
openfga

Helm chart

# Replica count and container image for the OpenFGA deployment.
replicaCount: 3
image:
  repository: cgr.dev/chainguard-private/openfga
  pullPolicy: Always
  # The sha256 digest after "@" is what pins the image content: a reference
  # carrying both a tag and a digest is resolved by digest, so "latest" is
  # informational only. Change the digest deliberately when upgrading.
  tag: latest@sha256:6ed3bf4bd49c4c490872e47614f58299012c2ce84e6bb5289394a4b9afe8494e
# NOTE(review): the repository path is "chainguard-private", so pulls
# presumably need registry credentials supplied here -- confirm.
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# Specify additional labels to apply to OpenFGA resources
# Usage example:
# commonLabels:
#   app.example.com/system: permissions
#   app.example.com/domain: example
commonLabels: {}
serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
# NOTE(review): top-level `annotations`, separate from
# serviceAccount.annotations above; which resources receive it is not shown
# on this page.
annotations: {}
# Extra pod metadata and pod-spec extension points; all empty by default.
podAnnotations: {}
podExtraLabels: {}
# NOTE(review): values placed in extraEnvVars live in plain text in the
# values file; for credentials use a `valueFrom.secretKeyRef` entry rather
# than a literal `value`.
extraEnvVars: []
extraVolumes: []
extraVolumeMounts: []
extraInitContainers: []
# NOTE(review): both security contexts default to empty, so these values add
# no pod- or container-level hardening by themselves; anything that applies
# comes from the image's own configuration and the cluster's admission
# policy. The commented keys are the chart's suggested settings. To use
# them, replace `{}` with the uncommented keys.
podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

# Image for the chart's init container (k8s-wait-for); digest-pinned in the
# same way as the main image.
# NOTE(review): the `migrations` image entry further down still names
# groundnuty/k8s-wait-for with tag "v2.0" and no digest. Check which of the
# two entries the templates actually use and pin both consistently.
initContainer:
  repository: cgr.dev/chainguard-private/k8s-wait-for
  tag: latest@sha256:59ac03b24e7b7b81554f294b12ce32582cbb0017d43c54bb186e9998a176725c
  pullPolicy: IfNotPresent
## Configure extra options for OpenFGA containers' liveness, readiness and startup probes
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes

## @param livenessProbe.enabled Enable liveness probes on OpenFGA containers.
## @param livenessProbe.initialDelaySeconds Number of seconds after the container has started before liveness probes are initiated.
## @param livenessProbe.periodSeconds How often (in seconds) to perform the probe.
## @param livenessProbe.timeoutSeconds Number of seconds after which the probe times out.
## @param livenessProbe.failureThreshold Failure threshold for liveness probes.
## @param livenessProbe.successThreshold Success threshold for liveness probes.
##
# With these defaults the first probe runs 60 s after container start and the
# container is restarted after 12 consecutive failures, 10 s apart.
livenessProbe:
  enabled: true
  initialDelaySeconds: 60
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 12
  successThreshold: 1
## @param readinessProbe.enabled Enable readiness probes on OpenFGA containers.
## @param readinessProbe.initialDelaySeconds Number of seconds after the container has started before readiness probes are initiated.
## @param readinessProbe.periodSeconds How often (in seconds) to perform the probe.
## @param readinessProbe.timeoutSeconds Number of seconds after which the probe times out.
## @param readinessProbe.failureThreshold Failure threshold for readiness probes.
## @param readinessProbe.successThreshold Success threshold for readiness probes.
##
# A pod is taken out of Service endpoints after 6 consecutive failed probes.
readinessProbe:
  enabled: true
  initialDelaySeconds: 5
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 6
  successThreshold: 1
## @param startupProbe.enabled Enable startup probes on OpenFGA containers.
## @param startupProbe.initialDelaySeconds Number of seconds after the container has started before startup probes are initiated.
