DirectorySecurity AdvisoriesPricing
Sign in
Directory
sigstore-fulcio logoHELM

sigstore-fulcio

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
namespace:
2
create: false
3
name: fulcio-system
4
imagePullSecrets: []
5
init:
6
enabled: false
7
image:
8
curl:
9
registry: cgr.dev
10
repository: chainguard-private/curl
11
# -- 8.17.0
12
version: sha256:df6a5b122f3038224a275b4f09776cc3036b6f001da1ce74759c15dcc0e3fdeb
13
imagePullPolicy: IfNotPresent
14
containerResources: {}
15
config:
16
contents: {}
17
format: json
18
server:
19
replicaCount: 1
20
name: server
21
svcPort: 80
22
grpcSvcPort: 5554
23
# -- KMS type for signing key (possible values: "" / "none", "aws")
24
kmsType: none
25
secret: fulcio-server-secret
26
# -- kubernetes secret name containing IAM credentials for use with AWS KMS
27
awsKmsCredentialsSecretName: aws-kms-credentials
28
# -- AWS region if using AWS KMS for signing key
29
awsKmsRegion: us-east-1
30
logging:
31
production: false
32
image:
33
registry: cgr.dev
34
repository: chainguard-private/fulcio
35
pullPolicy: IfNotPresent
36
# crane digest ghcr.io/sigstore/fulcio:v1.8.7
37
version: latest@sha256:78a08cac186dd8c8c9af391faa137f85f1ec8dcee19895f6289afae342b9b9c5
38
args:
39
port: 5555
40
grpcPort: 5554
41
# Valid values: googleca, pkcs11ca, aws-hsm-root-ca-path, fileca, kmsca
42
certificateAuthority: fileca
43
# kms_resource: gcpkms://....
44
# kms_cert_chain: |-
45
# << your PEM encoded cert chain here. Order from active intermedate first to root last >>
46
# tink_kms_resource: gcp-kms://...
47
# tink_kms_cert_chain: |-
48
# << your PEM encoded Tink cert chain here. Order from active intermedate first to root last >>
49
# tink_enc_keyset: |-
50
# << your encrypted Tink keyset >>
51
hsm_caroot_id:
52
aws_hsm_root_ca_path:
53
gcp_private_ca_parent: projects/test/locations/us-east1/caPools/test
54
ct_log_url: ""
55
ct_log_origin: ""
56
disable_ct_log: false
57
serviceAccount:
58
create: true
59
name: ""
60
annotations: {}
61
mountToken: true
62
# -- Liveness probe for the fulcio server container. `httpGet.port` should
63
# match `server.args.port`.
64
livenessProbe:
65
failureThreshold: 3
66
httpGet:
67
path: /healthz
68
port: 5555
69
scheme: HTTP
70
periodSeconds: 10
71
successThreshold: 1
72
timeoutSeconds: 1
73
# -- Readiness probe for the fulcio server container. `httpGet.port` should
74
# match `server.args.port`.
75
readinessProbe:
76
failureThreshold: 3
77
httpGet:
78
path: /healthz
79
port: 5555
80
scheme: HTTP
81
periodSeconds: 10
82
successThreshold: 1
83
timeoutSeconds: 1
84
service:
85
type: ClusterIP
86
ports:
87
- name: http
88
port: 80
89
protocol: TCP
90
targetPort: 5555
91
- name: grpc
92
port: 5554
93
protocol: TCP
94
targetPort: 5554
95
- name: 2112-tcp
96
port: 2112
97
protocol: TCP
98
targetPort: 2112
99
ingress:
100
http:
101
enabled: true
102
className: "nginx"
103
annotations: {}
104
hosts:
105
- path: /
106
host: "fulcio.localhost"
107
tls: []
108
grpc:
109
enabled: false
110
className: ""
111
annotations:
112
nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
113
hosts:
114
- host: fulcio.localhost
115
path: /dev.sigstore.fulcio.v2.CA
116
tls:
117
- secretName: fulcio-grpc-ingress-tls
118
hosts:
119
- fulcio.localhost
120
ingresses:
121
- enabled: false
122
grpc: true
123
http: true
124
name: "gce-ingress"
125
className: "gce"
126
hosts:
127
- path: /
128
host: fulcio.localhost
129
annotations: {}
130
tls: []
131
staticGlobalIP: lb-ext-ip
132
frontendConfigSpec: # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_frontendconfig_parameters
133
sslPolicy: fulcio-ssl-policy
134
redirectToHttps:
135
enabled: true
136
backendConfigSpec: # https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-configuration#configuring_ingress_features_through_backendconfig_parameters
137
securityPolicy:
138
name: fulcio-security-policy
139
logging:
140
enable: true
141
healthCheck:
142
port: 5555
143
requestPath: "/healthz"
144
type: HTTP
145
# -- Additional labels to add to the server pod
146
podLabels: {}
147
securityContext:
148
runAsNonRoot: true
149
runAsUser: 65533
150
tolerations: []
151
nodeSelector: {}
152
affinity: {}
153
neg:
154
http:
155
name: ""
156
port: 80
157
grpc:
158
name: ""
159
port: 5554
160
createcerts:
161
enabled: true
162
replicaCount: 1
163
name: createcerts
164
image:
165
registry: cgr.dev
166
repository: chainguard-private/sigstore-scaffolding-fulcio-createcerts
167
pullPolicy: IfNotPresent
168
# v0.7.31
169
version: latest@sha256:fe971facc8f441e6f214d94342deb7597df39e84b6af7839c8ee0f5d7deb0172
170
ttlSecondsAfterFinished: 3600
171
serviceAccount:
172
create: true
173
name: ""
174
annotations: {}
175
mountToken: true
176
securityContext:
177
runAsNonRoot: true
178
runAsUser: 65533
179
annotations: {}
180
podAnnotations: {}
181
podLabels: {}
182
tolerations: []
183
nodeSelector: {}
184
affinity: {}
185
# Configure ctlog dependency
186
ctlog:
187
enabled: true
188
name: ctlog
189
forceNamespace: ctlog-system
190
fullnameOverride: ctlog
191
namespace:
192
name: ctlog-system
193
create: true
194
createtree:
195
name: ctlog-createtree
196
fullnameOverride: ctlog-createtree
197
createcerts:
198
name: ctlog-createcerts
199
fullnameOverride: ctlog-createcerts
200
createctconfig:
201
logPrefix: fulcio
202
# Force namespace of namespaced resources
203
forceNamespace: ""
204

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.