Chainloop Helm Chart
Chainloop is an open-source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
Introduction
This chart bootstraps a Chainloop deployment on a Kubernetes cluster using the Helm package manager.
Prerequisites
- Kubernetes 1.19+
- Helm 3.2.0+
- PV provisioner support in the underlying infrastructure (If built-in PostgreSQL is enabled)
Compatibility with the following Ingress Controllers has been verified, other controllers might or might not work.
TL;DR
Deploy Chainloop in development mode by running
helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
--set development=true \
--set controlplane.auth.oidc.url=[OIDC URL] \
--set controlplane.auth.oidc.clientID=[clientID] \
--set controlplane.auth.oidc.clientSecret=[clientSecret]
CAUTION: Do not use this mode in production, for that, use the standard mode instead.
Installing the Chart
This chart comes in two flavors, standard and development.
Standard (default)
The default deployment mode relies on external dependencies to be available in advance.
The Helm Chart in this mode includes
- Chainloop Controlplane
- Chainloop Artifact proxy
- A PostgreSQL dependency enabled by default
During installation, you'll need to provide
- Open ID Connect Identity Provider (IDp) settings i.e Auth0 settings
- Connection settings for a secrets storage backend, either Hashicorp Vault or AWS Secrets Manager
- ECDSA (ES512) key-pair used for Controlplane to CAS Authentication
Instructions on how to create the ECDSA keypair can be found here.
Installation examples for standard mode
NOTE: We do not recommend passing nor storing sensitive data in plain text. For production, please consider having your overrides encrypted with tools such as Sops, Helm Secrets or Sealed Secrets.
Deploy Chainloop configured to talk to the bundled PostgreSQL an external OIDC IDp and a Vault instance.
helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
# Open ID Connect (OIDC)
--set controlplane.auth.oidc.url=[OIDC URL] \
--set controlplane.auth.oidc.clientID=[clientID] \
--set controlplane.auth.oidc.clientSecret=[clientSecret] \
# Secrets backend
--set secretsBackend.vault.address="https://[vault address]:8200" \
--set secretsBackend.vault.token=[token] \
# Server Auth KeyPair
--set casJWTPrivateKey="$(cat private.ec.key)" \
--set casJWTPublicKey="$(cat public.pem)"
Deploy using AWS Secrets Manager instead of Vault
helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
# Open ID Connect (OIDC)
# ...
# Secrets backend
--set secretsBackend.backend=awsSecretManager \
--set secretsBackend.awsSecretManager.accessKey=[AWS ACCESS KEY ID] \
--set secretsBackend.awsSecretManager.secretKey=[AWS SECRET KEY] \
--set secretsBackend.awsSecretManager.region=[AWS region]\
# Server Auth KeyPair
# ...
or using GCP Secret Manager
helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
# Open ID Connect (OIDC)
# ...
# Secrets backend
--set secretsBackend.backend=gcpSecretManager \
--set secretsBackend.gcpSecretManager.projectId=[GCP Project ID] \
--set secretsBackend.gcpSecretManager.serviceAccountKey=[GCP Auth KEY] \
# Server Auth KeyPair
# ...
or Azure KeyVault
helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
# Open ID Connect (OIDC)
# ...
# Secrets backend
--set secretsBackend.backend=azureKeyVault \
--set secretsBackend.azureKeyVault.tenantID=[AD tenant ID] \
--set secretsBackend.azureKeyVault.clientID=[Service Principal ID] \
--set secretsBackend.azureKeyVault.clientSecret=[Service Principal secret] \
--set secretsBackend.azureKeyVault.vaultURI=[Azure KeyVault URI]