## @param startupProbe.periodSeconds How often (in seconds) to perform the probe.
## @param startupProbe.timeoutSeconds Number of seconds after which the probe times out.
## @param startupProbe.failureThreshold Failure threshold for startup probes.
## @param startupProbe.successThreshold Success threshold for startup probes.
##
# Disabled by default; the remaining values only take effect once enabled.
startupProbe:
  enabled: false
  initialDelaySeconds: 60
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 30
  successThreshold: 1
# Full probe overrides; each is an empty mapping by default, which
# presumably leaves the corresponding probe block above in effect.
## @param customLivenessProbe Overrides the default liveness probe with a custom one.
##
customLivenessProbe: {}
## @param customReadinessProbe Overrides the default readiness probe with a custom one.
##
customReadinessProbe: {}
## @param customStartupProbe Overrides the default startup probe with a custom one.
##
customStartupProbe: {}
# Kubernetes Service in front of the OpenFGA pods.
# NOTE(review): ClusterIP keeps the Service reachable only from inside the
# cluster. Before switching to NodePort or LoadBalancer, set `authn.method`
# and the TLS options below; both are unset or disabled in these defaults.
service:
  annotations: {}
  type: ClusterIP
  port: 8080
# Tracing and Prometheus metrics settings.
telemetry:
  trace:
    enabled: false
    otlp:
      # Trace collector endpoint; unset by default.
      endpoint:
      tls:
        # NOTE(review): if tracing is enabled while this stays false, spans
        # are presumably exported without TLS -- confirm, and enable it when
        # the collector is reached across an untrusted network.
        enabled: false
    sampleRatio:
  metrics:
    ## @param telemetry.metrics.enabled enable/disable prometheus metrics on the '/metrics' endpoint
    ##
    enabled: true
    serviceMonitor:
      ## @param telemetry.metrics.serviceMonitor.enabled enable/disable installation of serviceMonitor custom resource
      ##
      enabled: false
      ## @param telemetry.metrics.serviceMonitor.additionalLabels additional labels to be added to the serviceMonitor resource
      ##
      additionalLabels: {}
      ## @param telemetry.metrics.serviceMonitor.annotations annotations to be added to the serviceMonitor resource
      ##
      annotations: {}
      ## @param telemetry.metrics.serviceMonitor.jobLabel the label to use to retrieve the job name from
      ##
      jobLabel: "app.kubernetes.io/name"
      ## @param telemetry.metrics.serviceMonitor.namespace namespace where the serviceMonitor resource should be installed to
      ##
      namespace: ""
      ## @param telemetry.metrics.serviceMonitor.namespaceSelector which namespaces should be scraped
      ##
      ## Default: scrape .Release.Namespace or namespaceOverride only
      ## To scrape all, use the following:
      ## namespaceSelector:
      ##   any: true
      ##
      namespaceSelector: {}
      ## @param telemetry.metrics.serviceMonitor.scrapeInterval prometheus scrape interval
      ##
      scrapeInterval: 30s
      ## @param telemetry.metrics.serviceMonitor.scrapeTimeout prometheus scrape timeout
      ##
      scrapeTimeout: 10s
      ## @param telemetry.metrics.serviceMonitor.targetLabels additional target labels to scrape
      ##
      targetLabels: []
      ## @param telemetry.metrics.serviceMonitor.relabelings add job relabelings
      ##
      relabelings: []
      ## @param telemetry.metrics.serviceMonitor.metricRelabelings add metric relabelings
      ##
      metricRelabelings: []
