
sigstore-fulcio

Helm chart
Default values
# Namespace the chart's resources target. `create: false` means the chart does
# not create it; presumably `fulcio-system` must already exist — confirm against
# the templates.
namespace:
  create: false
  name: fulcio-system
# Pull secrets for the chart's images. Empty by default, while every image
# default in this file points at a `chainguard-private/*` repository on cgr.dev;
# presumably pulls need credentials supplied here or at the node/service-account
# level — confirm for your cluster.
imagePullSecrets: []
# Optional init container settings; disabled by default.
# NOTE(review): the page listing carried no indentation, so the nesting below is
# reconstructed from key order — confirm against the chart's values.yaml.
init:
  enabled: false
  image:
    curl:
      registry: cgr.dev
      repository: chainguard-private/curl
      # The image is selected by digest alone; the version note below is the only
      # human-readable hint, so bump the note and the digest together.
      # -- 8.17.0
      version: sha256:b794e0553a61c8739b71f2c2e5674ebc8d2b610defdf8aa07874c1d81ac845a9
      imagePullPolicy: IfNotPresent
  # Empty by default; presumably the init container's resource requests/limits.
  containerResources: {}
# Fulcio configuration handed to the chart. `contents` is empty by default, so
# the deployer supplies it. Presumably this carries the server config (e.g. the
# OIDC issuers Fulcio trusts) — if so, review it as trust policy, not as tuning.
config:
  contents: {}
  format: json
# Settings for the Fulcio server workload: image, CA backend, service account,
# probes, Service and Ingress exposure.
# NOTE(review): the page listing carried no indentation, so the nesting below is
# reconstructed from key order — confirm against the chart's values.yaml.
server:
  replicaCount: 1
  name: server
  svcPort: 80
  grpcSvcPort: 5554
  # -- KMS type for signing key (possible values: "" / "none", "aws")
  kmsType: none
  # Name of a Kubernetes Secret; presumably holds the CA key material used with
  # the default `fileca` backend — confirm, and restrict RBAC on it accordingly.
  secret: fulcio-server-secret
  # NOTE(review): IAM credentials kept in a Secret are readable by anything with
  # `get` on Secrets in this namespace; scope RBAC to match.
  # -- kubernetes secret name containing IAM credentials for use with AWS KMS
  awsKmsCredentialsSecretName: aws-kms-credentials
  # -- AWS region if using AWS KMS for signing key
  awsKmsRegion: us-east-1
  logging:
    production: false
  image:
    registry: cgr.dev
    repository: chainguard-private/fulcio
    pullPolicy: IfNotPresent
    # The reference below carries both a tag and a digest; the digest is what
    # pins the image, `latest` is informational only (assuming the templates
    # render it as registry/repository:version).
    # NOTE(review): the command in the next comment names ghcr.io/sigstore/fulcio,
    # not the cgr.dev repository configured above, so it may not reproduce this
    # digest — verify the digest against the registry actually pulled from.
    # crane digest ghcr.io/sigstore/fulcio:v1.8.7
    version: latest@sha256:7d654169cca34054bb342f14c4676dbb3213d9e7d5d096c2cdf314d915d933db
  args:
    port: 5555
    grpcPort: 5554
    # The default is the file-based CA. The KMS/HSM-backed values listed below
    # are the options to evaluate where the signing key must not sit in a file
    # or Secret.
    # Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
    certificateAuthority: fileca
    # kms_resource: gcpkms://....
    # kms_cert_chain: |-
    #   << your PEM encoded cert chain here. Order from active intermediate first to root last >>
    # tink_kms_resource: gcp-kms://...
    # tink_kms_cert_chain: |-
    #   << your PEM encoded Tink cert chain here. Order from active intermediate first to root last >>
    # tink_enc_keyset: |-
    #   << your encrypted Tink keyset >>
    # The next two keys have no value and therefore parse as null; presumably
    # they only matter for the HSM-backed CA types.
    hsm_caroot_id:
    aws_hsm_root_ca_path:
    # Placeholder project/pool path; presumably only read when
    # `certificateAuthority` is `googleca`.
    gcp_private_ca_parent: projects/test/locations/us-east1/caPools/test
    # CT logging is not disabled, but the URL is empty. Presumably the chart
    # derives it from the `ctlog` dependency — confirm that issued certificates
    # actually reach a transparency log in your deployment.
    ct_log_url: ""
    disable_ct_log: false
  serviceAccount:
    create: true
    name: ""
