Skip to main content
Version: latest

Helm Configuration Reference

You can use the Palette VerteX Helm Chart to install Palette VerteX in a multi-node Kubernetes cluster in your production environment. The Helm chart allows you to customize values in the values.yaml file. This reference page lists and describes parameters available in the values.yaml file from the Helm Chart for your installation.

To learn how to install Palette VerteX using the Helm Chart, refer to the Kubernetes Instructions.

Required Parameters

The following parameters are required for a successful installation of Palette VerteX.

ParametersDescriptionType
config.env.rootDomainUsed to configure the domain for the Palette installation. We recommend you create a CNAME DNS record that supports multiple subdomains. You can achieve this using a wild card prefix, *.vertex.abc.com. Review the Environment parameters to learn more.String
config.env.ociPackRegistry or config.env.ociPackEcrRegistrySpecifies the FIPS image registry for Palette VerteX. You can use an a self-hosted OCI registry or a public OCI registry we maintain and support. For more information, refer to the Registry section.Object
scarThe Spectro Cloud Artifact Repository (SCAR) credentials for Palette VerteX FIPS images. Our support team provides these credentials. For more information, refer to the Registry section.Object
warning

If you are installing an air-gapped version of Palette VerteX, you must provide the image swap configuration. For more information, refer to the Image Swap Configuration section.

MongoDB

Palette VerteX uses MongoDB Enterprise as its internal database and supports two modes of deployment:

  • MongoDB Enterprise deployed and active inside the cluster.

  • MongoDB Enterprise is hosted on a software-as-a-service (SaaS) platform, such as MongoDB Atlas.

The table below lists the parameters used to configure a MongoDB deployment.

ParametersDescriptionTypeDefault value
internalSpecifies the MongoDB deployment either in-cluster or using Mongo Atlas.Booleantrue
databaseUrlThe URL for MongoDB Enterprise. If using a remote MongoDB Enterprise instance, provide the remote URL. This parameter must be updated if mongo.internal is set to false.Stringmongo-0.mongo,mongo-1.mongo,mongo-2.mongo
databasePasswordThe base64-encoded MongoDB Enterprise password. If you don't provide a value, a random password will be auto-generated.String""
replicasThe number of MongoDB replicas to start.Integer3
memoryLimitSpecifies the memory limit for each MongoDB Enterprise replica.String4Gi
cpuLimitSpecifies the CPU limit for each MongoDB Enterprise member.String2000m
pvcSizeThe storage settings for the MongoDB Enterprise database. Use increments of 5Gi when specifying the storage size. The storage size applies to each replica instance. The total storage size for the cluster is replicas * pvcSize.string20Gi
storageClassThe storage class for the MongoDB Enterprise database.String""
mongo:
internal: true
databaseUrl: "mongo-0.mongo,mongo-1.mongo,mongo-2.mongo"
databasePassword: ""
replicas: 3
cpuLimit: "2000m"
memoryLimit: "4Gi"
pvcSize: "20Gi"
storageClass: ""

Config

Review the following parameters to configure Palette VerteX for your environment. The config section contains the following subsections:

Install Mode

You can install Palette in connected or air-gapped mode. The table lists the parameters to configure the installation mode.

ParametersDescriptionTypeDefault value
installModeSpecifies the installation mode. Allowed values are connected or airgap. Set the value to airgap when installing in an air-gapped environment.Stringconnected
config:
installationMode: "connected"

SSO

You can configure Palette VerteX to use Single Sign-On (SSO) for user authentication. Configure the SSO parameters to enable SSO for Palette VerteX. You can also configure different SSO providers for each tenant post-install, check out the SAML & SSO Setup documentation for additional guidance.

To configure SSO, you must provide the following parameters.