    ## @param telemetry.metrics.addr the host:port address to serve the Metrics server on
    # NOTE(review): 0.0.0.0 binds the metrics listener on every pod
    # interface, and these values expose no authentication setting for it.
    # Limit who can reach port 2112 with a NetworkPolicy.
    addr: 0.0.0.0:2112
    ## @param telemetry.metrics.enableRPCHistograms enables prometheus histogram metrics for RPC latency distributions
    enableRPCHistograms:
    ## @param telemetry.metrics.podAnnotations [object] Annotations for the Prometheus metrics on etcd pods
    ##
    # NOTE(review): "etcd" in the line above looks like a leftover from
    # another chart. The port annotation references
    # .Values.containerPorts.prometheus, which is not defined anywhere in the
    # values shown on this page -- verify what it renders to.
    podAnnotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "{{ .Values.containerPorts.prometheus }}"
# Storage backend, credentials and migration settings.
# NOTE(review): the rendered page lost its indentation; the nesting below
# (in particular `secondary` and the migration keys sitting under
# `datastore`) is reconstructed -- confirm against the chart's values.yaml.
datastore:
  metrics:
    enabled: false
  # NOTE(review): `memory` is not persistent and, as far as upstream
  # documents it, is held per server process. With replicaCount: 3 each
  # replica would then answer authorization checks from its own separate
  # store. Use a database engine for anything beyond local testing.
  engine: memory
  # NOTE(review): `uri`, `username` and `password` set here are stored in
  # plain text in the values file and recorded with the Helm release. Prefer
  # the secret references (`uriSecret`, or `existingSecret` with
  # `secretKeys`) so credentials stay in a Kubernetes Secret.
  uri:
  uriSecret:
  username:
  password:
  existingSecret:
  secretKeys:
    uriKey:
    usernameKey:
    passwordKey:
  maxCacheSize:
  maxOpenConns:
  maxIdleConns:
  connMaxIdleTime:
  connMaxLifetime:
  # Secondary datastore connection; the same credential-handling advice as
  # for the primary connection applies.
  secondary:
    engine:
    uri:
    uriSecret:
    username:
    password:
    existingSecret:
    secretKeys:
      uriKey:
      usernameKey:
      passwordKey:
  applyMigrations: true
  waitForMigrations: true
  migrationType: job
  migrations:
    resources: {}
    # NOTE(review): unlike `initContainer` above, this image has no registry
    # prefix and no digest, only the mutable tag "v2.0", and it is re-pulled
    # on every start (pullPolicy: Always). If the templates use this entry,
    # point it at a digest-pinned image from a registry you trust.
    image:
      repository: groundnuty/k8s-wait-for
      pullPolicy: Always
      tag: "v2.0"
## DEPRECATED: The bundled PostgreSQL and MySQL sub-charts use the Bitnami legacy
## archive repository which is no longer actively maintained or receiving security updates.
## They are provided for backwards compatibility only and will be removed in subsequent releases.
# NOTE(review): both images below are referenced by tag only (no digest) and
# come from the unmaintained archive named above. Leave both sub-charts
# disabled and point `datastore` at a separately managed database.
postgresql:
  ## @param postgresql.enabled enable the bitnami/postgresql subchart (DEPRECATED - uses unsupported legacy archive)
  enabled: false
  image:
    registry: docker.io
    repository: bitnamilegacy/postgresql
    tag: 15.4.0-debian-11-r45
mysql:
  ## @param mysql.enabled enable the bitnami/mysql subchart (DEPRECATED - uses unsupported legacy archive)
  enabled: false
  image:
    registry: docker.io
    repository: bitnamilegacy/mysql
    tag: 8.0.32-debian-11-r14
# gRPC listener.
# NOTE(review): TLS is disabled by default, so gRPC traffic, including any
# API credentials sent with requests, is unencrypted unless a mesh or proxy
# in front adds it. `cert`, `key` and `ca` are unset and presumably take file
# paths to mounted material -- confirm.
grpc:
  addr: 0.0.0.0:8081
  tls:
    enabled: false
    cert:
    key:
    ca:
# HTTP API listener.
http:
  enabled: true
  addr: 0.0.0.0:8080
  # NOTE(review): TLS is off by default; terminate TLS here or at the ingress
  # or mesh before exposing the API beyond the cluster.
  tls:
    enabled: false
    cert:
    key:
  upstreamTimeout:
  # NOTE(review): wildcard CORS lets a page from any web origin call this
  # API from a browser. Together with the unset `authn.method` below this is
  # only suitable for development; list the exact origins and headers needed.
  corsAllowedOrigins: ["*"]
  corsAllowedHeaders: ["*"]
