected. | "" |
global.vault.secrets |
Vault secrets to pull in | {} |
global.imagePullSecrets |
Repository authentication using secret defined as a docker-registry secret in Kubernetes. | [] |
global.image.repository |
Default image registry is not the fully-qualified name of the image Example: image.repository: pingidentity, docker.io, 123.dkr.ecr.us-west-1.amazonaws.com | pingidentity |
global.image.repositoryFqn |
Docker image repository fully-qualified name. Overrides image.repository and image.name on the pod image spec Example: image.repositoryFqn: pingidentity/pingfederate, docker.io/my-pingfederate | |
global.image.name |
Default image name MUST be set in child chart Example: image.name: pingfederate | |
global.image.tag |
Default image tag | 2506 |
global.image.pullPolicy |
Default image pull policy | IfNotPresent |
global.rbac.generateServiceAccount |
Set to true to generate a service account for the workload. | false |
global.rbac.serviceAccountName |
Name of the service account that will be generated. The default value of "defaultServiceAccountName" will result in a service account named based on the Helm installation and the specific workload being deployed. If generateServiceAccount and generateGlobalServiceAccount are false, this value can also refer to a service account created outside of Helm. | _defaultServiceAccountName_ |
global.rbac.generateRoleAndRoleBinding |
Set to true to generate a Role and RoleBinding corresponding to the workload service account. | false |
global.rbac.generateGlobalServiceAccount |
Set to true to generate a service account for the entire installation. This global service account will be used for workloads that do not generate their own service account. | false |
global.rbac.generateGlobalRoleAndRoleBinding |
Set to true to generate a Role and RoleBinding corresponding to the global service account for the entire installation. | false |
global.rbac.applyServiceAccountToWorkload |
Set to true (the default) to apply to service account to the workload. | true |
global.rbac.role |
This yaml will be directly inserted into the generated Role when generateRoleAndRoleBinding and/or generateGlobalRoleAndRoleBinding are true. The rules for the Role can be set here. | get, watch, and list verbs for the pods resource |
global.rbac.serviceAccountAnnotations |
Any custom annotations to add to the service account. | |
global.rbac.roleAnnotations |
Any custom annotations to add to the role. | |
global.rbac.roleBindingAnnotations |
Any custom annotations to add to the role binding. | |
global.rbac.serviceAccountLabels |
Any custom labels to add to the service account. | |
global.rbac.roleLabels |
Any custom labels to add to the role. | |
global.rbac.roleBindingLabels |
Any custom labels to add to the role binding. | |
global.externalImage |
Provides ability to use external images for various purposes such as using curl, waitfor, etc. A pingtoolkit image is included by default for running waitFor and generating private cert initContainers. A pingaccess image is also included by default to allow generating an encrypted PEM-formatted cert that is compatible with FIPS mode. Any values specified on the image will be copied directly to the k8s spec for the container, except for the externalImage.{name}.image section, which follows the format of the global.image section. If no image section is specified (the default), the corresponding value from the product values section will be used. For example, if externalImage.pingtoolkit.image is empty, the values from the top-level pingtoolkit.image section will be used. | {pingtoolkit, pingaccess} |
global.services |
Services mapping a port to a targetPort on the corresponding container | {} |
global.services.clusterExternalDNSHostname |
Value for the external-dns.alpha.kubernetes.io/hostname annotation for the cluster service. | |
global.services.clusterServiceName |
If set, then this name will be used as the cluster service name (i.e clusterService == true). | |
global.services.useLoadBalancerForDataService |
If true, the data service will be created with type: LoadBalancer. | false |
global.services.serviceName.dataService |
If true, a ClusterIP service is created reachable within the cluster. A single IP is provided and the service will round-robin across the backend containers | |
global.services.serviceName.clusterService |
If true, a headless service is created, explicitly specifying "None" for the clusterIP. DNS requests to this service will provide one of the IPs of the backend containers | |
global.services.serviceName.containerPort |
Port on the kubernetes container | |
global.services.serviceName.servicePort |
Port available from the kubernetes service. If clusterService=true this port on the cluster service is not really used, as the headless service always maps through to the container port | |
global.services.serviceName.ingressPort |
Port available from the kubernetes ingress | |
global.services.annotations |
Any custom annotations to add to the service. | |
global.services.clusterServiceAnnotations |
Any custom annotations to add to the ClusterIP service. | |
