EJBCA Helm Deployment Parameters

ejbca.importEjbcaConfFiles

false

If run-time overridable application configuration property files should be applied

ejbca.ejbcaConfFilesSecret

Secret containing run-time overridable application configuration property files

ejbca.importExternalCas

false

If CA certificates should be imported into EJBCA as external CAs

ejbca.externalCasSecret

Secret containing CA certificates to import into EJBCA as external CAs

ejbca.configdumpImport.enabled

_ENTERPRISE

false

Enables ConfigDump, use together with either configMapName or inlineConfigdump

ejbca.configdumpImport.initialize

_ENTERPRISE

false

Generate initial certificate for CAs on import

ejbca.configdumpImport.configMapName

_ENTERPRISE

Option 1: Specify a ConfigMap containing your EJBCA ConfigDump JSON data

ejbca.configdumpImport.configMapKey

_ENTERPRISE

(Optional) The key in the ConfigMap where the EJBCA ConfigDump data is found (default: "configdump.json")

ejbca.configdumpImport.inlineConfigdump

_ENTERPRISE

Option 2: Directly insert EJBCA ConfigDump JSON data

ejbca.useEphemeralH2Database

false

If in-memory internal H2 database should be used. This is meant for convenient ephemeral test instances

ejbca.useH2Persistence

false

If internal H2 database with persistence should be used. Requires existingH2PersistenceClaim to be set

ejbca.existingH2PersistenceClaim

PersistentVolumeClaim that internal H2 database can use for data persistence

ejbca.env

Environment variables to pass to container.

ejbca.envRaw

Environment variables to pass to container in Kubernetes YAML format. Useful for Kubernetes secrets.

ejbca.envFrom

Expose all values of given secrets as environment variables in containers. Keys in the secrets will become the environment variable names in pods.

ejbca.initContainers

[]

Extra init containers to be added to the deployment

ejbca.sidecarContainers

[]

Extra sidecar containers to be added to the deployment

ejbca.volumes

[]

Extra volumes to be added to the deployment

ejbca.volumeMounts

[]

Extra volume mounts to be added to the deployment

DATABASE_JDBC_URL

The JDBC drivers for MariaDB/MySQL, Microsoft SQL Server, and PostgreSQL are bundled with the container to work out of the box by specifying the corresponding JDBC URL. We recommend the use of MariaDB with Galera clustering for production setups.

Automatically configured when test environment is created using ejbca.useEphemeralH2Database or ejbca.useH2Persistence.

DATABASE_USER

The username part of the credentials to access the external database. Not required for use of the H2 database.

DATABASE_PASSWORD

The password part of the credentials to access the external database. It should be provided as a secret in ejbca.envRaw section. Please see values.yaml for more details.

DATABASE_USER_PRIVILEGED

The privileged username part of the credentials to access the external database for table creation or altering. Only needed for initial container startup to create tables or upgrading EJBCA when database schema has changes. Not required for use of the H2 database.

DATABASE_PASSWORD_PRIVILEGED

The privileged password part of the credentials to access the external database for table creation or altering. Only needed for initial container startup to create tables or upgrading EJBCA when database schema has changes. Not required for use of the H2 database.

It should be provided as a secret in ejbca.envRaw section. Please see values.yaml for more details.

PASSWORD_ENCRYPTION_KEY

The following key (strictly speaking, PBE input password) allows for encrypting passwords used in EJBCA (e.g. End Entity, Crypto Token, CMP Alias, SCEP Alias, etc, passwords stored in database). This property should be set before initial EJBCA installation and it shouldn't be changed later, because there could exist passwords encrypted with the key about to be changed and EJBCA would be unable to decrypt them (note that the current implementation is capable to try decryption with the default key, i.e. qhrnf.f8743;12%#75, but it won't be able to decrypt passwords encrypted with a custom key being replaced for another custom key). For setting this property you could use any password you consider safe, but it is strongly recommended that you use a randomly generated password, e.g. by using openssl rand -base64 24.When upgrading a 100% up-time cluster all nodes must produce password encryption that is decryptable by old nodes. When all nodes run EJBCA 6.8.0 or higher you can change the password, and count, to increase security when passwords are saved in clear text (mostly used for batch generation and auto-activation).

EJBCA_CLI_DEFAULTPASSWORD

Password used for the EJBCA CLI. Using a custom password requires the password to then be provided when using the CLI.

services.proxyHttp.enabled

false

If service for reverse proxy servers to communicate with EJBCA container over HTTP should be enabled.