# Server Auth KeyPair
# ...
Connect to an external PostgreSQL database instead
helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
# Open ID Connect (OIDC)
# ...
# Secrets backend
# ...
# Server Auth KeyPair
# ...
# External DB setup
--set postgresql.enabled=false \
--set controlplane.externalDatabase.host=[DB_HOST] \
--set controlplane.externalDatabase.user=[DB_USER] \
--set controlplane.externalDatabase.password=[DB_PASSWORD] \
--set controlplane.externalDatabase.database=[DB_NAME]
Development
To provide an easy way to give Chainloop a try, this Helm Chart has an opt-in development mode that can be enabled with the flag development=true
IMPORTANT: DO NOT USE THIS MODE IN PRODUCTION
The Helm Chart in this mode includes
- Chainloop Controlplane
- Chainloop Artifact proxy
- A PostgreSQL dependency enabled by default
- A pre-configured Hashicorp Vault instance running in development mode (unsealed, in-memory, insecure)
CAUTION: Do not use this mode in production, for that, use the standard mode instead.
During installation, you'll need to provide
- Open ID Connect Identity Provider (IDp) settings i.e Auth0 settings
Connection settings for a secrets storage backend, either Hashicorp Vault or AWS Secrets ManagerECDSA (ES512) key-pair used for Controlplane to CAS Authentication
Installation examples for development mode
Deploy by leveraging built-in Vault and PostgreSQL instances
helm install [RELEASE_NAME] oci://ghcr.io/chainloop-dev/charts/chainloop \
--set development=true \
--set controlplane.auth.oidc.url=[OIDC URL] \
--set controlplane.auth.oidc.clientID=[clientID] \
--set controlplane.auth.oidc.clientSecret=[clientSecret]
How to guides
CAS upload speeds are slow, what can I do?
Chainloop uses gRPC streaming to perform artifact uploads. This method is susceptible to being very slow on high latency scenarios. #375
To improve upload speeds, you need to increase http2 flow control buffer. This can be done in NGINX by setting the following annotation in the ingress resource.
# Improve upload speed by adding client buffering used by http2 control-flows
nginx.ingress.kubernetes.io/client-body-buffer-size: "3M"
Note: For other reverse proxies, you'll need to find the equivalent configuration.
Generate a ECDSA key-pair
An ECDSA key-pair is required to perform authentication between the control-plane and the Artifact CAS
You can generate both the private and public keys by running
# Private Key (private.ec.key)
openssl ecparam -name secp521r1 -genkey -noout -out private.ec.key
# Public Key (public.pem)
openssl ec -in private.ec.key -pubout -out public.pem
Then, you can either provide it in a custom values.yaml file override
casJWTPrivateKey: |-
-----BEGIN EC PRIVATE KEY-----
REDACTED
-----END EC PRIVATE KEY-----
casJWTPublicKey: |
-----BEGIN PUBLIC KEY-----
REDACTED
-----END PUBLIC KEY-----
or as shown before, provide them as imperative inputs during Helm Install/Upgrade --set casJWTPrivateKey="$(cat private.ec.key)"--set casJWTPublicKey="$(cat public.pem)"
Enable a custom domain with TLS
Chainloop uses three endpoints so we'll need to enable the ingress resource for each one of them.
See below an example of a values.yaml override
controlplane:
ingress:
enabled: true
hostname: cp.chainloop.dev
ingressAPI:
enabled: true
hostname: api.cp.chainloop.dev
cas:
ingressAPI:
enabled: true
hostname: api.cas.chainloop.dev
A complete setup that uses
- NGINX as ingress Controller
- cert-manager as TLS provider
would look like
controlplane:
ingress:
enabled: true
tls: true
ingressClassName: nginx
hostname: cp.chainloop.dev
annotations:
# This depends on your configured issuer
cert-manager.io/cluster-issuer: "letsencrypt-prod"
ingressAPI:
enabled: true
tls: true
ingressClassName: nginx
hostname: api.cp.chainloop.dev
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
cas:
ingressAPI:
enabled: true
tls: true
ingressClassName: nginx
hostname: api.cas.chainloop.dev
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
cert-manager.io/cluster-issuer: "letsencrypt-prod"
# limit the size of the files that go through the proxy
# 0 means to not check the size of the request so we do not get 413 error.
# For now we are going to set a limit on 100MB files
# Even though we send data in chunks of 1MB, this size refers to all the data sent in the streaming connection
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
Remember, once you have set up your domain, make sure you use the CLI pointing to it instead of the defaults.
