FusionAuth is a modern platform for Customer Identity and Access Management (CIAM). FusionAuth provides APIs and a responsive web user interface to support login, registration, localized email, multi-factor authentication, reporting, and much more.
You can read the official instructions, including install steps for AWS, GCP, and Azure, in the FusionAuth Kubernetes installation guide.
- PostgreSQL or MySQL database
- ElasticSearch or OpenSearch instance (optional)
To install the chart with the release name my-fusionauth
:
$ helm repo add fusionauth https://fusionauth.github.io/charts
$ helm install my-fusionauth fusionauth/fusionauth \
--set database.host=[database host] \
--set database.user=[database username] \
--set database.password=[database password] \
--set search.host=[elasticsearch host]
📝 For test deployments, you can remove --set search.host
and add --set search.engine=database
to configure FusionAuth to use the database for search instead of a dedicated search host. This is not recommended for real-world use, as search performance will be greatly reduced.
To uninstall/delete the my-fusionauth
release:
$ helm delete my-fusionauth
The helm chart is versioned independently from FusionAuth app releases. However, the latest version of the helm chart will default to the latest version of FusionAuth.
📝 You can and probably should override the image.tag
field in values.yaml
to run your desired version of the FusionAuth application.
-
In
1.0.0
and later, the FusionAuth app version will now default to the latest available. Release notes will indicate if the chart includes a newer version of FusionAuth. If you wish to override this behavior, setimage.tag
when deploying. -
In
0.8.0
, theenvironment
value is now an array instead of an object. Make sure to reformat your values when you update. -
In
0.4.0
, the external postgresql and elasticsearch charts were dropped. You will need to maintain those dependencies on your own.
Key | Type | Default | Description |
---|---|---|---|
affinity | object | {} |
Configure affinity rules for the fusionauth Deployment. |
annotations | object | {} |
Define annotations for fusionauth Deployment. |
app.memory | string | "256M" |
Configures the amount of memory to allocate to the Java VM (sets FUSIONAUTH_APP_MEMORY ). |
app.runtimeMode | string | "development" |
Configures runtime mode (sets FUSIONAUTH_APP_RUNTIME_MODE ). Must be development or production . |
app.silentMode | bool | false |
Configures silent mode (sets FUSIONAUTH_APP_SILENT_MODE ). Must be true or false . |
autoscaling.enabled | bool | false |
Enable Horizontal Pod Autoscaling. See the values file for more HPA parameters. |
autoscaling.minReplicas | int | 2 |
Minimum number of running instances when HPA is enabled. Ignored when autoscaling.enabled is false . |
autoscaling.maxReplicas | int | 5 |
Maximum number of running instances when HPA is enabled. Ignored when autoscaling.enabled is false . |
autoscaling.targetCPU | int | 50 |
CPU use % threshold to trigger a HPA scale up. Ignored when autoscaling.enabled is false . |
database.existingSecret | string | "" |
The name of an existing Kubernetes Secret that contains the database passwords. |
database.host | string | "" |
Hostname or IP address of the fusionauth database. |
database.name | string | "fusionauth" |
Name of the fusionauth database. |
database.password | string | "" |
Database password for fusionauth to use in normal operation - not required if database.existingSecret is configured. |
database.port | int | 5432 |
Port used by the fusionauth database. |
database.protocol | string | "postgresql" |
Should either be postgresql or mysql . Protocol for jdbc connection to database. |
database.root.password | string | "" |
Database password for fusionauth to use during initial bootstrap - not required if database.existingSecret is configured. |
database.root.user | string | "" |
Database username for fusionauth to use during initial bootstrap - not required if you have manually bootstrapped your database. |
database.tls | bool | false |
Configures whether or not to use tls when connecting to the database. |
database.tlsMode | string | "require" |
If tls is enabled, this configures the mode. |
database.user | string | "" |
Database username for fusionauth to use in normal operation. |
dnsConfig | object | {} |
Define dnsConfig for fusionauth pods. |
dnsPolicy | string | "ClusterFirst" |
Define dnsPolicy for fusionauth pods. |
environment | list | [] |
Configure additional environment variables. |
extraVolumeMounts | list | [] |
Define mount paths for extraVolumes . |
extraContainers | list | [] |
Create containers for the pods. Can be used for sidecars, ambassador, and adapter patterns. |