Set to true when NGINX Ingress is used.

services.directHttp.enabled

true

If service for communicating directly with EJBCA container should be enabled. It should only be used dung debugging.

services.sidecarPorts

[]

Additional ports to expose in sidecar containers

services.proxyHttp.type

ClusterIP

Service type for proxy HTTP communication

services.proxyHttp.bindIP

0.0.0.0

IP to bind for proxy HTTP communication

services.proxyHttp.httpPort

8081

Service port for proxy HTTP communication. You may set this to empty to only allow TLS communication.

services.proxyHttp.httpsPort

8082

Service port for proxy HTTP communication that accepts SSL_CLIENT_CERT header

services.directHttp.type

NodePort

Service type for communicating directly with EJBCA container

services.directHttp.httpPort

30080

HTTP port for communicating directly with EJBCA container

services.directHttp.httpsPort

30443

HTTPS port for communicating directly with EJBCA container

nginx.enabled

false

If NGINX sidecar container should be deployed as reverse proxy for EJBCA

nginx.host

NGINX reverse proxy server name or domain

(Mandatory)

nginx.service.type

ClusterIP

Type of service to create for NGINX reverse proxy

nginx.initializeWithSelfSignedTls

false

Create a self-signed TLS certificate for first time setup with LoadBalancer service

nginx.service.httpPort

80

HTTP port to use for NGINX reverse proxy. You may set this to empty to only allow TLS communication.

nginx.service.httpsPort

443

HTTPS port to use for NGINX reverse proxy

nginx.externalConfiguration

Configure nginx.conf from scratch. A skeleton configuration can be found at templates/nginx-configmap.yaml

nginx.additionalHosts

List of server names or domains which will be added as server blocks in nginx.conf.

Relevant when LoadBalancer service is used.

nginx.loadBalancerAccess.enableStickySessionClientIp

_BETA

false

Create an additional loadbalancer service with sessionAffinity: "ClientIP" . Only relevant if multiple EJBCA instances are deployed with a helm release.

Relevant for UI access only.

nginx.loadBalancerAccess.enableReplicaSpecificAccess

_BETA

false

Create an additional loadbalancer service for each EJBCA pod. Only relevant if multiple EJBCA instances are deployed with a helm release.

Relevant for inspecting individual pods.

Enabling NGINX sidecar along with LoadBalancer Service

Domains

Mandatory to configure nginx.host which is used as the default server block in NGINX configuration.

Along with that multiple domains may be added as additionalHosts

Each of the domains MUST have their own individual TLS configuration as mentioned in next row.

These TLS credentials may be unique or may share same private key and certificate depending on customer’s choice.

TLS credential

Intended domain is selected based on TLS SNI. NGINX uses corresponding server block or credentials.

Each of the domains needs 3 entries with specific naming convention:

• domain.pem → server certificate

• domain-Key.pem → server private key

• domain-CA.pem → server trusted CA for client certificate with optional authentication

All of them are provided as a Kubernetes secret together.

Notice that, in the example server certificates of ejbcara.vmk8s and ejbcara.alternate.vmk8s are issued by different CA and also they use ManagementCA for authentication.

On the other hand, ejbcara.issuerca.vmk8s server certificate is issued by IssuerCA. It is also used for authentication.

kubectl create secret generic \
   internal-nginx-credential-secret-ra -n ranamespace \
   
 --from-file=ejbcara.vmk8s.pem=ejbcara.vmk8s.pem \
 --from-file=ejbcara.vmk8s-Key.pem=ejbcara.vmk8s.key \
 --from-file=ejbcara.vmk8s-CA.pem=ManagementCA.cacert.pem
 
 --from-file=ejbcara.issuerca.vmk8s.pem=ejbcara.issuerca.vmk8s.pem \
 --from-file=ejbcara.issuerca.vmk8s-Key.pem=ejbcara.issuerca.vmk8s.key \
 --from-file=ejbcara.issuerca.vmk8s-CA.pem=IssuerCA.cacert.pem \
 
 --from-file=ejbcara.alternate.vmk8s.pem=ejbcara.alternate.vmk8s.pem \
 --from-file=ejbcara.alternate.vmk8s-Key.pem=ejbcara.alternate.vmk8s.key \
 --from-file=ejbcara.alternate.vmk8s-CA.pem=ManagementCA.cacert.pem

nginx:
  enabled: true
  host: "ejbcara.vmk8s"
  mountInternalNginxCert: true
  secretInternalNginxCert: "internal-nginx-credential-secret-ra"

The credentials of host e.g. ejbcara.vmk8s is used as default certificate when no matching domain name is found. This is the case:

• When LoadBalancer IP is directly used for access

• Kubernetes cluster internal access

The credentials of host must include {ejbca-release-name}.{namespace} or equivalent as DNSName in issued certificate to enable cluster internal access with TLS e.g. EJBCA Peer communication.

serviceAnnotations

{}

Annotations to be added to both services i.e. connected to EJBCA and NGINX container for each pod

ingress.enabled

false

If ingress should be created for EJBCA

ingress.className

"nginx"

Ingress class name

ingress.annotations

Ingress annotations

ingress.hosts

[]

Ingress hosts configurations

ingress.tls

[]

Ingress TLS configurations

replicaCount

1

Number of EJBCA replicas.
Note that auto-scaling of RA and VA is not supported.

updateStrategy

Specifies the strategy for replacing old Pods with new ones

image.variant

_ENTERPRISE

Appends the application variant to the image.repository path:

• not set - full EJBCA functionality using ejbca-ee image.

• ra - Registration Authority using ejbca-ee-ra image.

