global:
  storageClass: glusterfs-storage
sde:
  superuserEmail: sde-superuser@acme.com
  superuserPassword: thePasswordForTheDefaultWebSuperUser
  defaultFromEmail: "ACME Corp. <noreply@acme.com>"
  serverEmail: host@acme.com
  defaultOrg: default
  feedbackEmail: sde-feedback@acme.com
  supportEmail: sde-admin@acme.com
Advanced Helm configuration
Advanced settings
The following are examples of advanced optional settings. Please review values.yaml in the
SD Elements Helm Chart for the full list of options and comments. If in doubt, contact support@sdelements.com.
| If you use advanced settings, put them in the values.custom.yaml file as you did with the settings used to deploy SD Elements. |
Configuring an external database
- When using an external database, set the internal database subchart to false and set values for external-database.
- The external database should be PostgreSQL 12.x.
sc-database:
  enabled: false
external-database:
  host: dbhost
  user: dbuser
  password: dbpwd
Enabling OpenShift compatibility
| This configuration is only compatible with SD Elements versions 2022.2 or newer. |
| When enabling OpenShift compatibility, the Helm chart disables incompatible configurations (e.g. PodSecurityContext). |
Pre-requisites:
Configuration:
To enable OpenShift compatibility, add the following configuration to values.custom.yaml:
global:
  openshift:
    enabled: true
web:
  ingressClassName: openshift-default
We recommend using the OpenShift Container Platform Ingress Operator. The default IngressClassName is openshift-default; this value may differ in your environment.
Common customizations
| Parameter | Comments | Default |
|  | Sets the default storageclass for all persistent volumes | (unset) |
|  | Set to |  |
|  | Set to |  |
|  | Sets the storageclass for the database data volume, overrides global.storageClass | (unset) |
|  | Sets the size of the database data volume |  |
|  | The default FROM address to send regular email as |  |
|  | The default organization to create SD Elements users under | default |
|  | Set to 'true' to enable JITT (additional license required) |  |
|  | E-mail address to which user feedback will be sent |  |
|  | Set your site hostname |  |
|  | The email address that error messages come from |  |
|  | E-mail address to direct in-app support requests to |  |
|  | The user session inactivity timeout (seconds) |  |
|  | The default admin user email address |  |
|  | Adjust the SD Elements application logging level |  |
|  | Adjust the log level of the admin email process |  |
|  | Adjust the wsgi/apache process logging level |  |
Jobs
Asynchronous jobs are defined in values.yaml. You can remove default jobs and add new custom jobs.
The jobs must be included under the specifications section and in map format.
The following are examples of custom jobs added under specifications:
job:
  specifications:
    custom_job:
      schedule: "01 1 * * *"
      niceness: 15
      command: ["/bin/sde.sh"]
      args:
        - "custom_management_command"
      failedJobsHistoryLimit: 1
      successfulJobsHistoryLimit: 1
      concurrencyPolicy: Forbid
      restartPolicy: OnFailure
      volumeWritePermission: false
      env:
        - name: ENV_VAR_NAME
          value: ENV_VAR_VALUE
      resources:
        requests:
          cpu: 1
          memory: 1024Mi
        limits:
          cpu: 2
          memory: 2048Mi
Shared Object Storage
SD Elements makes use of Shared Object Storage via AWS S3 or an S3 compatible API object storage for sharing files between SD Elements microservices.
Requirements
- An existing S3 bucket
- An AWS IAM service account that has read/write access to the S3 bucket
- The Access Key and Secret Key for the IAM service account
See Amazon S3: Allows read and write access to objects in an S3 Bucket for details on IAM policy configuration.
If you do not have access to AWS S3, see Alternative Configuration below for details.
S3 configuration
SD Elements can be configured to use S3 by modifying the following section in your values.yaml overlay:
global:
  sharedStorage:
    bucketName: my-s3-bucket-name
    s3Url: https://s3.us-east-1.amazonaws.com
    s3AccessKey: AwsServiceAccountAccessKey
    s3SecretKey: AwsServiceAccountSecretKey
| s3Url must be formatted as an Amazon S3 path-style URL |
You may wish to set up an IAM policy to restrict the service account to the specific S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::my-s3-bucket-name",
        "arn:aws:s3:::my-s3-bucket-name/*"
      ]
    }
  ]
}
Alternative S3 configuration
If you are deploying in an environment without AWS S3 object storage, an alternative option is to enable the
MinIO subchart within SD Elements which provides an S3 compatible API service as a replacement. In order to use
MinIO, you should configure both the global.sharedStorage and minio sections in your values.yaml overlay and
ensure certain properties match.
| MinIO bucket naming conventions are the same as those of Amazon S3. See Amazon S3 bucket naming rules for more information. |
global:
  sharedStorage:
    bucketName: my-bucket-name        # If using MinIO, ensure value matches a bucket in `minio` section
    s3Url: http://{namespace}-minio:9000
    s3AccessKey: AccessKeyGoesHere    # If using MinIO, ensure value matches `accessKey` in `minio` section
    s3SecretKey: SecretKeyGoesHere    # If using MinIO, ensure value matches `secretKey` in `minio` section
minio:
  enabled: true
  rootUser: admin
  rootPassword: Password
  persistence:
    storageClass: myStorageclassName
  tls:
    enabled: false
  buckets:
    - name: my-bucket-name            # should match global.sharedStorage.bucketName
      policy: none
      purge: false
  users:
    - accessKey: AccessKeyGoesHere    # should match global.sharedStorage.s3AccessKey
      secretKey: SecretKeyGoesHere    # should match global.sharedStorage.s3SecretKey
      policy: readwrite
  imagePullSecrets:
    - name: "security-compass-secret"
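The matching requirements between global.sharedStorage and minio, and the path-style rule for s3Url, can be checked before deploying. The following is an added example, not part of the SD Elements chart or its documentation; the function name, the sample overlay, the `sde` namespace in the sample URL and the expectation that the matching user has the readwrite policy are assumptions based on the example values on this page.

```python
# Added example; check_shared_storage and SAMPLE are illustrative names.
from urllib.parse import urlparse

# Constructed sample: the MinIO overlay from this page as a parsed mapping
# (the namespace "sde" in the URL is an assumption).
SAMPLE = {
    "global": {"sharedStorage": {
        "bucketName": "my-bucket-name",
        "s3Url": "http://sde-minio:9000",
        "s3AccessKey": "AccessKeyGoesHere",
        "s3SecretKey": "SecretKeyGoesHere"}},
    "minio": {
        "enabled": True,
        "buckets": [{"name": "my-bucket-name", "policy": "none"}],
        "users": [{"accessKey": "AccessKeyGoesHere",
                   "secretKey": "SecretKeyGoesHere", "policy": "readwrite"}]},
}


def check_shared_storage(values):
    """Return a list of problems in a parsed values overlay (empty means OK)."""
    problems = []
    shared = values.get("global", {}).get("sharedStorage", {})
    for key in ("bucketName", "s3Url", "s3AccessKey", "s3SecretKey"):
        if not shared.get(key):
            problems.append(f"global.sharedStorage.{key} is not set")
    bucket = shared.get("bucketName")
    host = urlparse(shared.get("s3Url") or "").hostname or ""
    # Path-style URLs carry the bucket in the path, never in the hostname.
    if bucket and host.startswith(f"{bucket}."):
        problems.append("s3Url is virtual-hosted style; use a path-style URL")
    minio = values.get("minio", {})
    if not minio.get("enabled"):
        return problems  # external S3: nothing to cross-check
    if bucket not in [b.get("name") for b in minio.get("buckets", [])]:
        problems.append(f"bucket {bucket!r} is not defined under minio.buckets")
    users = {u.get("accessKey"): u for u in minio.get("users", [])}
    user = users.get(shared.get("s3AccessKey"))
    if user is None:
        problems.append("s3AccessKey matches no minio.users[].accessKey")
    elif user.get("secretKey") != shared.get("s3SecretKey"):
        problems.append("s3SecretKey differs from the matching minio user")
    elif user.get("policy") != "readwrite":  # assumption: page's example policy
        problems.append("matching minio user lacks the readwrite policy")
    return problems


if __name__ == "__main__":
    for problem in check_shared_storage(SAMPLE) or ["overlay is consistent"]:
        print(problem)
```

To check a real overlay, parse values.custom.yaml with a YAML loader (for example PyYAML's `yaml.safe_load`) and pass the resulting mapping to the function.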