SignServer Helm Deployment Parameters
The following tables list the configurable parameters for deploying SignServer using Helm. The parameters enable customization of the SignServer Helm deployment, ranging from application configuration to database settings, security keys, and service options.
SignServer Deployment Parameters

| Parameter | Default | Description |
|---|---|---|
| signserver.allowAny | false | Grants access to AdminWeb for any client. Set to true at the first deployment to gain initial access, then make sure you change the parameter back to false, otherwise the restricted access configuration is overridden. |
| signserver.useP11NgAsP11 | | If set to true, the PKCS11CryptoToken is backed by P11NG, meaning all PKCS#11 operations are performed by the P11NGCryptoToken. The default setting reflects the default in the current version of SignServer. |
| signserver.useEphemeralH2Database | true | Specifies if the in-memory internal H2 database should be used. |
| signserver.useH2Persistence | false | Specifies if the internal H2 database with persistence should be used. Requires |
| signserver.existingH2PersistenceClaim | | Specifies the PersistentVolumeClaim that the internal H2 database can use for data persistence. |
| signserver.importAppserverKeystore | false | Specifies if the TLS configuration should use an existing keystore when no reverse proxy is used. |
| signserver.appserverKeystoreSecret | | Specifies the Secret containing the keystore for the TLS configuration of the SignServer application server. |
| signserver.importAppserverTruststore | false | Specifies if the TLS configuration should use an existing truststore when no reverse proxy is used. |
| signserver.appserverTruststoreSecret | | Specifies the Secret containing the truststore for the TLS configuration of the SignServer application server. |
| signserver.importWorkerProperties | false | Specifies if properties files should be used to configure SignServer. |
| signserver.workerPropertiesSecret | | Specifies the Secret containing the properties files used to configure SignServer at startup. |
| signserver.importKeystores | false | Specifies if keystore files should be mounted into the SignServer container. |
| signserver.keystoresSecret | | Specifies the Secret containing the keystore files that can be used by SignServer workers. |
| signserver.keystoresMountPath | | Specifies the mount path in the SignServer container for the mounted keystore files. |
| signserver.env | | Specifies the environment variables to pass to the container. |
| signserver.envRaw | | Specifies environment variables to pass to the container in Kubernetes YAML format. |
| signserver.initContainers | [] | Specifies extra init containers to be added to the deployment. |
| signserver.sidecarContainers | [] | Specifies extra sidecar containers to be added to the deployment. |
| signserver.volumes | [] | Specifies extra volumes to be added to the deployment. |
| signserver.volumeMounts | [] | Specifies extra volume mounts to be added to the deployment. |
SignServer Environment Variables

Database Configuration

| Parameter | Default | Description |
|---|---|---|
| signserver.env.DATABASE_JDBC_URL | jdbc:h2:/mnt/persistent/signserverdb;DB_CLOSE_DELAY=-1 | JDBC URL to the external database. |
| signserver.env.DATABASE_USER | signserver | Specifies the username part of the credentials to access the external database. |
| signserver.env.DATABASE_PASSWORD | signserver | Specifies the password part of the credentials to access the external database. |
| signserver.env.DATABASE_USER_PRIVILEGED | | Specifies the username part of the credentials to access the external database if a separate account is used for creating tables and schema changes. |
| signserver.env.DATABASE_PASSWORD_PRIVILEGED | | Specifies the password part of the credentials to access the external database if a separate account is used for creating tables and schema changes. |
Logging

| Parameter | Default | Description |
|---|---|---|
| signserver.env.LOG_LEVEL_APP | DEBUG | Application log level. |
| signserver.env.LOG_LEVEL_APP_WS_TRANSACTIONS | | Application log level for WS transaction logging. |
| signserver.env.LOG_LEVEL_SERVER | INFO | Application server log level for the main system. |
| signserver.env.LOG_LEVEL_SERVER_SUBSYSTEMS | WARN | Application server log level for sub-systems. |
| signserver.env.LOG_STORAGE_LOCATION | | Path in the container (directory) where the log will be saved, so it can be mounted to a host directory. The mounted location must be a writable directory. |
| signserver.env.LOG_STORAGE_MAX_SIZE_MB | 256 | Maximum total size of log files (in MB) before they are discarded during log rotation. Minimum: 2 MB. |
| signserver.env.LOG_AUDIT_TO_DB | true | Set this value to true if the internal SignServer audit log is needed. |
Miscellaneous

The following table lists other variables that provide additional miscellaneous capabilities to the container.

| Parameter | Default | Description |
|---|---|---|
| signserver.env.TZ | | Specifies the time zone to use in the container. |
| signserver.env.APPSERVER_DEPLOYMENT_TIMEOUT | 300 | Controls the deployment timeout in seconds for the application server when starting the application. |
| signserver.env.JAVA_OPTS_CUSTOM | | Allows you to override the default JAVA_OPTS that are set in standalone.conf. |
| signserver.env.PROXY_AJP_BIND | | Runs the container with an AJP proxy port :8009 bound to the IP address in this variable, e.g. PROXY_AJP_BIND=0.0.0.0 |
| signserver.env.PROXY_HTTP_BIND | | Runs the container with two HTTP back-end proxy ports :8081 and :8082 bound to the IP address in this variable. Port 8082 accepts the SSL_CLIENT_CERT HTTP header, e.g. PROXY_HTTP_BIND=0.0.0.0 |
Service Parameters

| Parameter | Default | Description |
|---|---|---|
| services.directHttp.enabled | true | Enables the service for communicating directly with the SignServer container. |
| services.directHttp.type | NodePort | Specifies the service type for communicating directly with the SignServer container. |
| services.directHttp.httpPort | 31080 | Specifies the HTTP port for communicating directly with the SignServer container. |
| services.directHttp.httpsPort | 31443 | Specifies the HTTPS port for communicating directly with the SignServer container. |
| services.proxyAJP.enabled | false | Enables the service for reverse proxy servers to communicate with the SignServer container over AJP. |
| services.proxyAJP.type | ClusterIP | Specifies the service type for proxy AJP communication. |
| services.proxyAJP.bindIP | 0.0.0.0 | Specifies the IP to bind for proxy AJP communication. |
| services.proxyAJP.port | 8009 | Specifies the service port for proxy AJP communication. |
| services.proxyHttp.enabled | false | Enables the service for reverse proxy servers to communicate with the SignServer container over HTTP. |
| services.proxyHttp.type | ClusterIP | Specifies the service type for proxy HTTP communication. |
| services.proxyHttp.bindIP | 0.0.0.0 | Specifies the IP to bind for proxy HTTP communication. |
| services.proxyHttp.httpPort | 8081 | Specifies the service port for proxy HTTP communication. |
| services.proxyHttp.httpsPort | 8082 | Specifies the service port for proxy HTTP communication that accepts the SSL_CLIENT_CERT header. |
| services.sidecarPorts | [] | Specifies additional ports to expose in sidecar containers. |
Ingress Parameters

| Parameter | Default | Description |
|---|---|---|
| ingress.enabled | false | Enables ingress creation for SignServer. |
| ingress.className | "nginx" | Specifies the ingress class name. |
| ingress.annotations | | Specifies ingress annotations. |
| ingress.hosts | [] | Specifies ingress host configurations. |
| ingress.tls | [] | Specifies ingress TLS configurations. |

For NGINX ingress documentation, refer to https://docs.nginx.com/nginx-ingress-controller/.
Generic Kubernetes Deployment Parameters

| Parameter | Default | Description |
|---|---|---|
| replicaCount | 1 | Specifies the number of SignServer replicas. |
| image.repository | keyfactor/signserver-ce | Specifies the SignServer image repository. |
| image.pullPolicy | IfNotPresent | Specifies the SignServer image pull policy. |
| image.tag | | Overrides the image tag, whose default is the chart appVersion. |
| imagePullSecrets | [] | Specifies the SignServer image pull secrets. |
| nameOverride | "" | Overrides the chart name. |
| fullnameOverride | "" | Fully overrides the generated name. |
| serviceAccount.create | true | Specifies whether a service account should be created. |
| serviceAccount.annotations | {} | Specifies the annotations to add to the service account. |
| serviceAccount.name | "" | Specifies the name of the service account to use. If not set and |
| podAnnotations | {} | Specifies additional pod annotations. |
| podSecurityContext | {} | Specifies the pod security context. |
| securityContext | {} | Specifies the container security context. |
| resources | {} | Specifies resource requests and limits. |
| autoscaling.enabled | false | Enables autoscaling. |
| autoscaling.minReplicas | 1 | Specifies the minimum number of replicas for the autoscaling deployment. |
| autoscaling.maxReplicas | 5 | Specifies the maximum number of replicas for the autoscaling deployment. |
| autoscaling.targetCPUUtilizationPercentage | 80 | Specifies the target CPU utilization for the autoscaling deployment. |
| autoscaling.targetMemoryUtilizationPercentage | | Specifies the target memory utilization for the autoscaling deployment. |
| nodeSelector | {} | Specifies the node labels for pod assignment. |
| tolerations | [] | Specifies the tolerations for pod assignment. |
| affinity | {} | Specifies the affinity for pod assignment. |
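A values file that pulls the security-relevant parameters from the tables above into one hardened override, added here as an example and not taken from the chart's own values.yaml; the Secret names, the JDBC URL and the list shape of signserver.envRaw are assumptions:

```yaml
signserver:
  # Default is false. Set it to true only for the very first deployment to
  # reach AdminWeb, then redeploy with false so the restricted-access setup
  # is not overwritten.
  allowAny: false

  # Replace the ephemeral in-memory H2 database with an external one.
  useEphemeralH2Database: false
  useH2Persistence: false

  # Serve TLS from the application server with a keystore held in a Secret.
  importAppserverKeystore: true
  appserverKeystoreSecret: signserver-tls-keystore   # placeholder Secret name

  env:
    # Constructed placeholder URL; use the JDBC URL of your own database.
    DATABASE_JDBC_URL: "jdbc:mariadb://db.example.internal:3306/signserver"
    LOG_LEVEL_APP: INFO        # chart default DEBUG is too verbose for production
    LOG_AUDIT_TO_DB: "true"    # keep the internal audit log

  # Database credentials come from a Secret instead of replacing the
  # signserver/signserver defaults with other plain-text values
  # (assumes envRaw is a list of Kubernetes container env entries).
  envRaw:
    - name: DATABASE_USER
      valueFrom:
        secretKeyRef:
          name: signserver-db-credentials   # placeholder Secret name
          key: username
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: signserver-db-credentials
          key: password

services:
  # No NodePort straight to the container; traffic enters via the reverse proxy.
  directHttp:
    enabled: false
  # Port 8082 of this service trusts the SSL_CLIENT_CERT header, so only the
  # reverse proxy may be allowed to reach it (for example with a NetworkPolicy).
  proxyHttp:
    enabled: true
    type: ClusterIP

# Chart default is {}; tighten the container security context.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
```

Apply it with `helm upgrade --install` and the `-f` flag pointing at this file, and confirm after the first bootstrap that signserver.allowAny is back to false.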