# values.yaml
# Configuration for setting up the Protegrity Anonymization API.
# This file contains the configuration for setting up the Protegrity Anonymization API. Use the
# template provided with the Protegrity Anonymization API, or copy the following code into a .yaml
# file and modify it as per your requirements before running it.
## PREREQUISITES
## Create a separate namespace. Eg: kubectl create ns anon-ns. Update your namespace name in values.yaml.
## Running all pods in the namespace specific for Protegrity Anonymization API
namespace:
  name: anon-ns # Update the namespace if required.

## Prerequisite for setting up Database and S3 bucket Pod.
## This is to handle any new DB pod getting created that uses the same persistence storage in case the running Database pod gets disrupted.
## This persistence also helps persist Anon-storage data.
persistence:
  ## Update storageClassName based on the PV/PVC/Storage config.
  ## Explicit "" (rather than a bare key) avoids an ambiguous null value.
  storageClassName: "" # Example: managed-premium for Azure, standard for AWS EKS, gp2 for AWS EC2, standard for GCP.
  fsType: ext4

## This section is required if the image is getting pulled from the Azure Container Registry
## create image pull secrets and specify the name here.
## remove the [] after 'imagePullSecrets:' once you specify the secrets
#imagePullSecrets: []
#  - name: regcred

## This section is required if the S3 bucket image is getting pulled from the Azure Container Registry instead of Public Repo
## create image pull secrets and specify the name here.
## remove the [] after 's3bucketImagePullSecrets:' once you specify the secrets
#s3bucketImagePullSecrets: []
#  - name: regcred
image:
  s3bucket_repo: quay.io/s3bucket/s3bucket # Public repo path for S3 bucket Image.
  s3bucket_tag: RELEASE.2025-04-03T14-56-28Z # Tag name for S3 bucket image.
  repository: <Repo_path> # Repo path for the Container Registry in Azure, AWS.
  anonapi_tag: <AnonImage_tag> # Tag name of the ANON-API Image.
  database_tag: <DatabaseImage_tag> # Tag name of the Database Image.
  pullPolicy: Always

s3:
  enabled: false
  bucketName: "" # S3 bucket name for storage (must exist before installation)
  region: "us-east-1" # AWS region
  iamRoleArn: "" # IAM role ARN with S3 permissions (s3:ListBucket, s3:GetObject, s3:PutObject, s3:DeleteObject)
## Refer to the section in the documentation for setting up and configuring NGINX-INGRESS before deploying the application.
ingress:
  ## Add the host section with the hostname used as CN while creating server certificates.
  ## While creating the certificates you can use *.protegrity.com as CN and SAN as used in the below example
  host: anon.protegrity.com # Update the host according to your server certificates.
  ## To terminate TLS on the Ingress Controller Load Balancer.
  ## K8s TLS Secret containing the certificate and key must be provided.
  secret: anon-protegrity-tls # Update the secretName according to your secretName.
  ## To validate the client certificate with the above server certificate
  ## Create the secret of the CA certificate used to sign both the server and client certificate as shown in the example below
  ca_secret: ca-protegrity # Update the ca-secretName according to your secretName.
  ingress_class: nginx-anon
  ## IP Address of Ingress Server
  ## CMD: kubectl get service -n nginx
  ingressIP: <IP Address of Ingress Server> # Specify the external IP address obtained from above command.
  ## Ingress connection timeout (connect/read/send time-out interval), in seconds.
  timeout: 600

## Typically the deployment includes checksums of secrets/config, so that when these change on a
## subsequent helm install, the deployment/statefulset is restarted.
## Set to true to disable this behaviour.
ignoreChartChecksums: false
## Create the volumes and specify the names here.
## remove the [] after 'volumes:' once you specify volumes
volumes: []
#- name: gcs-secret ## This secret is used when the user wants to read and write data to a Google cloud storage. Refer DOC.
#  secret:
#    secretName: adc-gcs-creds

## Create the volumeMounts and specify the names here.
## remove the [] after 'volumeMounts:' once you specify volumeMounts
volumeMounts: []
#- name: gcs-secret
#  mountPath: /home/anonuser/gcs

