kibana

Helm chart
Default values
# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters

## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname template with a string (will prepend the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname template with a string
##
fullnameOverride: ""
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param extraDeploy A list of extra kubernetes resources to be deployed
##
extraDeploy: []
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param usePasswordFiles Mount credentials as files instead of using environment variables
##
usePasswordFiles: true
## Enable diagnostic mode in the deployment(s)/statefulset(s)
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment(s)/statefulset(s)
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment(s)/statefulset(s)
  ##
  args:
    - infinity
## @section Kibana parameters

## Iamguarded Kibana image version
## ref: https://hub.docker.com/r/iamguarded/kibana/tags/
## @param image.registry [default: REGISTRY_NAME] Kibana image registry
## @param image.repository [default: REPOSITORY_NAME/kibana] Kibana image repository
## @skip image.tag Kibana image tag (immutable tags are recommended)
## @param image.digest Kibana image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
## @param image.pullPolicy Kibana image pull policy
## @param image.pullSecrets Specify docker-registry secret names as an array
## @param image.debug Enable %%MAIN_CONTAINER%% image debug mode
##
image:
  registry: cgr.dev
  repository: chainguard-private/kibana-iamguarded
  tag: 9.3.1
  digest: ""
  ## Specify an imagePullPolicy
  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Example:
  ## pullSecrets:
  ##   - myRegistryKeySecretName
  ##
  pullSecrets: []
  ## Enable debug mode
  ##
  debug: false
## @param replicaCount Number of replicas of the Kibana Pod
##
replicaCount: 1
## @param updateStrategy.type Set up update strategy for Kibana installation.
## Set to Recreate if you use a persistent volume that cannot be mounted by more than one pod, to make sure the pods are destroyed first.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
## Example:
## updateStrategy:
##   type: RollingUpdate
##   rollingUpdate:
##     maxSurge: 25%
##     maxUnavailable: 25%
##
updateStrategy:
  type: RollingUpdate
## @param revisionHistoryLimit Number of old replicasets to retain
##
revisionHistoryLimit: 10
## @param schedulerName Alternative scheduler
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
schedulerName: ""
## @param priorityClassName %%MAIN_CONTAINER_NAME%% pods' priorityClassName
##
priorityClassName: ""
## @param terminationGracePeriodSeconds In seconds, time given to the %%MAIN_CONTAINER_NAME%% pod to terminate gracefully
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
##
terminationGracePeriodSeconds: ""
## @param topologySpreadConstraints Topology Spread Constraints for pod assignment
## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
## The value is evaluated as a template
##
topologySpreadConstraints: []
## @param automountServiceAccountToken Mount Service Account token in pod
##
automountServiceAccountToken: false
## @param hostAliases Add deployment host aliases
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
##
hostAliases: []
## @param plugins Array containing the Kibana plugins to be installed in deployment
## eg:
## plugins:
##   - https://github.com/fbaligand/kibana-enhanced-table/releases/download/v1.5.0/enhanced-table-1.5.0_7.3.2.zip
##
plugins: []
## Saved objects to import (NDJSON format)
##
savedObjects:
  ## @param savedObjects.urls Array containing links to NDJSON files to be imported during Kibana initialization
  ## e.g:
  ## urls:
  ##   - www.example.com/dashboard.ndjson
  ##
  urls: []
  ## @param savedObjects.configmap Configmap containing NDJSON files to be imported during Kibana initialization (evaluated as a template)
  ##
  configmap: ""
  ## @param savedObjects.overwrite Overwrite saved objects
  overwrite: false
##
## @param extraConfiguration Extra settings to be added to the default kibana.yml configmap that the chart creates (unless replaced using `configurationCM`). Evaluated as a template
##
extraConfiguration: {}
## @param configurationCM ConfigMap containing a kibana.yml file that will replace the default one specified in configuration.yaml
##
configurationCM: ""
## @param command Override default container command (useful when using custom images)
##
command: []
## @param args Override default container args (useful when using custom images)
##
args: []
## @param lifecycleHooks for the %%MAIN_CONTAINER_NAME%% container(s) to automate configuration before or after startup
##
lifecycleHooks: {}
## @param extraEnvVars Array containing extra env vars to configure Kibana
## For example:
## extraEnvVars:
##   - name: KIBANA_ELASTICSEARCH_URL
##     value: test
##
extraEnvVars: []
## @param extraEnvVarsCM ConfigMap containing extra env vars to configure Kibana
##
extraEnvVarsCM: ""
## @param extraEnvVarsSecret Secret containing extra env vars to configure Kibana (in case of sensitive data)
##
extraEnvVarsSecret: ""
## @param extraVolumes Array to add extra volumes. Requires setting `extraVolumeMounts`
##
extraVolumes: []
## @param extraVolumeMounts Array to add extra mounts. Normally used with `extraVolumes`
##
extraVolumeMounts: []