extraInitContainers | list | [] |
Add extra init containers. Can be used for setup or wait for other dependent services. |
extraVolumes | list | [] |
Define extra volumes to mount in the deployment. |
fullnameOverride | string | "" |
Overrides full resource names. |
image.pullPolicy | string | "IfNotPresent" |
Kubernetes image pullPolicy to use for fusionauth-app. |
image.repository | string | "fusionauth/fusionauth-app" |
The image repository to use for fusionauth-app. |
image.tag | string | "${APP_VERSION}" |
The image tag to pull for fusionauth-app (this is the fusionauth-app version). |
imagePullSecrets | list | [] |
Configures Kubernetes secrets to use for pulling images from private repositories. |
ingress.annotations | object | {} |
Configure annotations to add to the ingress object. |
ingress.enabled | bool | false |
Enables ingress creation for fusionauth. |
ingress.extraPaths | list | [] |
Define path objects which will be inserted before regular paths. Can be useful for things like ALB Ingress Controller actions. |
ingress.hosts | list | [] |
List of hostnames to configure the ingress with. |
ingress.ingressClassName | string | "" |
Specify the ingressClass to be used by the Ingress. |
ingress.paths | list | [] |
Paths to be used by the Ingress. |
ingress.tls | list | [] |
List of secrets used to configure TLS for the ingress. |
initContainers.waitForDb | bool | true |
Create an init container which waits for the database to be ready. |
initContainers.waitForEs | bool | true |
Create an init container which waits for elasticsearch to be ready. |
initContainers.image.repository | string | "busybox" |
Image to use for initContainers docker image. |
initContainers.image.tag | string | "1.36.1" |
Tag to use for initContainers docker image. |
initContainers.resources | object | {} |
Resource requests and limits to use for initContainers . |
kickstart.data | object | {} |
Fusionauth kickstart settings. |
kickstart.enabled | bool | false |
Enable fusionauth kickstart settings. |
lifecycle | object | {} |
Define custom lifecycle settings for the deployment. |
livenessProbe | object | {"failureThreshold":3,"httpGet":{"path":"/","port":"http"},"periodSeconds":30,"timeoutSeconds":5} |
Configures a livenessProbe to ensure fusionauth is running. |
nameOverride | string | "" |
Overrides resource names. |
nodeSelector | object | {} |
Define nodeSelector for kubernetes to use when scheduling fusionauth pods. |
podAnnotations | object | {} |
Define annotations for fusionauth pods. |
podDisruptionBudget.enabled | bool | false |
Enables creation of a PodDisruptionBudget . |
readinessProbe | object | {"failureThreshold":5,"httpGet":{"path":"/","port":"http"},"timeoutSeconds":5} |
Configures a readinessProbe to ensure fusionauth is ready for requests. |
replicaCount | int | 1 |
The number of fusionauth-app instances to run. |
resources | object | {} |
Define resource requests and limits for fusionauth-app. |
search.engine | string | "elasticsearch" |
Protocol to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch . |
search.host | string | "" |
Hostname or ip to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch . |
search.port | int | 9200 |
Port to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch . |
search.protocol | string | "http" |
Protocol to use when connecting to elasticsearch. Ignored when search.engine is NOT elasticsearch . |
service.annotations | object | {} |
Extra annotations to add to the service object. |
service.port | int | 9011 |
Port for the Kubernetes service to expose. |
service.spec | object | {} |
Any extra fields to add to the service object spec. |
service.type | string | "ClusterIP" |
Type of Kubernetes service to create. |
serviceAccount.annotations | object | {} |
Extra annotations to add to the service account object. |
serviceAccount.automount | bool | false |
Automatically mount a service account's API credentials. |
serviceAccount.create | bool | false |
If set to true , service account will be created. Otherwise, the default serviceaccount will be used. |
serviceAccount.name | string | "" |
The name of the service account to use. If not set and create is true , a name is generated using the fullname template. |
startupProbe | object | {"failureThreshold":20,"httpGet":{"path":"/","port":"http"},"periodSeconds":10,"timeoutSeconds":5} |
Configures a startupProbe to ensure fusionauth has finished starting up. |
tolerations | list | [] |
Define tolerations for kubernetes to use when scheduling fusionauth pods. |
topologySpreadConstraints | list | [] |
Define topologySpreadConstraints for kubernetes to use when scheduling fusionauth pods. |