## Creating a service account for Anonymization
serviceaccount:
  name: anon-service-account

## Setting the pod security context
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
  fsGroupChangePolicy: "OnRootMismatch"
## Configure the delays for the Liveness Probe here (seconds).
livenessProbe:
  initialDelaySeconds: 50
  periodSeconds: 40

## Configure the delays for the Readiness Probe here (seconds).
readinessProbe:
  initialDelaySeconds: 60
  periodSeconds: 20
  timeoutSeconds: 5
  failureThreshold: 3
## ANON-APP ##
anonapp:
  name: anon-app-depl
  service:
    name: anon-app-svc
    port: 8090
  labels:
    appname: anonapp
  loglevel: INFO # To get logs at DEBUG: Set loglevel to DEBUG and do helm upgrade

## ANON-DATABASE ##
database:
  name: anon-db-sts
  labels:
    app: anon-db
  service:
    name: anon-db-svc
    port: 5432
  access_appdb:
    store: anondb
    username: anondbuser
    ## NOTE(review): default example credential committed in plain text — override with your own
    ## value (ideally sourced from a Kubernetes Secret) before deploying to production.
    password: anondbpsw
  userContext:
    fsUser: 70
    fsGroup: 70
    fsGroupChangePolicy: "OnRootMismatch"
  persistence: ## Persistence Volume size
    accessMode: ReadWriteOnce
    size: 20Gi
## ANON-DASK ##
dask:
  scheduler:
    name: anon-scheduler-depl
    service:
      name: anon-dask-svc
      port: 8786
      daskUiPort: 8787
    labels:
      appname: dask
  worker:
    name: anon-worker-depl
    labels:
      app: dask-worker
    ## Increase the number of worker pods as per your requirement
    replicaCount: 1
    ## Resources defined for the worker pod
    worker_resources:
      requests:
        cpu: 2
        memory: 6Gi
      limits:
        cpu: 2
        memory: 6Gi
    ## Specs with which the worker container should start
    containerSpecs:
      memLimit: "6G"
      nthreads: 2
    ## Worker pod env to read values from the ConfigMap manifest.
    ## A ConfigMap (wrkr-specs) is used to set these values.
    workerPodEnv:
      - name: worker_mem_limit
        valueFrom:
          configMapKeyRef:
            name: wrkr-specs
            key: worker-mem-limit
      - name: num_threads
        valueFrom:
          configMapKeyRef:
            name: wrkr-specs
            key: num-threads
    hpa:
      name: anon-worker-hpa
      autoscaling:
        minReplicas: 1 # Min number of worker pods which will be running when the cluster starts.
        maxReplicas: 3 # Max number of worker pods which will autoscale in the cluster.
        targetMemoryThreshold: 4Gi # Threshold memory-load beyond which worker pods will autoscale.
## FOR MORE INFO ABOUT PROCESSING LARGE DATASETS REFER TO THE DOCUMENTATION
########################################################################
########################################################################
## ANON-STORAGE ##
storage:
## Refer the following command for creating your own secret.
## CMD: kubectl create secret generic my-s3bucket-secret --from-literal=rootUser=foobarbaz --from-literal=rootPassword=foobarbazqux
existingSecret: "" # Supply your secret Name for ignoring below default credentials.
bucket_name: "anonstorage" # Default bucket name for S3 bucket
secret:
name: "storage-creds" # Secret to access s3bucket-server
access_key: "anonuser" # Access key for s3bucket-server
secret_key: "protegrity" # Secret key for s3bucket-server
persistence:
## Path where PV would be mounted on the S3 bucket Pod
mountPath: "/data"
accessMode: ReadWriteOnce
size: 20Gi
service:
name: anon-s3bucket-svc
port: 8100
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
resources:
requests:
memory: 2Gi
cpu: 1
certsPath: "/etc/s3bucket/certs/"
configPathmc: "/etc/s3bucket/mc/"
# Feedback
# Was this page helpful?