## Init containers parameters:
## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes volume permissions in the data directory (for cases where the default k8s `runAsUser` and `fsGroup` values do not work)
  ##
  enabled: false
  ## @param volumePermissions.image.registry [default: REGISTRY_NAME] Init container volume-permissions image registry
  ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] Init container volume-permissions image name
  ## @skip volumePermissions.image.tag Init container volume-permissions image tag
  ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy
  ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
  ## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "nano"
  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ## resources:
  ##   requests:
  ##     memory: 128Mi
  ##     cpu: 100m
  resources: {}
## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
##
persistence:
  ## @param persistence.enabled Enable persistence
  ##
  enabled: true
  ## @param persistence.storageClass Kibana data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner. (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  storageClass: ""
  ## @param persistence.existingClaim Provide an existing `PersistentVolumeClaim`
  ##
  existingClaim: ""
  ## @param persistence.accessModes Persistent Volume access modes
  ##
  accessModes:
    - ReadWriteOnce
  ## @param persistence.size Size for the PV
  ##
  size: 10Gi
  ## @param persistence.annotations Persistent Volume Claim annotations
  ##
  annotations: {}
  ## @param persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services
  ##
  subPath: ""
  ## @param persistence.selector Selector to match an existing Persistent Volume for Kibana data PVC
  ## If set, the PVC can't have a PV dynamically provisioned for it
  ## E.g.
  ## selector:
  ##   matchLabels:
  ##     app: my-app
  ##
  selector: {}
  ## @param persistence.dataSource Custom PVC data source
  ##
  dataSource: {}
## Configure extra options for startup probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param startupProbe.enabled Enable/disable the startup probe
## @param startupProbe.initialDelaySeconds Delay before startup probe is initiated
## @param startupProbe.periodSeconds How often to perform the probe
## @param startupProbe.timeoutSeconds When the probe times out
## @param startupProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
## @param startupProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
##
startupProbe:
  enabled: false
  initialDelaySeconds: 120
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1
## Configure extra options for liveness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param livenessProbe.enabled Enable/disable the Liveness probe
## @param livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
## @param livenessProbe.periodSeconds How often to perform the probe
## @param livenessProbe.timeoutSeconds When the probe times out
## @param livenessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
## @param livenessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
##
livenessProbe:
  enabled: true
  initialDelaySeconds: 120
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1
## Configure extra options for readiness probe
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
## @param readinessProbe.enabled Enable/disable the Readiness probe
## @param readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
## @param readinessProbe.periodSeconds How often to perform the probe
## @param readinessProbe.timeoutSeconds When the probe times out
## @param readinessProbe.failureThreshold Minimum consecutive failures for the probe to be considered failed after having succeeded.
## @param readinessProbe.successThreshold Minimum consecutive successes for the probe to be considered successful after having failed.
##
readinessProbe:
  enabled: true
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1
## @param customStartupProbe Custom startup probe for the Web component
##
customStartupProbe: {}
## @param customLivenessProbe Custom liveness probe for the Web component
##
customLivenessProbe: {}
## @param customReadinessProbe Custom readiness probe for the Web component
##
customReadinessProbe: {}
## @param forceInitScripts Force execution of init scripts
##
forceInitScripts: false
## @param initScriptsCM Configmap with init scripts to execute
##
initScriptsCM: ""
## @param initScriptsSecret Secret with init scripts to execute (for sensitive data)
##
initScriptsSecret: ""
## Service configuration
##
service:
  ## @param service.ports.http Kubernetes Service port
  ##
  ports:
    http: 5601
  ## @param service.type Kubernetes Service type
  ##
  type: ClusterIP
  ## @param service.nodePorts.http Specify the nodePort value for the LoadBalancer and NodePort service types
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
  ##
  nodePorts:
    http: ""
  ## @param service.clusterIP %%MAIN_CONTAINER_NAME%% service Cluster IP
  ## e.g.:
  ## clusterIP: None
  ##
  clusterIP: ""
  ## @param service.loadBalancerIP loadBalancerIP if Kibana service type is `LoadBalancer`
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
  ##
  loadBalancerIP: ""
  ## @param service.loadBalancerSourceRanges %%MAIN_CONTAINER_NAME%% service Load Balancer sources
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
  ## e.g:
  ## loadBalancerSourceRanges:
  ##   - 10.10.10.0/24
  ##
  loadBalancerSourceRanges: []