Connect to an external PostgreSQL database
# Disable built-in DB
postgresql:
enabled: false
# Provide with external connection
controlplane:
externalDatabase:
host: 1.2.3.4
port: 5432
user: chainloop
password: [REDACTED]
database: chainloop-controlplane-prod
Alternatively, if you are using Google Cloud SQL and you are running Chainloop in Google Kubernetes Engine. You can connect instead via a proxy
This method can also be easily enabled in this chart by doing
# Disable built-in DB
postgresql:
enabled: false
# Provide with external connection
controlplane:
sqlProxy:
# Inject the proxy sidecar
enabled: true
## @param controlplane.sqlProxy.connectionName Google Cloud SQL connection name
connectionName: "my-sql-instance"
# Then you'll need to configure your DB settings to use the proxy IP address
externalDatabase:
host: [proxy-sidecar-ip-address]
port: 5432
user: chainloop
password: [REDACTED]
database: chainloop-controlplane-prod
Use AWS secrets manager
Instead of using Hashicorp Vault (default), you can use AWS Secrets Manager by adding these settings in your values.yaml file
secretsBackend:
backend: awsSecretManager
awsSecretManager:
accessKey: [KEY]
secretKey: [SECRET]
region: [REGION]
Use GCP secret manager
Or Google Cloud Secret Manager with the following settings
secretsBackend:
backend: gcpSecretManager
gcpSecretManager:
projectId: [PROJECT_ID]
serviceAccountKey: [KEY]
Use Azure KeyVault
Azure KeyVault is also supported
secretsBackend:
backend: azureKeyVault
azureKeyVault:
tenantID: [TENANT_ID] # Active Directory Tenant ID
clientID: [CLIENT_ID] # Registered application / service principal client ID
clientSecret: [CLIENT_SECRET] # Service principal client secret
vaultURI: [VAULT URI] # Azure Key Vault URL
Deploy in keyless mode with file-based CA
This feature is experimental, as it doesn't yet support verification.
You can enable keyless signing mode by providing a custom Certificate Authority. For example, these commands generate a self-signed certificate with an RSA private key of length 4096 and AES256 encryption:
> openssl genrsa -aes256 -out ca.key 4096
...
> openssl req -new -x509 -sha256 -key ca.key -out ca.crt
...
Then you can configure your deployment values with:
controlplane:
keylessSigning:
enabled: true
backend: fileCA
fileCA:
cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key: |
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
keyPass: "REDACTED"
Insert custom Certificate Authorities (CAs)
In some scenarios, you might want to add custom Certificate Authorities to the Chainloop deployment. Like in the instance where your OIDC provider uses a self-signed certificate. To do so, add the PEM-encoded CA certificate to the customCAs list in your values.yaml file like in the example below.
customCAs:
- |-
-----BEGIN CERTIFICATE-----
MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
REDACTED
5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
-----END CERTIFICATE-----
Send exceptions to Sentry
You can configure different sentry projects for both the controlplane and the artifact CAS
# for controlplane
controlplane:
...
sentry:
enabled: true
dsn: [your secret sentry project DSN URL]
environment: production
# Artifact CAS
cas:
...
sentry:
enabled: true
dsn: [your secret sentry project DSN URL]
environment: production
Enable Prometheus Monitoring in GKE
Chainloop exposes Prometheus compatible /metrics endpoints that can be easily scraped by a Prometheus data collector Server.
Google Cloud has a managed Prometheus offering that could be easily enabled by setting --set GKEMonitoring.enabled=true. This will inject the required PodMonitoring custom resources.