• va - Validation Authority using ejbca-ee-va image.

image.repository

EJBCA image repository

image.tag

Overrides the image tag whose default is the chart appVersion

image.pullPolicy

IfNotPresent

EJBCA image pull policy

imagePullSecrets

[]

EJBCA image pull secrets

nameOverride

""

Overrides the chart name

fullnameOverride

""

Fully overrides generated name

serviceAccount.create

true

Specifies whether a service account should be created

serviceAccount.annotations

{}

Annotations to add to the service account

serviceAccount.name

""

The name of the service account to use. If not set and create is true, a name is generated using the fullname template

podAnnotations

{}

Additional pod annotations

podSecurityContext

{}

Pod security context

securityContext

{}

Container security context

resources

{}

Resource requests and limits

autoscaling.enabled

false

If autoscaling should be used

autoscaling.minReplicas

1

Minimum number of replicas for autoscaling deployment

autoscaling.maxReplicas

5

Maxmimum number of replicas for autoscaling deployment

autoscaling.targetCPUUtilizationPercentage

80

Target CPU utilization for autoscaling deployment

autoscaling.targetMemoryUtilizationPercentage

Target memory utilization for autoscaling deployment

autoscaling.behavior

Scaling behavior

podDisruptionBudget.create

false

If PodDisruptionBudget should be used

podDisruptionBudget.minAvailable

1

Minimum number of pods from that must be available after an eviction.

podDisruptionBudget.maxUnavailable

Maximum number of pods from can be unavailable after am eviction.

nodeSelector

{}

Node labels for pod assignment

tolerations

[]

Toleration for pod assignment

affinity

{}

Affinity for pod assignment

topologySpreadConstraints

[]

Constraints to control how Pods are distributed across the cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains

priorityClassName

Pod priority indicator

schedulerName

Name of scheduler responsible for finding the best Node for newly created Pods

terminationGracePeriodSeconds

Amount of time, in seconds, that a Pod is given to gracefully shut down before it will be terminated forcefully

SMTP_DESTINATION

localhost

Specify the FQDN or IP Address of the SMTP host for EJBCA to send email notifications.

SMTP_DESTINATION_PORT

25

Specify the port number of the SMTP host for EJBCA to send email notifications to the SMTP_DESTINATION host.

SMTP_FROM

no-reply@localhost

Specify the from address for emails sent from this EJBCA instance.

SMTP_TLS_ENABLED

true

Used for Wildfly to connect using TLS to the SMTP server. This only supports public CA certificates.

SMTP_SSL_ENABLED

true

Used for Wildfly to connect using SSL to the SMTP server.

SMTP_USERNAME

ejbca-mail

The username used when authentication is required for SMTP server.

SMTP_PASSWORD

ejbca

The password used to authenticate to the SMTP server. It should be provided as Kubernetes secrets.

OBSERVABLE_BIND

127.0.0.1

The IP address where port 8090 will listen for requests to /health, /health/ready, /health/live and /metrics . Set this to 0.0.0.0 to bind to all container interfaces.

METRICS_ENABLED

false

Set this to "true" to collect metrics and expose them at the /metrics endpoint for scraping.

LOG_LEVEL_APP

INFO

Application log level.

LOG_AUDIT_TO_DB

false

Set this value to true (LOG_AUDIT_TO_DB=true) if the internal EJBCA audit log is needed. Common use of these systems will have a proper logging system in place (which is possibly better than what EJBCA provides) therefore this value is set to false by default (or if unspecified).

LOG_LEVEL_APP_WS_TRANSACTIONS

DEBUG (enabled)

Application log level for WS transaction logging. These log entries are always logged at DEBUG log level. Set this log level to DEBUG or lower to enable and INFO or higher to disable.

LOG_LEVEL_SERVER

INFO

Application server log level for main system.

LOG_LEVEL_SERVER_SUBSYSTEMS

WARN

Application server log level for sub-systems.

LOG_STORAGE_MAX_SIZE_MB

256

Integer: Maximum total size of log files (in MB) before being discarded during log rotation. Minimum requirement: 2 (MB)

LOG_STORAGE_LOCATION

Disabled (empty)

String: Path in the Container (directory) where the log will be saved, so it can be mounted to a host directory. The mounted location must be a writable directory. Non-writable directory will cause the Container to fail the startup.

TZ

UTC

TimeZone to use in the container. Since the system TimeZone is used both for logging and currently also for presentation in the UI this improves usability.

APPSERVER_DEPLOYMENT_TIMEOUT

300

This value controls the deployment timeout in seconds for the application server when starting the application. If EJBCA fails to perform early start-up tasks like eager loading of CAs due to the application server timing out, you can adjust this setting. Normally this could also indicate that the resources assigned to the database are insufficient compared to the scale of the PKI.

OCSP_CHECK_SIGN_CERT_VALIDITY

true

When no OCSP signing certificate is not configured and the CA keys are used for signing OCSP requests set this variable to false. If OCSP signing certificates are used then leave this value as the default true.

OCSP_NON_EXISTING_IS_GOOD

false

Respond with 'good' when receiving OCSP requests for non-existing certificates