Helm Chart Configuration Parameters

The ESET Private Scanning Solutions Helm chart exposes a comprehensive set of configuration parameters for deploying to your on-premises environment, covering image references, registry authentication, TLS management, network policies, resource limits, and external integrations.

Image and registry (image.*) - Define the container registry URL, repository, and image pull policy, and supply registry credentials either through a Kubernetes secret (pullSecret, default: registry-auth) or directly as a username and password.

Gateway (env.gateway.*) - Configure the Gateway API class, name, host, and namespace for ingress routing (default: Traefik).

Certificate and TLS (env.certificate.*) - Supports both manual certificate injection (X.509-formatted CA, certificate, and key) and automatic certificate management via cert-manager, with configurable common name, SANs (DNS names and IP addresses), validity duration (default: 8760h), issuer kind (Issuer or ClusterIssuer), and renewal window (default: 720h). The TLS secret name defaults to ecscn-tls.

Networking and security (env.networkPolicy.*, env.nodeSelector, env.tolerations) - Configure Cilium-based network policies, restrict ingress CIDRs (default: 0.0.0.0/0, which admits any source address), set the Valkey Operator namespace, and control pod placement via nodeSelector and tolerations. Optionally enable injectReleaseNodeSelector for Karpenter-managed clusters.

Monitoring and observability (env.prometheus.*, env.grafana.*) - Enable PrometheusRule creation with configurable labels (default: release: prometheus) and tune alerting thresholds: disk space usage (default: 85%), load balancer incoming/outgoing data rates (default: 10000/1000 bytes/sec), scanner queue backlog (default: 10), and slow scan duration (default: 300s). Configure a target namespace for Grafana dashboard ConfigMaps.

External secrets (env.externalSecrets.*) - Enable integration with external secret providers (currently supports aws-sm). Configure the full ESO provider block (e.g. AWS Secrets Manager with static credentials or IRSA via JWT/ServiceAccount), add annotations to the ESO ServiceAccount, and set the reconciliation refresh interval (default: 1h).

LoadBalancer (loadbalancer.*) - Control the image version, ESET license and JWK public key credentials, fine-grained liveness/readiness probe settings, resource limits (Guaranteed QoS class), service type (default: LoadBalancer) and port (default: 50052), service annotations, and the full load balancer config block.

Scanner (scanner.*) - Control image version, replica count, rolling update strategy (maxSurge, maxUnavailable), PodDisruptionBudget (with minAvailable or maxUnavailable), ESET license credentials, resource limits (Guaranteed QoS class), persistent cache volume (storage class and size, default: 4Gi), liveness/readiness probes, and topology spread constraints (configurable key and whenUnsatisfiable policy, useful for on-prem host-level spread or cloud AZ-level spread).

Keycloak (keycloak.*) - Configure replica count (set to 0 to disable), image version, admin credentials, RSA key pairs for JWT signing and encryption (DER-formatted, base64-encoded), and two OIDC clients (monitoring_client, scanner_client) with client name, secret, and JWT claims for simultaneous scan count (scc) and license expiration (lex). Resource limits use separate requests/limits.

Valkey (valkey.*) - Enable or disable the Valkey deployment (Redis-compatible store, default: disabled), configure image and sidecar versions, authentication password, persistent storage (storage class and size, default: 2Gi), and resource limits.

Always refer to the README included with the Helm chart for the full and up-to-date list of parameters, default values, and usage examples.
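
Several of the groups above accept credentials directly in values, and the ingress CIDR default is 0.0.0.0/0. The following pre-deployment check is an added example, not part of the ESET chart or its README; it walks a values tree and flags both conditions. Only the group prefixes (image, env.networkPolicy, keycloak, valkey) and pullSecret come from this page; the other leaf key names in the sample are assumptions.

```python
import ipaddress

# Constructed sample. Nesting follows the parameter groups on this page;
# leaf names such as ingressCIDRs and adminPassword are assumptions.
SAMPLE_VALUES = {
    "image": {"pullSecret": "registry-auth", "username": "", "password": ""},
    "env": {"networkPolicy": {"ingressCIDRs": ["0.0.0.0/0"]}},
    "keycloak": {"adminPassword": "example-only"},
    "valkey": {"enabled": True, "password": "example-only"},
}

SECRET_HINTS = ("password", "secret", "license", "privatekey")
REFERENCE_KEYS = ("pullsecret", "secretname")  # names of Secrets, not secret values


def walk(node, path=()):
    """Yield (dotted.path, leaf) for every leaf in nested dicts and lists."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (str(index),))
    else:
        yield ".".join(path), node


def is_any_address(value):
    """True for 0.0.0.0/0, ::/0 and any other zero-length prefix."""
    try:
        return ipaddress.ip_network(value, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit(values):
    """Return (path, reason) for open CIDRs and non-empty inline credentials."""
    findings = []
    for path, leaf in walk(values):
        if not isinstance(leaf, str) or not leaf:
            continue
        key = path.rsplit(".", 1)[-1].lower()
        if is_any_address(leaf):
            findings.append((path, "CIDR admits every source address"))
        elif key not in REFERENCE_KEYS and any(h in key for h in SECRET_HINTS):
            findings.append((path, "credential set inline in values"))
    return findings
```

To run it against a deployed release, load the output of `helm get values <release> -o json` with `json.load` and pass the result to `audit`; adjust SECRET_HINTS and REFERENCE_KEYS to the key names in the chart's README.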