
Helm values reference


Canonical reference for every value in the Periscope and periscope-agent Helm charts. For walkthroughs and the "why" behind each block, follow the per-topic links — this page is the exhaustive flat list operators reach for during a helm upgrade.

The source of truth is each chart's values.yaml. This doc is re-derived from those files; if a value here disagrees with the chart, the chart wins. Please file a docs bug when you find such a mismatch.

Stability

Every value documented here is part of the v1.0 public configuration surface and covered by semver: breaking changes (rename, type change, removal) require a major bump (v2). New values may land additively in any minor release with safe defaults.


Server chart (periscope)

image

| Value | Type | Default | Notes |
|---|---|---|---|
| image.repository | string | ghcr.io/gnana997/periscope | OCI repo for the server image. |
| image.tag | string | "" (defaults to Chart.AppVersion) | Pin to a specific release tag in production. |
| image.pullPolicy | string | IfNotPresent | Standard K8s pull policy. |
| imagePullSecrets | list | [] | [{name: <secret>}] entries for private registries. |

replicaCount

| Value | Type | Default | Notes |
|---|---|---|---|
| replicaCount | int | 1 | v1.0 is single-replica only — the in-memory session store is per-pod. HA / multi-replica is a post-1.0 follow-up. |

serviceAccount / podIdentity

| Value | Type | Default | Notes |
|---|---|---|---|
| serviceAccount.create | bool | true | When false, set serviceAccount.name to an existing SA. |
| serviceAccount.name | string | "" (derived from release name) | The SA the Deployment runs as. |
| serviceAccount.annotations | map | {} | IRSA path: set eks.amazonaws.com/role-arn here. |
| podIdentity.enabled | bool | false | Pod Identity path (preferred for new EKS). When true, no IRSA annotation is rendered — create the association out-of-band. |

See deploy.md for the IRSA vs Pod Identity decision.

auth

OIDC, session, and authorization settings. Written verbatim into the rendered auth.yaml ConfigMap. See auth0.md / okta.md for IdP-specific values, and cluster-rbac.md for authorization mode trade-offs.

| Value | Type | Default | Notes |
|---|---|---|---|
| auth.oidc.issuer | string | "" | OIDC discovery URL. |
| auth.oidc.clientID | string | "" | OIDC client ID. |
| auth.oidc.clientSecret | string | ${OIDC_CLIENT_SECRET} | Reference into the chosen secrets.mode. |
| auth.oidc.redirectURL | string | "" | Periscope's /api/auth/callback URL. |
| auth.oidc.scopes | list | [openid, profile, email, offline_access] | Standard scopes; usually leave as-is. |
| auth.oidc.audience | string | "" | Auth0 only; leave empty for Okta and most IdPs. |
| auth.oidc.postLogoutRedirect | string | "" | URL the browser lands on after IdP logout. |
| auth.session.cookieName | string | periscope_session | Session cookie name. |
| auth.session.idleTimeout | duration | 30m | Idle timeout before the session is invalidated. |
| auth.session.absoluteTimeout | duration | 8h | Hard cap on session lifetime. |
| auth.session.cookieDomain | string | unset | Optional explicit Domain= attribute on the cookie. |
| auth.authorization.mode | enum | shared | shared \| tier \| raw. See RFC 0002 §4 and cluster-rbac.md. |
| auth.authorization.groupTiers | map | {} | tier-mode only: IdP group → tier (read \| triage \| write \| maintain \| admin). |
| auth.authorization.defaultTier | string | "" | tier-mode only: tier applied when no group matches. "" = deny. |
| auth.authorization.groupPrefix | string | periscope: | raw-mode only: prefix prepended to each impersonated group. |
| auth.authorization.groupsClaim | string | groups | IdP token claim that holds the groups list. Auth0 needs a custom namespaced claim. |
| auth.authorization.allowedGroups | list | [] | All modes: gate on these IdP groups. Empty = any authenticated user. |
| auth.authorization.auditAdminGroups | list | [] | IdP groups granted full /api/audit visibility across all users. |
| auth.dev.subject | string | dev@local | Local-dev only; identity used when no OIDC is configured. |
| auth.dev.email | string | dev@local | Local-dev only. |
| auth.dev.groups | list | [dev] | Local-dev only. |

clusters

The cluster registry. Written verbatim into the rendered clusters.yaml ConfigMap. Three backends — see deploy.md and agent-onboarding.md.

| Value | Type | Default | Notes |
|---|---|---|---|
| clusters | list | [] | Each entry has name + backend plus backend-specific fields. |

Per-entry fields by backend:

| Backend | Fields |
|---|---|
| backend: eks | name, backend: eks, region, arn. |
| backend: kubeconfig | name, backend: kubeconfig, kubeconfigPath, optional kubeconfigContext. |
| backend: in-cluster | name, backend: in-cluster. The chart auto-binds the Periscope SA to the impersonator role. |
| backend: agent | name, backend: agent. No other backend-specific fields; the agent dialing in with a matching mTLS CN supplies the connection. |

Per-cluster overrides (any backend):

| Field | Type | Notes |
|---|---|---|
| exec.enabled | bool | false disables exec entirely on this cluster. |
| exec.serverIdleSeconds | int | Overrides global idle timeout for this cluster. |
| exec.idleWarnSeconds | int | Overrides global idle-warn lead. |
| exec.heartbeatSeconds | int | Overrides global heartbeat. |
| exec.maxSessionsPerUser | int | Overrides global per-user cap. |
| exec.maxSessionsTotal | int | Overrides global per-cluster cap. |
| environment | string | Free-form label, surfaced on the fleet card (e.g. prod, staging). |

secrets

How the OIDC client secret reaches the pod. Pick exactly one mode.

| Value | Type | Default | Notes |
|---|---|---|---|
| secrets.mode | enum | existing | existing \| plain \| external \| native. |
| secrets.existing.name | string | periscope-oidc | Name of the pre-applied K8s Secret. |
| secrets.existing.key | string | OIDC_CLIENT_SECRET | Key in the Secret + env-var name on the pod. |
| secrets.plain.clientSecret | string | "" | Used only when mode=plain. Renders a kind: Secret from values — fine for kind/minikube, never for prod. |
| secrets.external.storeName | string | "" | External Secrets Operator: SecretStore / ClusterSecretStore name. |
| secrets.external.storeKind | enum | ClusterSecretStore | Or SecretStore. |
| secrets.external.refreshInterval | duration | 1h | Resync interval on the rendered ExternalSecret. |
| secrets.external.remoteKey | string | "" | Upstream secret path / name. |
| secrets.external.remoteProperty | string | "" | JSON key to extract when the upstream value is JSON-shaped. |
| secrets.native.enabled | bool | true | No K8s Secret at all; Periscope's resolver fetches from AWS Secrets Manager / SSM at startup. Point auth.oidc.clientSecret at e.g. aws-secretsmanager://periscope/oidc#client_secret. |
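The auth, clusters and secrets blocks above are usually set together, since auth.oidc.clientSecret must line up with the chosen secrets.mode and per-cluster exec overrides sit inside the cluster entries. The fragment below is an added example for this page, not the chart's own values.yaml; the hostnames, IdP group names, AWS account and cluster names are placeholders.

```yaml
# Added example, not the chart's own values.yaml.
# Hostnames, IdP groups, account id and cluster names are placeholders.
auth:
  oidc:
    issuer: https://idp.example.com/                 # OIDC discovery URL
    clientID: periscope-prod
    clientSecret: "${OIDC_CLIENT_SECRET}"            # env var populated via secrets.mode below
    redirectURL: https://periscope.example.com/api/auth/callback
  session:
    idleTimeout: 30m
    absoluteTimeout: 8h
  authorization:
    mode: tier
    groupsClaim: groups
    allowedGroups: [platform-eng, sre]               # empty would admit any authenticated user
    groupTiers:                                      # IdP group -> tier
      sre: admin
      platform-eng: write
    defaultTier: ""                                  # "" = deny when no group matches
    auditAdminGroups: [sre]                          # full /api/audit visibility

clusters:
  - name: prod-eu
    backend: eks
    region: eu-west-1
    arn: arn:aws:eks:eu-west-1:123456789012:cluster/prod-eu
    environment: prod
    exec:
      enabled: false                                 # no pod-exec on prod from Periscope
  - name: staging
    backend: agent                                   # agent dials in with a matching mTLS CN
    environment: staging
    exec:
      maxSessionsPerUser: 2                          # tighter than the global default of 5

secrets:
  mode: existing                                     # exactly one mode
  existing:
    name: periscope-oidc                             # pre-applied K8s Secret
    key: OIDC_CLIENT_SECRET                          # Secret key and pod env-var name
```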

env

| Value | Type | Default | Notes |
|---|---|---|---|
| env | list | [] | Extra name: value pairs. Rarely needed — the chart maps documented PERISCOPE_* vars from typed values. |

service / ingress

| Value | Type | Default | Notes |
|---|---|---|---|
| service.type | string | ClusterIP | Standard K8s Service type. |
| service.port | int | 8080 | Periscope listens on :8080 inside the pod. |
| ingress.enabled | bool | false | When true, an Ingress resource is rendered. |
| ingress.className | string | "" | IngressClass name (nginx, alb, …). |
| ingress.annotations | map | {} | Controller-specific annotations. |
| ingress.host | string | "" | Hostname the Ingress matches. |
| ingress.path | string | / | Path to match. |
| ingress.pathType | string | Prefix | Standard pathType. |
| ingress.tls.enabled | bool | false | Render a TLS section. |
| ingress.tls.secretName | string | "" | TLS Secret name when enabled. |

Pod / container specs

| Value | Type | Default | Notes |
|---|---|---|---|
| resources.requests.cpu | quantity | 100m | |
| resources.requests.memory | quantity | 128Mi | |
| resources.limits.cpu | quantity | 500m | |
| resources.limits.memory | quantity | 512Mi | |
| podAnnotations | map | {} | Extra annotations on the Deployment's pod template. |
| podSecurityContext.runAsNonRoot | bool | true | |
| podSecurityContext.runAsUser | int | 65532 | Distroless nonroot UID. |
| podSecurityContext.runAsGroup | int | 65532 | |
| podSecurityContext.fsGroup | int | 65532 | |
| podSecurityContext.seccompProfile.type | string | RuntimeDefault | |
| containerSecurityContext.allowPrivilegeEscalation | bool | false | |
| containerSecurityContext.readOnlyRootFilesystem | bool | true | |
| containerSecurityContext.capabilities.drop | list | [ALL] | |
| nodeSelector | map | {} | Standard. |
| tolerations | list | [] | Standard. |
| affinity | map | {} | Standard. |

audit

Audit log persistence. See audit.md for retention sizing and the "stdout always on, SQLite optional" model.

| Value | Type | Default | Notes |
|---|---|---|---|
| audit.enabled | bool | false | When true, also writes audit events to a local SQLite DB. stdout JSON emission is unconditional. |
| audit.retentionDays | int | 30 | Time-based retention. 0 disables time-based pruning. |
| audit.maxSizeMB | int | 1024 | Application-level on-disk cap. 0 disables size-based pruning. |
| audit.vacuumInterval | duration | 24h | How often the prune+VACUUM loop runs. |
| audit.storage.type | enum | pvc | pvc (persistent) \| emptyDir (ephemeral). |
| audit.storage.size | quantity | 5Gi | PVC request size. Used only when type=pvc. |
| audit.storage.storageClass | string | "" | Empty = cluster default StorageClass. |
| audit.storage.accessMode | string | ReadWriteOnce | v1.0 single-replica needs only RWO. |

exec

Pod-exec global defaults. Per-cluster overrides go under clusters[].exec. See pod-exec.md for the operator guide.

| Value | Type | Default | Notes |
|---|---|---|---|
| exec.serverIdleSeconds | int | 600 | Server-side idle timeout. |
| exec.idleWarnSeconds | int | 30 | Browser warning lead before the cut. |
| exec.heartbeatSeconds | int | 20 | WebSocket heartbeat ping interval. |
| exec.maxSessionsPerUser | int | 5 | Concurrent sessions per OIDC subject. |
| exec.maxSessionsTotal | int | 50 | Concurrent sessions per cluster. |
| exec.probeClustersOnBoot | bool | false | Pre-warm IAM creds + exec policy at startup. |

There is intentionally no global exec.enabled switch. Disable exec per-cluster via clusters[i].exec.enabled: false.

watchStreams

SSE live-list configuration. See watch-streams.md for the kind registry, group aliases, and fallback behavior.

| Value | Type | Default | Notes |
|---|---|---|---|
| watchStreams.kinds | string | "" | Empty / all / off / none / comma-separated kinds / group aliases. |
| watchStreams.perUserLimit | int | 60 | Per-user concurrent stream cap. 0 disables (not recommended). |

Group aliases: core, workloads, networking, storage, cluster. Per-kind tokens: see watchStreams: block in values.yaml.

pdb

| Value | Type | Default | Notes |
|---|---|---|---|
| pdb.enabled | bool | true | Render a PodDisruptionBudget. |
| pdb.maxUnavailable | int | 1 | v1.0 single-replica: 1 allows drains. Switch to minAvailable per replica when HA lands post-1.0. |

networkPolicy

See networkpolicy.md for the full recipe.

| Value | Type | Default | Notes |
|---|---|---|---|
| networkPolicy.enabled | bool | false | Render a NetworkPolicy. |
| networkPolicy.ingress.fromNamespaces | list | [] | namespaceSelector matchLabels for permitted ingress sources. |
| networkPolicy.ingress.extra | list | [] | Raw NetworkPolicyIngressRule entries appended. |
| networkPolicy.egress.extra | list | [] | Raw NetworkPolicyEgressRule entries (e.g. IdP CIDRs, EKS endpoints). DNS to kube-dns is always added. |

clusterRBAC

Tier-mode RBAC manifests rendered for the central cluster. See cluster-rbac.md.

| Value | Type | Default | Notes |
|---|---|---|---|
| clusterRBAC.enabled | bool | false | Render the periscope-tier ClusterRoles + bindings. |
| clusterRBAC.bridgeGroup | string | periscope-bridge | K8s group your EKS Access Entry binds the pod principal to. |

agent

Server-side agent backend (#42) — opens the mTLS tunnel listener and the registration endpoints. See agent-onboarding.md and ../architecture/agent-tunnel.md.

| Value | Type | Default | Notes |
|---|---|---|---|
| agent.enabled | bool | false | Master switch — opens :8443, mounts /api/agents/* routes, pre-creates the CA Secret. |
| agent.listenAddr | string | :8443 | Bind address for the mTLS tunnel listener. |
| agent.tunnelSANs | string | localhost | Comma-separated SANs baked into the server cert presented to agents on the tunnel. |
| agent.caSecretName | string | periscope-agent-ca | K8s Secret holding the per-deployment CA. |
| agent.tunnelService.enabled | bool | false | Render a second Service to expose the tunnel listener externally. |
| agent.tunnelService.type | string | LoadBalancer | NLB recommended (TLS-passthrough). |
| agent.tunnelService.port | int | 8443 | External port for the tunnel Service. |
| agent.tunnelService.annotations | map | {} | Cloud-LB-specific annotations. |

Agent chart (periscope-agent)

Each managed cluster runs ONE periscope-agent Deployment. Most fields are install-time identity; the rest can stay at defaults. See agent-onboarding.md for the topology decision matrix.

image

| Value | Type | Default | Notes |
|---|---|---|---|
| image.repository | string | ghcr.io/gnana997/periscope-agent | |
| image.tag | string | "" (defaults to Chart.AppVersion) | |
| image.pullPolicy | string | IfNotPresent | |
| imagePullSecrets | list | [] | |

agent

| Value | Type | Default | Notes |
|---|---|---|---|
| agent.serverURL | string | "" | Required. WebSocket URL of the central tunnel listener (wss://...:8443/api/agents/connect). |
| agent.clusterName | string | "" | Required. Must match a clusters[].name of backend: agent on the server. |
| agent.registrationToken | string | "" | Required on first install only. Bootstrap token from POST /api/agents/tokens. Single-use, 15-min TTL. |
| agent.registrationURL | string | "" | Set when registration uses a different LB than the tunnel (Topology B — split ALB+NLB). Empty = derive from serverURL. |
| agent.serverCAHash | string | "" | SPKI hash (sha256:...) for self-signed registration endpoints (Topology C). |
| agent.stateSecretName | string | periscope-agent-state | Persisted mTLS cert + key + server CA. |
| agent.healthAddr | string | :8081 | Liveness / readiness probe port. |
| agent.logLevel | enum | "" (binary default = info) | debug \| info \| warn \| error. Set debug for per-request access logs. |
| agent.execIdleSeconds | int | 600 | Per-connection idle timeout (seconds) for hijacked exec WS / SPDY streams. Mirrors the server's PERISCOPE_EXEC_IDLE_SECONDS; set the same value here so stuck streams get reaped on the agent side if the server crashes mid-session. Activity = any successful read; only idle streams are killed. 0 disables (relies entirely on server-side cascade close + OS TCP keepalive — not recommended). |

deployment shape

| Value | Type | Default | Notes |
|---|---|---|---|
| replicaCount | int | 1 | Tunnel sessions are 1:1 with agent pods. HA needs server-side peer routing (post-1.0). |
| serviceAccount.create | bool | true | |
| serviceAccount.name | string | "" | |
| serviceAccount.annotations | map | {} | |

RBAC

| Value | Type | Default | Notes |
|---|---|---|---|
| clusterRole.enabled | bool | true | Bind the agent SA to a ClusterRole granting get/list/watch on every kind + impersonate on users/groups/SAs. |
| clusterRBAC.enabled | bool | true | Install tier ClusterRoleBindings on the managed cluster (periscope-tier-read/write/admin/triage/maintain). Required for impersonation to actually authorize. |
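The agent and RBAC blocks above have to agree with the server chart: agent.clusterName must equal a server-side clusters[].name of backend: agent, and agent.execIdleSeconds should mirror the server's exec.serverIdleSeconds. The fragment below is an added example for this page, not the chart's own values.yaml; hostnames are placeholders and the token value is a stand-in for the one returned by POST /api/agents/tokens.

```yaml
# Added example, not the chart's own values.yaml. Hostnames are placeholders;
# the token is a stand-in for the single-use value from POST /api/agents/tokens.
agent:
  serverURL: wss://tunnel.periscope.example.com:8443/api/agents/connect
  clusterName: staging                     # equals clusters[].name (backend: agent) on the server
  registrationToken: "<REGISTRATION_TOKEN>" # first install only; single-use, 15-min TTL
  registrationURL: https://periscope.example.com   # Topology B: registration via ALB, tunnel via NLB
  stateSecretName: periscope-agent-state   # persisted mTLS cert + key + server CA
  healthAddr: ":8081"
  logLevel: info                           # debug only while troubleshooting access logs
  execIdleSeconds: 600                     # keep equal to the server's exec.serverIdleSeconds

replicaCount: 1                            # tunnel sessions are 1:1 with agent pods

clusterRole:
  enabled: true                            # get/list/watch + impersonate for the agent SA
clusterRBAC:
  enabled: true                            # tier ClusterRoleBindings; needed for impersonation to authorize
```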

resources / security context

Mirrors the server chart's defaults; same fields, just with agent-appropriate request/limit values.

| Value | Type | Default |
|---|---|---|
| resources.requests.cpu | quantity | 50m |
| resources.requests.memory | quantity | 64Mi |
| resources.limits.cpu | quantity | 500m |
| resources.limits.memory | quantity | 256Mi |
| podSecurityContext.runAsNonRoot | bool | true |
| podSecurityContext.runAsUser | int | 65532 |
| podSecurityContext.runAsGroup | int | 65532 |
| podSecurityContext.seccompProfile.type | string | RuntimeDefault |
| containerSecurityContext.allowPrivilegeEscalation | bool | false |
| containerSecurityContext.readOnlyRootFilesystem | bool | true |
| containerSecurityContext.capabilities.drop | list | [ALL] |
| nodeSelector | map | {} |
| tolerations | list | [] |
| affinity | map | {} |
| podAnnotations | map | {} |
| env | list | [] |