global.services.labels |
Any custom labels to add to the service. | |
global.services.clusterServiceLabels |
Any custom labels to add to the ClusterIP service. |
Workload values - Deployment and StatefulSet ¶
| Name | Description | Default |
|---|---|---|
global.workload |
Can be Deployment or StatefulSet | Deployment |
global.workload.annotations |
Annotations to apply to the template in the workload. To apply top-level annotations to the Deployment or StatefulSet itself, use global.workload.deployment.annotations or global.workload.statefulSet.annotations. | |
global.workload.labels |
Labels to apply to the template in the workload. To apply top-level labels to the Deployment or StatefulSet itself, use global.workload.deployment.labels or global.workload.statefulSet.labels. | |
global.workload.schedulerName |
K8s scheduler | default-scheduler |
global.workload.shareProcessNamespace |
Set shareProcessNamespace in the pod spec | false |
global.workload.enableServiceLinks |
indicates whether info about services can be added as env variables | true |
global.workload.topologySpreadConstraints |
Configuration of pod spread across cluster zones | [] |
global.workload.deployment |
Deployment workload configuration | |
global.workload.deployment.strategy |
Deployment pod replacement strategy | |
global.workload.deployment.strategy.type |
Strategy type | RollingUpdate |
global.workload.deployment.strategy.rollingUpdate.maxSurge |
Max surge, only applicable for RollingUpdate type | 1 |
global.workload.deployment.strategy.rollingUpdate.maxUnavailable |
Max unavailable, only applicable for RollingUpdate type | 0 |
global.workload.deployment.annotations |
Annotations to apply to the top-level Deployment. To apply annotations to the template within the Deployment, use global.workload.annotations. | |
global.workload.deployment.labels |
Labels to apply to the top-level Deployment. To apply labels to the template within the Deployment, use global.workload.labels. | |
global.workload.statefulSet |
StatefulSet workload configuration | |
global.workload.statefulSet.partition |
Used for canary testing if n>0 | 0 |
global.workload.statefulSet.persistentvolume.enabled |
Enable persistent volumes | true |
global.workload.statefulSet.persistentvolume.volumes |
For every volume defined in the volumes list, 3 items will be created in the StatefulSet: 1. container.volumeMounts - name and mountPath. 2. template.spec.volume - name and persistentVolumeClaim.claimName. 3. spec.volumeClaimTemplates - persistentVolumeClaim. | {out-dir} |
global.workload.statefulSet.persistentvolume.volumes.volumeName.mountPath |
Mount path for the volume | |
global.workload.statefulSet.persistentvolume.volumes.volumeName.persistentVolumeClaim |
volumeClaimTemplate | |
global.workload.statefulSet.podManagementPolicy |
Controls how pods are created during initial scale up, when replacing pods on nodes, or when scaling down. The default behavior is OrderedReady. The Parallel podManagementPolicy allows for starting up and scaling down multiple Pods simultaneously. Updates are not affected. The only products that support Parallel are PingDirectory and PingDataSync, on versions 2209 and later. When using the Parallel policy, consider setting the RETRY_TIMEOUT_SECONDS environment variable to a higher value (it defaults to 180) for the Pods. If the value is too low with many servers starting at once, it may lead to some Pods restarting unnecessarily during the initial workload startup. | OrderedReady |
global.workload.statefulSet.annotations |
Annotations to apply to the top-level StatefulSet. To apply annotations to the template within the StatefulSet, use global.workload.annotations. | |
global.workload.statefulSet.labels |
Labels to apply to the top-level StatefulSet. To apply labels to the template within the StatefulSet, use global.workload.labels. | |
global.workload.securityContext |
securityContext for the workload Pod spec. The securityContext defined will be inserted directly into the Pod spec. The user (9031) and group (0) represent the current user and group used with PingIdentity images (except PingDelegator). The fsGroup is required for any workloads that volumeMount a pvc (i.e. StatefulSets). Set as securityContext: null when no generated securityContext is desired. | fsGroup 0, runAsUser 9031, runAsGroup 0 |
global.clustering.autoscaling |
Configure Horizontal Pod Autoscaling | |
global.clustering.autoscaling.enabled |
Enable Horizontal Pod Autoscaling. If enabled, ensure that proper container.resources values are set and coordinated with the targetCPUUtilizationPercentage or targetMemoryUtilizationPercentage | false |
global.clustering.autoscaling.minReplicas |
Autoscaler minimum replicas | 1 |
global.clustering.autoscaling.maxReplicas |
Autoscaler maximum replicas | 4 |
global.clustering.autoscaling.targetCPUUtilizationPercentage |
Target CPU utilization | 75 |
global.clustering.autoscaling.targetMemoryUtilizationPercentage |
Target memory utilization | |
global.clustering.autoscaling.annotations |
Custom annotations for the HPA. | |
global.clustering.autoscaling.labels |
