SignServer Helm Deployment Parameters

The following tables list the configurable parameters for deploying SignServer using Helm. The parameters enable customization of the SignServer Helm deployment, ranging from application configuration to database settings, security keys, and service options.

SignServer Deployment Parameters

Parameter	Default	Description
`signserver.allowAny`	`false`	Provides access to AdminWeb. Change to `true` at first deployment for access. Make sure you change the parameter back to `false` for restricted access to not be overwritten.
`signserver.allowedHostnames`		Enable allow listed hosts filter by specifying hosts (and if needed, ports) that should only be allowed when sending HTTP requests to SignServer. If at least one value is added the filter is applied and will deny any HTTP request with a host header value other than those listed, with an HTTP error 403. Depending on the clients or reverse proxy servers, it may be required to also specify entries not only with the hostname but also with `hostname:port`. Example to allow requests from localhost (typically not for production) and from an other hostname: YAML `allowedHostnames: - localhost - localhost:8080 - localhost:8443 - service.example.org`
`signserver.useP11NgAsP11`		If set to true, the PKCS11CryptoToken is backed up by P11NG, meaning all PKCS#11 operations are performed by the P11NGCryptoToken. The default setting reflects the default in the current version of SignServer.
`signserver.useEphemeralH2Database`	`true`	Specifies if in-memory internal H2 database should be used.
`signserver.useH2Persistence`	`false`	Specifies if internal H2 database with persistence should be used. Requires `existingH2PersistenceClaim` to be set.
`signserver.existingH2PersistenceClaim`		Specifies the PersistentVolumeClaim that internal H2 database can use for data persistence.
`signserver.importAppserverKeystore`	`false`	Specifies if TLS configurations should use an existing keystore when reverse proxy is not used.
`signserver.appserverKeystoreSecret`		Specifies the secret-containing keystore for TLS configuration of SignServer application server.
`signserver.importAppserverTruststore`	`false`	Specifies if TLS configurations should use an existing truststore when reverse proxy is not used.
`signserver.appserverTruststoreSecret`		Specifies the secret-containing truststore for TLS configuration of SignServer application server.
`signserver.importWorkerProperties`	`false`	Specifies if properties files should be used to configure SignServer.
`signserver.workerPropertiesSecret`		Specifies the secret-containing properties files used for configuring SignServer at startup.
`signserver.importKeystores`	`false`	Specifies if keystore files should be mounted into the SignServer container.
`signserver.keystoresSecret`		Specifies the secret-containing keystore files that can be used by SignServer workers.
`signserver.keystoresMountPath`		Specifies the mount path in the SignServer container for mounted keystore files.
`signserver.env`		Specifies the environment variables to pass to container.
`signserver.envRaw`		Specifies environment variables to pass to container in Kubernetes YAML format.
`signserver.initContainers`	[]	Specifies extra init containers to be added to the deployment.
`signserver.sidecarContainers`	[]	Specifies extra sidecar containers to be added to the deployment.
`signserver.volumes`	[]	Specifies extra volumes to be added to the deployment.
`signserver.volumeMounts`	[]	Specifies extra volume mounts to be added to the deployment.

SignServer Environment Variables

Database Configuration

Parameter	Default	Description
`signserver.env.DATABASE_JDBC_URL`	`jdbc:h2:/mnt/persistent/signserverdb;DB_CLOSE_DELAY=-1`	JDBC URL to external database
`signserver.env.DATABASE_USER`	`signserver`	Specifies the username part of the credentials to access the external database.
`signserver.env.DATABASE_PASSWORD`	`signserver`	Specifies the password part of the credentials to access the external database.
`signserver.env.DATABASE_USER_PRIVILEGED`		Specifies the username part of the credentials to access the external database if separate account is used for creating tables and schema changes.
`signserver.env.DATABASE_PASSWORD_PRIVILEGED`		Specifies the password part of the credentials to access the external database if using a separate account for creating tables and schema changes.

Logging

For guidance on how to configure log levels, file storage, log shipping, and audit logging, see Logging and Monitoring.

Parameter	Default	Description
`signserver.env.LOG_LEVEL_APP`	`DEBUG`	Application log level.
`signserver.env.LOG_LEVEL_APP_WS_TRANSACTIONS`		Application log level for WS transaction logging.
`signserver.env.LOG_LEVEL_SERVER`	`INFO`	Application server log level for main system.
`signserver.env.LOG_LEVEL_SERVER_SUBSYSTEMS`	`WARN`	Application server log level for sub-systems.
`signserver.env.LOG_STORAGE_LOCATION`		Path in the Container (directory) where the log will be saved, so it can be mounted to a host directory. The mounted location must be a writable directory.
`signserver.env.LOG_STORAGE_MAX_SIZE_MB`	`256`	Maximum total size of log files (in MB) before being discarded during log rotation. Minimum requirement: 2 (MB)
`signserver.env.LOG_AUDIT_TO_DB`	`true`	Set this value to true if the internal SignServer audit log is needed.

