Additional settings
This guide describes the various optional settings that can be configured in your values.yaml, along with their default values. The settings in uppercase are the ones that can be configured in the env section of your values.yaml, the others are regular YAML keys at the top level of the file.
API settings
These settings define how the OpsChain API will be exposed on the network. Modifying any of these settings requires a full redeployment of the MintPress application.
OPSCHAIN_API_CERTIFICATE_SECRET_NAME
Default value: none
The Kubernetes TLS secret name containing a custom certificate to be used for the HTTPS listener. When this is set, OPSCHAIN_API_HOST_NAME must also be configured.
OPSCHAIN_API_EXTERNAL_PORT
Default value: 3000
The port that will be exposed for accessing the OpsChain API service.
env.OPSCHAIN_API_HOST_NAME and api.hostName
Default value: opschain-api
The host name that will be configured for the OpsChain API HTTPS listener. This is not required for HTTP access to the API, only for HTTPS access.
These two values must match.
OPSCHAIN_INSECURE_HTTP_PORT_ENABLED
Default value: true
Defines whether the OpsChain Ingress should provide an insecure HTTP port to be used for accessing the OpsChain API.
GUI settings
OPSCHAIN_GUI_BASE_URL
Default value: none
The base URL for the OpsChain GUI (e.g. https://opschain.example.com). It is required to ensure links within external notifications are valid, and the OpsChain API pod will fail to start up if it is not configured.
API/worker database settings
These settings affect how the OpsChain API and worker interact with the database.
OPSCHAIN_API_DATABASE_STATEMENT_TIMEOUT
Default value: 50s (50 seconds)
Configures the database statement_timeout for API requests to the OpsChain API. This means queries to the database will be terminated if this timeout is exceeded.
Set to 0 to disable this feature (meaning queries will not be terminated).
Queries are terminated to prevent overloading the database.
OPSCHAIN_WORKER_DATABASE_STATEMENT_TIMEOUT
Default value: 0 (no timeout)
Configures the database statement_timeout for SQL statements executed within the OpsChain worker. This means queries to the database will be terminated if this timeout is exceeded.
Authentication settings
OPSCHAIN_AUTH_STRATEGY
Default value: ldap
Accepted values: ldap, local
This setting can be updated via system configuration post installation.
Defines which authentication strategy will be used for user authentication. Currently, only one can be active at any given moment.
For the changes to this setting to take effect, the OpsChain API must be restarted.
Users that are authenticated via LDAP will not be able to log in when this variable is set to local, and vice versa.
OPSCHAIN_ENABLE_BASIC_AUTH
Default value: true
Whether to enable basic authentication for the OpsChain API. When this is disabled, the only authentication method available is bearer token authentication.
When basic authentication is used, the username and password for OpsChain are sent in plain text on each request. If the OPSCHAIN_INSECURE_HTTP_PORT_ENABLED setting is also set to true and a client connects via HTTP, their credentials are at greater risk of being compromised.
When this setting is false and OPSCHAIN_TOKEN_ENABLE_COOKIES is true, connect to the OpsChain GUI via HTTPS. Otherwise, your session will end on token expiry and you'll need to log in again.
OPSCHAIN_TOKEN_ACCESS_EXPIRY
Default value: 240
The number of minutes before a bearer access token expires.
OPSCHAIN_TOKEN_ENABLE_COOKIES
Default value: true
Whether to enable cookies for bearer tokens. When this is true, the bearer tokens will be stored in the client's browser cookies and sent with each request to the OpsChain API. When this is false, the bearer tokens will be stored in the client's browser local storage instead.
Secure cookies cannot be stored in the user's browser if the OpsChain GUI is accessed via insecure HTTP. This means that insecure HTTP sessions will end on token expiry and you'll need to log in again.
To avoid this, set this setting to false or connect to the OpsChain GUI via HTTPS.
OPSCHAIN_TOKEN_REFRESH_EXPIRY
Default value: 10080
The number of minutes before a bearer refresh token expires.
Change running settings
apiWorker.replicas
Default value: 1
The number of worker pods that will be deployed to process change and workflow steps.
The number of steps that can be processed by OpsChain is limited to the number of threads per worker multiplied by this value. For example, two workers with five threads per worker can process ten steps concurrently.
apiWorker.terminationGracePeriodSeconds
Default value: 3600
The time, in seconds, given to the worker pods to gracefully shutdown before they are forcefully terminated.
mintModelApi.enabled
Default value: true
Whether to enable the MintModel API deployment.
mintModelApi.replicas
Default value: 10
The number of parallel MintModel-rendering pods. These are the pods responsible for concretising the MintModels into actionable files. Without them, your instance will not be able to generate MintModels.
OPSCHAIN_PARALLEL_CHANGE_WORKER_STEPS
Default value: 10
The number of steps that can be run in parallel for a single change.
This option should not be set to a value greater than the number of threads per worker multiplied by the number of workers.
OPSCHAIN_REPO_FOLDER
Default value: .mintpress
This setting can be updated via system configuration post installation.
Folder in the Git repositories where OpsChain properties and custom Dockerfiles will be imported from when running a change. Can be overridden by projects, environments, assets or on a per-change basis.
OPSCHAIN_SSH_KNOWN_HOSTS_CONFIG_MAP
Default value: none
MintPress uses a bundled SSH known_hosts file to verify the hosts it connects to over SSH. It contains host keys for a number of common source code hosting platforms, including:
- Bitbucket
- GitHub
- GitLab
If you'd like to have support for other platforms, you can create a new config map with the desired contents and update this setting to use your custom config map name instead.
You can use the following command to export the bundled known_hosts file to a YAML file as a template:
kubectl -n ${KUBERNETES_NAMESPACE} get ConfigMap opschain-ssh-known-hosts -o yaml > custom-opschain-ssh-known-hosts.yaml
You can then edit the exported resource, ensure you update the metadata.name field to a different config map name, and then update the file contents under the known_hosts key. Once the resource definition has been updated, use kubectl to create the custom config map:
kubectl -n ${KUBERNETES_NAMESPACE} apply -f custom-opschain-ssh-known-hosts.yaml
Once the custom config map has been created, you can update the OPSCHAIN_SSH_KNOWN_HOSTS_CONFIG_MAP setting to use the custom config map name instead.
OPSCHAIN_THREADS_PER_WORKER
Default value: 5
Minimum value: 2
The number of threads each worker process will run. Note that increasing this number further may actually decrease concurrency due to context switching. We recommend that you consider increasing the number of workers before considering increasing this value.
OPSCHAIN_TRACE
Default value: false
If set to true, additional logging will be generated when changes are run, allowing for more detailed debugging of changes.
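As an added example (not code from the MintPress documentation or product), the script below checks a values.yaml structure against the rules stated in the authentication settings and the change running settings above: the HTTPS host name requirements, the basic auth / insecure HTTP / cookie interplay, and the threads-times-workers capacity bound on OPSCHAIN_PARALLEL_CHANGE_WORKER_STEPS. It assumes the chart keeps the uppercase settings under a top-level env map, and the sample values it checks are constructed.

```python
# Added example, not from the MintPress/OpsChain documentation: lint a values.yaml
# structure against the rules this page documents. Assumption: the chart keeps the
# uppercase settings under a top-level "env" map and the rest as nested keys.
def _flag(env, key, default):
    """Read a boolean setting; in values.yaml these are often the strings "true"/"false"."""
    return str(env.get(key, default)).lower() == "true"

def lint_values(values):
    """Return the documented rules the given values break (an empty list means clean)."""
    env = values.get("env", {})
    findings = []
    # Page defaults apply whenever a key is absent from values.yaml.
    basic_auth = _flag(env, "OPSCHAIN_ENABLE_BASIC_AUTH", True)
    insecure_http = _flag(env, "OPSCHAIN_INSECURE_HTTP_PORT_ENABLED", True)
    cookies = _flag(env, "OPSCHAIN_TOKEN_ENABLE_COOKIES", True)
    threads = int(env.get("OPSCHAIN_THREADS_PER_WORKER", 5))
    replicas = int(values.get("apiWorker", {}).get("replicas", 1))
    parallel = int(env.get("OPSCHAIN_PARALLEL_CHANGE_WORKER_STEPS", 10))
    # HTTPS listener: a custom TLS secret needs a host name, and both host name keys must agree.
    if env.get("OPSCHAIN_API_CERTIFICATE_SECRET_NAME") and "OPSCHAIN_API_HOST_NAME" not in env:
        findings.append("OPSCHAIN_API_CERTIFICATE_SECRET_NAME is set without OPSCHAIN_API_HOST_NAME")
    if env.get("OPSCHAIN_API_HOST_NAME", "opschain-api") != values.get("api", {}).get("hostName", "opschain-api"):
        findings.append("env.OPSCHAIN_API_HOST_NAME and api.hostName must match")
    if not env.get("OPSCHAIN_GUI_BASE_URL"):
        findings.append("OPSCHAIN_GUI_BASE_URL is unset: the API pod will fail to start")
    # Credential exposure: basic auth sends the password on every request, readable if sent over HTTP.
    if basic_auth and insecure_http:
        findings.append("basic auth with the insecure HTTP port enabled: credentials travel in plain text")
    if cookies and insecure_http:
        findings.append("token cookies are not stored over HTTP: GUI sessions end at token expiry")
    # Worker concurrency: capacity is threads per worker times workers; one change may not exceed it.
    if threads < 2:
        findings.append("OPSCHAIN_THREADS_PER_WORKER must be at least 2")
    if parallel > threads * replicas:
        findings.append(f"OPSCHAIN_PARALLEL_CHANGE_WORKER_STEPS={parallel} exceeds capacity {threads * replicas}")
    return findings

# Constructed samples: the first keeps the page defaults plus a TLS secret, the second is hardened.
WEAK_VALUES = {"env": {"OPSCHAIN_API_CERTIFICATE_SECRET_NAME": "opschain-api-tls"}}
HARDENED_VALUES = {
    "env": {
        "OPSCHAIN_API_CERTIFICATE_SECRET_NAME": "opschain-api-tls",
        "OPSCHAIN_API_HOST_NAME": "opschain.example.com",
        "OPSCHAIN_GUI_BASE_URL": "https://opschain.example.com",
        "OPSCHAIN_INSECURE_HTTP_PORT_ENABLED": "false",
        "OPSCHAIN_ENABLE_BASIC_AUTH": "false",
    },
    "api": {"hostName": "opschain.example.com"},
    "apiWorker": {"replicas": 2},
}
```

Running lint_values(WEAK_VALUES) reports five findings, including that the default OPSCHAIN_PARALLEL_CHANGE_WORKER_STEPS of 10 exceeds the default capacity of one worker with five threads, while lint_values(HARDENED_VALUES) returns an empty list.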
Image building settings
These settings define how MintPress will build the Docker images for running changes.
buildService.env
Default value: none
Environment variables to be set for the image build container.
buildService.rootless
Default value: true
Whether to use the BuildKit rootless mode for the image build container. Using rootless mode provides a more secure and isolated environment at the cost of build performance.
If you are using a kernel version older than 5.11, you'll also need to enable the fuseDevicePlugin.enabled setting.
You can check your kernel version by running the following command:
uname -a
buildService.volume.size
Default value: 50Gi
Volume claim size for the image build container cache.
fuseDevicePlugin.enabled
Default value: false
Whether to enable the FUSE device plugin used by the image build container. This is required for rootless mode to work on kernels older than 5.11. This will only have an effect if buildService.rootless is set to true.
This will add a daemonset to the cluster. If the build service is stuck in a Pending state during an upgrade, delete the pod for the fuse-device-plugin and it will recover properly.
fuseDevicePlugin.version
Default value: 0.1.0
The image tag of the FUSE device plugin to use.
Image registry settings
External image registry settings
OPSCHAIN_DOCKER_USER
Default value: none
Docker Hub username to be used for accessing the OpsChain images on the external image registry.
OPSCHAIN_DOCKER_PASSWORD
Default value: none
Docker Hub password/token to be used for accessing the OpsChain images on the external image registry.
Internal image registry settings
OPSCHAIN_IMAGE_REGISTRY_HOST
Default value: opschain-image-registry.local.gd
Internally used host name that needs to resolve to the Kubernetes node, but must be different from the API host name. On the MintPress host server, ensure you add a DNS entry for the internal image registry host name to your hosts file to allow MintPress to access the image registry, for example:
echo "127.0.0.1 opschain-image-registry.local.gd" >> /etc/hosts
trow.env
Default value: none
Environment variables to be set for the internal image registry.
Ingress settings
OPSCHAIN_INGRESS_TLS_PORT
Default value: 3443
Ingress service port defined in the Kong controller. Used by the internal image registry and for HTTPS access to the API, GUI and the OpsChain secret vault. This should match the value in the global.ingressTlsPort setting.
Kubernetes deployment settings
OPSCHAIN_KUBERNETES_NAMESPACE
Default value: mintpress
The Kubernetes namespace where MintPress will be deployed.
OPSCHAIN_RUNNER_NODE_SELECTOR
Default value: {}
This setting can be updated via system configuration post installation.
Kubernetes nodeSelector value that will be used to select the Kubernetes node where step runner pods will be deployed. Must be specified as a JSON string.
Use the default value unless running on a multi-node cluster.
LDAP/AD settings
OpsChain provides an LDAP server for authentication out-of-the-box. If you'd prefer to use your own LDAP server, follow the OpsChain LDAP guide to alter these settings. All the default values shown below refer to the out-of-the-box LDAP server that OpsChain provides.
All these settings can be updated via system configuration post installation.
OPSCHAIN_LDAP_ADMIN
Default value: cn=admin,dc=opschain,dc=io
LDAP/AD administrator DN to connect to.
Note: As OpsChain does not write to the LDAP database, this only needs to be a DN with permission to search all users and groups.
OPSCHAIN_LDAP_BASE_DN
Default value: dc=opschain,dc=io
LDAP/AD base DN value.
OPSCHAIN_LDAP_CACHE_TTL
Default value: 0
The time to live for the LDAP group membership cache in seconds. When set to 0, the cache will be disabled.
OPSCHAIN_LDAP_DOMAIN
Default value: opschain.io
LDAP/AD domain.
OPSCHAIN_LDAP_ENABLE_SSL
Default value: false
Whether to enable SSL for the LDAP connection.
OPSCHAIN_LDAP_GROUP_ATTRIBUTE
Default value: member
LDAP/AD group attribute containing OpsChain user DNs.
OPSCHAIN_LDAP_GROUP_BASE
Default value: ou=groups,dc=opschain,dc=io
LDAP/AD base DN to search for groups.
OPSCHAIN_LDAP_GROUPS_FILTER
Default value: (objectClass=groupOfNames)
LDAP/AD filter to use when searching for groups.
OPSCHAIN_LDAP_HC_USER
Default value: healthcheck
To verify the LDAP server is available, OpsChain performs a regular query of the LDAP database for the username supplied here.
Note: If you do not wish to perform this check, leave this blank.
OPSCHAIN_LDAP_HOST
Default value: opschain-ldap
LDAP/AD host name (or IP address).
OPSCHAIN_LDAP_LOG_LEVEL
Default value: 1024
The log level the LDAP server should use.
OPSCHAIN_LDAP_LOGGING_ENABLED
Default value: true
Whether to enable logging for the LDAP server.
OPSCHAIN_LDAP_MAIL_ATTRIBUTE
Default value: mail
LDAP/AD user attribute used to fetch LDAP users' email addresses.
OPSCHAIN_LDAP_ORGANISATION
Default value: OpsChain
Organisation name for the LDAP server.
OPSCHAIN_LDAP_PORT
Default value: 389
LDAP/AD host port to connect to.
OPSCHAIN_LDAP_USE_ADMIN_TO_BIND
Default value: false
Whether to use the LDAP administrator DN to bind to the LDAP server.
OPSCHAIN_LDAP_USER_ATTRIBUTE
Default value: uid
LDAP/AD user attribute used as the OpsChain username.
OPSCHAIN_LDAP_USER_BASE
Default value: ou=users,dc=opschain,dc=io
LDAP/AD base DN to search for users.
OPSCHAIN_LDAP_USERS_FILTER
Default value: (objectClass=inetOrgPerson)
LDAP/AD filter to use when searching for users.
Secret vault settings
This is an exhaustive list of all the settings that can be configured for the OpsChain secret vault in the values.yaml file.
To support a high availability setup using the OpsChain vault as the global default, you must configure its service to allow incoming connections from the other instances:
secretVault:
  ...
  externalService:
    enabled: true
    # Default value - can be overridden
    nodePort: 30201
Make sure that the nodePort is accessible from the other instances in the high availability setup.
OPSCHAIN_VAULT_ADDRESS
Default value: none
The address of the external secret vault that MintPress will use, including the port, e.g. http://vault.example.com:8200.
OPSCHAIN_VAULT_AUTH_METHOD
Default value: none
Accepted values: token, userpass, ldap
The authentication method that MintPress will use to authenticate with the external secret vault.
OPSCHAIN_VAULT_TOKEN
Default value: none
The token that MintPress will use to authenticate with the external secret vault. Required if the authentication method is token.
When using the OpsChain secret vault, the token will be automatically generated by OpsChain and is necessary for root access to the secret vault. You can extract the token from the opschain-vault-config secret by running the following command:
kubectl -n ${KUBERNETES_NAMESPACE} get secret opschain-vault-config -o jsonpath="{.data.OPSCHAIN_VAULT_TOKEN}" | base64 -d
Note that this token provides root access to the secret vault and should be kept secure.
OPSCHAIN_VAULT_USERNAME
Default value: none
The username that MintPress will use to authenticate with the external secret vault. Required if the authentication method is userpass or ldap.
OPSCHAIN_VAULT_PASSWORD
Default value: none
The password that MintPress will use to authenticate with the external secret vault. Required if the authentication method is userpass or ldap.
OPSCHAIN_VAULT_MOUNT_PATH
Default value: none
The mount path for the KV secret store in the external secret vault.
OPSCHAIN_VAULT_USE_MINT_ENCRYPTION
Default value: true
Whether to use MintPress's encryption to encrypt the values before storing them in the external secret vault. If this is set to true, the values will be encrypted twice.
OPSCHAIN_VAULT_CLIENT_OPTIONS
Default value: none
A hash of options to pass to the external vault client, in JSON format. Refer to the Vault Ruby Client Gem usage instructions for the available options.
Post-install system configuration
When starting MintPress for the first time, the settings above will be stored in MintPress's database and can be updated via the OpsChain GUI or API. See the API documentation for more details.
What to do next
- With your values.yaml file ready, install MintPress and start using it.