Custom labels for the HPA. | |
global.clustering.autoscaling.behavior |
Custom HPA behavior yaml | {} |
global.clustering.autoscalingMetricsTemplate |
Custom HPA metrics yaml | [] |
global.container |
Configure the container in the workload Pod spec | |
global.workload.container.securityContext |
securityContext at the container level for the workload. The securityContext defined will be inserted directly into the spec for the main container of the Pod. Container-level securityContext values will overwrite any corresponding values from the Pod-level securityContext. | allowPrivilegeEscalation: false, capabilities: drop: ALL |
global.container.replicaCount |
Number of replicas for workload | 1 |
global.container.resources |
container resources yaml to insert into Pod spec | |
global.container.nodeSelector |
nodeSelector yaml to insert into Pod spec | {} |
global.container.tolerations |
tolerations yaml to insert into Pod spec | [] |
global.container.affinity |
affinity yaml to insert into Pod spec | {} |
global.container.terminationGracePeriodSeconds |
termination grace period | 30 |
global.container.envFrom |
envFrom yaml to insert into Pod spec | [] |
global.container.env |
Additional environment variables to insert into the Pod spec. Unlike the global.envs values, these will be set directly on the Pod. global.envs values are set in ConfigMaps rather than on the Pod directly. This value allows for setting the valueFrom field for an environment variable when necessary. | [] |
global.container.lifecycle |
lifecycle yaml to insert into Pod spec | |
global.container.probes |
probes yaml to insert into Pod spec | liveness, readiness, and startup probes defined |
Other global defaults ¶
| Name | Description | Default |
|---|---|---|
global.license.secret.devOps |
Identify the k8s secret containing the DevOps USER/KEY if used during deployment. pingctl can be used to generate the devops-secret | devops-secret |
global.utilitySidecar |
Deploy a utility sidecar for running command-line tools. This sidecar is useful for command line utilities like collect-support-data. The sidecar will remain running alongside the workload, even when the sidecar isn't being used. It does not need to be listed in the includeSidecars value. | |
global.utilitySidecar.enabled |
Enable the utility sidecar | false |
global.utilitySidecar.resources |
Set k8s resources yaml for the sidecar spec | 1 CPU and 2g memory limit, 0 CPU and 128Mi memory request |
global.utilitySidecar.env |
Environment variables for the sidecar | |
global.utilitySidecar.securityContext |
securityContext at the container level for the sidecar. The securityContext defined will be inserted directly into the spec for the sidecar. By default no container securityContext is defined. In Kubernetes when a container-level securityContext is set, it will overwrite any corresponding values from the Pod-level securityContext. | allowPrivilegeEscalation: false, capabilities: drop: ALL |
global.includeSidecars |
names of sidecars to include, from the top-level sidecars value |
[] |
global.includeInitContainers |
names of sidecars to include, from the top-level initContainers value |
[] |
global.includeVolumes |
names of sidecars to include, from the top-level volumes value |
[] |
Shared utilities ¶
| Name | Description | Default |
|---|---|---|
sidecars |
Sidecar yaml definitions available to product workload spec | {} |
initContainers |
initContainer yaml definitions available to product workload spec | {} |
volumes |
volume yaml definitions available to product workload spec for sidecars, initContainers, or main product containers | {} |
configMaps |
configMap yaml definitions available to product workload spec for sidecars or main product containers | {} |
Image/Product values ¶
| Name | Description | Default |
|---|---|---|
ldap-sdk-tools |
LDAP SDK tools values | |
ldap-sdk-tools.enabled |
Enable LDAP SDK tools deployment | false |
pingfederate-admin |
PingFederate admin values | |
pingfederate-admin.enabled |
Enable PingFederate admin deployment | false |
pingfederate-admin.cronjob |
CronJobs run a kubectl exec command to run commands on a utility sidecar container. They will also create the necessary ServiceAccount, Role, and RoleBinding to run the jobs | |
pingfederate-admin.cronjob.enabled |
Enable the PingFederate Admin CronJob | false |
pingfederate-admin.cronjob.spec |
yaml to insert into the created CronJob spec. If specified, this will override any other specified values for the CronJob. | |
pingfederate-admin.cronjob.spec.jobTemplate |
yaml to override default jobTemplate. If a jobTemplate is not overridden, a default template will be inserted. | |
pingfederate-admin.cronjob.image |
Image to run the Jobs. The image must include kubectl | bitname/kubectl:latest |
pingfederate-admin.cronjob.args |
Job arguments | [] |
pingfederate-admin.cronjob.podSecurityContext |
securityContext for the pod in the jobTemplate. This will be used if a jobTemplate is not specified. | null |
pingfederate-admin.cronjob.podSecurityContext |
