Self Hosted Kubernetes Agent

AWS

EFS CSI

For the EKS cluster, you can use this TF example - EFS CSI-Driver/StorageClass

GCP

Filestore, OpenSource NFS

Azure

Azure Files

AWS Secrets Manager (us-east-1)

${ssm:<secret-name>}

Set by the awsSecretsRegion helm value. Defaults to us-east-1 Role must have permissions: secretsmanager:GetSecretValue

GCP Secrets Manager

${gcp:<secret-id>}

Your GCP project's default region

Access to the secret must be possible using the customerGoogleCredentials configuration or using GKE workload identity. The customerGoogleProject configuration must be supplied and will be used to access secrets in that project only. The permission 'secrets.versions.access' is required

Azure Key Vault

${azure:<secret-name>@<vault-name>}

Your Azure subscription's default region

HashiCorp Vault

${vault:<path>.<key>@<namespace>} where @<namespace> is optional

OCI Vault Secrets

${oci:<secret-id>}

The region defined in the credentials provided in the agent configuration.

dockerImage agentImagePullSecret

Custom Docker image URI and Base64 encoded .dockerconfigjson contents

Custom Docker image. See Using a custom image in an agent

No

agentImagePullSecretRef

A reference to a k8s secret name that holds a Docker pull image token

Custom Docker image that is hosted on a private Docker registry

No

infracostApiKeyEncoded

Base64 encoded Infracost API key

Cost Estimation

Yes: INFRACOST_API_KEY

assumerKeyIdEncoded assumerSecretEncoded

Base64 encoded AWS Access Key ID & Secret

AWS Assume role for deploy credentials. Also, see Authenticating the agent on AWS EKS

Yes: ASSUMER_ACCESS_KEY_ID ASSUMER_SECRET_ACCESS_KEY

limits.cpu limits.memory

Container resource limits Read more about resource ​allocation Recommended cpu: 1.5 and memory: 3Gi

Custom deployment pod size

No

requests.cpu requests.memory

Container resource requests. Recommended cpu: 1.5 and memory: 3Gi

Custom deployment container resources

No

tolerations

An array of toleration objects to apply to all pods. see docs

Custom tolerations

No

deploymentTolerations

An array of tolerationobjects - targeting the deployment pods. This will override the default tolerations for deployment pods.

Custom tolerations

No

affinity

Allows you to constrain which nodes env0 pods are eligible to be scheduled on. see docs

Custom node affinity

No

deploymentAffinity

Affinity for deployment pods. This will override the default affinity for deployment pods.

Custom node affinity

No

customerAwsAccessKeyIdEncoded customerAwsSecretAccessKeyEncoded awsSecretsRegion

Base64 encoded AWS Access Key ID & Secret. Requires the secretsmanager:GetSecretValue permission

Using AWS Secrets Manager to store secrets for the agent

Yes: CUSTOMER_AWS_ACCESS_KEY_ID CUSTOMER_AWS_SECRET_ACCESS_KEY

customerGoogleProject customerGoogleCredentials

Base64 encoded GCP project name and JSON service-key contents. Requires the Secret Manager Secret Access role.

Using GCP Secret Manager to store secrets for the agent. These credentials are not used for the deployment itself. If deploymentJobServiceAccountName is set - Workload identity will override any supplied credentials.

Yes: CUSTOMER_GOOGLE_PROJECT CUSTOMER_GOOGLE_CREDENTIALS

customerAzureClientId customerAzureClientSecret customerAzureTenantId

Base64 encoded Azure Credentials.

Using Azure Key Vault Secrets to store secrets for the agent

Yes: CUSTOMER_AZURE_CLIENT_ID CUSTOMER_AZURE_CLIENT_SECRET CUSTOMER_AZURE_TENANT_ID

customerOracleCredentials.tenancyOCIDEncoded customerOracleCredentials.userOCIDEncoded customerOracleCredentials.apiKeyFingerprintEncoded customerOracleCredentials.apiKeyPrivateKeyEncoded customerOracleCredentials.secretsRegion

OCI credentials. All should be defined separately within the same object - customerOracleCredentials.

Any field that ends with Encoded should be Base64 encoded.

Using OCI Vault to store secrets for the agent. These credentials are not used for the deployment itself.