  ## @param service.externalTrafficPolicy Enable client source IP preservation
  ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
  ##
  externalTrafficPolicy: Cluster
  ## @param service.annotations Annotations for Kibana service (evaluated as a template)
  ## This can be used to set the LoadBalancer service type to internal only.
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
  ##
  annotations: {}
  ## @param service.labels Extra labels for Kibana service
  ##
  labels: {}
  ## @param service.extraPorts Extra ports to expose in the service (normally used with the `sidecar` value)
  ##
  extraPorts: []
  ## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
  ## If "ClientIP", consecutive client requests will be directed to the same Pod
  ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
  ##
  sessionAffinity: None
  ## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
  ## sessionAffinityConfig:
  ##   clientIP:
  ##     timeoutSeconds: 300
  ##
  sessionAffinityConfig: {}
## Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
networkPolicy:
  ## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
  ##
  enabled: true
  ## @param networkPolicy.allowExternal Don't require server label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## server label will have network access to the ports server is listening
  ## on. When true, server will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
  ##   - ports:
  ##       - port: 1234
  ##     from:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  extraIngress: []
  ## @param networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
  ## e.g:
  ## extraEgress:
  ##   - ports:
  ##       - port: 1234
  ##     to:
  ##       - podSelector:
  ##           - matchLabels:
  ##               - role: frontend
  ##       - podSelector:
  ##           - matchExpressions:
  ##               - key: role
  ##                 operator: In
  ##                 values:
  ##                   - frontend
  ##
  extraEgress: []
  ## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
  ## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
## Configure the ingress resource that allows you to access the
## Kibana installation. Set up the URL
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  ## @param ingress.enabled Enable ingress controller resource
  ##
  enabled: false
  ## DEPRECATED: Use ingress.annotations instead of ingress.certManager
  ## certManager: false
  ##

  ## @param ingress.pathType Ingress Path type
  ##
  pathType: ImplementationSpecific
  ## @param ingress.apiVersion Override API Version (automatically detected if not set)
  ##
  apiVersion: ""
  ## @param ingress.hostname Default host for the ingress resource. Evaluated as a template. If specified as "*" no host rule is configured
  ##
  hostname: kibana.local
  ## @param ingress.path The Path to Kibana. You may need to set this to '/*' in order to use this with ALB ingress controllers.
  ##
  path: /
  ## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
  ## For a full list of possible ingress annotations, please see
  ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
  ## Use this parameter to set the required annotations for cert-manager, see
  ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
  ##
  ## e.g:
  ## annotations:
  ##   kubernetes.io/ingress.class: nginx
  ##   cert-manager.io/cluster-issuer: cluster-issuer-name
  ##
  annotations: {}
  ## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter
  ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
  ## You can use the ingress.secrets parameter to create this TLS secret or rely on cert-manager to create it
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record. Evaluated as a template.
  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
  ## extraHosts:
  ## - name: kibana.local
  ##   path: /
  ##
  extraHosts: []
  ## @param ingress.extraPaths Additional arbitrary path/backend objects. Evaluated as a template.
  ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
  ## extraPaths:
  ## - path: /*
  ##   backend:
  ##     serviceName: ssl-redirect
  ##     servicePort: use-annotation
  ##
  extraPaths: []
  ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record. Evaluated as a template.
  ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
  ## extraTls:
  ## - hosts:
  ##     - kibana.local
  ##   secretName: kibana.local-tls
  ##
  extraTls: []
  ## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
  ## key and certificate should start with -----BEGIN CERTIFICATE----- or
  ## -----BEGIN RSA PRIVATE KEY-----
  ##
  ## name should line up with a tlsSecret set further up
  ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
  ##
  ## It is also possible to create and manage the certificates outside of this helm chart
  ## Please see README.md for more information
  ## e.g:
  ## - name: kibana.local-tls
  ##   key:
  ##   certificate:
  ##
  secrets: []
  ## @param ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
  ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
  ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
  ##
  ingressClassName: ""
  ## @param ingress.extraRules The list of additional rules to be added to this ingress record. Evaluated as a template
  ## Useful when looking for additional customization, such as using different backend
  ##
  extraRules: []
## Pods Service Account
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
## @param serviceAccount.create Specifies whether a ServiceAccount should be created
## @param serviceAccount.name Name of the service account to use. If not set and create is true, a name is generated using the fullname template.