securityContext for the container in the jobTemplate. This will be used if a jobTemplate is not specified. | allowPrivilegeEscalation: false, capabilities: drop: ALL |
pingfederate-engine |
PingFederate engine values | |
pingfederate-engine.enabled |
Enable PingFederate engine deployment | false |
pingfederate-engine.cronjob |
CronJobs run a kubectl exec command to run commands on a utility sidecar container. They will also create the necessary ServiceAccount, Role, and RoleBinding to run the jobs | |
pingfederate-engine.cronjob.enabled |
Enable the PingFederate engine CronJob | false |
pingfederate-engine.cronjob.spec |
yaml to insert into the created CronJob spec. If specified, this will override any other specified values for the CronJob. | |
pingfederate-engine.cronjob.spec.jobTemplate |
yaml to override default jobTemplate. If a jobTemplate is not overridden, a default template will be inserted. | |
pingfederate-engine.cronjob.image |
Image to run the Jobs. The image must include kubectl | bitname/kubectl:latest |
pingfederate-engine.cronjob.args |
Job arguments | [] |
pingfederate-engine.cronjob.podSecurityContext |
securityContext for the pod in the jobTemplate. This will be used if a jobTemplate is not specified. | null |
pingfederate-engine.cronjob.podSecurityContext |
securityContext for the container in the jobTemplate. This will be used if a jobTemplate is not specified. | allowPrivilegeEscalation: false, capabilities: drop: ALL |
pingdirectory |
PingDirectory values | |
pingdirectory.enabled |
Enable PingDirectory deployment | false |
pingdirectory.cronjob |
CronJobs run a kubectl exec command to run commands on a utility sidecar container. They will also create the necessary ServiceAccount, Role, and RoleBinding to run the jobs | |
pingdirectory.cronjob.enabled |
Enable the PingDirectory CronJob | false |
pingdirectory.cronjob.spec |
yaml to insert into the created CronJob spec. If specified, this will override any other specified values for the CronJob. | |
pingdirectory.cronjob.spec.jobTemplate |
yaml to override default jobTemplate. If a jobTemplate is not overridden, a default template will be inserted. | |
pingdirectory.cronjob.image |
Image to run the Jobs. The image must include kubectl | bitname/kubectl:latest |
pingdirectory.cronjob.args |
Job arguments | [] |
pingdirectory.cronjob.podSecurityContext |
securityContext for the pod in the jobTemplate. This will be used if a jobTemplate is not specified. | null |
pingdirectory.cronjob.podSecurityContext |
securityContext for the container in the jobTemplate. This will be used if a jobTemplate is not specified. | allowPrivilegeEscalation: false, capabilities: drop: ALL |
pingdirectory.services.serviceName.loadBalancerService |
If true, the per-Pod LoadBalancer services enabled with pingdirectory.services.loadBalancerServicePerPod will include this port. | false |
pingdirectory.services.loadBalancerServicePerPod |
Set to true to create a separate LoadBalancer service for each individual Pod in the PingDirectory StatefulSet. | false |
pingdirectory.services.loadBalancerExternalDNSHostnameSuffix |
Value used for the external-dns.alpha.kubernetes.io/hostname annotation for the LoadBalancer services. This value will be used as a suffix for the hostname for each individual pod when pingdirectory.services.loadBalancerServicePerPod is set to true. | |
pingdirectoryproxy |
PingDirectoryProxy values | |
pingdirectoryproxy.enabled |
Enable PingDirectoryProxy deployment | false |
pingdelegator |
PingDelegator values | |
pingdelegator.enabled |
Enable PingDelegator deployment | false |
pingdatasync |
PingDataSync values | |
pingdatasync.enabled |
Enable PingDataSync deployment | false |
pingauthorize |
PingAuthorize values | |
pingauthorize.enabled |
Enable PingAuthorize deployment | false |
pingauthorizepap |
PingAuthorizePAP values | |
pingauthorizepap.enabled |
Enable PingAuthorizePAP deployment | false |
pingaccess-admin |
PingAccess admin values | |
pingaccess-admin.enabled |
Enable PingAccess admin deployment | false |
pingaccess-engine |
PingAccess engine values | |
pingaccess-engine.enabled |
Enable PingAccess engine deployment | false |
pingcentral |
PingCentral values | |
pingcentral.enabled |
Enable PingCentral deployment | false |
pingdataconsole |
PingDataConsole values | |
pingdataconsole.enabled |
Enable PingDataConsole deployment | false |
pingdataconsole.defaultLogin |
Default login details for the console | |
pingdataconsole.defaultLogin.server.host |
Default hostname | pingdirectory-cluster |
pingdataconsole.defaultLogin.server.port |
Default port | 636 |
pingdataconsole.defaultLogin.username |
Default username | administrator |
PingIntelligence |
values | |
pingintelligence.enabled |
Enable PingIntelligence deployment | false |
pd-replication-timing |
PingDirectory replication timing values | |
pd-replication-timing.enabled |
Enable PingDirectory replication timing deployment | false |
pingtoolkit |
PingToolkit values | |
pingtoolkit.enabled |
Enable PingToolkit deployment | false |
testFramework.rbac.serviceAccountImagePullSecrets |
Repository authentication using secrets defined as a docker-registry secrets in Kubernetes. | [] |