Yes: CUSTOMER_ORACLE_TENANCY_OCID CUSTOMER_ORACLE_USER_OCID CUSTOMER_ORACLE_API_KEY_FINGERPRINT CUSTOMER_ORACLE_API_KEY_PRIVATE_KEY ORACLE_SECRETS_REGION

customerVaultTokenEncoded customerVaultUrl

• (Deprecated)* Base64 encoded HCP Vault token, and the Vault's URL (also base64 encoded)

Using HCP Vault to store secrets for the agent

Yes: CUSTOMER_VAULT_TOKEN CUSTOMER_VAULT_ADDRESS

vault

Set HCP Vault authentication. First, set the cluster's URL:

address: (equivalent to VAULT_ADDR) loginPath: "<LoginCustomPath>" - (Optional)

Then, you should choose one of the following login method:

• By Vault token method: "token" encodedToken: "<vault-token>"

• By Username & Password method: "password" username: "<username>" encodedPassword: "<base64Encoded password>"

• By Certificate method: "certificate" role: "<certificate name>" clientCertificateSecretName: "<secret-name>"

  • • The secret must created in the same namespace with specify keys (client-cert, client-key) for example: kubectl create secret generic <secret-name> -n env0-agent --from-file=client-key=client.key --from-file=client-cert=client.crt passphraseSecretName: "<secret-name>" (Optional)
  • • The secret must created in the same namespace with specify keys (client-cert, client-key) for example: kubectl create secret generic <secret-name> -n env0-agent --from-literal=passphrase=my-password
    • • For Certification Authority (CA) you can choose between: ^ caDisable: true ^ caCertificateSecretName: "<secret-name>"with the key - ca-cert ^ Using CA certificate with customCertificates

• By Role & Service Account Token(JWT) method: "service_account" role: "<vault role name>"

  • • The JWT is supposed to be supplied by kubernetes in the following path: /var/run/secrets/kubernetes.io/serviceaccount/token\ You can read more about service accounts here. Communication is based on v1 HTTP API
    
    

Using HCP Vault to store secrets for the agent

No

bitbucketServerCredentialsEncoded

Base64 Bitbucket server credentials in the format `username:token (using a Personal Access token)

On-premise Bitbucket Server installation

Yes: BITBUCKET_SERVER_CREDENTIALS

gitlabEnterpriseCredentialsEncoded

Base64 Gitlab Enterprise credentials in the form of a Personal Access token

On-premise Gitlab Enterprise installation

Yes: GITLAB_ENTERPRISE_CREDENTIALS

gitlabEnterpriseBaseUrlSuffix

In cases where your GitLab instance base url is not at the root of the url, URL but on a separate path, e.g.,https://gitlab.acme.com/prod you should define that added suffix to this value gitlabEnterpriseBaseUrlSuffix=prod

On-premise Gitlab Enterprise installation

No

githubEnterpriseAppId githubEnterpriseAppInstallationId githubEnterpriseAppPrivateKeyEncoded

GitHub Enterprise Integration (see step 3)

On-premise GitHub Enterprise installation

Yes: GITHUB_ENTERPRISE_APP_PRIVATE_KEY

allowedVcsUrlRegex

When set, cloning a git repository will only be permitted if the git url matches the regular expression set.

VCS URL Whitelisting

No

customCertificates

An array of strings. Each represents a name of Kubernetes secret that contains custom CA certificates. Those certificates will be available during deployments.

Custom CA Certificates. More details here

No

gitSslNoVerify

When set to true, cloning a git repo will not verify SSL/TLS certs

Ignoring SSL/TLS certs for on-premise git servers

No

storageClassName

Ability to change the default PVC storage class name for env0 self-hosted agent

the default isenv0-state-sc

Please note: When changing this you should also change your storage class name to match this configuration

No

deploymentJobServiceAccountName

Customize the Kubernetes service account used by the deployment pod. Primarily for pod-level IAM permissions

the default is default

No

jobHistoryLimitFailure jobHistoryLimitSuccess

The number of successful and failed deployment jobs should be kept in the Kubernetes cluster history

The default is 10 for each value

No

strictSecurityContext

When set to true, the pod operates under node user instead of root

Increased agent pod security

No

env0StateEncryptionKey

A base64 encoded string (password). When set, deployment state and working directory will be encrypted and persisted on Env0's end