## @param serviceAccount.automountServiceAccountToken Automount service account token for the server service account
## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
##
serviceAccount:
  create: true
  name: ""
  automountServiceAccountToken: false
  annotations: {}
## @param containerPorts.http Port to expose at container level
##
containerPorts:
  http: 5601
## Configure Pods Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param podSecurityContext.enabled Enabled %%MAIN_CONTAINER_NAME%% pods' Security Context
## @param podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
## @param podSecurityContext.sysctls Set kernel settings using the sysctl interface
## @param podSecurityContext.supplementalGroups Set filesystem extra groups
## @param podSecurityContext.fsGroup Set %%MAIN_CONTAINER_NAME%% pod's Security Context fsGroup
##
podSecurityContext:
  enabled: true
  fsGroupChangePolicy: Always
  sysctls: []
  supplementalGroups: []
  fsGroup: 1001
## Configure Container Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param containerSecurityContext.enabled Enabled containers' Security Context
## @param containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
## @param containerSecurityContext.runAsUser Set containers' Security Context runAsUser
## @param containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
## @param containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
## @param containerSecurityContext.privileged Set container's Security Context privileged
## @param containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
## @param containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
## @param containerSecurityContext.capabilities.drop List of capabilities to be dropped
## @param containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
##
containerSecurityContext:
  enabled: true
  seLinuxOptions: {}
  runAsUser: 1001
  runAsGroup: 1001
  runAsNonRoot: true
  privileged: false
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
  seccompProfile:
    type: "RuntimeDefault"
## Kibana resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## We usually recommend not to specify default resources and to leave this as a conscious
## choice for the user. This also increases chances charts run on environments with little
## resources, such as Minikube. If you do want to specify resources, uncomment the following
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).
## More information: https://github.com/iamguarded/charts/blob/main/iamguarded/common/templates/_resources.tpl#L15
##
resourcesPreset: "small"
## @param resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
##   requests:
##     cpu: 2
##     memory: 512Mi
##   limits:
##     cpu: 3
##     memory: 1024Mi
##
resources: {}
647
## @param podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
648
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
649
##
650
podAffinityPreset: ""
651
## @param podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
652
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
653
##
654
podAntiAffinityPreset: soft
655
## Node affinity preset
656
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
657
## Allowed values: soft, hard
658
##
659
nodeAffinityPreset:
660
## @param nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
661
##
662
type: ""
663
## @param nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
664
## E.g.
665
## key: "kubernetes.io/e2e-az-name"
666
##
667
key: ""
668
## @param nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
669
## E.g.
670
## values:
671
## - e2e-az1
672
## - e2e-az2
673
##
674
values: []
675
## @param affinity Affinity for pod assignment
676
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
677
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
678
##
679
affinity: {}
680
## @param nodeSelector Node labels for pod assignment
681
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
682
##
683
nodeSelector: {}
684
## @param tolerations Tolerations for pod assignment
685
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
686
##
687
tolerations: []
688
## @param podAnnotations Pod annotations
689
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
690
##
691
podAnnotations: {}
692
## @param podLabels Extra labels to add to Pod
693
##
694
podLabels: {}
695
## @param sidecars Attach additional containers to the pod
## e.g.
## - name: your-image-name
##   image: your-image
##   imagePullPolicy: Always
##   ports:
##     - name: portname
##       containerPort: 1234
##
sidecars: []
## @param initContainers Add additional init containers to the pod
## e.g.
## - name: your-image-name
##   image: your-image
##   imagePullPolicy: Always
##   ports:
##     - name: portname
##       containerPort: 1234
##
initContainers: []