OIDC

Parameter	Description
`signserver.env.OIDC_CLIENTID`	Specifies the client ID of the OIDC application registered with your identity provider.
`signserver.env.OIDC_CLIENTSECRET`	The client secret used together with the client ID to authenticate SignServer against the OIDC provider. Store it securely and define it in `envRaw` using `secretKeyRef` so it is not stored directly in the values file.
`signserver.env.OIDC_PROVIDERURI`	The base URI of the OIDC provider.
`signserver.env.OIDC_PROVIDERLOGOUTURI`	The logout endpoint of the OIDC provider.
`signserver.env.OIDC_LOGOUTURI`	The URI users are returned to after logout is completed. This should point to a valid SignServer page or external landing page.
`signserver.env.OIDC_REDIRECTURI`	The URI the OIDC provider redirects the user back to after successful authentication. It must match one of the allowed redirect URIs configured in the OIDC provider.
`signserver.env.OIDC_LOGINURI`	The application callback URI used to process the OIDC login response.
`signserver.env.OIDC_CALLERGROUPSCLAIM`	The claim name in the OIDC token that contains the user's group or role membership. SignServer uses this to map access permissions.
`signserver.env.OIDC_AUDIENCE`	The expected audience value for the issued token. It is typically set to the client ID or API identifier configured in the OIDC provider.

Miscellaneous

The following lists other variables that provide additional capabilities to the container:

Parameter	Default	Description
`signserver.env.TZ`		Specifies the TimeZone to use in the container.
`signserver.env.APPSERVER_DEPLOYMENT_TIMEOUT`	`300`	This value controls the deployment timeout in seconds for the application server when starting the application.
`signserver.env.JAVA_OPTS_CUSTOM`		Allows you to override the default JAVA_OPTS that are set in the standalone.conf.
`signserver.env.PROXY_AJP_BIND`		Run container with an AJP proxy port :8009 bound to the IP address in this variable. Example: `PROXY_AJP_BIND=0.0.0.0`
`signserver.env.PROXY_HTTP_BIND`		Run container with two HTTP back-end proxy ports :8081 and :8082 configured bound to the IP address in this variable. Port 8082 accepts the `SSL_CLIENT_CERT HTTP` header. Example: `PROXY_HTTP_BIND=0.0.0.0`

Service Parameters

Parameter	Default	Description
`services.directHttp.enabled`	`true`	Enables the service for communicating directly with SignServer container.
`services.directHttp.type`	`NodePort`	Specifies the service type for communicating directly with SignServer container.
`services.directHttp.httpPort`	`31080`	Specifies the HTTP port for communicating directly with SignServer container.
`services.directHttp.httpsPort`	`31443`	Specifies the HTTPS port for communicating directly with SignServer container.
`services.proxyAJP.enabled`	`false`	Enables the service for reverse proxy servers to communicate with SignServer container over AJP.
`services.proxyAJP.type`	`ClusterIP`	Specifies the service type for proxy AJP communication.
`services.proxyAJP.bindIP`	`0.0.0.0`	Specifies the IP to bind for proxy AJP communication.
`services.proxyAJP.port`	`8009`	Specifies the service port for proxy AJP communication.
`services.proxyHttp.enabled`	`false`	Enables the service for reverse proxy servers to communicate with SignServer container over HTTP.
`services.proxyHttp.type`	`ClusterIP`	Specifies the service type for proxy HTTP communication.
`services.proxyHttp.bindIP`	`0.0.0.0`	Specifies the IP to bind for proxy HTTP communication.
`services.proxyHttp.httpPort`	`8081`	Specifies the service port for proxy HTTP communication.
`services.proxyHttp.httpsPort`	`8082`	Specifies the service port for proxy HTTP communication that accepts SSL_CLIENT_CERT header.
`services.sidecarPorts`	`[]`	Specifies additional ports to expose in sidecar containers.

NGINX Reverse Proxy Parameters

NGINX reverse proxy runs as a sidecar, and the associated service may be used as LoadBalancer to allow cluster external access.