Env0-Hosted Encrypted State

Yes: ENV0_STATE_ENCRYPTION_KEY

environmentOutputEncryptionKey

A base64 encoded string (password). Used to enable the "Environment Outputs" feature

See notes in Environment Outputs

No

logger

Logger config level - debug/info/warn/error format - json/cli

No

agentImagePullPolicy

Set imagePullPolicy attribute - Always/Never/IfNotPresent

No

agentProxy

Agent's Proxy pod config: install - true/false replicas - how many replicas of the agent proxy to use. Default is 1 maxConcurrentRequests - how many concurrent requests each pod should handle. Default is 500 limits - k8s (cpu and memory) limits. Default is 250m and 500Mi

No

deploymentPodWarmPoolSize

A number of deployment pods that should be left "warm" (running & idle) and ready for new deployments

No

podAdditionalEnvVars

Additional Environment variables to be passed to the deployment pods, which will also be passed to the deployment process. These are set as a plain yaml object, i.e.: "podAdditionalEnvVars": ··"MY_SECRET": akeyless:/K8s/my_k8s_secret"

No

podAdditionalLabels

Additional labels to be set on deployment pods. Those are set as a plain yaml object, i.e.: "podAdditionalLabels": ··"mykey": "myvalue"

No

podAdditionalAnnotations

Additional annotations to be set on deployment pods. These are set as a plain yaml object, i.e.: "podAdditionalAnnotations": ··"mykey": "myvalue"

No

agentAdditionalEnvVars

Additional Environment variables to be passed to the agent pods, which will also be passed to the agent proxy / trigger. These are set as a plain yaml object, i.e.: "agentAdditionalEnvVars": ··"MY_ENV": "MY_VALUE"

No

agentAdditionalLabels

Additional annotations to be set on agent (trigger/proxy) pods. These are set as a plain yaml object, i.e.: "agentAdditionalLabels": ··"mykey": "myvalue"

No

agentAdditionalAnnotations

Additional annotations to be set on agent (trigger/proxy) pods. Those are set plain yaml object i.e:

"agentAdditionalAnnotations": ··"mykey": "myvalue"

No

customSecrets

customSecrets: - envVarName: MY_SECRET ··secretName: my-secrets-1 ··key: db_password

Mount custom secrets

No

customSecretMounts

customSecretMounts: - volumeName: my-secrets-1 ··secretName: my-secrets-1 ··mountPath: /opt/secret1

Mount secret files to given a mountPath

No

env0ConfigSecretName

A Kubernetes Secret name. Can be used to provide sensitive values listed in this table, instead of providing them in the Helm values files.

No

customRoleForOidcAwsSsm.duration customRoleForOidcAwsSsm.arn

Custom role for AWS SSM secret fetching, Note: only used when useOidcForAwsSsm=true

No

useOidcForAwsSsm

When set totrue the agent will be instructed to authenticate to AWS SSM using env0 OIDC.

No

httpProxy httpsProxy noProxy

Using Internal Proxy for communication with env0 or your self hosted VCS For enable proxy for http /httpsrequests use

httpProxy: "http://my-http-proxy-address" httpsProxy: "https://my-https-proxy-address"

If you want to exclude url from using the proxy use noProxy: "https://env0.com,https://my-other-vcs"

No

env0BlockDestroyAndTaskCommands

If set to "true", this agent will throw an error when any user tries to destroy any environment or run a custom "task" in it

No

additionalPodConfig

Additional configurations to be merged with the spec of deployment pods. Can be used to add hostAliases, dnsConfig, etc.

Example: additionalPodConfig: hostAliases: - ip: "192.168.1.100" hostnames: - "example.internal" - "example.test" dnsConfig: nameservers: - 1.1.1.1 - 8.8.8.8

additionalAgentConfig

Additional configurations to be merged with the spec of agent (trigger/proxy) pods. Can be used to add hostAliases, dnsConfig, etc.

Example: additionalAgentConfig: hostAliases: - ip: "192.168.1.100" hostnames: - "example.internal" - "example.test" dnsConfig: nameservers: - 1.1.1.1 - 8.8.8.8