Chart reference

The Helm chart aims to offer easy configuration through values for the most used Kubernetes or Horizon features. If something you need is not yet covered, you can also use:

The chart source is also freely available to investigate unwanted behaviors.

global

Global Docker image parameters. Please note that this will override the image parameters, including dependencies, configured to use the global value.

imageRegistry

Global Docker image registry

global.imageRegistry: ""

imagePullSecrets

Global Docker registry secret names as an array

global.imagePullSecrets: []
Example
imagePullSecrets:
  - myRegistryKeySecretName

kubeVersion

Force target Kubernetes version (using Helm capabilities if not set)

kubeVersion: ""

nameOverride

String to partially override horizon.fullname

nameOverride: ""

fullnameOverride

String to fully override horizon.fullname

fullnameOverride: ""

imageRegistry

String to override the image registry for all containers

imageRegistry: ""

commonLabels

Labels to add to all deployed objects

commonLabels: {}

commonAnnotations

Annotations to add to all deployed objects

commonAnnotations: {}

image

By default, we fetch the Horizon image from the Evertrust registry. If the tag is null or unset, the default value will be set to the chart appVersion. As the official Evertrust registry is not open access, you should specify an image pull secret that has access to Horizon images.

registry

Horizon image registry

image.registry: "registry.evertrust.io"

repository

Horizon image repository

image.repository: "horizon"

tag

Horizon image tag (immutable tags are recommended)

image.tag: "2.9.1"

flavor

Horizon image flavor (for HSM compatible images)

image.flavor: ""

pullPolicy

Horizon image pull policy

image.pullPolicy: "IfNotPresent"

pullSecrets

Horizon image pull secrets

image.pullSecrets: []

updateStrategy

Example
updateStrategy:
 type: RollingUpdate
 rollingUpdate:
   maxSurge: 25%
   maxUnavailable: 25%

type

Horizon deployment strategy type

updateStrategy.type: "RollingUpdate"

rollingUpdate

Rolling update spec

updateStrategy.rollingUpdate:
  maxUnavailable: 1

deploymentAnnotations

Annotations to add to the deployment object

deploymentAnnotations: {}

deploymentLabels

Labels to add to the deployment object

deploymentLabels: {}

priorityClassName

Horizon pod priority class name

priorityClassName: ""

hostAliases

Horizon pod host aliases

hostAliases: []

extraVolumes

Optionally specify extra list of additional volumes for Horizon pods

extraVolumes: []
Example
extraVolumes:
  - name: extra-volume-name
    configMap:
      name: example-configmap

extraVolumeMounts

Optionally specify extra list of additional volumeMounts for Horizon container(s)

extraVolumeMounts: []
Example
extraVolumeMounts:
  - name: extra-volume-name
    mountPath: /mnt/extra-volume

sidecars

Add additional sidecar containers to the Horizon pod

sidecars: []
Example
sidecars:
  - name: your-image-name
    image: your-image
    imagePullPolicy: Always
    ports:
      - name: portname
        containerPort: 1234

lifecycleHooks

Add lifecycle hooks to the Horizon deployment

lifecycleHooks: {}

podLabels

Extra labels for Horizon pods

podLabels: {}

podAnnotations

Annotations for Horizon pods

podAnnotations: {}

podAffinityPreset

Pod affinity preset. Ignored if affinity is set. Allowed values: soft or hard

podAffinityPreset: ""

podAntiAffinityPreset

Pod anti-affinity preset. Ignored if affinity is set. Allowed values: soft or hard

podAntiAffinityPreset: "soft"

nodeAffinityPreset

Node affinity preset

type

Node affinity preset type. Ignored if affinity is set. Allowed values: soft or hard

nodeAffinityPreset.type: ""

key

Node label key to match. Ignored if affinity is set

nodeAffinityPreset.key: ""

values

Node label values to match. Ignored if affinity is set

nodeAffinityPreset.values: []
Example
values:
  - e2e-az1
  - e2e-az2

revisionHistoryLimit

Number of controller revisions to keep

revisionHistoryLimit: 3

replicas

Replica count when no autoscaler is configured

replicas: 1

affinity

Affinity for pod assignment

podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it’s set.
affinity: {}

nodeSelector

Node labels for pod assignment

nodeSelector: {}

tolerations

Tolerations for pod assignment

tolerations: []

topologySpreadConstraints

Spread Constraints for pod assignment

topologySpreadConstraints: []
Example
topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: node
    whenUnsatisfiable: DoNotSchedule

resources

Horizon containers' resource requests and limits. The JVM will automatically adapt the memory allocation pool to the container allocated resources.

limits

The resources limits for the Horizon container

resources.limits: {}

requests

The requested resources for the Horizon container

resources.requests:
  memory: 512Mi
  cpu: 300m

podSecurityContext

Configure Pods Security Context

enabled

Enable Horizon pods' Security Context

podSecurityContext.enabled: true

fsGroup

Set Horizon pod’s Security Context fsGroup

podSecurityContext.fsGroup: 1001

containerSecurityContext

Configure Container Security Context (only main container)

enabled

Enable Horizon containers' Security Context

containerSecurityContext.enabled: true

runAsUser

Set Horizon container’s Security Context runAsUser

containerSecurityContext.runAsUser: 1001

runAsNonRoot

Set Horizon container’s Security Context runAsNonRoot

containerSecurityContext.runAsNonRoot: true

livenessProbe

Configure extra options for Horizon containers' liveness probe.

enabled

Enable livenessProbe

livenessProbe.enabled: true

initialDelaySeconds

Initial delay seconds for livenessProbe

livenessProbe.initialDelaySeconds: 0

periodSeconds

Period seconds for livenessProbe

livenessProbe.periodSeconds: 10

timeoutSeconds

Timeout seconds for livenessProbe

livenessProbe.timeoutSeconds: 5

successThreshold

Success threshold for livenessProbe

livenessProbe.successThreshold: 1

failureThreshold

Failure threshold for livenessProbe

livenessProbe.failureThreshold: 3

startupProbe

A startup probe allows us to define a shorter period to improve Horizon's time-to-liveness while protecting the Horizon pod from a restart loop when it is slow to start.

enabled

Enable startupProbe. Since Horizon is slow to start, this is highly recommended.

startupProbe.enabled: true

failureThreshold

Failure threshold for startupProbe

startupProbe.failureThreshold: 60

periodSeconds

Period seconds for startupProbe

startupProbe.periodSeconds: 3

readinessProbe

enabled

Enable readinessProbe

readinessProbe.enabled: true

initialDelaySeconds

Initial delay seconds for readinessProbe

readinessProbe.initialDelaySeconds: 0

periodSeconds

Period seconds for readinessProbe

readinessProbe.periodSeconds: 5

timeoutSeconds

Timeout seconds for readinessProbe

readinessProbe.timeoutSeconds: 3

successThreshold

Success threshold for readinessProbe

readinessProbe.successThreshold: 1

failureThreshold

Failure threshold for readinessProbe

readinessProbe.failureThreshold: 3

horizontalAutoscaler

enabled

Enable Horizontal Pod autoscaling for Horizon

horizontalAutoscaler.enabled: false

minReplicas

Minimum number of Horizon replicas

horizontalAutoscaler.minReplicas: 1

maxReplicas

Maximum number of Horizon replicas

horizontalAutoscaler.maxReplicas: 3

targetCPU

Target CPU utilization percentage

horizontalAutoscaler.targetCPU: 50

targetMemory

Target Memory utilization percentage

horizontalAutoscaler.targetMemory: 50

disruptionBudget

enabled

Create a PodDisruptionBudget

disruptionBudget.enabled: false

minAvailable

Min number of pods that must still be available after the eviction

disruptionBudget.minAvailable: 1

maxUnavailable

Max number of pods that can be unavailable after the eviction

disruptionBudget.maxUnavailable: 0

environment

Configure environment variable injections into Horizon’s pods. This is the way you should inject secrets into the app if you wish to use the Kubernetes secrets implementation.

environment: []
Example
environment:
  - name: KEY
    value: VALUE

dnsConfig

This value is useful if you need to resolve your custom domain for ACME challenges.

dnsConfig: {}
Example
dnsConfig:
  nameservers:
    - 1.2.3.4
  searches:
    - ns1.svc.cluster-domain.example
    - my.dns.search.suffix
  options:
    - name: ndots
      value: "2"

dnsPolicy

dnsPolicy: ""

service

Service configuration

type

Kubernetes service type

service.type: "ClusterIP"

clusterIP

Horizon service cluster IP

service.clusterIP: ""
Example
clusterIP: None

loadBalancerIP

Load balancer IP for the Horizon Service (optional, cloud specific)

service.loadBalancerIP: ""

loadBalancerSourceRanges

Addresses that are allowed when the service type is LoadBalancer

service.loadBalancerSourceRanges: []
Example
loadBalancerSourceRanges:
  - 10.10.10.0/24

externalTrafficPolicy

Enable client source IP preservation

service.externalTrafficPolicy: "Cluster"

extraPorts

Extra port to expose on Horizon service

service.extraPorts: []

annotations

Annotations for Horizon service

service.annotations: {}

ingress

Ingress configuration

enabled

Set to true to enable ingress record generation

ingress.enabled: false

type

Ingress type

Automatically configure your ingress for an ingress controller. Accepted values are nginx, traefik. This will override the clientCertificateHeader if set, and generate annotations, resources, and ingress resources to ensure Horizon works correctly.

ingress.type: ""

clientCertificateAuth

Client certificate authentication

When ingress.type is set, determines whether the ingress controller should request client certificates.

ingress.clientCertificateAuth: false

clientCertificateCASecrets

Client certificate CA secrets

If set, the ingress controller will only request client certificates signed by these CAs. Each secret should contain a ca.crt key containing the PEM-encoded CA certificate.

ingress.clientCertificateCASecrets: []

scepCompatibilityMode

SCEP compatibility mode

Adds a secondary ingress for SCEP support over HTTP.

ingress.scepCompatibilityMode: false

ingressClassName

IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)

ingress.ingressClassName: ""

hostname

Default host for the ingress resource

ingress.hostname: ""
Example
hostname: "horizon.local"

path

Default path for the ingress record

You may need to set this to '/*' in order to use this with ALB ingress controllers.
ingress.path: "/"

pathType

Ingress path type

ingress.pathType: "Prefix"

annotations

Additional annotations for the Ingress resource

To enable certificate autogeneration, place here your cert-manager annotations.

ingress.annotations: {}
Example
annotations:
  cert-manager.io/cluster-issuer: cluster-issuer-name

tls

Enable TLS configuration for the hostname defined at ingress.hostname parameter

TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}. You can use the ingress.secrets parameter to create this TLS secret, rely on cert-manager to create it, or let the chart create self-signed certificates for you.

ingress.tls: false

extraHosts

The list of additional hostnames to be covered with this ingress record

Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array.

ingress.extraHosts: []
Example
extraHosts:
- name: horizon.local
  path: /

extraPaths

An array with additional arbitrary paths that may need to be added to the ingress under the main host

ingress.extraPaths: []
Example
extraPaths:
- path: /*
  backend:
    serviceName: ssl-redirect
    servicePort: use-annotation

extraTls

The tls configuration for additional hostnames to be covered with this ingress record

ingress.extraTls: []
Example
extraTls:
- hosts:
    - horizon.local
  secretName: horizon.local-tls

extraRules

Additional rules to be covered with this ingress record

ingress.extraRules: []
Example
extraRules:
- host: horizon.local
  http:
    paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: horizon
            port:
              name: http

monitoring

Prometheus monitor configuration

enabled

Enable the creation of a ServiceMonitor object for Horizon if the cluster has the monitoring.coreos.com/v1 capability

monitoring.enabled: true

appSecret

Configure the Play secret for the Horizon instance. As this is used for cryptographic purposes, it should be fetched from the environment.

appSecret: {}
Example
appSecret:
  valueFrom:
    secretKeyRef:
      name: horizon-secret
      key: appSecret

license

A valid Horizon license is required for the software to run. You should store it (base64-encoded) in a Kubernetes secret and specify the secret details here.

secretName

Existing secret name where the Horizon license is stored

license.secretName: ""

secretKey

Existing secret key where the Horizon license is stored

license.secretKey: ""

initialAdminHashPassword

Set up initial admin user.

enabled

Whether to enable the initial admin user

initialAdminHashPassword.enabled: false

secretName

Existing secret name where the initial admin password is stored

initialAdminHashPassword.secretName: ""

secretKey

Existing secret key where the initial admin password is stored

initialAdminHashPassword.secretKey: ""

defaultVault

Horizon Default vault configuration

keyset

Keyset

A reference to a secret that contains the keyset. You should store it (base64-encoded) in a Kubernetes secret and specify the secret details here.

defaultVault.keyset: {}
Example
keyset:
 secretName: ""
 secretKey: ""

legacySsvPassword

Horizon legacy SSV password (Optional). Should be set if upgrading from Horizon 2.7 or earlier to Horizon 2.8 or later.

legacySsvPassword: {}
Example
legacySsvPassword:
  secretName: horizon-legacy-ssv-password
  secretKey: legacySsvPassword

allowedHosts

Additional allowed hosts that are whitelisted to access the Horizon UI. Configured ingresses will automatically be added to the list; this should only be used when port forwarding or when an ingress is created manually.

allowedHosts:
  - localhost:9000
Example
allowedHosts:
  - localhost:9000
  - demo.example.org

trustedProxies

Depending on your Kubernetes environment, Ingress IPs may be unpredictable. In that case, you should whitelist every IP in your local addressing space.

trustedProxies:
  - 0.0.0.0/0
  - '::/0'
Example
trustedProxies:
  - 0.0.0.0/0
  - ::/0

events

Configuration for Horizon events

chainsign

Whether Horizon events should be signed and chained using the event seal secret

events.chainsign: true

secret

Secret used to sign and chain events

Can be a reference to a Kubernetes secret.

events.secret: {}
Example
secret:
  valueFrom:
    secretKeyRef:
      name: horizon-secret
      key: eventSealSecret

ttl

Duration during which events are kept in database

events.ttl: ""

discoveryTtl

Duration during which discovery events are kept in database

events.discoveryTtl: ""

logFormat

Format in which logs will be output. Can be set either to "console" or "json" for structured logging.

logFormat: "console"

tls

TLS configuration

enabled

Whether to use the HTTPS port by default on ingresses and other services

tls.enabled: false

secretName

Existing secret name where a PKCS12 certificate is stored

tls.secretName: ""

secretKey

Existing secret key where the PKCS12 certificate is stored

tls.secretKey: ""

mailer

Configuration for the Horizon mailer. You should configure this if you want your Horizon instance to be able to send emails. You should fetch credentials from the environment if they are required.

host

SMTP host

mailer.host: ""

port

SMTP host port

mailer.port: ""

tls

Enable TLS for this SMTP host

mailer.tls: ""

ssl

Enable SSL for this SMTP host

mailer.ssl: ""

user

Authentication username for this SMTP host

mailer.user: ""

password

Authentication password for this SMTP host

Can be a reference to a Kubernetes secret.

mailer.password: {}
Example
password:
  valueFrom:
    secretKeyRef:
      name: horizon-secret
      key: mailerPassword

logback

Configure the logger for this Horizon instance. Sensible defaults are set, but you may need a more verbose logging experience when debugging the application.

level

Global logging level for all loggers

logback.level: "info"

pattern

Log messages pattern

logback.pattern: "%date{yyyy-MM-dd HH:mm:ss} - [%logger] - [%traceID] - [%level] - %message%n%xException{full}"

loggers

Logging level overrides for specific loggers

logback.loggers:
  - name: events
    level: warn
  - name: json_events
    level: info
You might want to use the following loggers to gather more info about your Horizon instance
loggers:
  - name: actors
    level: debug
  - name: actions
    level: debug
  - name: controllers
    level: debug
  - name: filters
    level: debug
  - name: models
    level: debug
  - name: modules
    level: debug
  - name: pki-connectors
    level: debug
  - name: racs-connectors
    level: debug

serviceAccount

create

Enable the creation of a ServiceAccount for Horizon pods

serviceAccount.create: true

name

Name of the created ServiceAccount

If not set and create is true, a name is generated using the horizon.fullname template.

serviceAccount.name: ""

annotations

Annotations for Horizon Service Account

serviceAccount.annotations:
  helm.sh/hook: pre-install, pre-upgrade, pre-rollback
  helm.sh/hook-delete-policy: before-hook-creation
  helm.sh/hook-weight: '0'

automountServiceAccountToken

Automount service account token for the server service account

serviceAccount.automountServiceAccountToken: true

clientCertificateHeader

Indicates to Horizon in which header the client certificate will be passed. Will be automatically set by the ingress.clientCertificateAuth value if set.

clientCertificateHeader: ""

podsDirectConnect

Whether Horizon pods should connect to each other directly via IP, or through a DNS record generated by a Kubernetes DNS server. Useful if the kube-dns server is configured with "pods disabled" or if you use GKE Cloud DNS. NOTE: This is not supported by Istio.

podsDirectConnect: false

extraConfig

Additional configuration for Horizon. Injecting arbitrary config could result in unexpected behavior. Proceed with caution.

extraConfig: ""
Example
extraConfig: |
  horizon {
    notification.mail.attachment.extension.der = "der"
  }

upgrade

Upgrade job

enabled

If true, an upgrade job will be run when upgrading the release, modifying your database schema. This works even if mongodb.enabled is set to false.

upgrade.enabled: true

force

If true, an upgrade job will be run every time the Chart is installed or upgraded.

upgrade.force: false

annotations

Extra annotations to add to the upgrade job

upgrade.annotations:
  helm.sh/hook: post-upgrade
  helm.sh/hook-delete-policy: before-hook-creation
  helm.sh/hook-weight: '0'

image

Upgrade image

registry

Horizon Migration image registry

upgrade.image.registry: "registry.evertrust.io"

repository

Horizon Migration image repository

upgrade.image.repository: "horizon-migration"

tag

Horizon Migration image tag (immutable tags are recommended)

upgrade.image.tag: "1.16.0"

pullPolicy

Horizon Migration image pull policy

upgrade.image.pullPolicy: "IfNotPresent"

pullSecrets

Horizon Migration image pull secrets

upgrade.image.pullSecrets: []

resources

horizon-migration container resources

upgrade.resources:
  limits:
    memory: 512Mi
    cpu: 500m
  requests:
    memory: 512Mi
    cpu: 500m

from

Sets the version you’re upgrading from. If empty, the chart will try to infer the version from the database.

upgrade.from: ""

to

Sets the version you’re upgrading to. If empty, the chart will use Chart.AppVersion.

upgrade.to: ""

nodeSelector

Node labels for upgrade pod assignment

upgrade.nodeSelector: {}

tolerations

Tolerations for upgrade pod assignment

upgrade.tolerations: []

podSecurityContext

Configure Pods Security Context

enabled

Enable upgrade pod Security Context

upgrade.podSecurityContext.enabled: true

fsGroup

Set upgrade pod Security Context fsGroup

upgrade.podSecurityContext.fsGroup: 1001

containerSecurityContext

Configure Container Security Context

enabled

Enable upgrade container Security Context

upgrade.containerSecurityContext.enabled: true

runAsUser

Set upgrade container Security Context runAsUser

upgrade.containerSecurityContext.runAsUser: 1001

runAsNonRoot

Set upgrade container Security Context runAsNonRoot

upgrade.containerSecurityContext.runAsNonRoot: true

extraVolumes

Optionally specify extra list of additional volumes for the upgrade pod

upgrade.extraVolumes: []
Example
extraVolumes:
  - name: extra-volume-name
    configMap:
      name: example-configmap

extraVolumeMounts

Optionally specify extra list of additional volumeMounts for the upgrade container

upgrade.extraVolumeMounts: []
Example
extraVolumeMounts:
  - name: extra-volume-name
    mountPath: /mnt/extra-volume

ignoreEmptyFrom

Ignore empty from

upgrade.ignoreEmptyFrom: false

externalDatabase

Configuration for a Horizon external database

Refer to the Horizon installation guide to configure the installation correctly.

uri

External MongoDB URI

For an external database to be used, mongodb.enabled must be set to false. Can be a reference to a Kubernetes secret.

externalDatabase.uri: {}
Example
uri:
  valueFrom:
    secretKeyRef:
      name: horizon-secret
      key: mongoDBUri
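
An added example, not part of the Evertrust chart or its documentation: a Python audit of a release's merged values (for instance the JSON printed by `helm get values <release> --all -o json`) against what this page recommends for appSecret, events.secret, mailer.password, externalDatabase.uri and trustedProxies, plus the chart's default non-root security contexts. The key names are the ones documented here; the sample values, the secret names in them and the inline `value` form of a secret are constructed assumptions.

```python
import ipaddress
import json

# Keys this page documents as accepting a Kubernetes secret reference.
SECRET_REF_PATHS = ["appSecret", "events.secret", "mailer.password",
                    "externalDatabase.uri"]
SECURITY_CONTEXTS = ["containerSecurityContext",
                     "upgrade.containerSecurityContext"]

# Constructed sample of merged values. The inline {"value": ...} form is an
# assumption used to represent a secret written directly into the values file.
SAMPLE = json.loads("""
{
  "appSecret": {"valueFrom": {"secretKeyRef":
      {"name": "horizon-secret", "key": "appSecret"}}},
  "events": {"chainsign": true, "secret": {"value": "inline-seal"}},
  "mailer": {"host": "smtp.example.org", "password": {}},
  "externalDatabase": {"uri": {"valueFrom": {"secretKeyRef":
      {"name": "horizon-secret"}}}},
  "trustedProxies": ["0.0.0.0/0", "::/0", "10.42.0.0/16"],
  "containerSecurityContext": {"enabled": true, "runAsNonRoot": true},
  "upgrade": {"containerSecurityContext":
      {"enabled": false, "runAsNonRoot": true}}
}
""")


def dig(values, dotted):
    """Follow a dotted path through nested dicts; None if any hop is missing."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def is_secret_ref(node):
    """True for the valueFrom.secretKeyRef shape with both name and key set."""
    ref = dig(node, "valueFrom.secretKeyRef")
    return isinstance(ref, dict) and bool(ref.get("name")) and bool(ref.get("key"))


def audit(values):
    """Return sorted (path, finding) tuples for one merged values document."""
    findings = []
    for path in SECRET_REF_PATHS:
        node = dig(values, path)
        # Empty values ({} or "") mean the key is unset, so they are not flagged.
        if node and not is_secret_ref(node):
            findings.append((path, "set without a complete secretKeyRef"))
    for cidr in values.get("trustedProxies") or []:
        try:
            net = ipaddress.ip_network(str(cidr), strict=False)
        except ValueError:
            findings.append(("trustedProxies", f"unparseable entry {cidr!r}"))
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0
            findings.append(("trustedProxies", f"{cidr} matches every address"))
    for path in SECURITY_CONTEXTS:
        ctx = dig(values, path)
        ctx = ctx if isinstance(ctx, dict) else {}
        if not (ctx.get("enabled") and ctx.get("runAsNonRoot")):
            findings.append((path, "runAsNonRoot is not enforced"))
    return sorted(findings)


if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print(f"{path}: {finding}")
```

Run it against the fully merged values rather than a partial override file, otherwise keys left at their chart defaults are reported as missing.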

extraObjects

Create dynamic manifests via values

extraObjects: []
Example
extraObjects:
  - apiVersion: "kubernetes-client.io/v1"
    kind: ExternalSecret
    metadata:
      name: horizon-secrets
    spec:
      backendType: gcpSecretsManager
      data:
        - key: horizon-secret-key
          name: horizon-secret-name

metrics

Enable Prometheus metrics

enabled

Whether to enable Prometheus metrics

metrics.enabled: false

port

Prometheus metrics port

metrics.port: 9095

analytics

Enable analytics engine

Refer to the Horizon installation guide to configure the installation correctly.

enabled

Whether to enable analytics

analytics.enabled: false

persistence

Enable Persistence

When enabled, Horizon will be deployed as a statefulset.

enabled

Whether to enable persistence

persistence.enabled: false

persistentVolumeClaimRetentionPolicy

Persistent Volume Claim Retention Policy

persistence.persistentVolumeClaimRetentionPolicy:
  whenDeleted: Delete
  whenScaled: Retain