## Pod Disruption Budget configuration
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
## @param pdb.create Enable/disable a Pod Disruption Budget creation
## @param pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
## @param pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `pdb.minAvailable` and `pdb.maxUnavailable` are empty.
##
pdb:
  create: true
  minAvailable: ""
  maxUnavailable: ""
## @param configuration [object] Kibana configuration
##
configuration:
  server:
    basePath: ""
    host: "0.0.0.0"
    publicBaseUrl: ""
    rewriteBasePath: false
## Prometheus metrics (requires the kibana-prometheus-exporter plugin)
##
metrics:
  ## @param metrics.enabled Start a side-car prometheus exporter
  ##
  enabled: false
  service:
    ## @param metrics.service.annotations [object] Prometheus annotations for the Kibana service
    ##
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "80"
      prometheus.io/path: "_prometheus/metrics"
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled If `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ## e.g:
    ## interval: 10s
    ##
    interval: ""
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ## e.g:
    ## scrapeTimeout: 10s
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.selector Prometheus instance selector labels
    ## ref: https://github.com/iamguarded/charts/tree/main/iamguarded/prometheus-operator#prometheus-configuration
    ## e.g:
    ## selector:
    ##   prometheus: my-prometheus
    ##
    # selector:
    #   prometheus: my-prometheus
    selector: {}
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
## @section Kibana server TLS configuration
##
tls:
  ## @param tls.enabled Enable SSL/TLS encryption for Kibana server (HTTPS)
  ##
  enabled: false
  ## @param tls.autoGenerated Create self-signed TLS certificates. Currently only supports PEM certificates.
  ##
  autoGenerated: false
  ## @param tls.existingSecret Name of the existing secret containing Kibana server certificates
  ##
  existingSecret: ""
  ## @param tls.usePemCerts Use this variable if your secrets contain PEM certificates instead of PKCS12
  ## Note: Ignored when using autoGenerated certs.
  ##
  usePemCerts: false
  ## @param tls.keyPassword Password to access the PEM key when it is password-protected.
  ##
  keyPassword: ""
  ## @param tls.keystorePassword Password to access the PKCS12 keystore when it is password-protected.
  ##
  keystorePassword: ""
  ## @param tls.passwordsSecret Name of an existing secret containing the Keystore or PEM key password
  ##
  passwordsSecret: ""
## @section Elasticsearch parameters
##
elasticsearch:
  ## @param elasticsearch.hosts List of elasticsearch hosts to connect to.
  ## e.g:
  ## hosts:
  ##   - elasticsearch-1
  ##   - elasticsearch-2
  ##
  hosts: []
  ## @param elasticsearch.port Elasticsearch port
  ##
  port: ""
  security:
    auth:
      ## @param elasticsearch.security.auth.enabled Set to 'true' if Elasticsearch has authentication enabled
      ##
      enabled: false
      ## @param elasticsearch.security.auth.kibanaPassword Password of the 'kibana_system' user, used to authenticate Kibana connection with Elasticsearch.
      ##
      kibanaPassword: ""
      ## @param elasticsearch.security.auth.existingSecret Name of the existing secret containing the password for the 'kibana_system' user.
      ##
      existingSecret: ""
      ## @param elasticsearch.security.auth.createSystemUser If enabled, Kibana will use Elasticsearch API to create the 'kibana_system' user at startup.
      ##
      createSystemUser: false
      ## @param elasticsearch.security.auth.elasticsearchPasswordSecret Name of the existing secret containing the password for the 'elastic' user.
      ## Required if createSystemUser=true. The secret must contain the key 'elasticsearch-password'.
      ##
      elasticsearchPasswordSecret: ""
    tls:
      ## @param elasticsearch.security.tls.enabled Set to 'true' if Elasticsearch API uses TLS/SSL (HTTPS)
      ##
      enabled: false
      ## @param elasticsearch.security.tls.verificationMode Verification mode for SSL communications.
      ## Supported values: full, certificate, none.
      ## Ref: https://www.elastic.co/guide/en/kibana/7.x/settings.html#elasticsearch-ssl-verificationmode
      verificationMode: "full"
      ## @param elasticsearch.security.tls.existingSecret Name of the existing secret containing Elasticsearch Truststore or CA certificate. Required unless verificationMode=none
      ##
      existingSecret: ""
      ## @param elasticsearch.security.tls.usePemCerts Set to 'true' to use PEM certificates instead of PKCS12.
      ##
      usePemCerts: false
      ## @param elasticsearch.security.tls.truststorePassword Password to access the PKCS12 truststore in case it is password-protected.
      ##
      truststorePassword: ""
      ## @param elasticsearch.security.tls.passwordsSecret Name of an existing secret containing the Truststore password
      ##
      passwordsSecret: ""