ParametersDescriptionTypeDefault value
saml.enabledSpecifies whether to enable SSO SAML configuration by setting it to true.Booleanfalse
saml.acsUrlRootThe root URL of the Assertion Consumer Service (ACS).Stringmyfirstpalette.spectrocloud.com
saml.acsUrlSchemeThe URL scheme of the ACS: http or https.Stringhttps
saml.audienceUrlThe URL of the intended audience for the SAML response.Stringhttps://www.spectrocloud.com
saml.entityIDThe Entity ID of the Service Provider.Stringhttps://www.spectrocloud.com
saml.apiVersionSpecify the SSO SAML API version to use.Stringv1
config:
sso:
saml:
enabled: false
acsUrlRoot: "myfirstpalette.spectrocloud.com"
acsUrlScheme: "https"
audienceUrl: "https://www.spectrocloud.com"
entityId: "https://www.spectrocloud.com"
apiVersion: "v1"

Email

Palette VerteX uses email to send notifications to users. The email notification is used when inviting new users to the platform, password resets, and when webhook alerts are triggered. Use the following parameters to configure email settings for Palette VerteX.

ParametersDescriptionTypeDefault value
enabledSpecifies whether to enable email configuration.Booleanfalse
emailID The email address for sending mail.Stringnoreply@spectrocloud.com
smtpServerSimple Mail Transfer Protocol (SMTP) server used for sending mail.Stringsmtp.gmail.com
smtpPortSMTP port used for sending mail.Integer587
insecureSkipVerifyTLSSpecifies whether to skip Transport Layer Security (TLS) verification for the SMTP connection.Booleantrue
fromEmailIDEmail address of the From address.Stringnoreply@spectrocloud.com
passwordThe base64-encoded SMTP password when sending emails.String""
config:
email:
enabled: false
emailId: "noreply@spectrocloud.com"
smtpServer: "smtp.gmail.com"
smtpPort: 587
insecureSkipVerifyTls: true
fromEmailId: "noreply@spectrocloud.com"
password: ""

Environment

The following parameters are used to configure the environment.

ParametersDescriptionTypeDefault value
env.rootDomainSpecifies the URL name assigned to Palette Vertex. The value assigned should have a Domain Name System (DNS) CNAME record mapped to exposed IP address or the load balancer URL of the service ingress-nginx-controller. Optionally, if ingress.ingressStaticIP is provided with a value you can use same assigned static IP address as the value to this parameter.String""
env.installerModeSpecifies the installer mode. Do not modify the value.Stringself-hosted
env.installerCloudSpecifies the cloud provider. Leave this parameter empty if you are installing a self-hosted Palette VerteX.String""
config:
env:
rootDomain: ""
warning

As you create tenants in Palette VerteX, the tenant name is prefixed to the domain name you assigned to Palette VerteX. For example, if you create a tenant named tenant1 and the domain name you assigned to Palette VerteX is vertex.example.com, the tenant URL will be tenant1.vertex.example.com. We recommend you create an additional wildcard DNS record to map all tenant URLs to the Palette VerteX load balancer. For example, *.vertex.example.com.

Cluster

Use the following parameters to configure the Kubernetes cluster.

ParametersDescriptionTypeDefault value
stableEndpointAccessSet to true if the Kubernetes cluster is deployed in a public endpoint. If the cluster is deployed in a private network through a stable private endpoint, set to false.Booleanfalse
config:
cluster:
stableEndpointAccess: false

Registries

Palette VerteX requires credentials to access the required Palette VerteX images. You can configure different types of registries for Palette VerteX to download the required images. You must configure at least one Open Container Initiative (OCI) registry for Palette VerteX. You must also provide the credentials for the Spectro Cloud Artifact Repository (SCAR) to download the required FIPS images.

warning

Palette VerteX does not support insecure connections. Ensure you have the Certificate Authority (CA) available, in PEM format, when using a custom packs and image registry. Otherwise, VerteX will not be able to pull packs and images from the registry. Use the caCert parameter to provide the base64-encoded CA certificate.