Configure Chainloop CLI to point to your instance
Once you have your instance of Chainloop deployed, you need to configure the CLI to point to both the CAS and the Control plane gRPC APIs like this.
chainloop config save \
--control-plane my-controlplane.acme.com:443 \
--artifact-cas cas.acme.com:443
Parameters
Common parameters
| Name | Description | Value |
|---|---|---|
kubeVersion | Override Kubernetes version | "" |
development | Deploys Chainloop pre-configured FOR DEVELOPMENT ONLY. It includes a Vault instance in development mode and pre-configured authentication certificates and passphrases | false |
GKEMonitoring.enabled | Enable GKE podMonitoring (prometheus.io scrape) to scrape the controlplane and CAS /metrics endpoints | false |
Secrets Backend
| Name | Description | Value |
|---|---|---|
secretsBackend.backend | Secrets backend type ("vault", "awsSecretManager" or "gcpSecretManager", "azureKeyVault") | vault |
secretsBackend.secretPrefix | Prefix that will be pre-pended to all secrets in the storage backend | chainloop |
secretsBackend.vault.address | Vault address | |
secretsBackend.vault.token | Vault authentication token | |
secretsBackend.awsSecretManager.accessKey | AWS Access KEY ID | |
secretsBackend.awsSecretManager.secretKey | AWS Secret Key | |
secretsBackend.awsSecretManager.region | AWS Secrets Manager Region | |
secretsBackend.gcpSecretManager.projectId | GCP Project ID | |
secretsBackend.gcpSecretManager.serviceAccountKey | GCP Auth Key | |
secretsBackend.azureKeyVault.tenantID | Active Directory Tenant ID | |
secretsBackend.azureKeyVault.clientID | Registered application / service principal client ID | |
secretsBackend.azureKeyVault.clientSecret | Service principal client secret | |
secretsBackend.azureKeyVault.vaultURI | Azure Key Vault URL |
Authentication
| Name | Description | Value |
|---|---|---|
casJWTPrivateKey | ECDSA (ES512) private key used for Controlplane to CAS Authentication | "" |
casJWTPublicKey | ECDSA (ES512) public key | "" |
Control Plane
| Name | Description | Value |
|---|---|---|
controlplane.replicaCount | Number of replicas | 2 |
controlplane.image.repository | FQDN uri for the image | ghcr.io/chainloop-dev/chainloop/control-plane |
controlplane.image.tag | Image tag (immutable tags are recommended). If no set chart.appVersion will be used | |
controlplane.tlsConfig.secret.name | name of a secret containing TLS certificate to be used by the controlplane grpc server. | "" |
controlplane.pluginsDir | Directory where to look for plugins | /plugins |
controlplane.referrerSharedIndex | Configure the shared, public index API endpoint that can be used to discover metadata referrers | |
controlplane.referrerSharedIndex.enabled | Enable index API endpoint | false |
controlplane.referrerSharedIndex.allowedOrgs | List of UUIDs of organizations that are allowed to publish to the shared index | [] |
controlplane.onboarding.name | Name of the organization to onboard | |
controlplane.onboarding.role | Role of the organization to onboard |
Control Plane Database
| Name | Description | Value |
|---|---|---|
controlplane.externalDatabase | External PostgreSQL configuration. These values are only used when postgresql.enabled is set to false | |
controlplane.externalDatabase.host | Database host | "" |
controlplane.externalDatabase.port | Database port number | 5432 |
controlplane.externalDatabase.user | Non-root username | "" |
controlplane.externalDatabase.database | Database name | "" |
controlplane.externalDatabase.password | Password for the non-root username | "" |
controlplane.sqlProxy.enabled | Enable sidecar to connect to DB via Google Cloud SQL proxy | false |
controlplane.sqlProxy.connectionName | Google Cloud SQL connection name | "" |
controlplane.sqlProxy.resources | Sidecar container resources | {} |
Control Plane Authentication
| Name | Description | Value |
|---|---|---|
controlplane.auth.passphrase | Passphrase used to sign the Auth Tokens generated by the controlplane. Leave empty for auto-generation | "" |
controlplane.auth.oidc.url | Full authentication path, it should match the issuer URL of the Identity provider (IDp) | "" |
controlplane.auth.oidc.clientID | OIDC IDp clientID | "" |