# API authentication.
# NOTE(review): `method` is left unset. OpenFGA documents `none`, `preshared`
# and `oidc` as methods, and an unset value presumably falls back to the
# server default of no authentication -- confirm, and set it explicitly for
# any shared or production deployment.
authn:
  method:
  preshared:
    # Keys listed inline are stored in plain text in the values file and the
    # Helm release; `keysSecret` presumably names a Kubernetes Secret
    # holding them instead -- prefer that.
    keys: []
    keysSecret:
  oidc:
    audience:
    issuer:
# NOTE(review): the playground is enabled by default. Upstream's production
# guidance recommends turning it off outside development (hedged: confirm
# against the docs for the deployed version).
playground:
  enabled: true
  port: 3000
# Profiler endpoint; disabled by default.
# NOTE(review): keep it disabled in production. When enabled it listens on
# every pod interface (0.0.0.0:3001) and exposes process internals.
profiler:
  enabled: false
  addr: 0.0.0.0:3001
# Server logging; JSON output at info level by default.
log:
  level: info
  format: json
  timestampFormat: Unix
# Check query cache; disabled by default.
# NOTE(review): presumably caches Check results for `ttl`. If so, a revoked
# permission can still be granted from cache until the entry expires, so
# size `ttl` against how quickly revocations must take effect.
checkQueryCache:
  enabled: false
  limit:
  ttl:
# Server feature flags and request limits. Every key without a value is
# null here, so the server's built-in default presumably applies.
# NOTE(review): the max*/resolveNode*/deadline settings bound how much work
# a single request can trigger; review them when the API is reachable by
# clients you do not fully trust.
experimentals: []
maxTuplesPerWrite:
maxTypesPerAuthorizationModel:
maxAuthorizationModelSizeInBytes:
maxConcurrentReadsForCheck:
maxConcurrentReadsForListObjects:
maxConcurrentReadsForListUsers:
maxChecksPerBatchCheck:
maxConcurrentChecksPerBatchCheck:
changelogHorizonOffset:
resolveNodeLimit:
resolveNodeBreadthLimit:
listObjectsDeadline:
listObjectsMaxResults:
listUsersDeadline:
listUsersMaxResults:
requestTimeout:
requestDurationDatastoreQueryCountBuckets: [50, 200]
allowWriting1_0Models:
allowEvaluating1_0Models:
# Ingress for the HTTP API; disabled by default.
# NOTE(review): enabling it publishes the API outside the cluster. `tls` is
# an empty list by default, so add a TLS entry (example below) and set
# `authn.method` before doing so.
ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
          # servicePort: 8080
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
# NOTE(review): `resources` is empty, so no CPU or memory requests or limits
# are set on the container. Set them so one pod cannot exhaust a node;
# utilization-based autoscaling also depends on requests being defined.
resources: {}
lifecycle: {}
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  targetMemoryUtilizationPercentage: 80
# Scheduling constraints; all empty by default.
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# @param sidecars Add additional sidecar containers to the pods
# Example:
# sidecars:
#   - name: your-image-name
#     image: your-image
#     imagePullPolicy: Always
#     ports:
#       - name: portname
#         containerPort: 1234
# NOTE(review): sidecars share the pod's network namespace and any volumes
# mounted into them; pin sidecar images by digest as is done for the main
# image.
sidecars: []
# Settings for the migration workload, which runs as a Helm hook (see the
# hook annotations below).
migrate:
  extraVolumes: []
  extraVolumeMounts: []
  extraInitContainers: []
  sidecars: []
  annotations:
    # Hook runs after install, upgrade, rollback and delete; the previous
    # hook resource is deleted before a new one is created.
    helm.sh/hook: "post-install, post-upgrade, post-rollback, post-delete"
    helm.sh/hook-weight: "-5"
    helm.sh/hook-delete-policy: "before-hook-creation"
  labels: {}
  timeout:
# Overrides for the chart's test pod and container; empty by default.
testPodSpec: {}
testContainerSpec: {}
# -- Array of extra K8s manifests to deploy
## Note: Supports use of custom Helm templates
# NOTE(review): entries are installed with the release, and per the note
# above may contain template expressions. Treat a values file that sets
# extraObjects as code and review it like any other manifest.
extraObjects: []
## Example: Deploy a PostgreSQL instance for dev/test using official Docker images.
## For production, use a managed database service or an operator like CloudnativePG.
## Configure the chart to use the secret:
##   datastore:
##     engine: postgres
##     uriSecret: openfga-postgres-credentials  # (PostgreSQL example)
##     # or
##     uriSecret: openfga-mysql-credentials     # (MySQL example)
#
# NOTE(review): the examples below are dev/test only. `changeme` is a
# placeholder password that must be replaced, the PostgreSQL URI sets
# `sslmode=disable` (no TLS to the database), the images are referenced by
# tag without a digest, and `emptyDir` storage is lost when the pod goes
# away. Committing a Secret manifest with real credentials to a values file
# puts them in version control.
#
## PostgreSQL dev/test example:
#   - apiVersion: v1
#     kind: Secret
#     metadata:
#       name: openfga-postgres-credentials
#     stringData:
#       POSTGRES_USER: openfga
#       POSTGRES_PASSWORD: changeme
#       POSTGRES_DB: openfga
#       uri: "postgres://openfga:changeme@openfga-postgres:5432/openfga?sslmode=disable"
#   - apiVersion: apps/v1
#     kind: Deployment
#     metadata:
#       name: openfga-postgres
#     spec:
#       replicas: 1
#       selector:
#         matchLabels:
#           app: openfga-postgres
#       template:
#         metadata:
#           labels:
#             app: openfga-postgres
#         spec:
#           containers:
#             - name: postgres
#               image: postgres:17
#               ports:
#                 - containerPort: 5432
#               envFrom:
#                 - secretRef:
#                     name: openfga-postgres-credentials
#               volumeMounts:
#                 - name: data
#                   mountPath: /var/lib/postgresql/data
#           volumes:
#             - name: data
#               emptyDir: {}
#   - apiVersion: v1
#     kind: Service
#     metadata:
#       name: openfga-postgres
#     spec:
#       selector:
#         app: openfga-postgres
#       ports:
#         - port: 5432
#           targetPort: 5432
#
## MySQL dev/test example:
#   - apiVersion: v1
#     kind: Secret
#     metadata:
#       name: openfga-mysql-credentials
#     stringData:
#       MYSQL_ROOT_PASSWORD: changeme
#       MYSQL_USER: openfga
#       MYSQL_PASSWORD: changeme
#       MYSQL_DATABASE: openfga
#       uri: "openfga:changeme@tcp(openfga-mysql:3306)/openfga?parseTime=true"
#   - apiVersion: apps/v1
#     kind: Deployment
#     metadata:
#       name: openfga-mysql
#     spec:
#       replicas: 1
#       selector:
#         matchLabels:
#           app: openfga-mysql
#       template:
#         metadata:
#           labels:
#             app: openfga-mysql
#         spec:
#           containers:
#             - name: mysql
#               image: mysql:8.4
#               ports:
#                 - containerPort: 3306
#               envFrom:
#                 - secretRef:
#                     name: openfga-mysql-credentials
#               volumeMounts:
#                 - name: data
#                   mountPath: /var/lib/mysql
#           volumes:
#             - name: data
#               emptyDir: {}
#   - apiVersion: v1
#     kind: Service
#     metadata:
#       name: openfga-mysql
#     spec:
#       selector:
#         app: openfga-mysql
#       ports:
#         - port: 3306
#           targetPort: 3306