Parameter	Default	Description
`nginx.enabled`	`false`	If the built-in NGINX reverse proxy should be deployed.
`nginx.image`	`nginx:1.27.1`	NGINX container image.
`nginx.host`	`signserverhost`	Hostname used by the NGINX reverse proxy configuration.
`nginx.service.type`	`LoadBalancer`	Kubernetes Service type for exposing NGINX.
`nginx.service.bindIP`	`0.0.0.0`	Bind IP used by the NGINX service configuration.
`nginx.initializeWithSelfSignedTls`	`false`	If NGINX should generate a temporary self-signed TLS certificate at startup.
`nginx.mountInternalNginxCert`	`false`	If an existing Kubernetes secret should be mounted as the NGINX TLS certificate.
`nginx.secretInternalNginxCert`	`managementca-secret`	Kubernetes secret containing the NGINX TLS certificate and private key.
`nginx.service.httpPort`	`80`	HTTP port exposed by the NGINX service.
`nginx.service.httpsPort`	`443`	HTTPS port exposed by the NGINX service.
`nginx.loadBalancerAccess.enableStickySessionClientIp`	`false`	Enable client IP-based sticky sessions when using a load balancer.
`nginx.loadBalancerAccess.enableReplicaSpecificAccess`	`false`	Create a load balancer service for each pod when using multiple replicas.
`nginx.additionalHosts`		List of server names or domains which will be added as server blocks in config file. Relevant when LoadBalancer service is used.

Common Parameters to Reverse Proxy and Service

Parameter	Default	Description
`serviceAnnotations`	`{}`	Annotations to be added to both services, such as connected to SignServer and reverse proxy container for each pod.

Ingress Parameters

Ingress NGINX is no longer recommended. Ingress configuration parameters remain available for backward compatibility, but new deployments should use an actively maintained alternative, such as an NGINX reverse proxy. See Ingress NGINX Retirement: What You Need to Know.

Parameter	Default	Description
`ingress.enabled`	`false`	Enables ingress creation for SignServer.
`ingress.className`	`"nginx"`	Specifies ingress class name.
`ingress.annotations`		Specifies ingress annotations.
`ingress.hosts`	`[]`	Specifies ingress hosts configurations.
`ingress.tls`	`[]`	Specifies ingress TLS configurations.

Generic Kubernetes Deployment Parameters

For guidance on configuring health check probes, see Logging and Monitoring.

Parameter	Default	Description
`replicaCount`	`1`	Specifies the number of SignServer replicas.
`image.repository`	`keyfactor/signserver-ce`	Specifies the SignServer image repository.
`image.pullPolicy`	`IfNotPresent`	Specifies the SignServer image pull policy.
`image.tag`		Overrides the image tag whose default is the chart appVersion.
`imagePullSecrets`	[]	Specifies the SignServer image pull secrets.
`nameOverride`	""	Overrides the chart name.
`fullnameOverride`	""	Fully overrides the generated name.
`probes.signserver.startup`	`initialDelaySeconds: 20, periodSeconds: 10, timeoutSeconds:1, failureThreshold: 30`	Overrides the default configuration of the startup probe (initialDelaySeconds, periodSeconds, etc.)
`probes.signserver.liveness`	`initialDelaySeconds: 5, periodSeconds: 10, timeoutSeconds:1, failureThreshold: 3`	Overrides the default configuration of the liveness probe (initialDelaySeconds, periodSeconds, etc.)
`probes.signserver.readiness`	`initialDelaySeconds: 5, periodSeconds: 10, timeoutSeconds:1, failureThreshold: 3`	Overrides the default configuration of the readiness probe (initialDelaySeconds, periodSeconds, etc.)
`serviceAccount.create`	`true`	Specifies whether a service account should be created.
`serviceAccount.annotations`	{}	Specifies the annotations to add to the service account.
`serviceAccount.name`	""	Specifies the name of the service account to use. If not set and `create` is true, a name is generated using the `fullname` template.
`podAnnotations`	{}	Specifies additional pod annotations.
`podSecurityContext`	{}	Specifies the pod security context.
`securityContext`	{}	Specifies the container security context.
`resources`	{}	Specifies resource requests and limits.
`autoscaling.enabled`	`false`	Enables autoscaling.
`autoscaling.minReplicas`	`1`	Specifies the minimum number of replicas for autoscaling deployment.
`autoscaling.maxReplicas`	`5`	Specifies the maximum number of replicas for autoscaling deployment.
`autoscaling.targetCPUUtilizationPercentage`	`80`	Specifies the target CPU utilization for autoscaling deployment.
`autoscaling.targetMemoryUtilizationPercentage`		Specifies the target memory utilization for autoscaling deployment.
`nodeSelector`	{}	Specifies the node labels for pod assignment.
`tolerations`	[]	Specifies the tolerations for pod assignment.
`affinity`	{}	Specifies the affinity for pod assignment.
`configMaps`	[]	List of ConfigMaps to create.
`secrets`	[]	List of Opaque secrets to create. Values are base64 encoded by default. This parameter is for development testing only. Do not use plain text secrets in production.