OCI Registry

Palette VerteX requires access to an OCI registry that contains all the required FIPS packs. You can host your own OCI registry and configure Palette VerteX to reference the registry. Alternatively, you can use the public OCI registry provided by us, refer to the ociPackEcrRegistry section to learn more about the publicly available OCI registry.

warning

If you are using a self-hosted OCI registry, you must provide the required FIPS packs to the registry. Contact support for additional guidance on how to add the required FIPS packs to your OCI registry.

ParametersDescriptionTypeDefault value
ociPackRegistry.endpointThe endpoint URL for the registry.String""
ociPackRegistry.nameThe name of the registry.String""
ociPackRegistry.passwordThe base64-encoded password for the registry.String""
ociPackRegistry.usernameThe username for the registry.String""
ociPackRegistry.baseContentPathThe base path for the registry.String""
ociPackRegistry.insecureSkipVerifySpecifies whether to skip Transport Layer Security (TLS) verification for the registry connection. VerteX requires the CA for registries that use a self-signed certificate.Booleanfalse
ociPackRegistry.caCertThe registry's base64-encoded certificate authority (CA) certificate. Required for self-hosted OCI registries.String""
config:
ociPackRegistry:
endpoint: ""
name: ""
password: ""
username: ""
baseContentPath: ""
insecureSkipVerify: false
caCert: ""

OCI ECR Registry

We expose a public OCI ECR registry that you can configure Palette VerteX to reference. If you want to host your own OCI registry, refer to the OCI Registry section. The OCI Elastic Container Registry (ECR) is hosted in an AWS ECR registry. Our support team provides the credentials for the OCI ECR registry.

ParametersDescriptionTypeDefault value
ociPackEcrRegistry.endpointThe endpoint URL for the registry.String""
ociPackEcrRegistry.nameThe name of the registry.String""
ociPackEcrRegistry.accessKeyThe base64-encoded access key for the registry.String""
ociPackEcrRegistry.secretKeyThe base64-encoded secret key for the registry.String""
ociPackEcrRegistry.baseContentPathThe base path for the registry.String""
ociPackEcrRegistry.isPrivateSpecifies whether the registry is private.Booleantrue
ociPackEcrRegistry.insecureSkipVerifySpecifies whether to skip Transport Layer Security (TLS) verification for the registry connection.Booleanfalse
ociPackEcrRegistry.caCertThe registry's base64-encoded certificate authority (CA) certificate.String""
config:
ociPackEcrRegistry:
endpoint: ""
name: ""
accessKey: ""
secretKey: ""
baseContentPath: ""
isPrivate: true
insecureSkipVerify: false
caCert: ""

OCI Image Registry

You can specify an OCI registry for the images used by Palette.

ParametersDescriptionTypeDefault value
ociImageRegistry.endpointThe endpoint URL for the registry.String""
ociImageRegistry.nameThe name of the registry.String""
ociImageRegistry.passwordThe password for the registry.String""
ociImageRegistry.usernameThe username for the registry.String""
ociImageRegistry.baseContentPathThe base path for the registry.String""
ociImageRegistry.insecureSkipVerifySpecifies whether to skip Transport Layer Security (TLS) verification for the registry connection.Booleanfalse
ociImageRegistry.caCertThe registry's base64-encoded certificate authority (CA) certificate. Required for self-hosted OCI registries.String""
ociImageRegistry.mirrorRegistriesA comma-separated list of mirror registries.String""
config:
ociImageRegistry:
endpoint: ""
name: ""
password: ""
username: ""
baseContentPath: ""
insecureSkipVerify: false
caCert: ""
mirrorRegistries: ""

Spectro Cloud Artifact Repository (SCAR)

SCAR credentials are required to download the necessary FIPS manifests. Our support team provides the SCAR credentials.

