AIStor Key Manager Helm Chart
The following code block includes the full contents of the AIStor Key Manager Helm Chart default values.yaml
and all accompanying documentation.
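---
# Following annotations/labels are applied to all resources created by the Helm chart
annotations: {}
labels: {}
# Allow to override the namespace for all resources
# namespaceOverride: "test"
# The Helm chart will try to auto-detect OpenShift. If it cannot detect OpenShift
# (i.e. when running helm template), then it will default to false. You can
# override this setting to force OpenShift mode.
# forceOpenShift: true
###
# Root key for AIStor Key Manager
keyManager:
  ###
  # The Key Manager name
  #
  # When the key manager name is not specified, the chart will use the release name
  # as the key manager name.
  # name: mykms
  ###
  # Specify the container image to use.
  # ``image.tag``
  # For example, the following sets the image to the ``quay.io/minio/aistor/minkms`` repo and the RELEASE.2025-03-24T19-33-06Z tag.
  # The container pulls the image if not already present:
  #
  # .. code-block:: yaml
  #
  #   image:
  #     repository: quay.io/minio/aistor/minkms
  #     tag: RELEASE.2025-03-24T19-33-06Z
  #     pullPolicy: IfNotPresent
  #
  # The chart also supports specifying an image based on digest value:
  #
  # .. code-block:: yaml
  #
  #   image:
  #     repository: quay.io/minio/aistor/minkms@sha256
  #     digest: 2ebef198955b802aae9fc2b7789d1d3073e9d1d05c8b70d702aeef7d064a9e56
  #     pullPolicy: IfNotPresent
  #
  # Pinning by digest is the stronger choice for supply-chain integrity: a tag can be
  # re-pointed to different content after the fact, a digest cannot.
  image: {}
  #   repository: quay.io/minio/aistor/minkms
  #   tag: RELEASE.2025-03-24T19-33-06Z
  #   pullPolicy: IfNotPresent
  ###
  #
  # An array of Kubernetes secrets to use for pulling images from a private ``image.repository``.
  # Only one array element is supported at this time.
  # NOTE(review): described as an array but the default is a mapping — confirm the
  # shape the chart template expects before populating it.
  imagePullSecret: {}
  ###
  # The Kubernetes secret name that contains the MinKMS configuration file.
  # The secret is expected to have a key named server-config.yaml that holds the configuration.
  configuration:
    # name: mykms-server-config
    existingSecret: false
  ###
  # HSM (root key) settings for the Key Manager.
  hsm:
    # name: mykms-secret
    existingSecret: false
    #
    # Generate key using the `minkms --soft-hsm` command
    #
    # IMPORTANT: This default value cannot be used and should be replaced
    #
    # The generated value is root key material: keep it out of version control and
    # out of plain-text values files. Prefer supplying it through a pre-created
    # Secret (presumably `existingSecret: true` together with `name` — confirm
    # against the chart template).
    key: "hsm:aes256:????????????????????????????????????????????"
  affinity:
    nodeAffinity: {}
    podAffinity: {}
    podAntiAffinity: {}
  annotations: {}
  ###
  # Configures external certificate settings for the Key Manager.
  certificates:
    # Leave false unless you supply your own server certificate through
    # externalClientCertSecrets (see below).
    disableAutoCert: false
    ###
    # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret holding a TLS private key and public certificate pair.
    #
    # This is used by Key Manager to verify TLS connections from clients using those CAs.
    # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification.
    # See `ObjectStore CRD: ObjectStoreSpec <https://min.io/docs/aistor/kubernetes/upstream/reference/operator-crd.html#objectStoreSpec>`__.
    certConfig: {}
    #   commonName: ...
    #   dnsNames:
    #     - "..."
    #     - "..."
    #   organizationName:
    #     - "..."
    #     - "..."
    ###
    # externalCaCertSecret allows KeyManager pods to verify client certificates signed by a Certificate Authority not in the default pod's trust store.
    #
    # If the ObjectStore uses custom or user-controlled TLS certificates, you *must* provide the CA for those certificates here.
    # externalCaCertSecret:
    #   - name: external-ca-secret-name
    #     type: kubernetes.io/tls
    #   - "..."
    # externalClientCertSecrets is the secret storing the KMS server certificate if `disableAutoCert: true` and you want to provide an externally generated TLS certificate.
    #
    # You must pass the CA used to sign these certificates to clients like the Object Store to allow for TLS validation during connection.
    # externalClientCertSecrets:
    #   - name: keymanager-server-secret
    #     type: kubernetes.io/tls
  ###
  # NOTE(review): the commented values below are a hardened baseline (non-root UID/GID,
  # no privilege escalation, all capabilities dropped, RuntimeDefault seccomp). What the
  # chart applies when these keys are left unset is not visible in this file — verify in
  # the rendered StatefulSet before relying on it.
  # containerSecurityContext:
  #   runAsUser: 1000
  #   runAsGroup: 1000
  #   runAsNonRoot: true
  #   allowPrivilegeEscalation: false
  #   capabilities:
  #     drop:
  #       - ALL
  #   seccompProfile:
  #     type: RuntimeDefault
  # securityContext:
  #   runAsUser: 1000
  #   runAsGroup: 1000
  #   runAsNonRoot: true
  #   fsGroup: 1000
  ###
  # An array of `Initialization Containers <https://kubernetes.io/docs/concepts/workloads/pods/init-containers/>`__ to initialize the Key Manager pods.
  #
  # All initialization containers should be run to completion before the Key Manager pod starts.
  initContainers: []
  # labels: {}
  # serviceAccountName: ""   (the active key is defined further below)
  # nodeSelector: {}
  ###
  # The `PodManagement <https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#pod-management-policy>`__ policy for Key Manager pods.
  # Can be "OrderedReady" or "Parallel"
  podManagementPolicy: Parallel
  ###
  # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods.
  # Refer to the Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/
  priorityClassName: ""
  replicas: 3
  # resources: {}
  # runtimeClassName: ""
  # schedulerName: ""
  ###
  # Service settings. Enabling NodePort exposes the Key Manager on every cluster
  # node; leave the type unset unless clients outside the cluster need to reach it.
  service: {}
  #   annotations: {}
  #   labels: {}
  #   nodePort: 31002
  #   serviceType: NodePort
  #   type: NodePort
  #   serviceExternalTrafficPolicy: Local
  ###
  # The `Kubernetes Service Account <https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/>`__ associated with the Key Manager pods.
  serviceAccountName: ""
  sideCars: {}
  #   containers: []
  #   resources: {}
  #   volumeClaimTemplates: []
  #   volumes: []
  # tolerations: []
  # topologySpreadConstraints: {}
  ###
  # volumeClaimTemplate is used to create a PersistentVolumeClaim for the Key Manager pods.
  # The amount of storage requested is specified in the `resources.requests.storage` field.
  # The default value of '25Mi' should meet the requirements of reasonable production workloads.
  # KeyManager may require more storage in workloads with a large number
  # of enclaves and master keys. You can use the following formula to
  # roughly estimate required storage:
  # ( N_enclaves * 200 ) + ( N_keys * 200 ) + ( 64 * 1024 ) = total number of bytes
  volumeClaimTemplate:
    metadata:
      name: mykms-volume
    spec:
      accessModes:
        - ReadWriteOnce
      resources:
        requests:
          storage: 25Mi
extraResources: []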