controlplane.auth.oidc.clientSecret | OIDC IDp clientSecret | "" |
controlplane.auth.oidc.loginURLOverride | Optional OIDC login URL override, useful to point to custom login pages | |
controlplane.auth.oidc.externalURL | Optional External URL for the controlplane to the outside world | |
controlplane.auth.allowList.rules | List of domains or emails to allow | |
controlplane.auth.allowList.selectedRoutes | List of selected routes to allow. If not set it applies to all routes | |
controlplane.auth.allowList.customMessage | Custom message to display when a user is not allowed |
Control Plane Networking
| Name | Description | Value |
|---|---|---|
controlplane.service.type | Service type | ClusterIP |
controlplane.service.port | Service port | 80 |
controlplane.service.targetPort | Service target Port | http |
controlplane.service.nodePorts.http | Node port for HTTP. NOTE: choose port between [30000-32767] | |
controlplane.serviceAPI.type | Service type | ClusterIP |
controlplane.serviceAPI.port | Service port | 80 |
controlplane.serviceAPI.targetPort | Service target Port | grpc |
controlplane.serviceAPI.annotations | Service annotations | |
controlplane.serviceAPI.nodePorts.http | Node port for HTTP. NOTE: choose port between [30000-32767] | |
controlplane.ingress.enabled | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | false |
controlplane.ingress.pathType | Ingress path type | ImplementationSpecific |
controlplane.ingress.hostname | Default host for the ingress record | cp.dev.local |
controlplane.ingress.ingressClassName | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
controlplane.ingress.path | Default path for the ingress record | / |
controlplane.ingress.annotations | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
controlplane.ingress.tls | Enable TLS configuration for the host defined at controlplane.ingress.hostname parameter | false |
controlplane.ingress.selfSigned | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
controlplane.ingress.extraHosts | An array with additional hostname(s) to be covered with the ingress record | [] |
controlplane.ingress.extraPaths | An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
controlplane.ingress.extraTls | TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
controlplane.ingress.secrets | Custom TLS certificates as secrets | [] |
controlplane.ingress.extraRules | Additional rules to be covered with this ingress record | [] |
controlplane.ingressAPI.enabled | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | false |
controlplane.ingressAPI.pathType | Ingress path type | ImplementationSpecific |
controlplane.ingressAPI.hostname | Default host for the ingress record | api.cp.dev.local |
controlplane.ingressAPI.ingressClassName | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
controlplane.ingressAPI.path | Default path for the ingress record | / |
controlplane.ingressAPI.annotations | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | |
controlplane.ingressAPI.tls | Enable TLS configuration for the host defined at controlplane.ingress.hostname parameter | false |
controlplane.ingressAPI.selfSigned | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
controlplane.ingressAPI.extraHosts | An array with additional hostname(s) to be covered with the ingress record | [] |
controlplane.ingressAPI.extraPaths | An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
controlplane.ingressAPI.extraTls | TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
controlplane.ingressAPI.secrets | Custom TLS certificates as secrets | [] |
controlplane.ingressAPI.extraRules | Additional rules to be covered with this ingress record | [] |
Controlplane Misc
| Name | Description | Value |
|---|---|---|
controlplane.resources.limits.cpu | Container resource limits CPU | 250m |
controlplane.resources.limits.memory | Container resource limits memory | 512Mi |
controlplane.resources.requests.cpu | Container resource requests CPU | 250m |
controlplane.resources.requests.memory | Container resource requests memory | 512Mi |
controlplane.autoscaling.enabled | Enable deployment autoscaling | false |
controlplane.autoscaling.minReplicas | Minimum number of replicas | 1 |