ParametersDescriptionTypeDefault value
scar.endpointThe endpoint URL of SCAR.String""
scar.usernameThe username for SCAR.String""
scar.passwordThe base64-encoded password for the SCAR.String""
scar.insecureSkipVerifySpecifies whether to skip Transport Layer Security (TLS) verification for the SCAR connection.Booleanfalse
scar.caCertThe base64-encoded certificate authority (CA) certificate for SCAR.String""
config:
scar:
endpoint: ""
username: ""
password: ""
insecureSkipVerify: false
caCert: ""

Image Swap Configuration

You can configure Palette VerteX to use image swap to download the required images. This is an advanced configuration option, and it is only required for air-gapped deployments. You must also install the Palette VerteX Image Swap Helm chart to use this option, otherwise, Palette VerteX will ignore the configuration.

ParametersDescriptionTypeDefault value
imageSwapInitImageThe image swap init image.Stringgcr.io/spectro-images-public/thewebroot/imageswap-init:v1.5.2
imageSwapImageThe image swap image.Stringgcr.io/spectro-images-public/thewebroot/imageswap:v1.5.2
imageSwapConfigThe image swap configuration for specific environments.String""
imageSwapConfig.isEKSClusterSpecifies whether the cluster is an Amazon EKS cluster. Set to false if the Kubernetes cluster is not an EKS cluster.Booleantrue
config:
imageSwapImages:
imageSwapInitImage: "gcr.io/spectro-images-public/thewebroot/imageswap-init:v1.5.2"
imageSwapImage: "gcr.io/spectro-images-public/thewebroot/imageswap:v1.5.2"

imageSwapConfig:
isEKSCluster: true

gRPC

gRPC is used for communication between Palette VerteX components. You can enable the deployment of an additional load balancer for gRPC. Host clusters deployed by Palette VerteX use the load balancer to communicate with the Palette VerteX control plane. This is an advanced configuration option, and it is not required for most deployments. Speak with your support representative before enabling this option.

If you want to use an external gRPC endpoint, you must provide a domain name for the gRPC endpoint and a valid x509 certificate. Additionally, you must provide a custom domain name for the endpoint. A CNAME DNS record must point to the IP address of the gRPC load balancer. For example, if your Palette VerteX domain name is vertex.example.com, you could create a CNAME DNS record for grpc.vertex.example.com that points to the IP address of the load balancer dedicated to gRPC.

ParametersDescriptionTypeDefault value
externalSpecifies whether to use an external gRPC endpoint.Booleanfalse
endpointThe gRPC endpoint.String""
annotationsA map of key-value pairs that specifies load balancer annotations for gRPC. You can use annotations to change the behavior of the load balancer and the gRPC configuration. This field is considered an advanced setting. We recommend you consult with your assigned support team representative before making changes.Object{}
grpcStaticIPSpecify a static IP address for the gRPC load balancer service. If the field is empty, a dynamic IP address will be assigned to the load balancer.String""
caCertificateBase64The base64-encoded Certificate Authority (CA) certificate for the gRPC endpoint.String""
serverCrtBase64The base64-encoded server certificate for the gRPC endpoint.String""
serverKeyBase64The base64-encoded server key for the gRPC endpoint.String""
insecureSkipVerifySpecifies whether to skip Transport Layer Security (TLS) verification for the gRPC endpoint.Booleanfalse
grpc:
external: false
endpoint: ""
annotations: {}
grpcStaticIP: ""
caCertificateBase64: ""
serverCrtBase64: ""
serverKeyBase64: ""
insecureSkipVerify: false

Ingress

Palette VerteX deploys an Nginx Ingress Controller. This controller is used to route traffic to the Palette VerteX control plane. You can change the default behavior and omit the deployment of an Nginx Ingress Controller.