    annotations: {}
    # The Kubernetes API token is mounted into the server pod by default.
    # NOTE(review): set to false if the server does not call the API — confirm.
    mountToken: true
  # -- Liveness probe for the fulcio server container. `httpGet.port` should
  # match `server.args.port`.
  livenessProbe:
    failureThreshold: 3
    httpGet:
      path: /healthz
      port: 5555
      scheme: HTTP
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  # -- Readiness probe for the fulcio server container. `httpGet.port` should
  # match `server.args.port`.
  readinessProbe:
    failureThreshold: 3
    httpGet:
      path: /healthz
      port: 5555
      scheme: HTTP
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  service:
    type: ClusterIP
    ports:
      - name: http
        port: 80
        protocol: TCP
        targetPort: 5555
      - name: grpc
        port: 5554
        protocol: TCP
        targetPort: 5554
      # Presumably the metrics listener; as a ClusterIP port it is reachable from
      # inside the cluster unless a NetworkPolicy restricts it.
      - name: 2112-tcp
        port: 2112
        protocol: TCP
        targetPort: 2112
  ingress:
    # The HTTP ingress is enabled by default with an empty `tls` list and a
    # `.localhost` host: fine for local testing, but set a real host and a TLS
    # secret before exposing the CA endpoint anywhere else.
    http:
      enabled: true
      className: "nginx"
      annotations: {}
      hosts:
        - path: /
          host: "fulcio.localhost"
      tls: []
    # The gRPC ingress is disabled by default; unlike the HTTP one, its defaults
    # already reference a TLS secret.
    grpc:
      enabled: false
      className: ""
      annotations:
        nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
      hosts:
        - host: fulcio.localhost
          path: /dev.sigstore.fulcio.v2.CA
      tls:
        - secretName: fulcio-grpc-ingress-tls
          hosts:
            - fulcio.localhost
  # Additional ingress definitions; the single GCE example is disabled. The
  # SSL policy, security policy and static IP are referenced by name only, so
  # presumably they must already exist in the cloud project.
  ingresses:
    - enabled: false
      grpc: true
      http: true
      name: "gce-ingress"
      className: "gce"
      hosts:
        - path: /
          host: fulcio.localhost
      annotations: {}
      tls: []
      staticGlobalIP: lb-ext-ip
      frontendConfigSpec: # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters
        sslPolicy: fulcio-ssl-policy
        redirectToHttps:
          enabled: true
      backendConfigSpec: # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
        securityPolicy:
          name: fulcio-security-policy
        logging:
          enable: true
        healthCheck:
          port: 5555
          requestPath: "/healthz"
          type: HTTP
  # -- Additional labels to add to the server pod
  podLabels: {}
  # Only non-root execution is set here. Other hardening (read-only root
  # filesystem, no privilege escalation, dropped capabilities) is not visible in
  # these values — check whether the templates add it.
  securityContext:
    runAsNonRoot: true
    runAsUser: 65533
  tolerations: []
  nodeSelector: {}
  affinity: {}
  # Presumably GKE network endpoint group names for the two service ports.
  neg:
    http:
      name: ""
      port: 80
    grpc:
      name: ""
      port: 5554
# Certificate bootstrap workload, enabled by default; presumably a Job, since it
# carries `ttlSecondsAfterFinished`. It likely generates the CA material used by
# the server's file-based CA — confirm, and treat its output Secret as sensitive.
# NOTE(review): the page listing carried no indentation, so the nesting below is
# reconstructed from key order — confirm against the chart's values.yaml.
createcerts:
  enabled: true
  replicaCount: 1
  name: createcerts
  image:
    registry: cgr.dev
    repository: chainguard-private/sigstore-scaffolding-fulcio-createcerts
    pullPolicy: IfNotPresent
    # Tag and digest together: the digest pins the image; the version note below
    # and the `latest` tag are informational, so update note and digest together.
    # v0.7.31
    version: latest@sha256:502a6555fca3da0f5a80ee5034f1bf46967280f6acad058ef760d649216256e7
  ttlSecondsAfterFinished: 3600
  serviceAccount:
    create: true
    name: ""
    annotations: {}
    # The API token is mounted; presumably needed so the workload can write its
    # result to a Secret. Check that the bound Role grants no more than that.
    mountToken: true
  securityContext:
    runAsNonRoot: true
    runAsUser: 65533
  annotations: {}
  podAnnotations: {}
  podLabels: {}
  tolerations: []
  nodeSelector: {}
  affinity: {}
# Configure ctlog dependency
# Enabled by default and placed in its own namespace (`ctlog-system`), which
# this section asks the dependency to create.
# NOTE(review): the page listing carried no indentation, so the nesting below is
# reconstructed from key order — confirm against the chart's values.yaml.
ctlog:
  enabled: true
  name: ctlog
  forceNamespace: ctlog-system
  fullnameOverride: ctlog
  namespace:
    name: ctlog-system
    create: true
  createtree:
    name: ctlog-createtree
    fullnameOverride: ctlog-createtree
  createcerts:
    name: ctlog-createcerts
    fullnameOverride: ctlog-createcerts
  createctconfig:
    # Presumably the log prefix Fulcio submits under; it should agree with the
    # CT log URL the server ends up using — confirm.
    logPrefix: fulcio
# Force namespace of namespaced resources
# Empty by default, i.e. no override is applied at this level.
forceNamespace: ""