controlplane.autoscaling.maxReplicas | Maximum number of replicas | 100 |
controlplane.autoscaling.targetCPUUtilizationPercentage | Target CPU percentage | 80 |
controlplane.autoscaling.targetMemoryUtilizationPercentage | Target CPU memory | 80 |
controlplane.sentry.enabled | Enable sentry.io alerting | false |
controlplane.sentry.dsn | DSN endpoint | "" |
controlplane.sentry.environment | Environment tag | production |
Keyless signing configuration
| Name | Description | Value |
|---|---|---|
controlplane.keylessSigning.enabled | Activates or deactivates the feature | false |
controlplane.keylessSigning.backend | The backend to use. Currently only "fileCA" and "ejbcaCA" are supported | fileCA |
controlplane.keylessSigning.fileCA.cert | The PEM-encoded certificate of the file based CA | "" |
controlplane.keylessSigning.fileCA.key | The PEM-encoded private key of the file based CA | "" |
controlplane.keylessSigning.fileCA.keyPass | The secret key pass | "" |
controlplane.keylessSigning.ejbcaCA.serverURL | The url of the EJBCA service (https://host/ejbca) | "" |
controlplane.keylessSigning.ejbcaCA.clientKey | PEM-encoded the private key for EJBCA cert authentication | "" |
controlplane.keylessSigning.ejbcaCA.clientCert | PEM-encoded certificate for EJBCA cert authentication | "" |
controlplane.keylessSigning.ejbcaCA.certProfileName | Name of the certificate profile to use in EJBCA | "" |
controlplane.keylessSigning.ejbcaCA.endEntityProfileName | Name of the Entity Profile to use in EJBCA | "" |
controlplane.keylessSigning.ejbcaCA.caName | Name of the CA issuer to use in EJBCA | "" |
controlplane.customCAs | List of custom CA certificates content | [] |
Artifact Content Addressable (CAS) API
| Name | Description | Value |
|---|---|---|
cas.replicaCount | Number of replicas | 2 |
cas.image.repository | FQDN uri for the image | ghcr.io/chainloop-dev/chainloop/artifact-cas |
cas.image.tag | Image tag (immutable tags are recommended). If no set chart.appVersion will be used | |
cas.tlsConfig.secret.name | name of a secret containing TLS certificate to be used by the controlplane grpc server. | "" |
CAS Networking
| Name | Description | Value |
|---|---|---|
cas.service.type | Service type | ClusterIP |
cas.service.port | Service port | 80 |
cas.service.targetPort | Service target Port | http |
cas.service.nodePorts.http | Node port for HTTP. NOTE: choose port between [30000-32767] | |
cas.serviceAPI.type | Service type | ClusterIP |
cas.serviceAPI.port | Service port | 80 |
cas.serviceAPI.targetPort | Service target Port | grpc |
cas.serviceAPI.annotations | Service annotations | |
cas.serviceAPI.nodePorts.http | Node port for HTTP. NOTE: choose port between [30000-32767] | |
cas.ingress.enabled | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | false |
cas.ingress.pathType | Ingress path type | ImplementationSpecific |
cas.ingress.hostname | Default host for the ingress record | cas.dev.local |
cas.ingress.ingressClassName | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
cas.ingress.path | Default path for the ingress record | / |
cas.ingress.annotations | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | {} |
cas.ingress.tls | Enable TLS configuration for the host defined at controlplane.ingress.hostname parameter | false |
cas.ingress.selfSigned | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
cas.ingress.extraHosts | An array with additional hostname(s) to be covered with the ingress record | [] |
cas.ingress.extraPaths | An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
cas.ingress.extraTls | TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
cas.ingress.secrets | Custom TLS certificates as secrets | [] |
cas.ingress.extraRules | Additional rules to be covered with this ingress record | [] |
cas.ingressAPI.enabled | Enable ingress record generation for %%MAIN_CONTAINER_NAME%% | false |
cas.ingressAPI.pathType | Ingress path type | ImplementationSpecific |
cas.ingressAPI.hostname | Default host for the ingress record | api.cas.dev.local |
cas.ingressAPI.ingressClassName | IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+) | "" |
cas.ingressAPI.path | Default path for the ingress record | / |
cas.ingressAPI.annotations | Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations. | |