ParametersDescriptionTypeDefault value
enabledSpecifies whether to deploy an Nginx controller. Set to false if you do not want an Nginx controller deployed.Booleantrue
ingress.internalSpecifies whether to deploy a load balancer or use the host network.Booleanfalse
ingress.certificateSpecify the base64-encoded x509 SSL certificate for the Nginx Ingress Controller. If left blank, the Nginx Ingress Controller will generate a self-signed certificate.String""
ingress.keySpecify the base64-encoded x509 SSL certificate key for the Nginx Ingress Controller.String""
ingress.annotationsA map of key-value pairs that specifies load balancer annotations for ingress. You can use annotations to change the behavior of the load balancer and the Nginx configuration. This is an advanced setting. We recommend you consult with your assigned support team representative prior to modification.Object{}
ingress.ingressStaticIPSpecify a static IP address for the ingress load balancer service. If empty, a dynamic IP address will be assigned to the load balancer.String""
ingress.terminateHTTPSAtLoadBalancerSpecifies whether to terminate HTTPS at the load balancer.Booleanfalse
ingress:
enabled: true
ingress:
internal: false
certificate: ""
key: ""
annotations: {}
ingressStaticIP: ""
terminateHTTPSAtLoadBalancer: false

Spectro Proxy

You can specify a reverse proxy server that clusters deployed through Palette VerteX can use to facilitate network connectivity to the cluster's Kubernetes API server. Host clusters deployed in private networks can use the Spectro Proxy pack to expose the cluster's Kubernetes API to downstream clients that are not in the same network. Check out the Reverse Proxy documentation to learn more about setting up a reverse proxy server for Palette VerteX.

ParametersDescriptionTypeDefault value
frps.enabledSpecifies whether to enable the Spectro server-side proxy.Booleanfalse
frps.frpHostURLThe Spectro server-side proxy URL.String""
frps.server.crtThe base64-encoded server certificate for the Spectro server-side proxy.String""
frps.server.keyThe base64-encoded server key for the Spectro server-side proxy.String""
frps.ca.crtThe base64-encoded certificate authority (CA) certificate for the Spectro server-side proxy.String""
frps:
frps:
enabled: false
frpHostURL: ""
server:
crt: ""
key: ""
ca:
crt: ""

UI System

The table lists parameters to configure the Palette VerteX User Interface (UI) behavior. You can disable the UI or the Network Operations Center (NOC) UI. You can also specify the MapBox access token and style layer ID for the NOC UI. MapBox is a third-party service that provides mapping and location services. To learn more about MapBox and how to obtain an access token, refer to the MapBox Access tokens guide.

ParametersDescriptionTypeDefault value
enabledSpecifies whether to enable the Palette VerteX UI.Booleantrue
ui.nocUI.enableSpecifies whether to enable the Palette VerteX Network Operations Center (NOC) UI. Enabling this parameter requires the ui.nocUI.mapBoxAccessToken. Once enabled, all cluster locations will be reported to MapBox. This feature is not FIPS compliant.Booleanfalse
ui.nocUI.mapBoxAccessTokenThe MapBox access token for the Palette VerteX NOC UI.String""
ui.nocUI.mapBoxStyledLayerIDThe MapBox style layer ID for the Palette VerteX NOC UI.String""
ui-system:
enabled: true
ui:
nocUI:
enable: false
mapBoxAccessToken: ""
mapBoxStyledLayerID: ""

Reach System

You can configure VerteX to use a proxy server to access the internet. Set the parameter reach-system.enabled to true to enable the proxy server. Proxy settings are configured in the reach-system.proxySettings section.

ParametersDescriptionTypeDefault value
reachSystem.enabledSpecifies whether to enable the usage of a proxy server for Palette.Booleanfalse
reachSystem.proxySettings.http_proxyThe HTTP proxy server URL.String""
reachSystem.proxySettings.https_proxyThe HTTPS proxy server URL.String""
reachSystem.proxySettings.no_proxyA list of hostnames or IP addresses that should not be go through the proxy server.String""
reachSystem.proxySettings.ca_crt_pathThe base64-encoded certificate authority (CA) of the proxy server.String""
reachSystem.scheduleOnControlPlaneSpecifies whether to schedule the reach system on the control plane.Booleantrue
reach-system:
enabled: false
proxySettings:
http_proxy: ""
https_proxy: ""
no_proxy:
ca_crt_path: ""
scheduleOnControlPlane: true