The Venafi Kubernetes Agent connects your Kubernetes or OpenShift cluster to the Venafi Control Plane. You will require a Venafi Control Plane account to connect your cluster. If you do not have one, you can sign up for a free trial now at:
📖 Read the Venafi Kubernetes Agent documentation to learn how to install and configure this Helm chart.
Default value:
true
Enable the metrics server.
If false, the metrics server will be disabled and the other metrics fields below will be ignored.
Default value:
false
Create a PodMonitor so that Prometheus scrapes the agent's metrics, if you are using Prometheus Operator. See https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor
The namespace that the PodMonitor should live in. Defaults to the venafi-kubernetes-agent namespace. The namespace must be one that your Prometheus instance is configured to watch for PodMonitors, otherwise the target is never scraped.
Default value:
default
Sets the prometheus label on the created PodMonitor. Use this when several Prometheus instances run in the cluster and each selects PodMonitors by a different value of this label.
Default value:
60s
How often Prometheus scrapes the agent's metrics endpoint.
Default value:
30s
The timeout after which a metrics scrape fails. Prometheus requires this to be no larger than the scrape interval.
Default value:
{}
Additional labels to add to the PodMonitor.
Default value:
{}
Additional annotations to add to the PodMonitor.
Default value:
false
If true, labels already present in the scraped data take precedence over conflicting labels that Prometheus attaches to the target.
Default value:
{}
endpointAdditionalProperties allows setting additional properties on the PodMonitor endpoint, such as relabelings and metricRelabelings.
For example, to set the instance label to the node the agent pod runs on:

```yaml
endpointAdditionalProperties:
  relabelings:
    - action: replace
      sourceLabels:
        - __meta_kubernetes_pod_node_name
      targetLabel: instance
```
Default value:
1
Default number of replicas. Do not scale this up: run a single agent replica per cluster.
Default value:
registry.venafi.cloud/venafi-agent/venafi-agent
The container image for the Venafi Kubernetes Agent.
Default value:
IfNotPresent
The Kubernetes imagePullPolicy for the agent container in the Deployment.
Default value:
v0.0.0
Overrides the image tag. When left at its default, the chart's appVersion is used.
Default value:
[]
Specify image pull credentials if using a private registry. Example:

```yaml
- name: my-pull-secret
```
Default value:
""
Standard Helm setting that overrides the chart name used in generated resource names; usually left blank.
Default value:
""
Standard Helm setting that overrides the full generated resource name; use it to shorten the install name.
Default value:
true
Specifies whether a service account should be created.
Default value:
{}
Annotations (as YAML) to add to the service account, for example the annotations a cloud provider's workload identity mechanism expects.
Default value:
""
The name of the service account to use. If blank and serviceAccount.create is true, a name is generated using the fullname template of the release.
Default value:
{}
Additional annotations (as YAML) to add to the pod.
Default value:
{}
Optional Pod-level (all containers) SecurityContext options, see https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod.
Example:

```yaml
podSecurityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
```
Configures the HTTP_PROXY environment variable where an HTTP proxy is required.
Configures the HTTPS_PROXY environment variable where an HTTP proxy is required.
Configures the NO_PROXY environment variable where an HTTP proxy is required but certain hosts or domains must bypass it. In-cluster addresses such as the Kubernetes API service normally belong here, so that only the agent's traffic to the Venafi Control Plane goes through the proxy.
Default value:
ALL
Default value:
true
Default value:
true
Default value:
200Mi
Default value:
200m
Default value:
500Mi
Default value:
{}
Embed YAML for nodeSelector settings, see
https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
Default value:
[]
Embed YAML for toleration settings, see
https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
Default value:
{}
Embed YAML for Node affinity settings, see
https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity/.
Default value:
[]
Overrides the container's default command (the agent binary).
Default value:
[]
Specify additional arguments to pass to the agent binary.
Example: ["--strict", "--oneshot"]
Default value:
[]
Additional volumes to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle, for example when the agent reaches the Venafi Control Plane through a TLS-intercepting proxy. Only public CA certificates belong in a ConfigMap; never put private keys there. For example:

```yaml
volumes:
  - name: cabundle
    configMap:
      name: cabundle
      optional: false
      defaultMode: 0644
```

To create the ConfigMap, in the namespace the chart is installed into, you can use the following command:

```shell
kubectl create configmap cabundle \
  --from-file=cabundle=./your/custom/ca/bundle.pem
```
Default value:
[]
Additional volume mounts to add to the Venafi Kubernetes Agent container. This is useful for mounting a custom CA bundle. Any PEM certificate mounted under /etc/ssl/certs is loaded by the Venafi Kubernetes Agent; mount it read-only. For example:

```yaml
volumeMounts:
  - name: cabundle
    mountPath: /etc/ssl/certs/cabundle
    subPath: cabundle
    readOnly: true
```
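The following is an added example, not part of the chart or of the Venafi documentation. It checks a CA bundle before it is turned into a ConfigMap (a ConfigMap is not a secret store, so a bundle that accidentally contains a private key must be rejected) and then renders both the ConfigMap manifest and the volumes/volumeMounts values shown above. It assumes the names used on this page (ConfigMap and key "cabundle", mount under /etc/ssl/certs/); the PEM blocks it builds are constructed placeholders, not real certificates.

```python
"""Validate a custom CA bundle and render the ConfigMap plus values fragment.

Added example (not chart code). Assumes the page's names: ConfigMap "cabundle",
key "cabundle", mounted under /etc/ssl/certs/. Sample PEM bodies are constructed.
"""
import base64
import re

# One PEM block: header, base64 body, footer. The \1 backreference rejects
# a BEGIN/END pair whose labels do not match.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Per the page, only PEM certificates under this directory are loaded by the agent.
LOAD_DIR = "/etc/ssl/certs/"


def _fake_block(kind: str, payload: bytes) -> str:
    """Build a syntactically valid PEM block around a constructed (fake) body."""
    body = base64.b64encode(payload).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {kind}-----\n" + "\n".join(lines) + f"\n-----END {kind}-----\n"


# Constructed inputs, not real key material.
GOOD_BUNDLE = (_fake_block("CERTIFICATE", b"constructed root CA, not a real certificate")
               + _fake_block("CERTIFICATE", b"constructed intermediate CA, not a real certificate"))
LEAKY_BUNDLE = GOOD_BUNDLE + _fake_block("PRIVATE KEY", b"constructed key, must never reach a ConfigMap")


def inspect_bundle(pem_text: str) -> dict:
    """Count PEM block types; raise unless the bundle holds only well-formed certificates."""
    kinds: dict = {}
    for match in PEM_BLOCK.finditer(pem_text):
        kind, body = match.group(1), match.group(2)
        try:
            # validate=True rejects any non-base64 character instead of skipping it.
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"malformed base64 in {kind} block") from exc
        kinds[kind] = kinds.get(kind, 0) + 1
    if not kinds:
        raise ValueError("no PEM blocks found")
    extra = sorted(k for k in kinds if k != "CERTIFICATE")
    if extra:
        # A private key in a ConfigMap would be readable by anyone with RBAC on it.
        raise ValueError(f"bundle must contain only CERTIFICATE blocks, found {extra}")
    return kinds


def render_configmap(pem_text: str, name: str = "cabundle", key: str = "cabundle") -> str:
    """Render the ConfigMap equivalent to the kubectl create command on this page."""
    inspect_bundle(pem_text)
    body = "\n".join("    " + line for line in pem_text.strip().splitlines())
    return (
        "apiVersion: v1\nkind: ConfigMap\n"
        f"metadata:\n  name: {name}\n"
        f"data:\n  {key}: |\n{body}\n"
    )


def render_values(name: str = "cabundle", key: str = "cabundle", mount_path: str = None) -> str:
    """Render the volumes/volumeMounts values from this page for that ConfigMap."""
    mount_path = mount_path or LOAD_DIR + key
    if not mount_path.startswith(LOAD_DIR):
        raise ValueError(f"{mount_path}: certificates outside {LOAD_DIR} are not loaded by the agent")
    return (
        "volumes:\n"
        f"  - name: {name}\n    configMap:\n      name: {name}\n"
        "      optional: false\n      defaultMode: 0644\n"
        "volumeMounts:\n"
        f"  - name: {name}\n    mountPath: {mount_path}\n    subPath: {key}\n"
        "    readOnly: true\n"
    )


if __name__ == "__main__":
    print(render_configmap(GOOD_BUNDLE))
    print(render_values())
```

Run the script against your real bundle.pem by passing its contents to render_configmap; the manifest it prints can be applied with kubectl in the agent's namespace, and the values it prints go into your values file for the chart.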
Default value:
agent-credentials
Name of the Secret containing the private key of the Key Pair Service Account used to authenticate to the Venafi Control Plane.
Default value:
privatekey.pem
Key in the referenced Secret that holds the private key.
Configure VenafiConnection authentication
Default value:
false
When set to true, the Venafi Kubernetes Agent authenticates to Venafi using the configuration in a VenafiConnection resource. Use venafiConnection.enabled=true for secretless authentication. When set to true, the authentication.secret values are ignored and the Secret named by authentication.secretName is not mounted into the Venafi Kubernetes Agent Pod.
Default value:
venafi-components
The name of a VenafiConnection resource which contains the configuration for authenticating to Venafi.
Default value:
venafi
The namespace of a VenafiConnection resource which contains the configuration for authenticating to Venafi.
Default value:
https://api.venafi.cloud/
API URL of the Venafi Control Plane API. For EU tenants, set this value to https://api.venafi.eu/. If you are using the VenafiConnection authentication method, you must set the API URL in the spec.vcp.url field of the VenafiConnection resource instead.
Default value:
""
The client ID used to authenticate with the Venafi Control Plane. Only relevant when using a Key Pair Service Account in the Venafi Control Plane; the client ID is issued when you create the Key Pair Service Account there.
Default value:
0h1m0s
Interval at which the agent sends data back to the platform; every minute unless changed.
Default value:
""
Name for the cluster resource if it needs to be created in the Venafi Control Plane.
Default value:
""
Description for the cluster resource if it needs to be created in the Venafi Control Plane.
Default value:
kubernetes.io/service-account-token
Default value:
kubernetes.io/dockercfg
Default value:
kubernetes.io/dockerconfigjson
Default value:
kubernetes.io/basic-auth
Default value:
kubernetes.io/ssh-auth
Default value:
bootstrap.kubernetes.io/token
Default value:
helm.sh/release.v1
Default value:
[]
You can configure the Venafi Kubernetes Agent to exclude some annotations or labels from being pushed to the Venafi Control Plane. All Kubernetes objects are affected: the objects are still pushed, but annotation and label keys matching any of the regular expressions are removed before the object is sent. This is the place to drop keys whose values embed a copy of the whole object, such as kubectl.kubernetes.io/last-applied-configuration, which can carry data you do not want leaving the cluster.
The dot is the only regex metacharacter that normally needs escaping in these keys. Write the pattern as a single-quoted or unquoted YAML string: inside a double-quoted YAML string, \. is not a valid escape sequence and parsing fails (you would have to write \\. instead).
Example: excludeAnnotationKeysRegex: ['^kapp.k14s.io/original.*']
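The following is an added example, not the agent's code, showing the documented behaviour on a constructed object: the object is still sent, but annotation and label keys matching the exclusion regexes are removed first. The object, the patterns and the helper names are all assumptions made for the example; the page only fixes the semantics (regex match on the key, object kept) and the sample pattern.

```python
"""Apply annotation/label exclusion regexes to object metadata before sending it.

Added example; not the agent's implementation. The Kubernetes object below is
constructed, and the helper names are this example's own.
"""
import copy
import re
from typing import Dict, Iterable, List, Pattern, Tuple

# Constructed object. kubectl's last-applied annotation and kapp's "original"
# annotation both embed a full copy of the applied object.
SAMPLE_OBJECT = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {
        "name": "app-config",
        "namespace": "team-a",
        "annotations": {
            "kubectl.kubernetes.io/last-applied-configuration":
                '{"apiVersion":"v1","kind":"ConfigMap","data":{"dsn":"postgres://..."}}',
            "kapp.k14s.io/original": '{"apiVersion":"v1","kind":"ConfigMap"}',
            "kapp.k14s.io/original-diff-md5": "d41d8cd98f00b204e9800998ecf8427e",
            "cert-manager.io/issuer-name": "corp-ca",
        },
        "labels": {
            "app.kubernetes.io/name": "app",
            "internal.example.com/owner-email": "alice@example.com",
        },
    },
}

# Patterns as you would write them in a values file, with literal dots escaped.
# Single quotes keep YAML from treating \. as an escape sequence.
EXCLUDE_ANNOTATION_KEYS = [
    r"^kapp\.k14s\.io/original.*",
    r"^kubectl\.kubernetes\.io/last-applied-configuration$",
]
EXCLUDE_LABEL_KEYS = [r"^internal\.example\.com/"]


def compile_rules(patterns: Iterable[str]) -> List[Pattern]:
    return [re.compile(p) for p in patterns]


def strip_matching(keys: Dict[str, str], rules: List[Pattern]) -> Tuple[Dict[str, str], List[str]]:
    """Return (kept, removed). Search semantics: anchor with ^ and $ to avoid substring hits."""
    kept, removed = {}, []
    for key, value in keys.items():
        if any(rule.search(key) for rule in rules):
            removed.append(key)
        else:
            kept[key] = value
    return kept, sorted(removed)


def sanitize(obj: dict, annotation_patterns=(), label_patterns=()) -> Tuple[dict, dict]:
    """Return a copy of obj with excluded keys removed, plus a report of what was dropped.

    The input is left untouched and the object itself is always returned, which
    mirrors the documented behaviour: objects are still pushed, only keys go.
    """
    out = copy.deepcopy(obj)
    meta = out.setdefault("metadata", {})
    report = {}
    for field, patterns in (("annotations", annotation_patterns), ("labels", label_patterns)):
        kept, removed = strip_matching(meta.get(field, {}), compile_rules(patterns))
        meta[field] = kept
        report[field] = removed
    return out, report


def key_matches(pattern: str, key: str) -> bool:
    """Helper to show why dots are escaped: an unescaped dot matches any character."""
    return re.search(pattern, key) is not None


if __name__ == "__main__":
    cleaned, dropped = sanitize(SAMPLE_OBJECT, EXCLUDE_ANNOTATION_KEYS, EXCLUDE_LABEL_KEYS)
    print(dropped)
    print(cleaned["metadata"])
```

Note that the page's own sample pattern, '^kapp.k14s.io/original.*', leaves the dots unescaped; it works because no other key looks like that, but key_matches shows it would also match a key such as kappXk14sXio/original, which is why literal dots are escaped in the patterns above.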
Default value:
[]
Default value:
null
Default value:
null
Default value:
false
Enable or disable the PodDisruptionBudget resource, which limits voluntary disruptions such as evictions during a node upgrade.
Configure the minimum number of pods that must remain available during a disruption. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). Cannot be used if maxUnavailable is set. Note that with the default of 1 replica, minAvailable: 1 leaves no room for any disruption, so a node drain will wait on the agent pod until it times out.
Configure the maximum number of pods that may be unavailable during a disruption. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). Cannot be used if minAvailable is set.
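The following is an added example, not chart code, that reproduces the arithmetic the Kubernetes disruption controller applies to a PodDisruptionBudget (a percentage is scaled by the expected pod count and rounded up; disruptions allowed is healthy pods minus the required healthy count). It lets you check what minAvailable or maxUnavailable does at the chart's default replica count of 1 before a node upgrade finds out for you. The function and parameter names are this example's own.

```python
"""Compute how many voluntary disruptions a PodDisruptionBudget allows.

Added example, not chart code. Mirrors the Kubernetes disruption controller:
percentages scale by the expected pod count and round up; exactly one of
minAvailable / maxUnavailable is honoured, as the chart requires.
"""
import math
from typing import Optional, Union

IntOrPercent = Union[int, str]


def scaled(value: IntOrPercent, expected: int) -> int:
    """Integers pass through; 'NN%' is scaled by expected and rounded up."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise TypeError("value must be an int or an 'NN%' string")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("must not be negative")
        return value
    if not value.endswith("%"):
        raise ValueError(f"not a percentage: {value!r}")
    pct = int(value[:-1])
    if not 0 <= pct <= 100:
        raise ValueError(f"percentage out of range: {value!r}")
    return math.ceil(expected * pct / 100)


def disruptions_allowed(expected: int, healthy: int,
                        min_available: Optional[IntOrPercent] = None,
                        max_unavailable: Optional[IntOrPercent] = None) -> int:
    """Number of pods that may be evicted right now.

    expected: pods selected by the PDB (the replica count);
    healthy:  pods currently Ready.
    """
    if (min_available is None) == (max_unavailable is None):
        raise ValueError("set exactly one of minAvailable or maxUnavailable")
    if max_unavailable is not None:
        desired_healthy = max(0, expected - scaled(max_unavailable, expected))
    else:
        desired_healthy = scaled(min_available, expected)
    allowed = healthy - desired_healthy
    if expected <= 0 or allowed <= 0:
        return 0
    return allowed


def drain_would_block(replicas: int, **pdb) -> bool:
    """True if, with all replicas healthy, the PDB still allows zero evictions."""
    return disruptions_allowed(replicas, replicas, **pdb) == 0


if __name__ == "__main__":
    # The chart's default: one replica.
    print("minAvailable=1   ->", disruptions_allowed(1, 1, min_available=1))
    print("maxUnavailable=1 ->", disruptions_allowed(1, 1, max_unavailable=1))
    print("minAvailable=25% ->", disruptions_allowed(1, 1, min_available="25%"))
```

With one replica, minAvailable: 1 and minAvailable: 25% both require one healthy pod and so allow nothing to be evicted, while maxUnavailable: 1 (or 25%, which rounds up to one pod) lets the drain proceed.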
When the keep option below is enabled, the CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep", which prevents Helm from removing them when this chart is uninstalled. After uninstalling the chart, the remaining CRDs must then be removed manually.
Default value:
false
The x-kubernetes-validations field in a CRD schema holds validation rules written in CEL. It is not supported in Kubernetes 1.22 and below; CEL validation was introduced as an alpha feature in Kubernetes 1.23 and enabled by default from 1.25, and it improves how validation is performed. This option forces the x-kubernetes-validations field to be stripped from the rendered CRDs, even on Kubernetes 1.25+ clusters.
Default value:
false
Adds the "helm.sh/resource-policy": keep annotation to the CRDs, so that Helm does not uninstall them when the Helm release is uninstalled.
Default value:
false
When set to false, the rendered output does not contain the VenafiConnection CRDs and RBAC. This is useful when the Venafi Connection resources are already installed separately.