SignServer Helm Deployment Parameters
This lists configurable parameters for deploying SignServer using Helm. The parameters enable customization of the SignServer Helm deployment, ranging from application configuration to database settings, security keys, and service options.
SignServer Deployment Parameters
Parameter | Default | Description |
---|---|---|
signserver.useEphemeralH2Database | true | If in-memory internal H2 database should be used |
signserver.useH2Persistence | false | If internal H2 database with persistence should be used. Requires existingH2PersistenceClaim to be set |
signserver.existingH2PersistenceClaim | | PersistentVolumeClaim that the internal H2 database can use for data persistence |
signserver.importAppserverKeystore | false | If an existing keystore should be used for TLS configuration when a reverse proxy is not used |
signserver.appserverKeystoreSecret | | Secret containing the keystore for TLS configuration of the SignServer application server |
signserver.importAppserverTruststore | false | If an existing truststore should be used for TLS configuration when a reverse proxy is not used |
signserver.appserverTruststoreSecret | | Secret containing the truststore for TLS configuration of the SignServer application server |
signserver.importWorkerProperties | false | If properties files should be used to configure SignServer |
signserver.workerPropertiesSecret | | Secret containing properties files used for configuring SignServer at startup |
signserver.importKeystores | false | If keystore files should be mounted into the SignServer container |
signserver.keystoresSecret | | Secret containing keystore files that can be used by SignServer workers |
signserver.keystoresMountPath | | Mount path in the SignServer container for the mounted keystore files |
signserver.env | | Environment variables to pass to the container, as a map of name to value |
signserver.envRaw | | Environment variables to pass to the container in Kubernetes YAML format (a list of env entries, which allows valueFrom references to Secrets and ConfigMaps) |
signserver.initContainers | [] | Extra init containers to be added to the deployment |
signserver.sidecarContainers | [] | Extra sidecar containers to be added to the deployment |
signserver.volumes | [] | Extra volumes to be added to the deployment |
signserver.volumeMounts | [] | Extra volume mounts to be added to the deployment |
SignServer Environment Variables
Database Configuration
Parameter | Default | Description |
---|---|---|
signserver.env.DATABASE_JDBC_URL | jdbc:h2:/mnt/persistent/signserverdb;DB_CLOSE_DELAY=-1 | JDBC URL of the database. The default points at the internal H2 database; set it to the URL of the external database when one is used |
signserver.env.DATABASE_USER | signserver | The username part of the credentials to access the database |
signserver.env.DATABASE_PASSWORD | signserver | The password part of the credentials to access the database. The default is only appropriate for the internal H2 database; for an external database, supply the password from a Kubernetes Secret through signserver.envRaw instead of placing it in plain text in signserver.env |
signserver.env.DATABASE_USER_PRIVILEGED | | The username part of the credentials to access the external database if a separate account is used for creating tables and schema changes |
signserver.env.DATABASE_PASSWORD_PRIVILEGED | | The password part of the credentials to access the external database if a separate account is used for creating tables and schema changes |
Logging
Parameter | Default | Description |
---|---|---|
signserver.env.LOG_LEVEL_APP | DEBUG | Application log level. DEBUG is verbose; INFO or WARN is more suitable for production |
signserver.env.LOG_LEVEL_APP_WS_TRANSACTIONS | | Application log level for WS transaction logging |
signserver.env.LOG_LEVEL_SERVER | INFO | Application server log level for the main system |
signserver.env.LOG_LEVEL_SERVER_SUBSYSTEMS | WARN | Application server log level for sub-systems |
signserver.env.LOG_STORAGE_LOCATION | | Path (directory) in the container where the log will be saved, so that it can be mounted to a host directory. The mounted location must be a writable directory |
signserver.env.LOG_STORAGE_MAX_SIZE_MB | 256 | Maximum total size of log files (in MB) before being discarded during log rotation. Minimum requirement: 2 (MB) |
signserver.env.LOG_AUDIT_TO_DB | true | Set this value to true if the internal SignServer audit log is needed |
Miscellaneous
The following lists other variables that provide additional miscellaneous capabilities to the container.
Parameter | Default | Description |
---|---|---|
signserver.env.TZ | | Time zone to use in the container |
signserver.env.APPSERVER_DEPLOYMENT_TIMEOUT | 300 | Deployment timeout in seconds for the application server when starting the application |
signserver.env.JAVA_OPTS_CUSTOM | | Overrides the default JAVA_OPTS set in standalone.conf |
signserver.env.PROXY_AJP_BIND | | Run the container with an AJP proxy port :8009 bound to the IP address in this variable, e.g. PROXY_AJP_BIND=0.0.0.0 |
signserver.env.PROXY_HTTP_BIND | | Run the container with two HTTP back-end proxy ports :8081 and :8082 bound to the IP address in this variable, e.g. PROXY_HTTP_BIND=0.0.0.0. Port 8082 accepts the SSL_CLIENT_CERT HTTP header, so it must only be reachable from the reverse proxy that terminates TLS; any other client able to send that header directly could present an arbitrary client certificate identity |
Service Parameters
Parameter | Default | Description |
---|---|---|
services.directHttp.enabled | true | If the service for communicating directly with the SignServer container should be enabled. With the defaults below this is a NodePort service reachable on every cluster node; disable it when traffic is meant to arrive only through a reverse proxy or ingress |
services.directHttp.type | NodePort | Service type for communicating directly with the SignServer container |
services.directHttp.httpPort | 31080 | HTTP port for communicating directly with the SignServer container |
services.directHttp.httpsPort | 31443 | HTTPS port for communicating directly with the SignServer container |
services.proxyAJP.enabled | false | If service for reverse proxy servers to communicate with SignServer container over AJP should be enabled |
services.proxyAJP.type | ClusterIP | Service type for proxy AJP communication |
services.proxyAJP.bindIP | 0.0.0.0 | IP to bind for proxy AJP communication |
services.proxyAJP.port | 8009 | Service port for proxy AJP communication |
services.proxyHttp.enabled | false | If service for reverse proxy servers to communicate with SignServer container over HTTP should be enabled |
services.proxyHttp.type | ClusterIP | Service type for proxy HTTP communication |
services.proxyHttp.bindIP | 0.0.0.0 | IP to bind for proxy HTTP communication |
services.proxyHttp.httpPort | 8081 | Service port for proxy HTTP communication |
services.proxyHttp.httpsPort | 8082 | Service port for proxy HTTP communication that accepts the SSL_CLIENT_CERT header. Restrict access to this port to the reverse proxy (for example with a NetworkPolicy), since whoever can reach it controls the client certificate SignServer sees |
services.sidecarPorts | [] | Additional ports to expose in sidecar containers |
Ingress Parameters
Parameter | Default | Description |
---|---|---|
ingress.enabled | false | If ingress should be created for SignServer |
ingress.className | "nginx" | Ingress class name |
ingress.annotations | {} | Ingress annotations |
ingress.hosts | [] | Ingress hosts configurations |
ingress.tls | [] | Ingress TLS configurations |
For NGINX ingress documentation, refer to https://docs.nginx.com/nginx-ingress-controller/.
Generic Kubernetes Deployment Parameters
Parameter | Default | Description |
---|---|---|
replicaCount | 1 | Number of SignServer replicas |
image.repository | keyfactor/signserver-ce | SignServer image repository |
image.pullPolicy | IfNotPresent | SignServer image pull policy |
image.tag | "" | Overrides the image tag, whose default is the chart appVersion |
imagePullSecrets | [] | SignServer image pull secrets |
nameOverride | "" | Overrides the chart name |
fullnameOverride | "" | Fully overrides generated name |
serviceAccount.create | true | Specifies whether a service account should be created |
serviceAccount.annotations | {} | Annotations to add to the service account |
serviceAccount.name | "" | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
podAnnotations | {} | Additional pod annotations |
podSecurityContext | {} | Pod security context |
securityContext | {} | Container security context |
resources | {} | Resource requests and limits |
autoscaling.enabled | false | If autoscaling should be used |
autoscaling.minReplicas | 1 | Minimum number of replicas for autoscaling deployment |
autoscaling.maxReplicas | 5 | Maximum number of replicas for the autoscaling deployment |
autoscaling.targetCPUUtilizationPercentage | 80 | Target CPU utilization for autoscaling deployment |
autoscaling.targetMemoryUtilizationPercentage | | Target memory utilization for the autoscaling deployment |
nodeSelector | {} | Node labels for pod assignment |
tolerations | [] | Tolerations for pod assignment |
affinity | {} | Affinity for pod assignment |
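The parameters above are listed individually; the following values file shows how they fit together for a deployment that does not rely on the evaluation defaults: external database, credentials from a Secret via signserver.envRaw, worker configuration and keystores from Secrets, the NodePort service disabled in favour of a ClusterIP proxy service, and a restricted security context. This is an added example, not a file shipped with the chart. The Secret names, the keystore mount path, the database host and the assumption that the image runs as a non-root user (required for runAsNonRoot) are all assumptions; the envRaw list form assumes the chart passes it through as Kubernetes env entries.

```yaml
# values-prod.yaml  (added example; Secret names, host names and paths are assumed)
#
# Secrets assumed to exist in the release namespace, e.g.:
#   kubectl create secret generic signserver-db-credentials \
#       --from-literal=username=signserver --from-literal=password='<strong password>'
#   kubectl create secret generic signserver-worker-properties --from-file=workers.properties
#   kubectl create secret generic signserver-keystores --from-file=signer.p12
# Install with:  helm install signserver <chart> -f values-prod.yaml

replicaCount: 2

signserver:
  # The in-memory H2 database loses all state on restart and is only for evaluation.
  useEphemeralH2Database: false
  useH2Persistence: false

  # Worker definitions and signing keystores come from Secrets instead of
  # being configured by hand after deployment.
  importWorkerProperties: true
  workerPropertiesSecret: signserver-worker-properties
  importKeystores: true
  keystoresSecret: signserver-keystores
  keystoresMountPath: /mnt/keystores      # assumed; must match the paths in the worker properties

  # Only non-secret values belong here: signserver.env is rendered verbatim
  # into the Deployment spec. Quote booleans so YAML does not retype them.
  env:
    DATABASE_JDBC_URL: "jdbc:mariadb://mariadb.database.svc.cluster.local:3306/signserver?characterEncoding=UTF8"
    LOG_LEVEL_APP: INFO
    LOG_AUDIT_TO_DB: "true"
    TZ: UTC

  # Database credentials are read from the Secret with valueFrom, which the
  # plain env map cannot express.
  envRaw:
    - name: DATABASE_USER
      valueFrom:
        secretKeyRef:
          name: signserver-db-credentials
          key: username
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: signserver-db-credentials
          key: password

services:
  # Default (weak): directHttp is a NodePort, so plaintext port 31080 is open
  # on every node. Disabled here; all traffic enters through the reverse proxy.
  directHttp:
    enabled: false
  proxyAJP:
    enabled: false
  # ClusterIP only. Port 8082 trusts the SSL_CLIENT_CERT header, so it must be
  # reachable solely from the TLS-terminating proxy; pair this with a
  # NetworkPolicy that allows ingress to 8081/8082 only from the proxy pods.
  proxyHttp:
    enabled: true
    type: ClusterIP
    bindIP: 0.0.0.0        # assumed to set PROXY_HTTP_BIND inside the container
    httpPort: 8081
    httpsPort: 8082

# Pod-level: refuse to run as root and use the runtime's default seccomp profile.
podSecurityContext:
  runAsNonRoot: true       # assumes the image's default user is non-root
  seccompProfile:
    type: RuntimeDefault

# Container-level: no privilege escalation, no Linux capabilities.
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]

resources:
  requests:
    cpu: 500m
    memory: 1Gi
  limits:
    memory: 2Gi
```

After installing, confirm that the rendered Deployment carries no plaintext password (`kubectl get deployment <release>-signserver -o yaml | grep -i password` should show only the secretKeyRef) and that the only Service of type NodePort left is the one you expect.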