cas.ingressAPI.tls | Enable TLS configuration for the host defined at controlplane.ingress.hostname parameter | false |
cas.ingressAPI.selfSigned | Create a TLS secret for this ingress record using self-signed certificates generated by Helm | false |
cas.ingressAPI.extraHosts | An array with additional hostname(s) to be covered with the ingress record | [] |
cas.ingressAPI.extraPaths | An array with additional arbitrary paths that may need to be added to the ingress under the main host | [] |
cas.ingressAPI.extraTls | TLS configuration for additional hostname(s) to be covered with this ingress record | [] |
cas.ingressAPI.secrets | Custom TLS certificates as secrets | [] |
cas.ingressAPI.extraRules | Additional rules to be covered with this ingress record | [] |
CAS Misc
| Name | Description | Value |
|---|---|---|
cas.resources.limits.cpu | Container resource limits CPU | 250m |
cas.resources.limits.memory | Container resource limits memory | 512Mi |
cas.resources.requests.cpu | Container resource requests CPU | 250m |
cas.resources.requests.memory | Container resource requests memory | 512Mi |
cas.autoscaling.enabled | Enable deployment autoscaling | false |
cas.autoscaling.minReplicas | Minimum number of replicas | 1 |
cas.autoscaling.maxReplicas | Maximum number of replicas | 100 |
cas.autoscaling.targetCPUUtilizationPercentage | Target CPU percentage | 80 |
cas.autoscaling.targetMemoryUtilizationPercentage | Target CPU memory | 80 |
cas.sentry.enabled | Enable sentry.io alerting | false |
cas.sentry.dsn | DSN endpoint | "" |
cas.sentry.environment | Environment tag | production |
Dependencies
| Name | Description | Value |
|---|---|---|
postgresql.enabled | Switch to enable or disable the PostgreSQL helm chart | true |
postgresql.auth.enablePostgresUser | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | false |
postgresql.auth.username | Name for a custom user to create | chainloop |
postgresql.auth.password | Password for the custom user to create | chainlooppwd |
postgresql.auth.database | Name for a custom database to create | chainloop-cp |
postgresql.auth.existingSecret | Name of existing secret to use for PostgreSQL credentials | "" |
vault.server.args | Arguments to pass to the vault server. This is useful for setting the server in development mode | ["server","-dev"] |
vault.server.config | Configuration for the vault server. Small override of default Bitnami configuration | `storage "inmem" |
| disable_mlock = true | ||
| ui = true | ||
| service_registration "kubernetes" ` | ||
vault.server.extraEnvVars[0].name | Root token for the vault server | VAULT_DEV_ROOT_TOKEN_ID |
vault.server.extraEnvVars[0].value | The value of the root token. Default: notasecret | notasecret |
vault.server.extraEnvVars[1].name | Address to listen on development mode | VAULT_DEV_LISTEN_ADDRESS |
vault.server.extraEnvVars[1].value | The address to listen on. Default: [::]:8200 | [::]:8200 |
dex.config.issuer | The issuer URL of the Identity provider (IDp) | http://chainloop-dex:5556/dex |
dex.config.storage.type | Storage type for the dex server | memory |
dex.config.web.http | HTTP address for the dex server | 0.0.0.0:5556 |
dex.config.staticClients[0].id | Client ID for the static client | chainloop-dev |
dex.config.staticClients[0].redirectURIs | Redirect URIs for the static client | ["http://0.0.0.0:8000/auth/callback","http://localhost:8000/auth/callback"] |
dex.config.staticClients[0].name | Name for the static client | Chainloop Dev |
dex.config.staticClients[0].secret | Secret for the static client | ZXhhbXBsZS1hcHAtc2VjcmV0 |
dex.config.enablePasswordDB | Enable static passwords | true |
dex.config.staticPasswords[0].email | Email for the static password | john@chainloop.local |
dex.config.staticPasswords[0].hash | Hash for the static password | $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W |
dex.config.staticPasswords[1].email | Email for the static password | sarah@chainloop.local |
dex.config.staticPasswords[1].hash | Hash for the static password | $2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W |
License
Copyright © 2023 The Chainloop Authors
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.