Skip to main content
Version: v4.8

Values file configuration reference

This page describes the options that can be set in the values.yaml file that configures your sidecar deployment.

tip

The default values also define the type of structure that should be put in the field:

Default ValueVariable Type
[]Array
""String
{}Complex object

Kubernetes configuration

Image configuration

FieldDescriptionDefault Value
global.imageRegistryOverrides the image registry for the sidecar images.""
global.imagePullSecretsPull secret names to be attached to all images in the deployment[]
global.cyral.imageRegistryOverrides the image registry for cyral-based sidecar images""
image.pullPolicyDefault pullPolicy for all images"Always"

Object generation configuration

FieldDescriptionDefault Value
nameOverrideOverrides the name of the chart for object generation""
fullnameOverrideOverrides the full name of the generated objects""

Deployment configuration

FieldDescriptionDefault Value
replicaCountNumber of replicas of the deployment1
nodeSelectorNode selector for the pods of the deployment{}
tolerationsTolerations for the pods of the deployment[]
affinityAffinity configuration for the pods{}
extraVolumesExtra volumes to be created on the deployment[]
podSecurityContextSecurity context for each pod created in the deployment{}
securityContextSecurity context for each container created in the deployment{}

Service configuration

FieldDescriptionDefault Value
service.enableEnables/disables creation of the sidecar servicetrue
service.typeType of kubernetes service that will be created alongside the sidecar. Allowed values are ClusterIP, LoadBalancer and NodePort."ClusterIP"
service.loadBalancerConfiguration for the AWS LB created when service.type is "LoadBalancer"-
service.loadBalancer.certificateIdId for the certificate that the AWS LB will use""
service.loadBalancer.dnsNameDNS name for the AWS LB""
service.loadBalancer.sourceRangesSource ranges for reaching the AWS LB[]
service.loadBalancer.tlsPortsPorts that will be TLS terminated in the load balancer[]
service.portsPorts to be exposed on the service. These ports will override and other port defined in specific services[]

TLS certificate configuration

FieldDescriptionDefault Value
dispatcher.selfSignedCertificate.existingSecretName of the secret that contains the self signed certificate for dispatcher TLS connections.""

RBAC configuration

FieldDescriptionDefault Value
rbac.createWhether or not to create RBAC objects on the clustertrue
rbac.serviceAccount.nameName of the service account that will be used by the pod""

Metrics configuration

FieldDescriptionDefault Value
metrics.enabledEnables/disables creation of the sidecar metrics resources, including targetting annotationstrue
podMonitor.enabledEnables/disables creation of podMonitor resources for prometheus scraping on the sidecar podfalse

Container configuration

These configurations can be applied to all containers inside of the chart, both repository and infrastructure containers. To apply these on the values.yaml file, you add the configuration to its <container> section.

General configuration

FieldDescriptionDefault Value
<container>.enabledWhether or not to add the container to the sidecartrue
<container>.extraEnvsExtra environment variables that will be added to that container. These variables are templated[]
<container>.extraVolumeMountsExtra volumes to be mounted on that container. These values are templated[]

Image configuration

FieldDescriptionDefault Value
<container>.image.registryImage registry for the container imageContainer specific
<container>.image.repositoryImage repository for the container imageContainer specific
<container>.image.tagImage tag for the container imageContainer specific

Resource configuration

info

We don't set default resources for the deployment. This is infrastructure specific.

tip

To read more about container resources on Kubernetes, read our guide on setting resources and Kubernetes' documentation on it.

FieldDescriptionDefault Value
<container>.resources.limits.cpuCPU limit for that container-
<container>.resources.limits.memorymemory limit for that container-
<container>.resources.requests.cpuCPU request for that container-
<container>.resources.requests.memorymemory request for that container-

Repository Configuration

This configuration applies for all repository specific containers. To apply this to the values.yaml file, add it in the section for the <repo> type you want to apply it to. For example, you would set the ports configuration for MySQL databases in the parameter, mysql.ports. Most repositories also contain all configurations contained in the Container Configuration section.

General configuration

FieldDescriptionDefault Value
<repo>.enabledWhether the repository will be supported by the sidecar. If disabled the containers (if any) and ports will not be added to the final sidecar resourcetrue
<repo>.portsPort configuration for the repository-
<repo>.ports.sidecarList of ports that will be exposed on the sidecar's service with this repo's id on it. These ports will be overriten if service.ports is setRepo specific

MySQL

FieldDescriptionDefault Value
mysql.multiplexedPortPort that will be configured as a multiplexed port on the mysql container. This port will not be available for repository conectivity. Leave 0 for no port to be allocated0

Snowflake

FieldDescriptionDefault Value
snowflake.idp.SSOLoginURLURL for the SSO for snowflake connections""
snowflake.idp.certificateCertificate for the snowflake SSO""
info

Denodo and redshift repositories do not have image nor resource configurations, since they are handled by the same container as the postgres repository.

Integration configuration

These configurations will usually be generated by your control plane, don't change these without help from Cyral support.

Cyral Control Plane configurations

FieldDescriptionDefault Value
controlPlane.hostHost of the Cyral Control Plane""
controlPlane.ports.httpHTTP port for your control plane443
controlPlane.ports.grpcGRPC port for your control plane443
sidecarIdID of the sidecar, as registered in the Cyral control plane""

Datadog

The datadog integration uses the datadog helm chart. We set a few default values when generating the values.yaml file from the control plane.

Filebeat

FieldDescriptionDefault Value
filebeat.output.typeThe type of output that filebeat will send to"elasticsearch"
filebeat.output.useTLSUse TLS on filebeat's outputfalse
filebeat.output.usePrivateCertificateChainUse a private certificate chain on the TLS for the filebeat outputfalse
filebeat.output.useMutualAuthenticationUse mutual authentication for the filebeat outputfalse
filebeat.createRoleCreate the roles necessary for filebeat to runtrue
filebeat.integrationType of integration that is active. This should match the configuration in the settings below""
filebeat.logstashLogstash configuration for the filebeat integration{}
filebeat.elasticsearchElasticsearch configuration for the filebeat integration{}

Fluentbit

FieldDescriptionDefault Value
fluentbit.splunkSplunk configuration for the fluentbit integration{}
fluentbit.sumologicSumologic configuration for the fluentbit integration{}