sigstore-fulcio
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
namespace:
2
create: false
3
name: fulcio-system
4
imagePullSecrets: []
5
init:
6
enabled: false
7
image:
8
curl:
9
registry: cgr.dev
10
repository: chainguard-private/curl
11
# -- 8.17.0
12
version: sha256:9302c69f621a6d069afe7c103a1c5a4fe807df55299a49cc9654b0bcb98846cf
13
imagePullPolicy: IfNotPresent
14
containerResources: {}
15
config:
16
contents: {}
17
format: json
18
server:
19
replicaCount: 1
20
name: server
21
svcPort: 80
22
grpcSvcPort: 5554
23
# -- KMS type for signing key (possible values: "" / "none", "aws")
24
kmsType: none
25
secret: fulcio-server-secret
26
# -- kubernetes secret name containing IAM credentials for use with AWS KMS
27
awsKmsCredentialsSecretName: aws-kms-credentials
28
# -- AWS region if using AWS KMS for signing key
29
awsKmsRegion: us-east-1
30
logging:
31
production: false
32
image:
33
registry: cgr.dev
34
repository: chainguard-private/fulcio
35
pullPolicy: IfNotPresent
36
# crane digest ghcr.io/sigstore/fulcio:v1.8.7
37
version: latest@sha256:7d654169cca34054bb342f14c4676dbb3213d9e7d5d096c2cdf314d915d933db
38
args:
39
port: 5555
40
grpcPort: 5554
41
# Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
42
certificateAuthority: fileca
43
# kms_resource: gcpkms://....
44
# kms_cert_chain: |-
45
# << your PEM encoded cert chain here. Order from active intermedate first to root last >>
46
# tink_kms_resource: gcp-kms://...
47
# tink_kms_cert_chain: |-
48
# << your PEM encoded Tink cert chain here. Order from active intermedate first to root last >>
49
# tink_enc_keyset: |-
50
# << your encrypted Tink keyset >>
51
hsm_caroot_id:
52
aws_hsm_root_ca_path:
53
gcp_private_ca_parent: projects/test/locations/us-east1/caPools/test
54
ct_log_url: ""
55
disable_ct_log: false
56
serviceAccount:
57
create: true
58
name: ""
59
annotations: {}
60
mountToken: true
61
service:
62
type: ClusterIP
63
ports:
64
- name: http
65
port: 80
66
protocol: TCP
67
targetPort: 5555
68
- name: grpc
69
port: 5554
70
protocol: TCP
71
targetPort: 5554
72
- name: 2112-tcp
73
port: 2112
74
protocol: TCP
75
targetPort: 2112
76
ingress:
77
http:
78
enabled: true
79
className: "nginx"
80
annotations: {}
81
hosts:
82
- path: /
83
host: "fulcio.localhost"
84
tls: []
85
grpc:
86
enabled: false
87
className: ""
88
annotations:
89
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
90
hosts:
91
- host: fulcio.localhost
92
path: /dev.sigstore.fulcio.v2.CA
93
tls:
94
- secretName: fulcio-grpc-ingress-tls
95
hosts:
96
- fulcio.localhost
97
ingresses:
98
- enabled: false
99
grpc: true
100
http: true
101
name: "gce-ingress"
102
className: "gce"
103
hosts:
104
- path: /
105
host: fulcio.localhost
106
annotations: {}
107
tls: []
108
staticGlobalIP: lb-ext-ip
109
frontendConfigSpec: # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters
110
sslPolicy: fulcio-ssl-policy
111
redirectToHttps:
112
enabled: true
113
backendConfigSpec: # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
114
securityPolicy:
115
name: fulcio-security-policy
116
logging:
117
enable: true
118
healthCheck:
119
port: 5555
120
requestPath: "/healthz"
121
type: HTTP
122
# -- Additional labels to add to the server pod
123
podLabels: {}
124
securityContext:
125
runAsNonRoot: true
126
runAsUser: 65533
127
tolerations: []
128
nodeSelector: {}
129
affinity: {}
130
neg:
131
http:
132
name: ""
133
port: 80
134
grpc:
135
name: ""
136
port: 5554
137
createcerts:
138
enabled: true
139
replicaCount: 1
140
name: createcerts
141
image:
142
registry: cgr.dev
143
repository: chainguard-private/sigstore-scaffolding-fulcio-createcerts
144
pullPolicy: IfNotPresent
145
# v0.7.31
146
version: latest@sha256:502a6555fca3da0f5a80ee5034f1bf46967280f6acad058ef760d649216256e7
147
ttlSecondsAfterFinished: 3600
148
serviceAccount:
149
create: true
150
name: ""
151
annotations: {}
152
mountToken: true
153
securityContext:
154
runAsNonRoot: true
155
runAsUser: 65533
156
annotations: {}
157
tolerations: []
158
nodeSelector: {}
159
affinity: {}
160
# Configure ctlog dependency
161
ctlog:
162
enabled: true
163
name: ctlog
164
forceNamespace: ctlog-system
165
fullnameOverride: ctlog
166
namespace:
167
name: ctlog-system
168
create: true
169
createtree:
170
name: ctlog-createtree
171
fullnameOverride: ctlog-createtree
172
createcerts:
173
name: ctlog-createcerts
174
fullnameOverride: ctlog-createcerts
175
createctconfig:
176
logPrefix: fulcio
177
# Force namespace of namespaced resources
178
forceNamespace: ""
179
The trusted source for open source
Talk to an expertProduct
Customers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.